molecule scenario ssh_hardening if failing due to missing docker image

[seven-beep]

Description

As title say.

Reproduction steps

# molecule check -s ssh_hardening
WARNING  Driver docker does not provide a schema.
INFO     ssh_hardening scenario test matrix: dependency, destroy, create, prepare, converge, check, destroy
INFO     Performing prerun with role_name_check=0...
INFO     Running ssh_hardening > dependency
WARNING  Skipping, missing the requirements file.
WARNING  Skipping, missing the requirements file.
INFO     Running ssh_hardening > destroy
INFO     Sanity checks: 'docker'

PLAY [Destroy] *****************************************************************

TASK [Set async_dir for HOME env] **********************************************
Friday 06 September 2024  13:39:29 +0200 (0:00:00.045)       0:00:00.045 ******
ok: [localhost]

TASK [Destroy molecule instance(s)] ********************************************
Friday 06 September 2024  13:39:29 +0200 (0:00:00.057)       0:00:00.102 ******
changed: [localhost] => (item=instance)

TASK [Wait for instance(s) deletion to complete] *******************************
Friday 06 September 2024  13:39:29 +0200 (0:00:00.690)       0:00:00.793 ******
FAILED - RETRYING: [localhost]: Wait for instance(s) deletion to complete (300 retries left).
ok: [localhost] => (item=instance)

TASK [Delete docker networks(s)] ***********************************************
Friday 06 September 2024  13:39:35 +0200 (0:00:05.590)       0:00:06.383 ******
skipping: [localhost]

PLAY RECAP *********************************************************************
localhost                  : ok=3    changed=1    unreachable=0    failed=0    skipped=1    rescued=0    ignored=0

Friday 06 September 2024  13:39:35 +0200 (0:00:00.034)       0:00:06.418 ******
===============================================================================
Wait for instance(s) deletion to complete ------------------------------- 5.59s
Destroy molecule instance(s) -------------------------------------------- 0.69s
Set async_dir for HOME env ---------------------------------------------- 0.06s
Delete docker networks(s) ----------------------------------------------- 0.03s
Playbook run took 0 days, 0 hours, 0 minutes, 6 seconds
INFO     Running ssh_hardening > create

PLAY [Create] ******************************************************************

TASK [Set async_dir for HOME env] **********************************************
Friday 06 September 2024  13:39:36 +0200 (0:00:00.045)       0:00:00.045 ******
ok: [localhost]

TASK [Log into a Docker registry] **********************************************
Friday 06 September 2024  13:39:36 +0200 (0:00:00.047)       0:00:00.092 ******
skipping: [localhost] => (item=None)
skipping: [localhost]

TASK [Check presence of custom Dockerfiles] ************************************
Friday 06 September 2024  13:39:36 +0200 (0:00:00.049)       0:00:00.142 ******
ok: [localhost] => (item={'cgroupns_mode': 'host', 'command': '/lib/systemd/systemd', 'image': 'rndmh3ro/docker--ansible:latest', 'name': 'instance', 'pre_build_image': True, 'privileged': True, 'volumes': ['/sys/fs/cgroup:/sys/fs/cgroup:rw']})

TASK [Create Dockerfiles from image names] *************************************
Friday 06 September 2024  13:39:36 +0200 (0:00:00.313)       0:00:00.455 ******
skipping: [localhost] => (item={'cgroupns_mode': 'host', 'command': '/lib/systemd/systemd', 'image': 'rndmh3ro/docker--ansible:latest', 'name': 'instance', 'pre_build_image': True, 'privileged': True, 'volumes': ['/sys/fs/cgroup:/sys/fs/cgroup:rw']})
skipping: [localhost]

TASK [Synchronization the context] *********************************************
Friday 06 September 2024  13:39:36 +0200 (0:00:00.056)       0:00:00.512 ******
skipping: [localhost] => (item={'cgroupns_mode': 'host', 'command': '/lib/systemd/systemd', 'image': 'rndmh3ro/docker--ansible:latest', 'name': 'instance', 'pre_build_image': True, 'privileged': True, 'volumes': ['/sys/fs/cgroup:/sys/fs/cgroup:rw']})
skipping: [localhost]

TASK [Discover local Docker images] ********************************************
Friday 06 September 2024  13:39:36 +0200 (0:00:00.041)       0:00:00.553 ******
ok: [localhost] => (item={'changed': False, 'skipped': True, 'skip_reason': 'Conditional result was False', 'false_condition': 'not item.pre_build_image | default(false)', 'item': {'cgroupns_mode': 'host', 'command': '/lib/systemd/systemd', 'image': 'rndmh3ro/docker--ansible:latest', 'name': 'instance', 'pre_build_image': True, 'privileged': True, 'volumes': ['/sys/fs/cgroup:/sys/fs/cgroup:rw']}, 'ansible_loop_var': 'item', 'i': 0, 'ansible_index_var': 'i'})

TASK [Create docker network(s)] ************************************************
Friday 06 September 2024  13:39:37 +0200 (0:00:00.579)       0:00:01.133 ******
skipping: [localhost]

TASK [Build an Ansible compatible image (new)] *********************************
Friday 06 September 2024  13:39:37 +0200 (0:00:00.031)       0:00:01.165 ******
skipping: [localhost] => (item=molecule_local/rndmh3ro/docker--ansible:latest)
skipping: [localhost]

TASK [Determine the CMD directives] ********************************************
Friday 06 September 2024  13:39:37 +0200 (0:00:00.038)       0:00:01.203 ******
ok: [localhost] => (item={'cgroupns_mode': 'host', 'command': '/lib/systemd/systemd', 'image': 'rndmh3ro/docker--ansible:latest', 'name': 'instance', 'pre_build_image': True, 'privileged': True, 'volumes': ['/sys/fs/cgroup:/sys/fs/cgroup:rw']})

TASK [Create molecule instance(s)] *********************************************
Friday 06 September 2024  13:39:37 +0200 (0:00:00.056)       0:00:01.260 ******
changed: [localhost] => (item=instance)

TASK [Wait for instance(s) creation to complete] *******************************
Friday 06 September 2024  13:39:38 +0200 (0:00:00.707)       0:00:01.968 ******
failed: [localhost] (item={'failed': 0, 'started': 1, 'finished': 0, 'ansible_job_id': 'j852982516930.5450', 'results_file': '/home/user/.ansible_async/j852982516930.5450', 'changed': True, 'item': {'cgroupns_mode': 'host', 'command': '/lib/systemd/systemd', 'image': 'rndmh3ro/docker--ansible:latest', 'name': 'instance', 'pre_build_image': True, 'privileged': True, 'volumes': ['/sys/fs/cgroup:/sys/fs/cgroup:rw']}, 'ansible_loop_var': 'item'}) => {"ansible_job_id": "j852982516930.5450", "ansible_loop_var": "item", "attempts": 2, "changed": false, "finished": 1, "item": {"ansible_job_id": "j852982516930.5450", "ansible_loop_var": "item", "changed": true, "failed": 0, "finished": 0, "item": {"cgroupns_mode": "host", "command": "/lib/systemd/systemd", "image": "rndmh3ro/docker--ansible:latest", "name": "instance", "pre_build_image": true, "privileged": true, "volumes": ["/sys/fs/cgroup:/sys/fs/cgroup:rw"]}, "results_file": "/home/user/.ansible_async/j852982516930.5450", "started": 1}, "msg": "Error pulling image rndmh3ro/docker--ansible:latest - 404 Client Error for http+docker://localhost/v1.47/images/create?tag=latest&fromImage=rndmh3ro%2Fdocker--ansible: Not Found (\"pull access denied for rndmh3ro/docker--ansible, repository does not exist or may require 'docker login': denied: requested access to the resource is denied\")", "results_file": "/home/user/.ansible_async/j852982516930.5450", "started": 1, "stderr": "", "stderr_lines": [], "stdout": "", "stdout_lines": []}
FAILED - RETRYING: [localhost]: Wait for instance(s) creation to complete (300 retries left).

PLAY RECAP *********************************************************************
localhost                  : ok=5    changed=1    unreachable=0    failed=1    skipped=5    rescued=0    ignored=0

Friday 06 September 2024  13:39:43 +0200 (0:00:05.555)       0:00:07.523 ******
===============================================================================
Wait for instance(s) creation to complete ------------------------------- 5.56s
Create molecule instance(s) --------------------------------------------- 0.71s
Discover local Docker images -------------------------------------------- 0.58s
Check presence of custom Dockerfiles ------------------------------------ 0.31s
Create Dockerfiles from image names ------------------------------------- 0.06s
Determine the CMD directives -------------------------------------------- 0.06s
Log into a Docker registry ---------------------------------------------- 0.05s
Set async_dir for HOME env ---------------------------------------------- 0.05s
Synchronization the context --------------------------------------------- 0.04s
Build an Ansible compatible image (new) --------------------------------- 0.04s
Create docker network(s) ------------------------------------------------ 0.03s
Playbook run took 0 days, 0 hours, 0 minutes, 7 seconds
CRITICAL Ansible return code was 2, command was: ansible-playbook --inventory /home/user/.cache/molecule/ansible-collection-hardening/ssh_hardening/inventory --skip-tags molecule-notest,notest /home/user/.local/pipx/venvs/molecule/lib/python3.11/site-packages/molecule_plugins/docker/playbooks/create.yml

# cat /home/user/.ansible_async/j852982516930.5450
{"failed": true, "msg": "Error pulling image rndmh3ro/docker--ansible:latest - 404 Client Error for http+docker://localhost/v1.47/images/create?tag=latest&fromImage=rndmh3ro%2Fdocker--ansible: Not Found (\"pull access denied for rndmh3ro/docker--ansible, repository does not exist or may require 'docker login': denied: requested access to the resource is denied\")", "invocation": {"module_args": {"name": "instance", "docker_host": "unix://var/run/docker.sock", "tls_verify": false, "hostname": "instance", "image": "rndmh3ro/docker--ansible:latest", "state": "started", "recreate": false, "log_driver": "json-file", "command": "/lib/systemd/systemd", "command_handling": "compatibility", "privileged": true, "volumes": ["/sys/fs/cgroup:/sys/fs/cgroup:rw"], "networks_cli_compatible": true, "labels": {"owner": "molecule"}, "container_default_behavior": "compatibility", "cgroupns_mode": "host", "comparisons": {"platform": "ignore"}, "validate_certs": false, "api_version": "auto", "timeout": 60, "tls": false, "use_ssh_client": false, "debug": false, "cleanup": false, "force_kill": false, "ignore_image": false, "image_comparison": "desired-image", "image_label_mismatch": "ignore", "keep_volumes": true, "output_logs": false, "pull": "missing", "pull_check_mode_behavior": "image_not_present", "purge_networks": false, "restart": false, "healthy_wait_timeout": 300.0, "tls_hostname": null, "ca_path": null, "client_cert": null, "client_key": null, "ssl_version": null, "default_host_ip": null, "image_name_mismatch": null, "kill_signal": null, "paused": false, "removal_wait_timeout": null, "auto_remove": false, "blkio_weight": null, "capabilities": null, "cap_drop": null, "cgroup_parent": null, "cpu_period": null, "cpu_quota": null, "cpuset_cpus": null, "cpuset_mems": null, "cpu_shares": null, "entrypoint": null, "cpus": null, "detach": true, "interactive": false, "devices": null, "device_read_bps": null, "device_write_bps": null, "device_read_iops": null, "device_write_iops": null, "device_requests": null, "device_cgroup_rules": null, "dns_servers": null, "dns_opts": null, "dns_search_domains": null, "domainname": null, "env": null, "env_file": null, "etc_hosts": null, "groups": null, "healthcheck": null, "init": false, "ipc_mode": null, "kernel_memory": null, "links": null, "log_options": null, "mac_address": null, "memory": "0", "memory_reservation": null, "memory_swap": null, "memory_swappiness": null, "stop_timeout": null, "network_mode": null, "networks": null, "oom_killer": null, "oom_score_adj": null, "pid_mode": null, "pids_limit": null, "platform": null, "read_only": false, "restart_policy": null, "restart_retries": null, "runtime": null, "security_opts": null, "shm_size": null, "stop_signal": null, "storage_opts": null, "sysctls": null, "tmpfs": null, "tty": false, "ulimits": null, "user": null, "userns_mode": null, "uts": null, "volume_driver": null, "volumes_from": null, "working_dir": null, "mounts": null, "exposed_ports": null, "publish_all_ports": null, "published_ports": null}}}

# docker pull rndmh3ro/docker--ansible:latest
Error response from daemon: pull access denied for rndmh3ro/docker--ansible, repository does not exist or may require 'docker login': denied: requested access to the resource is denied

Current Behavior

Molecule scenario is no available.

Expected Behavior

Molecule scenario should be utilsable.

OS / Environment

Debian 12

Ansible Version

ansible [core 2.17.1]
  config file = None
  configured module search path = ['/home/user/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/user/.local/pipx/venvs/ansible-core/lib/python3.11/site-packages/ansible
  ansible collection location = /home/user/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/user/.local/bin/ansible
  python version = 3.11.2 (main, Aug 26 2024, 07:20:54) [GCC 12.2.0] (/home/user/.local/pipx/venvs/ansible-core/bin/python)
  jinja version = 3.1.4
  libyaml = True

Collection Version

latest

Additional information

No response

[rndmh3ro]

It's not clear (because we did not document it) but to test locally, you have to set the following env-variable:

MOLECULE_DISTRO: debian12 molecule test -s ssh_hardening

See the supported list here: https://github.com/dev-sec/ansible-collection-hardening/blob/master/.github/workflows/ssh_hardening.yml#L39