ansible: enhance ceos image discovery to detect pre-pulled registry images

[wangxinbot]

Description of PR

Summary:
Enhance ceos image discovery logic so that pre-pulled registry images are detected even when ceos_registry is not defined. This prevents unnecessary local image builds that trigger S360 security alerts.

This is a follow-up improvement to PR #22794 which added registry support for ceos images.

Type of change

• Testbed and Framework(new/improvement)

Back port request

• 202205
• 202305
• 202311
• 202405
• 202411
• 202505
• 202511

Approach

What is the motivation for this PR?

PR #22794 added support for pulling ceos images from a configured registry (ceos_registry). However, when ceos_registry is not defined (e.g. in public code where the registry URL should not be exposed), pre-pulled registry images are not discovered. The code falls through to the download-and-build path, creating a local image that triggers S360 security alerts.

This is problematic for PR testing where ceos images are pre-pulled from a registry during VMSS instance provisioning, but ceos_registry is not defined in public configuration.

How did you do it?

Added a consolidated docker images | grep discovery task that runs when ceos_registry is not defined. The grep matches ceos_image at the end of the image name, so it discovers both:

• Plain local images: ceosimage:4.32.5M-1
• Registry-prefixed images: any-registry/ceosimage:4.32.5M-1

Changes are made in two files:

• ansible/roles/vm_set/tasks/add_ceos_list.yml — controls whether to download/build the image
• ansible/roles/eos/tasks/ceos.yml — sets ceos_effective_image for container creation

When ceos_registry IS defined, the existing explicit registry check is preserved unchanged.

Used {% raw %}...{% endraw %} Jinja2 blocks for Go template syntax in docker format strings, improving readability over the previous {{ '{{' }} escaping.

How did you verify/test it?

Manually tested on testbed with:

1. Pre-pulled registry image present, ceos_registry undefined — image discovered correctly
2. Plain local image present, ceos_registry undefined — image discovered correctly
3. ceos_registry defined — existing behavior preserved

Any platform specific information?

N/A

Supported testbed topology if it's a new test case?

N/A — this is an infrastructure/provisioning change, not a test case.

Documentation

N/A — internal infrastructure improvement.

[mssonicbld]

/azp run

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[StormLiangMS]

Review: Looks good to merge 👍

Summary: Clean solution for detecting pre-pulled registry images when ceos_registry is not defined, preventing unnecessary local builds that trigger S360 alerts.

Positives:

• Well-scoped fix with clear problem statement
• Good defensive coding: ignore_errors, changed_when: no, proper is not skipped + rc == 0 + stdout != '' guards
• {% raw %}...{% endraw %} is much more readable than {{ '{{' }} escaping
• Backward compatible — ceos_registry defined path unchanged
• 3-tier fallback logic in ceos_effective_image is sound

Minor observations (non-blocking):

1. Regex dot in grep: grep -m1 '{{ ceos_image }}$' — the . in version strings like 4.32.5M-1 is a regex wildcard. Extremely low risk in practice, but grep -F would be theoretically safer if an end-anchor isn't needed.
2. -m1 ordering: Multiple matching images return whichever docker images lists first (newest). Acceptable since any match beats none in the ceos_registry is not defined case.
3. Duplicated discovery task across both files follows existing pattern — could be extracted to a shared task file in a future cleanup.