From a3bcd81ccee31e30f8c7af252207365e3ed8c361 Mon Sep 17 00:00:00 2001 From: Samuel Hierholzer Date: Fri, 13 Jan 2023 14:43:44 +0100 Subject: [PATCH 01/36] Add molecule stuff --- .github/workflows/molecule.yml | 32 ++++++++++++++++++++++++++++ molecule/default/converge.yml | 23 ++++++++++++++++++++ molecule/default/molecule.yml | 38 ++++++++++++++++++++++++++++++++++ molecule/default/prepare.yml | 11 ++++++++++ molecule/default/verify.yml | 10 +++++++++ 5 files changed, 114 insertions(+) create mode 100644 .github/workflows/molecule.yml create mode 100644 molecule/default/converge.yml create mode 100644 molecule/default/molecule.yml create mode 100644 molecule/default/prepare.yml create mode 100644 molecule/default/verify.yml diff --git a/.github/workflows/molecule.yml b/.github/workflows/molecule.yml new file mode 100644 index 0000000..8dbcdd8 --- /dev/null +++ b/.github/workflows/molecule.yml @@ -0,0 +1,32 @@ +--- +name: Ansible Molecule + +on: + pull_request: + push: + +jobs: + lint: + runs-on: ubuntu-20.04 + steps: + - name: checkout + uses: actions/checkout@v3 + - name: ansible-lint + uses: ansible-community/ansible-lint-action@main + test: + needs: + - lint + runs-on: ubuntu-20.04 + strategy: + fail-fast: false + steps: + - name: checkout + uses: actions/checkout@v3 + with: + path: "${{ github.repository }}" + - name: disable apparmor for mysql + run: sudo ln -s /etc/apparmor.d/usr.sbin.mysqld /etc/apparmor.d/disable/ + - name: parse apparmor for mysql + run: sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.mysqld + - name: molecule + uses: robertdebock/molecule-action@5.0.0 diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml new file mode 100644 index 0000000..757b824 --- /dev/null +++ b/molecule/default/converge.yml 
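Review bot: The lint job's `uses: ansible-community/ansible-lint-action@main` tracks a mutable branch, so whatever that repository next pushes to `main` runs inside this workflow without any review here; pin it to a release tag, or better a full commit SHA with the version in a trailing comment, and do the same for `robertdebock/molecule-action@5.0.0` since tags can be moved as well. The workflow declares no `permissions:` block, so both jobs receive the default GITHUB_TOKEN scope although nothing visible needs more than a checkout; add `permissions:` / `  contents: read` at the top level. The two AppArmor steps unload the runner's mysqld profile, yet nothing in this hunk uses MySQL; if the role under test does not need it on the host, those steps only weaken the runner and should go, otherwise a one-line comment should say which task needs them.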
@@ -0,0 +1,23 @@ +--- +- name: all tasks + hosts: all + gather_facts: true + vars: + maintenance_exclude_tasks: + - 10-051 # TODO: remove these! + - 10-028 + - 10-032 + - 10-039 + - 10-041 + - 10-042 + tasks: + - name: "Include 10_linux/" + include_role: + name: "maintenance_10_linux/" + register: my_role + ignore_errors: True + + - name: "Output variable" + ansible.builtin.debug: + var: my_role + failed_when: x.rc = 0 diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml new file mode 100644 index 0000000..fedcced --- /dev/null +++ b/molecule/default/molecule.yml @@ -0,0 +1,38 @@ +--- +dependency: + name: galaxy + +driver: + name: docker + +platforms: + - name: debian10 + image: debian:10 + - name: debian11 + image: debian:11 + - name: centos8 + image: quay.io/centos/centos:stream8 + - name: centos9 + image: quay.io/centos/centos:stream9 + +provisioner: + name: ansible + env: + ANSIBLE_ROLES_PATH: "../../roles" + +scenario: + test_sequence: + - dependency + - destroy + - syntax + - create + - prepare + - converge + - prepare + - converge + - idempotence + #- verify # TODO + - destroy + +verifier: + name: ansible diff --git a/molecule/default/prepare.yml b/molecule/default/prepare.yml new file mode 100644 index 0000000..0626aaa --- /dev/null +++ b/molecule/default/prepare.yml @@ -0,0 +1,11 @@ +--- + +- name: Prepare debian vm for tests to succeed + hosts: all + tasks: + - name: Create aliases file + lineinfile: + line: "root: serverlogs@tux42.ch" + dest: /etc/aliases + state: present + create: true diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml new file mode 100644 index 0000000..79044cd --- /dev/null +++ b/molecule/default/verify.yml @@ -0,0 +1,10 @@ +--- +# This is an example playbook to execute Ansible tests. + +- name: Verify + hosts: all + gather_facts: false + tasks: + - name: Example assertion + assert: + that: true From 2f6fa83dcfe439858ef67821fe7f1e666f07abe4 Mon Sep 17 00:00:00 2001 
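Review bot: The final task's `failed_when: x.rc = 0` cannot work as written: `=` is not a comparison in Jinja, `x` is never defined, and as far as I know `register: my_role` on an `include_role` does not yield a result with an `rc` field. Combined with `ignore_errors: true` on the role include, a failing role would not fail converge, which defeats the purpose of the scenario. Drop the `register`/`ignore_errors`/debug scaffolding and let the include fail naturally, or if a check is really wanted, register a command result and write `failed_when: result.rc != 0`.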
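Review bot: The `Create aliases file` task writes `root: serverlogs@tux42.ch` into `/etc/aliases` of every test container, pointing root's mail at what looks like a real external mailbox and baking that address into the repository. A fixture should use a reserved address, e.g. `line: "root: root@example.com"`, with a short comment stating why the alias is needed for the role to converge. The file is created without `mode`/`owner`, so add `mode: "0644"` to keep the result deterministic across base images.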
From: Samuel Hierholzer Date: Fri, 13 Jan 2023 14:51:27 +0100 Subject: [PATCH 02/36] Fix linting errors --- galaxy.yml | 1 + molecule/default/converge.yml | 19 ++++++++++--------- molecule/default/molecule.yml | 2 +- molecule/default/prepare.yml | 2 +- molecule/default/verify.yml | 6 +++--- 5 files changed, 16 insertions(+), 14 deletions(-) diff --git a/galaxy.yml b/galaxy.yml index 748de51..50c4fa6 100644 --- a/galaxy.yml +++ b/galaxy.yml @@ -1,3 +1,4 @@ +--- ### REQUIRED # The namespace of the collection. This can be a company/brand/organization or product namespace under which all # content lives. May only contain alphanumeric lowercase characters and underscores. Namespaces cannot start with diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml index 757b824..fb13d8a 100644 --- a/molecule/default/converge.yml +++ b/molecule/default/converge.yml @@ -1,21 +1,22 @@ --- -- name: all tasks + +- name: All tasks hosts: all gather_facts: true vars: maintenance_exclude_tasks: - - 10-051 # TODO: remove these! - - 10-028 - - 10-032 - - 10-039 - - 10-041 - - 10-042 + - 10-051 # TODO: remove these! + - 10-028 + - 10-032 + - 10-039 + - 10-041 + - 10-042 tasks: - name: "Include 10_linux/" - include_role: + ansible.builtin.include_role: name: "maintenance_10_linux/" register: my_role - ignore_errors: True + ignore_errors: true - name: "Output variable" ansible.builtin.debug: diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml index fedcced..1d3fa84 100644 --- a/molecule/default/molecule.yml +++ b/molecule/default/molecule.yml @@ -31,7 +31,7 @@ scenario: - prepare - converge - idempotence - #- verify # TODO + # - verify # TODO - destroy verifier: diff --git a/molecule/default/prepare.yml b/molecule/default/prepare.yml index 0626aaa..44f7ff1 100644 --- a/molecule/default/prepare.yml +++ b/molecule/default/prepare.yml 
@@ -4,7 +4,7 @@ hosts: all tasks: - name: Create aliases file - lineinfile: + ansible.builtin.lineinfile: line: "root: serverlogs@tux42.ch" dest: /etc/aliases state: present diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml index 79044cd..a5cfa75 100644 --- a/molecule/default/verify.yml +++ b/molecule/default/verify.yml @@ -5,6 +5,6 @@ hosts: all gather_facts: false tasks: - - name: Example assertion - assert: - that: true + - name: Example assertion + ansible.builtin.assert: + that: true From 1bbb914cb7a5a7181255978fdaf149b1aed184a8 Mon Sep 17 00:00:00 2001 From: Samuel Hierholzer Date: Fri, 13 Jan 2023 16:07:32 +0100 Subject: [PATCH 03/36] A lot of changes, run per distribution --- molecule/default/converge.yml | 22 ++++++++++++++-------- molecule/default/molecule.yml | 24 ++++++++++++++++++++++++ molecule/default/verify.yml | 10 ---------- 3 files changed, 38 insertions(+), 18 deletions(-) delete mode 100644 molecule/default/verify.yml diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml index fb13d8a..5f197ed 100644 --- a/molecule/default/converge.yml +++ b/molecule/default/converge.yml @@ -5,20 +5,26 @@ gather_facts: true vars: maintenance_exclude_tasks: - - 10-051 # TODO: remove these! - 10-028 - 10-032 - 10-039 - 10-041 - 10-042 + - 10-051 # TODO: remove these! + tasks: - name: "Include 10_linux/" ansible.builtin.include_role: - name: "maintenance_10_linux/" - register: my_role - ignore_errors: true + name: "maintenance_10_linux" - - name: "Output variable" - ansible.builtin.debug: - var: my_role - failed_when: x.rc = 0 + - name: "Include 11_debian/" + ansible.builtin.include_role: + name: "maintenance_11_debian" + when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu' + + - name: "Include 15_rhel/" + ansible.builtin.include_role: + name: "maintenance_15_rhel" + when: | + ansible_distribution == 'CentOS' or ansible_distribution == 'Red hat Enterprise Linux' + or ansible_distribution == 'SLES' 
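Review bot: The `when:` on `Include 15_rhel/` compares `ansible_distribution` to `'Red hat Enterprise Linux'`, which as far as I know never matches: the gathered value for RHEL is `RedHat`, and the lowercase `hat` would not match the long form either, so a real RHEL host gets no distribution role at all. Comparing on the OS family is more robust and also covers the rebuilds: `when: ansible_facts['os_family'] in ['RedHat', 'Suse']`. This also routes SLES through `maintenance_15_rhel`; if that is intentional, a comment on the task should say so.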
diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml index 1d3fa84..17b5a3b 100644 --- a/molecule/default/molecule.yml +++ b/molecule/default/molecule.yml @@ -8,17 +8,41 @@ driver: platforms: - name: debian10 image: debian:10 + groups: + - debian - name: debian11 image: debian:11 + groups: + - debian - name: centos8 image: quay.io/centos/centos:stream8 + groups: + - centos - name: centos9 image: quay.io/centos/centos:stream9 + groups: + - centos provisioner: name: ansible + inventory: + group_vars: + centos: + ansible_distribution: "CentOS" + debian: + ansible_distribution: "Debian" env: ANSIBLE_ROLES_PATH: "../../roles" + config_options: + defaults: + retry_files_enabled: false + display_skipped_hosts: false + display_ok_hosts: false + callback_whitelist: "adfinis.maintenance.report" + callbacks_enabled: "adfinis.maintenance.report" + duplicate_dict_key: ignore + inject_facts_as_vars: false + scenario: test_sequence: diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml deleted file mode 100644 index a5cfa75..0000000 --- a/molecule/default/verify.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- -# This is an example playbook to execute Ansible tests. - -- name: Verify - hosts: all - gather_facts: false - tasks: - - name: Example assertion - ansible.builtin.assert: - that: true From 865e2fa1c30292f4ef481bb0846e4a83f7b46956 Mon Sep 17 00:00:00 2001 
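Review bot: The new `inventory.group_vars` pin `ansible_distribution` to a constant per group, so the roles' distribution checks are exercised against a value the test supplies rather than the one `setup` gathers, and a regression in the real fact handling would stay invisible. With `inject_facts_as_vars: false` the roles should read `ansible_facts['distribution']` anyway, so drop the overrides and let facts drive the includes. `duplicate_dict_key: ignore` silences duplicate-key warnings in playbook YAML, hiding exactly the copy-paste errors this scenario should catch; leave it at the default or set `duplicate_dict_key: error`, and keep only `callbacks_enabled` since `callback_whitelist` is the deprecated alias of the same setting.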
From: Samuel Hierholzer Date: Fri, 13 Jan 2023 17:27:16 +0100 Subject: [PATCH 04/36] Use full prepare from beat --- molecule/default/molecule.yml | 12 +++++- molecule/default/prepare.yml | 26 +++++++++---- molecule/default/prepare/CentOS7.yml | 37 ++++++++++++++++++ molecule/default/prepare/CentOS8.yml | 22 +++++++++++ molecule/default/prepare/CentOS9.yml | 22 +++++++++++ molecule/default/prepare/Debian10.yml | 40 ++++++++++++++++++++ molecule/default/prepare/Debian11.yml | 40 ++++++++++++++++++++ molecule/default/prepare/openSUSE Leap15.yml | 35 +++++++++++++++++ 8 files changed, 225 insertions(+), 9 deletions(-) create mode 100644 molecule/default/prepare/CentOS7.yml create mode 100644 molecule/default/prepare/CentOS8.yml create mode 100644 molecule/default/prepare/CentOS9.yml create mode 100644 molecule/default/prepare/Debian10.yml create mode 100644 molecule/default/prepare/Debian11.yml create mode 100644 molecule/default/prepare/openSUSE Leap15.yml diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml index 17b5a3b..86634f4 100644 --- a/molecule/default/molecule.yml +++ b/molecule/default/molecule.yml @@ -7,13 +7,17 @@ driver: platforms: - name: debian10 - image: debian:10 + image: debian:buster groups: - debian - name: debian11 - image: debian:11 + image: debian:bullseye groups: - debian + - name: centos7 + image: centos:7 + groups: + - centos - name: centos8 image: quay.io/centos/centos:stream8 groups: @@ -22,6 +26,10 @@ platforms: image: quay.io/centos/centos:stream9 groups: - centos + - name: suse15 + image: registry.opensuse.org/opensuse/leap:15 + groups: + - centos provisioner: name: ansible diff --git a/molecule/default/prepare.yml b/molecule/default/prepare.yml index 44f7ff1..17b71e5 100644 --- a/molecule/default/prepare.yml +++ b/molecule/default/prepare.yml 
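Review bot: The new `suse15` platform is placed in the `centos` group, and that group's `group_vars` from the previous commit set `ansible_distribution: "CentOS"`, so the openSUSE container will be told it is CentOS and the SUSE code paths are never exercised; give it its own `suse` group or, better, remove the fact overrides altogether. All images are referenced by floating tags (`debian:buster`, `centos:7`, `leap:15`), which is acceptable for a compatibility test, but a one-line comment stating that this is deliberate would stop someone from pinning by digest later without understanding the trade-off.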
@@ -1,11 +1,23 @@ --- -- name: Prepare debian vm for tests to succeed +- name: Prepare hosts hosts: all tasks: - - name: Create aliases file - ansible.builtin.lineinfile: - line: "root: serverlogs@tux42.ch" - dest: /etc/aliases - state: present - create: true + - name: Fetch package index + ansible.builtin.raw: apt-get update + when: '"maintain-debian" in inventory_hostname' + + - name: Install python + ansible.builtin.raw: apt-get install -y python3 + when: '"maintain-debian" in inventory_hostname' + + - name: Install python + ansible.builtin.raw: zypper install -y python3 + when: '"maintain-suse" in inventory_hostname' + + - name: Gather facts + ansible.builtin.setup: + + - name: Prepare container + ansible.builtin.include_tasks: + file: "prepare/{{ ansible_facts.distribution }}{{ ansible_facts.distribution_major_version }}.yml" diff --git a/molecule/default/prepare/CentOS7.yml b/molecule/default/prepare/CentOS7.yml new file mode 100644 index 0000000..4ee76d5 --- /dev/null +++ b/molecule/default/prepare/CentOS7.yml @@ -0,0 +1,37 @@ +--- +- name: Install packages + ansible.builtin.yum: + name: + - selinux-policy + - libselinux-python + - libselinux-python3 + - openssh-server + - audit + - sysvinit-tools + state: installed + +# EL7 delivers Ansible 2.9 throuh EPEL which is too old for +# ansible-collection-maintenance +# To keep effort low, we take the package through pip + +- name: Upgrade pip + ansible.builtin.command: + cmd: "pip3 install --upgrade pip" + creates: /usr/local/lib/python3.6/site-packages/pip + environment: + - LANG: en_US.UTF-8 + - LC_ALL: en_US.UTF-8 + +- name: Install Ansible + ansible.builtin.command: + cmd: "pip3 install ansible" + creates: /usr/local/bin/ansible + environment: + - LANG: en_US.UTF-8 + - LC_ALL: en_US.UTF-8 + +- name: Create SSH keys + ansible.builtin.command: + cmd: "ssh-keygen -A" + creates: /etc/ssh/ssh_host_rsa_key + 
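Review bot: The `Upgrade pip` and `Install Ansible` tasks run `pip3 install` without a version pin, so each CI run installs whatever is newest on PyPI at that moment, and the `Install packages` list above does not include `python3`/`python3-pip`, so on a stock `centos:7` image `pip3` probably does not exist when the task runs. Add `python3-pip` to the yum list and pin the install, e.g. `cmd: "pip3 install 'ansible==<known-good>'"`. The `environment:` block is a list of single-key mappings; it works, but a plain mapping (`LANG: en_US.UTF-8` / `LC_ALL: en_US.UTF-8`) is the conventional form.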
diff --git a/molecule/default/prepare/CentOS8.yml b/molecule/default/prepare/CentOS8.yml new file mode 100644 index 0000000..6852d3d --- /dev/null +++ b/molecule/default/prepare/CentOS8.yml @@ -0,0 +1,22 @@ +--- +- name: Install packages + ansible.builtin.yum: + name: + - ansible-core + - selinux-policy + - python3-libselinux + - hostname + - openssh-server + - audit + state: installed + +- name: Create SSH keys + ansible.builtin.command: + cmd: "ssh-keygen -A" + creates: /etc/ssh/ssh_host_rsa_key + +- name: Create wtmp + ansible.builtin.file: + path: /var/log/wtmp + state: file + diff --git a/molecule/default/prepare/CentOS9.yml b/molecule/default/prepare/CentOS9.yml new file mode 100644 index 0000000..6852d3d --- /dev/null +++ b/molecule/default/prepare/CentOS9.yml @@ -0,0 +1,22 @@ +--- +- name: Install packages + ansible.builtin.yum: + name: + - ansible-core + - selinux-policy + - python3-libselinux + - hostname + - openssh-server + - audit + state: installed + +- name: Create SSH keys + ansible.builtin.command: + cmd: "ssh-keygen -A" + creates: /etc/ssh/ssh_host_rsa_key + +- name: Create wtmp + ansible.builtin.file: + path: /var/log/wtmp + state: file + diff --git a/molecule/default/prepare/Debian10.yml b/molecule/default/prepare/Debian10.yml new file mode 100644 index 0000000..cdb656e --- /dev/null +++ b/molecule/default/prepare/Debian10.yml 
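Review bot: The `Create wtmp` task uses `ansible.builtin.file` with `state: file`, which as documented creates nothing and fails if `/var/log/wtmp` is missing, so the task does not do what its name says. To create the file idempotently use `state: touch` together with `access_time: preserve` and `modification_time: preserve` (otherwise every run reports changed and the idempotence step fails), and set an explicit `mode: "0664"` matching what the base system typically uses. CentOS8.yml and CentOS9.yml are byte-identical (same blob `6852d3d`); a single EL prepare file keyed on `os_family` would keep them from drifting.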
@@ -0,0 +1,40 @@ +--- +- name: Install packages + ansible.builtin.apt: + name: + - python3-pip + - python3-apt + - openssh-server + state: present + update_cache: true + +# Buster delivers Ansible 2.7 which is too old for +# ansible-collection-maintenance +# To keep effort low, we take the package through pip + +- name: Upgrade pip + ansible.builtin.command: + cmd: "pip3 install --upgrade pip" + creates: /usr/local/bin/pip3 + +- name: Install Ansible + ansible.builtin.command: + cmd: "pip3 install ansible" + creates: /usr/local/bin/ansible + +- name: SSH working directory + ansible.builtin.file: + path: /run/sshd + state: directory + mode: 0755 + owner: root + group: root + +- name: Security repo + ansible.builtin.copy: + src: buster/etc/apt/sources.list.d/security_debian_org_debian_security.list + dest: /etc/apt/sources.list.d/security_debian_org_debian_security.list + mode: "0755" + owner: root + group: root + diff --git a/molecule/default/prepare/Debian11.yml b/molecule/default/prepare/Debian11.yml new file mode 100644 index 0000000..f6a0bad --- /dev/null +++ b/molecule/default/prepare/Debian11.yml 
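Review bot: The `Security repo` task installs an apt sources fragment with `mode: "0755"`; a sources.list file is plain configuration and should not be executable, so use `mode: "0644"`. It also copies `src: buster/etc/apt/sources.list.d/...` from the playbook's files directory, and I do not see that file added anywhere in this series, so the prepare step will fail on a clean checkout unless it exists elsewhere. The `pip3 install ansible` above is unpinned; pin it (`ansible==<known-good>`) so CI does not silently pick up a new major version.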
@@ -0,0 +1,40 @@ +--- +- name: Install packages + ansible.builtin.apt: + name: + - python3-pip + - python3-apt + - openssh-server + state: present + update_cache: true + +# Bullseye delivers Ansible 2.10 which is too old for +# ansible-collection-maintenance +# To keep effort low, we take the package through pip + +- name: Upgrade pip + ansible.builtin.command: + cmd: "pip3 install --upgrade pip" + creates: /usr/local/bin/pip + +- name: Install Ansible + ansible.builtin.command: + cmd: "pip install ansible" + creates: /usr/local/bin/ansible + +- name: SSH working directory + ansible.builtin.file: + path: /run/sshd + state: directory + mode: 0755 + owner: root + group: root + +- name: Security repo + ansible.builtin.copy: + src: bullseye/etc/apt/sources.list.d/security_debian_org_debian_security.list + dest: /etc/apt/sources.list.d/security_debian_org_debian_security.list + mode: "0755" + owner: root + group: root + diff --git a/molecule/default/prepare/openSUSE Leap15.yml b/molecule/default/prepare/openSUSE Leap15.yml new file mode 100644 index 0000000..5b3f83a --- /dev/null +++ b/molecule/default/prepare/openSUSE Leap15.yml @@ -0,0 +1,35 @@ +--- +- name: Install packages + community.general.zypper: + name: + - python3-pip + - python3-rpm + - hostname + - openssh-server + state: installed + disable_gpg_check: true + +# SUSE 12 delivers Ansible 2.9 which is too old for +# ansible-collection-maintenance +# To keep effort low, we take the package through pip + +- name: Upgrade pip + ansible.builtin.command: + cmd: "pip3 install --upgrade pip" + creates: /usr/bin/pip3.6 + +- name: Install Ansible + ansible.builtin.command: + cmd: "pip3.6 install ansible" + creates: /usr/bin/ansible + +- name: Create wtmp + ansible.builtin.file: + path: /var/log/wtmp + type: file + state: present + +- name: Create SSH keys + ansible.builtin.command: + cmd: "ssh-keygen -A" + creates: /etc/ssh/ssh_host_rsa_key From 0cd36cfddba559db8fca5be91eaaa1eb4f5d68f5 Mon Sep 17 00:00:00 2001 
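Review bot: The zypper task sets `disable_gpg_check: true`, which turns off package signature verification for everything installed into the openSUSE container; remove it, and if a repository key is genuinely missing, import that key in a preceding task so the trust decision is explicit and visible. The `Create wtmp` task passes `type: file` and `state: present`, and as far as I know `ansible.builtin.file` accepts neither (`type` is not a parameter and `present` is not a file state), so the task errors before the SSH host keys are generated; use `state: touch` with `access_time: preserve` and `modification_time: preserve`. The comment says "SUSE 12" while the file is for Leap 15, and the `pip3.6 install ansible` it justifies is unpinned.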
From: Samuel Hierholzer Date: Mon, 16 Jan 2023 10:54:57 +0100 Subject: [PATCH 05/36] Molecule ran per image --- .github/workflows/molecule.yml | 28 ++++++++++++++++++++++++++++ molecule/default/molecule.yml | 33 ++------------------------------- 2 files changed, 30 insertions(+), 31 deletions(-) diff --git a/.github/workflows/molecule.yml b/.github/workflows/molecule.yml index 8dbcdd8..3ff3a4e 100644 --- a/.github/workflows/molecule.yml +++ b/.github/workflows/molecule.yml @@ -18,6 +18,29 @@ jobs: - lint runs-on: ubuntu-20.04 strategy: + matrix: + config: + - name: "maintain-debian" + image: "debian" + tag: "bullseye" + - name: "maintain-debian" + image: "debian" + tag: "buster" + - name: "maintain-rhel" + image: "centos" + tag: "7" + - name: "maintain-rhel" + image: "centos" + namespace: "quay.io/centos/" + tag: "stream8" + - name: "maintain-rhel" + image: "centos" + namespace: "quay.io/centos/" + tag: "stream9" + - name: "maintain-suse" + image: "leap" + namespace: "registry.opensuse.org/opensuse/" + tag: "15" fail-fast: false steps: - name: checkout @@ -30,3 +53,8 @@ jobs: run: sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.mysqld - name: molecule uses: robertdebock/molecule-action@5.0.0 + with: + name: ${{ matrix.config.name }} + image: ${{ matrix.config.image }} + tag: ${{ matrix.config.tag }} + namespace: ${{ matrix.config.namespace }} diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml index 86634f4..4c283f2 100644 --- a/molecule/default/molecule.yml +++ b/molecule/default/molecule.yml 
@@ -6,39 +6,11 @@ driver: name: docker platforms: - - name: debian10 - image: debian:buster - groups: - - debian - - name: debian11 - image: debian:bullseye - groups: - - debian - - name: centos7 - image: centos:7 - groups: - - centos - - name: centos8 - image: quay.io/centos/centos:stream8 - groups: - - centos - - name: centos9 - image: quay.io/centos/centos:stream9 - groups: - - centos - - name: suse15 - image: registry.opensuse.org/opensuse/leap:15 - groups: - - centos + - name: "${name}-${image:-debian10}-${tag:-latest}" + image: "${namespace}${image}:${tag:-latest}" provisioner: name: ansible - inventory: - group_vars: - centos: - ansible_distribution: "CentOS" - debian: - ansible_distribution: "Debian" env: ANSIBLE_ROLES_PATH: "../../roles" config_options: @@ -46,7 +18,6 @@ provisioner: retry_files_enabled: false display_skipped_hosts: false display_ok_hosts: false - callback_whitelist: "adfinis.maintenance.report" callbacks_enabled: "adfinis.maintenance.report" duplicate_dict_key: ignore inject_facts_as_vars: false From 4b7ac8867d41292f3dd5fefc2dddda73041f7fd5 Mon Sep 17 00:00:00 2001 From: Samuel Hierholzer Date: Mon, 16 Jan 2023 10:57:21 +0100 Subject: [PATCH 06/36] github workflow: Don't run molecule twice --- .github/workflows/molecule.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/molecule.yml b/.github/workflows/molecule.yml index 3ff3a4e..76dd01b 100644 --- a/.github/workflows/molecule.yml +++ b/.github/workflows/molecule.yml @@ -3,7 +3,6 @@ name: Ansible Molecule on: pull_request: - push: jobs: lint: From 0bca99f05ccb093285ac5cefc2a4cf064fc135ce Mon Sep 17 00:00:00 2001 
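Review bot: Dropping the `push:` trigger means the workflow now runs only on pull requests, so a direct push to the default branch, including a PR merge whose base moved after the last run, is never tested. Rather than remove `push:` entirely, restrict it: `push:` / `  branches: [main]` next to `pull_request:`, which still avoids the double run on PR branches that the commit message is after.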
From: Samuel Hierholzer Date: Mon, 16 Jan 2023 10:59:11 +0100 Subject: [PATCH 07/36] ansible-lint remove overfluous nl --- molecule/default/prepare/CentOS7.yml | 1 - molecule/default/prepare/CentOS8.yml | 1 - molecule/default/prepare/CentOS9.yml | 1 - molecule/default/prepare/Debian10.yml | 1 - molecule/default/prepare/Debian11.yml | 1 - 5 files changed, 5 deletions(-) diff --git a/molecule/default/prepare/CentOS7.yml b/molecule/default/prepare/CentOS7.yml index 4ee76d5..c7546e3 100644 --- a/molecule/default/prepare/CentOS7.yml +++ b/molecule/default/prepare/CentOS7.yml @@ -34,4 +34,3 @@ ansible.builtin.command: cmd: "ssh-keygen -A" creates: /etc/ssh/ssh_host_rsa_key - diff --git a/molecule/default/prepare/CentOS8.yml b/molecule/default/prepare/CentOS8.yml index 6852d3d..008f416 100644 --- a/molecule/default/prepare/CentOS8.yml +++ b/molecule/default/prepare/CentOS8.yml @@ -19,4 +19,3 @@ ansible.builtin.file: path: /var/log/wtmp state: file - diff --git a/molecule/default/prepare/CentOS9.yml b/molecule/default/prepare/CentOS9.yml index 6852d3d..008f416 100644 --- a/molecule/default/prepare/CentOS9.yml +++ b/molecule/default/prepare/CentOS9.yml @@ -19,4 +19,3 @@ ansible.builtin.file: path: /var/log/wtmp state: file - diff --git a/molecule/default/prepare/Debian10.yml b/molecule/default/prepare/Debian10.yml index cdb656e..df38b23 100644 --- a/molecule/default/prepare/Debian10.yml +++ b/molecule/default/prepare/Debian10.yml @@ -37,4 +37,3 @@ mode: "0755" owner: root group: root - diff --git a/molecule/default/prepare/Debian11.yml b/molecule/default/prepare/Debian11.yml index f6a0bad..078b171 100644 --- a/molecule/default/prepare/Debian11.yml +++ b/molecule/default/prepare/Debian11.yml @@ -37,4 +37,3 @@ mode: "0755" owner: root group: root - From 3fd9e0c0138563f5eff9207ef169541b1e7d091d Mon Sep 17 00:00:00 2001 
From: Samuel Hierholzer Date: Mon, 16 Jan 2023 11:26:48 +0100 Subject: [PATCH 08/36] molecule: Use hostname-prefix for playbook selection --- .github/workflows/molecule.yml | 12 ++++++------ molecule/default/converge.yml | 6 ++---- molecule/default/molecule.yml | 4 +--- 3 files changed, 9 insertions(+), 13 deletions(-) diff --git a/.github/workflows/molecule.yml b/.github/workflows/molecule.yml index 76dd01b..3dd3403 100644 --- a/.github/workflows/molecule.yml +++ b/.github/workflows/molecule.yml @@ -19,24 +19,24 @@ jobs: strategy: matrix: config: - - name: "maintain-debian" + - host-prefix: "maintain-debian" image: "debian" tag: "bullseye" - - name: "maintain-debian" + - host-prefix: "maintain-debian" image: "debian" tag: "buster" - - name: "maintain-rhel" + - host-prefix: "maintain-rhel" image: "centos" tag: "7" - - name: "maintain-rhel" + - host-prefix: "maintain-rhel" image: "centos" namespace: "quay.io/centos/" tag: "stream8" - - name: "maintain-rhel" + - host-prefix: "maintain-rhel" image: "centos" namespace: "quay.io/centos/" tag: "stream9" - - name: "maintain-suse" + - host-prefix: "maintain-suse" image: "leap" namespace: "registry.opensuse.org/opensuse/" tag: "15" diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml index 5f197ed..1ad1df7 100644 --- a/molecule/default/converge.yml +++ b/molecule/default/converge.yml @@ -20,11 +20,9 @@ - name: "Include 11_debian/" ansible.builtin.include_role: name: "maintenance_11_debian" - when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu' + when: '"maintain-debian" in inventory_hostname' - name: "Include 15_rhel/" ansible.builtin.include_role: name: "maintenance_15_rhel" - when: | - ansible_distribution == 'CentOS' or ansible_distribution == 'Red hat Enterprise Linux' - or ansible_distribution == 'SLES' + when: '"maintain-rhel" in inventory_hostname or "maintain-suse" in inventory_hostname' 
diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml index 4c283f2..50de6ac 100644 --- a/molecule/default/molecule.yml +++ b/molecule/default/molecule.yml @@ -6,7 +6,7 @@ driver: name: docker platforms: - - name: "${name}-${image:-debian10}-${tag:-latest}" + - name: "${host-prefix}-${image:-debian10}-${tag:-latest}" image: "${namespace}${image}:${tag:-latest}" provisioner: @@ -16,8 +16,6 @@ provisioner: config_options: defaults: retry_files_enabled: false - display_skipped_hosts: false - display_ok_hosts: false callbacks_enabled: "adfinis.maintenance.report" duplicate_dict_key: ignore inject_facts_as_vars: false From 18d34ef8e6e58096e80dd6c7ff2e31dcb02410fa Mon Sep 17 00:00:00 2001 From: Samuel Hierholzer Date: Mon, 16 Jan 2023 11:27:51 +0100 Subject: [PATCH 09/36] Molecule: Remove ansible install in prepare This is only required for the ansible-local, where I took it --- molecule/default/prepare/CentOS7.yml | 18 ------------------ molecule/default/prepare/CentOS8.yml | 2 -- molecule/default/prepare/CentOS9.yml | 2 -- molecule/default/prepare/Debian10.yml | 16 ---------------- molecule/default/prepare/Debian11.yml | 16 ---------------- 5 files changed, 54 deletions(-) diff --git a/molecule/default/prepare/CentOS7.yml b/molecule/default/prepare/CentOS7.yml index c7546e3..6672ffc 100644 --- a/molecule/default/prepare/CentOS7.yml +++ b/molecule/default/prepare/CentOS7.yml @@ -3,8 +3,6 @@ ansible.builtin.yum: name: - selinux-policy - - libselinux-python - - libselinux-python3 - openssh-server - audit - sysvinit-tools 
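Review bot: The platform name now reads `${host-prefix}`, but a hyphen is not a valid environment-variable character, and in the `${VAR-default}` form molecule's interpolation understands this most likely resolves to "`$host`, or the literal `prefix` if unset" rather than to the matrix value. The converge play in the previous hunk selects roles with `"maintain-debian" in inventory_hostname`, so with the prefix missing from the host name none of those conditions match and no distribution role runs at all. Rename the matrix key and the reference to `host_prefix` (underscore) on both sides.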
@@ -14,22 +12,6 @@ # ansible-collection-maintenance # To keep effort low, we take the package through pip -- name: Upgrade pip - ansible.builtin.command: - cmd: "pip3 install --upgrade pip" - creates: /usr/local/lib/python3.6/site-packages/pip - environment: - - LANG: en_US.UTF-8 - - LC_ALL: en_US.UTF-8 - -- name: Install Ansible - ansible.builtin.command: - cmd: "pip3 install ansible" - creates: /usr/local/bin/ansible - environment: - - LANG: en_US.UTF-8 - - LC_ALL: en_US.UTF-8 - - name: Create SSH keys ansible.builtin.command: cmd: "ssh-keygen -A" diff --git a/molecule/default/prepare/CentOS8.yml b/molecule/default/prepare/CentOS8.yml index 008f416..f672e5d 100644 --- a/molecule/default/prepare/CentOS8.yml +++ b/molecule/default/prepare/CentOS8.yml @@ -2,9 +2,7 @@ - name: Install packages ansible.builtin.yum: name: - - ansible-core - selinux-policy - - python3-libselinux - hostname - openssh-server - audit diff --git a/molecule/default/prepare/CentOS9.yml b/molecule/default/prepare/CentOS9.yml index 008f416..f672e5d 100644 --- a/molecule/default/prepare/CentOS9.yml +++ b/molecule/default/prepare/CentOS9.yml @@ -2,9 +2,7 @@ - name: Install packages ansible.builtin.yum: name: - - ansible-core - selinux-policy - - python3-libselinux - hostname - openssh-server - audit diff --git a/molecule/default/prepare/Debian10.yml b/molecule/default/prepare/Debian10.yml index df38b23..2dcdae5 100644 --- a/molecule/default/prepare/Debian10.yml +++ b/molecule/default/prepare/Debian10.yml 
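Review bot: The hunk removes the pip-based `Upgrade pip` / `Install Ansible` tasks but keeps the three comment lines just above them ("EL7 delivers Ansible 2.9 throuh EPEL ... we take the package through pip"), which now describe code that no longer exists. Remove those lines, or replace them with a single comment saying why Ansible is not installed in the container (per the commit message it is only needed for a local-connection scenario).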
@@ -2,26 +2,10 @@ - name: Install packages ansible.builtin.apt: name: - - python3-pip - - python3-apt - openssh-server state: present update_cache: true -# Buster delivers Ansible 2.7 which is too old for -# ansible-collection-maintenance -# To keep effort low, we take the package through pip - -- name: Upgrade pip - ansible.builtin.command: - cmd: "pip3 install --upgrade pip" - creates: /usr/local/bin/pip3 - -- name: Install Ansible - ansible.builtin.command: - cmd: "pip3 install ansible" - creates: /usr/local/bin/ansible - - name: SSH working directory ansible.builtin.file: path: /run/sshd diff --git a/molecule/default/prepare/Debian11.yml b/molecule/default/prepare/Debian11.yml index 078b171..8957910 100644 --- a/molecule/default/prepare/Debian11.yml +++ b/molecule/default/prepare/Debian11.yml @@ -2,26 +2,10 @@ - name: Install packages ansible.builtin.apt: name: - - python3-pip - - python3-apt - openssh-server state: present update_cache: true -# Bullseye delivers Ansible 2.10 which is too old for -# ansible-collection-maintenance -# To keep effort low, we take the package through pip - -- name: Upgrade pip - ansible.builtin.command: - cmd: "pip3 install --upgrade pip" - creates: /usr/local/bin/pip - -- name: Install Ansible - ansible.builtin.command: - cmd: "pip install ansible" - creates: /usr/local/bin/ansible - - name: SSH working directory ansible.builtin.file: path: /run/sshd From a908414ef5a34b70da7f0b47bd4a10ff950e2a50 Mon Sep 17 00:00:00 2001 From: Samuel Hierholzer Date: Mon, 16 Jan 2023 11:37:37 +0100 Subject: [PATCH 10/36] Remove more unnecessary preparation and fix Debian prep file --- molecule/default/prepare.yml | 12 ------------ molecule/default/prepare/Debian10.yml | 3 ++- molecule/default/prepare/Debian11.yml | 3 ++- 3 files changed, 4 insertions(+), 14 deletions(-) diff --git a/molecule/default/prepare.yml b/molecule/default/prepare.yml index 17b71e5..6f1cbb8 100644 --- a/molecule/default/prepare.yml +++ b/molecule/default/prepare.yml 
@@ -3,18 +3,6 @@ - name: Prepare hosts hosts: all tasks: - - name: Fetch package index - ansible.builtin.raw: apt-get update - when: '"maintain-debian" in inventory_hostname' - - - name: Install python - ansible.builtin.raw: apt-get install -y python3 - when: '"maintain-debian" in inventory_hostname' - - - name: Install python - ansible.builtin.raw: zypper install -y python3 - when: '"maintain-suse" in inventory_hostname' - - name: Gather facts ansible.builtin.setup: diff --git a/molecule/default/prepare/Debian10.yml b/molecule/default/prepare/Debian10.yml index 2dcdae5..94e60cb 100644 --- a/molecule/default/prepare/Debian10.yml +++ b/molecule/default/prepare/Debian10.yml @@ -16,7 +16,8 @@ - name: Security repo ansible.builtin.copy: - src: buster/etc/apt/sources.list.d/security_debian_org_debian_security.list + content: | + deb http://security.debian.org/debian-security buster/updates main dest: /etc/apt/sources.list.d/security_debian_org_debian_security.list mode: "0755" owner: root diff --git a/molecule/default/prepare/Debian11.yml b/molecule/default/prepare/Debian11.yml index 8957910..5e7596b 100644 --- a/molecule/default/prepare/Debian11.yml +++ b/molecule/default/prepare/Debian11.yml @@ -16,7 +16,8 @@ - name: Security repo ansible.builtin.copy: - src: bullseye/etc/apt/sources.list.d/security_debian_org_debian_security.list + content: | + deb http://security.debian.org/debian-security bullseye-security main dest: /etc/apt/sources.list.d/security_debian_org_debian_security.list mode: "0755" owner: root From ac2a49f22a94dcf88cfccb7c91434eb7a78119ab Mon Sep 17 00:00:00 2001 
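Review bot: Both `Security repo` tasks still write the generated sources list with `mode: "0755"`; an apt configuration fragment should not carry an execute bit, so change it to `mode: "0644"` in Debian10.yml and Debian11.yml. Switching from the missing `src:` file to inline `content:` is the right fix; add a one-line comment stating why the test container needs the security suite so the next reader does not remove it. The suite names (`buster/updates` vs `bullseye-security`) are correct for the respective releases.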
From: Samuel Hierholzer Date: Mon, 16 Jan 2023 14:25:08 +0100 Subject: [PATCH 11/36] Molecule: Various small fixes --- .github/workflows/molecule.yml | 12 ++++++------ molecule/default/converge.yml | 20 ++++++++++++-------- molecule/default/molecule.yml | 6 ++---- molecule/default/prepare/CentOS9.yml | 1 + molecule/default/prepare/Debian10.yml | 1 + molecule/default/prepare/Debian11.yml | 1 + 6 files changed, 23 insertions(+), 18 deletions(-) diff --git a/.github/workflows/molecule.yml b/.github/workflows/molecule.yml index 3dd3403..353e8ed 100644 --- a/.github/workflows/molecule.yml +++ b/.github/workflows/molecule.yml @@ -19,24 +19,24 @@ jobs: strategy: matrix: config: - - host-prefix: "maintain-debian" + - host_prefix: "maintain-debian" image: "debian" tag: "bullseye" - - host-prefix: "maintain-debian" + - host_prefix: "maintain-debian" image: "debian" tag: "buster" - - host-prefix: "maintain-rhel" + - host_prefix: "maintain-rhel" image: "centos" tag: "7" - - host-prefix: "maintain-rhel" + - host_prefix: "maintain-rhel" image: "centos" namespace: "quay.io/centos/" tag: "stream8" - - host-prefix: "maintain-rhel" + - host_prefix: "maintain-rhel" image: "centos" namespace: "quay.io/centos/" tag: "stream9" - - host-prefix: "maintain-suse" + - host_prefix: "maintain-suse" image: "leap" namespace: "registry.opensuse.org/opensuse/" tag: "15" diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml index 1ad1df7..4163d06 100644 --- a/molecule/default/converge.yml +++ b/molecule/default/converge.yml @@ -5,12 +5,12 @@ gather_facts: true vars: maintenance_exclude_tasks: - - 10-028 - - 10-032 - - 10-039 - - 10-041 - - 10-042 - - 10-051 # TODO: remove these! + - 11-020 # Initramfs update + - 10-028 # Hard depends on systemd -> Doesn't work yet with centos + # - 10-039 + # - 10-041 + # - 10-042 + # - 10-051 # TODO: remove these! tasks: - name: "Include 10_linux/" 
@@ -20,9 +20,13 @@ - name: "Include 11_debian/" ansible.builtin.include_role: name: "maintenance_11_debian" - when: '"maintain-debian" in inventory_hostname' + when: ansible_facts['os_family'] == "Debian" + + - name: "Print os Family" + ansible.builtin.debug: + var: ansible_facts['os_family'] - name: "Include 15_rhel/" ansible.builtin.include_role: name: "maintenance_15_rhel" - when: '"maintain-rhel" in inventory_hostname or "maintain-suse" in inventory_hostname' + when: ansible_facts['os_family'] == "RedHat" or ansible_facts['os_family'] == "Suse" diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml index 50de6ac..5d024d7 100644 --- a/molecule/default/molecule.yml +++ b/molecule/default/molecule.yml @@ -6,7 +6,7 @@ driver: name: docker platforms: - - name: "${host-prefix}-${image:-debian10}-${tag:-latest}" + - name: "${host_prefix}-${image:-debian10}-${tag:-latest}" image: "${namespace}${image}:${tag:-latest}" provisioner: @@ -29,10 +29,8 @@ scenario: - create - prepare - converge - - prepare - - converge + # TODO: - side-effects - idempotence - # - verify # TODO - destroy verifier: diff --git a/molecule/default/prepare/CentOS9.yml b/molecule/default/prepare/CentOS9.yml index f672e5d..0c09ed4 100644 --- a/molecule/default/prepare/CentOS9.yml +++ b/molecule/default/prepare/CentOS9.yml @@ -6,6 +6,7 @@ - hostname - openssh-server - audit + - postfix state: installed - name: Create SSH keys diff --git a/molecule/default/prepare/Debian10.yml b/molecule/default/prepare/Debian10.yml index 94e60cb..24c8c7f 100644 --- a/molecule/default/prepare/Debian10.yml +++ b/molecule/default/prepare/Debian10.yml @@ -3,6 +3,7 @@ ansible.builtin.apt: name: - openssh-server + - postfix state: present update_cache: true diff --git a/molecule/default/prepare/Debian11.yml b/molecule/default/prepare/Debian11.yml index 5e7596b..6609756 100644 --- a/molecule/default/prepare/Debian11.yml +++ b/molecule/default/prepare/Debian11.yml 
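Review bot: The new `Print os Family` debug task between the two include_role tasks reads as a leftover diagnostic rather than part of the scenario; if it is meant to stay, a comment such as `# shows which os_family branch the includes around it selected` would make that explicit, otherwise it should be dropped. Switching the conditions from inventory_hostname to `ansible_facts['os_family']` depends on `gather_facts: true` at the top of this play, which is visible in the earlier converge.yml hunk but outside this one. The play's remaining tasks continue outside the hunk.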
@@ -3,6 +3,7 @@ ansible.builtin.apt: name: - openssh-server + - postfix state: present update_cache: true From 5fd67915e1f164902bf525e0ecb724059ca28067 Mon Sep 17 00:00:00 2001 From: Samuel Hierholzer Date: Wed, 18 Jan 2023 06:37:30 +0000 Subject: [PATCH 12/36] remove linting from molecule and install rsync --- .github/workflows/molecule.yml | 15 ++------------- 1 file changed, 2 insertions(+), 13 deletions(-) diff --git a/.github/workflows/molecule.yml b/.github/workflows/molecule.yml index 353e8ed..0c9f0ef 100644 --- a/.github/workflows/molecule.yml +++ b/.github/workflows/molecule.yml @@ -5,16 +5,7 @@ on: pull_request: jobs: - lint: - runs-on: ubuntu-20.04 - steps: - - name: checkout - uses: actions/checkout@v3 - - name: ansible-lint - uses: ansible-community/ansible-lint-action@main test: - needs: - - lint runs-on: ubuntu-20.04 strategy: matrix: @@ -46,10 +37,8 @@ jobs: uses: actions/checkout@v3 with: path: "${{ github.repository }}" - - name: disable apparmor for mysql - run: sudo ln -s /etc/apparmor.d/usr.sbin.mysqld /etc/apparmor.d/disable/ - - name: parse apparmor for mysql - run: sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.mysqld + - name: Install rsync + run: apt update && apt -y install rsync - name: molecule uses: robertdebock/molecule-action@5.0.0 with: From ffa43c81730772b44b326cec9500b99318ccedcf Mon Sep 17 00:00:00 2001 From: Samuel Hierholzer Date: Wed, 18 Jan 2023 06:39:39 +0000 Subject: [PATCH 13/36] Molecule worflow: install rsync with sudo --- .github/workflows/molecule.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/molecule.yml b/.github/workflows/molecule.yml index 0c9f0ef..3852fd2 100644 --- a/.github/workflows/molecule.yml +++ b/.github/workflows/molecule.yml 
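Review bot: With the lint job removed, `uses: robertdebock/molecule-action@5.0.0` (context just below the new rsync step) is the only third-party step left in the job and is still referenced by a mutable tag; pinning it to the action's full commit SHA with the tag in a trailing comment keeps a moved tag from silently changing what runs in CI, and the same applies to `actions/checkout@v3`. The new `Install rsync` step runs `apt` without `sudo`, which the next commit in this series addresses, so I am not repeating that here. The rest of the `test` job lies outside the hunk.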
@@ -38,7 +38,7 @@ jobs: with: path: "${{ github.repository }}" - name: Install rsync - run: apt update && apt -y install rsync + run: sudo apt update && sudo apt -y install rsync - name: molecule uses: robertdebock/molecule-action@5.0.0 with: From d8c631209d7b3d643a5becdedd607e623fd9dbdd Mon Sep 17 00:00:00 2001 From: Samuel Hierholzer Date: Wed, 18 Jan 2023 06:45:41 +0000 Subject: [PATCH 14/36] Molecule: Fix variable namings --- .github/workflows/molecule.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/molecule.yml b/.github/workflows/molecule.yml index 3852fd2..0cd45b4 100644 --- a/.github/workflows/molecule.yml +++ b/.github/workflows/molecule.yml @@ -42,7 +42,7 @@ jobs: - name: molecule uses: robertdebock/molecule-action@5.0.0 with: - name: ${{ matrix.config.name }} + host_prefix: ${{ matrix.config.host_prefix }} image: ${{ matrix.config.image }} tag: ${{ matrix.config.tag }} namespace: ${{ matrix.config.namespace }} From cab7df3dc50fd099217c1e534a0d1a3be0277dd9 Mon Sep 17 00:00:00 2001 From: Samuel Hierholzer Date: Wed, 18 Jan 2023 06:59:01 +0000 Subject: [PATCH 15/36] Molecule: no hos_prefix and use privileged mode --- .github/workflows/molecule.yml | 19 ++++++------------- molecule/default/molecule.yml | 6 ++++-- 2 files changed, 10 insertions(+), 15 deletions(-) diff --git a/.github/workflows/molecule.yml b/.github/workflows/molecule.yml index 0cd45b4..0c51389 100644 --- a/.github/workflows/molecule.yml +++ b/.github/workflows/molecule.yml 
@@ -10,25 +10,19 @@ jobs: strategy: matrix: config: - - host_prefix: "maintain-debian" - image: "debian" + - image: "debian" tag: "bullseye" - - host_prefix: "maintain-debian" - image: "debian" + - image: "debian" tag: "buster" - - host_prefix: "maintain-rhel" - image: "centos" + - image: "centos" tag: "7" - - host_prefix: "maintain-rhel" - image: "centos" + - image: "centos" namespace: "quay.io/centos/" tag: "stream8" - - host_prefix: "maintain-rhel" - image: "centos" + - image: "centos" namespace: "quay.io/centos/" tag: "stream9" - - host_prefix: "maintain-suse" - image: "leap" + - image: "leap" namespace: "registry.opensuse.org/opensuse/" tag: "15" fail-fast: false @@ -42,7 +36,6 @@ jobs: - name: molecule uses: robertdebock/molecule-action@5.0.0 with: - host_prefix: ${{ matrix.config.host_prefix }} image: ${{ matrix.config.image }} tag: ${{ matrix.config.tag }} namespace: ${{ matrix.config.namespace }} diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml index 5d024d7..dd44307 100644 --- a/molecule/default/molecule.yml +++ b/molecule/default/molecule.yml @@ -6,8 +6,10 @@ driver: name: docker platforms: - - name: "${host_prefix}-${image:-debian10}-${tag:-latest}" - image: "${namespace}${image}:${tag:-latest}" + - name: "${image:-debian10}-${tag:-latest}" + image: "${namespace}${image:-debian10}:${tag:-latest}" + privileged: yes + # pre_build_image: yes provisioner: name: ansible From 092fb1d43d218745b420352001a57c9ccccbe482 Mon Sep 17 00:00:00 2001 From: Samuel Hierholzer Date: Wed, 18 Jan 2023 13:55:18 +0100 Subject: [PATCH 16/36] Use pre_build_image --- molecule/default/molecule.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml index dd44307..7e2bae7 100644 --- a/molecule/default/molecule.yml +++ b/molecule/default/molecule.yml 
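Review bot: `privileged: yes` in the new platform entry uses a YAML 1.1 boolean spelling and also hands the test container unrestricted access to the runner's kernel and devices; write it as `privileged: true` and add a comment naming the scenario step that needs it, so the flag is not kept longer than necessary. The default `"${image:-debian10}-${tag:-latest}"` composes the image reference `debian10:latest`, which looks like an unintended combination given that the defaults are later changed to `debian` and `10` in this series. The provisioner section that follows is outside the hunk.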
@@ -9,7 +9,7 @@ platforms: - name: "${image:-debian10}-${tag:-latest}" image: "${namespace}${image:-debian10}:${tag:-latest}" privileged: yes - # pre_build_image: yes + pre_build_image: yes provisioner: name: ansible From e1312701508f14705a6a14897110fc66a62e4cf4 Mon Sep 17 00:00:00 2001 From: Samuel Hierholzer Date: Wed, 18 Jan 2023 16:39:32 +0100 Subject: [PATCH 17/36] Use updated molecule action --- .github/workflows/molecule.yml | 2 +- molecule/default/molecule.yml | 2 -- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/.github/workflows/molecule.yml b/.github/workflows/molecule.yml index 0c51389..0caf2dc 100644 --- a/.github/workflows/molecule.yml +++ b/.github/workflows/molecule.yml @@ -34,7 +34,7 @@ jobs: - name: Install rsync run: sudo apt update && sudo apt -y install rsync - name: molecule - uses: robertdebock/molecule-action@5.0.0 + uses: robertdebock/molecule-action@5.0.1 with: image: ${{ matrix.config.image }} tag: ${{ matrix.config.tag }} diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml index 7e2bae7..66de3f7 100644 --- a/molecule/default/molecule.yml +++ b/molecule/default/molecule.yml @@ -8,8 +8,6 @@ driver: platforms: - name: "${image:-debian10}-${tag:-latest}" image: "${namespace}${image:-debian10}:${tag:-latest}" - privileged: yes - pre_build_image: yes provisioner: name: ansible From dd88f753aa32e1991f0e837aec68e503065679f5 Mon Sep 17 00:00:00 2001 From: Samuel Hierholzer Date: Thu, 19 Jan 2023 13:19:56 +0000 Subject: [PATCH 18/36] Molecule: Remove unnecessary rsync install --- .github/workflows/molecule.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/molecule.yml b/.github/workflows/molecule.yml index 0caf2dc..6d0024d 100644 --- a/.github/workflows/molecule.yml +++ b/.github/workflows/molecule.yml 
@@ -31,8 +31,6 @@ jobs: uses: actions/checkout@v3 with: path: "${{ github.repository }}" - - name: Install rsync - run: sudo apt update && sudo apt -y install rsync - name: molecule uses: robertdebock/molecule-action@5.0.1 with: From a44c559ec7718e6f3787093ac1f0d7c2ab42c97d Mon Sep 17 00:00:00 2001 From: Samuel Hierholzer Date: Fri, 20 Jan 2023 14:49:06 +0100 Subject: [PATCH 19/36] Molecule: Add very basic readme info --- README.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/README.md b/README.md index 53e9419..2696f65 100644 --- a/README.md +++ b/README.md @@ -136,6 +136,14 @@ changed: [debian01.example.org] There is also a checklist summarising all tasks that were run but finished with either `ok` or `skipped`. +## Molecule Tests + +Before testing, create a file `.env.yml` with the infos on the platform you want to test (see the matrix in the [molecule workflow](.github/workflows/molecule.yml) for examples): + +``` yaml +image: "debian" +tag: "bullseye" +``` ## License From d5c47c0671e197f93dc4e16516956ab903257603 Mon Sep 17 00:00:00 2001 From: Philipp Marmet Date: Fri, 10 Feb 2023 16:14:25 +0100 Subject: [PATCH 20/36] feat(tests): make maintenance_10_linux idempotent --- molecule/default/molecule.yml | 7 +++---- molecule/default/side_effect.yml | 18 ++++++++++++++++++ roles/maintenance_10_linux/tasks/main.yml | 1 + 3 files changed, 22 insertions(+), 4 deletions(-) create mode 100644 molecule/default/side_effect.yml diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml index 66de3f7..c318848 100644 --- a/molecule/default/molecule.yml +++ b/molecule/default/molecule.yml @@ -6,8 +6,8 @@ driver: name: docker platforms: - - name: "${image:-debian10}-${tag:-latest}" - image: "${namespace}${image:-debian10}:${tag:-latest}" + - name: "${image:-debian}-${tag:-10}" + image: "${namespace}${image:-debian}:${tag:-10}" provisioner: name: ansible 
@@ -20,7 +20,6 @@ provisioner: duplicate_dict_key: ignore inject_facts_as_vars: false - scenario: test_sequence: - dependency @@ -29,7 +28,7 @@ scenario: - create - prepare - converge - # TODO: - side-effects + - side_effect - idempotence - destroy diff --git a/molecule/default/side_effect.yml b/molecule/default/side_effect.yml new file mode 100644 index 0000000..c2dfe27 --- /dev/null +++ b/molecule/default/side_effect.yml @@ -0,0 +1,18 @@ +--- + +- name: All tasks + hosts: all + gather_facts: true + + tasks: + - name: "10-050: Fix serverlogs address" + ansible.builtin.lineinfile: + path: /etc/aliases + regexp: "^root:" + line: "root: serverlogs@example.org" + insertbefore: EOF + + - name: "11-017: Execute the package upgrade" + ansible.builtin.apt: + update_cache: yes + upgrade: safe diff --git a/roles/maintenance_10_linux/tasks/main.yml b/roles/maintenance_10_linux/tasks/main.yml index 6264ec5..976a831 100644 --- a/roles/maintenance_10_linux/tasks/main.yml +++ b/roles/maintenance_10_linux/tasks/main.yml @@ -102,6 +102,7 @@ vars: taskid: 10-039 name: "Logfiles: Does journald log to persistent storage? | Report age of system journal" + tags: molecule-idempotence-notest ansible.builtin.debug: msg: >- /var/log/journal/{{ ansible_facts.machine_id }}/system.journal From bcc6363d9806b9f1c6395c2fb8f38946bd4632bf Mon Sep 17 00:00:00 2001 From: Samuel Hierholzer Date: Wed, 8 Feb 2023 16:05:09 +0100 Subject: [PATCH 21/36] yum check-update fails when error status is wrong --- roles/maintenance_15_rhel/tasks/main.yml | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/roles/maintenance_15_rhel/tasks/main.yml b/roles/maintenance_15_rhel/tasks/main.yml index aead645..460840a 100644 --- a/roles/maintenance_15_rhel/tasks/main.yml +++ b/roles/maintenance_15_rhel/tasks/main.yml 
@@ -33,21 +33,20 @@ vars: taskid: 15-011 name: "Does yum check-update work" - args: - warn: false ansible.builtin.command: "yum check-update -q" register: yum_checkupdate_output check_mode: no + failed_when: no changed_when: no - failed_when: "yum_checkupdate_output.stderr_lines | length > 0" - <<: *task vars: taskid: 15-011 - name: "Does yum check-update work | Print new pkgs" + name: "Does yum check-update work | Show exit status" ansible.builtin.debug: - var: yum_checkupdate_output.stdout_lines - changed_when: no + msg: "Exited with: {{ yum_checkupdate_output.rc }}, Error is: {{ yum_checkupdate_output.stderr_lines|default('Not available') }}" + changed_when: "yum_checkupdate_output.rc != 0 and yum_checkupdate_output.rc != 100" + when: "yum_checkupdate_output.rc != 0 and yum_checkupdate_output.rc != 100" - <<: *task vars: From d81e7533a1871755cceacb59646f12fe9cdbe58b Mon Sep 17 00:00:00 2001 From: Philipp Marmet Date: Tue, 14 Feb 2023 11:56:01 +0100 Subject: [PATCH 22/36] feat(molecule): make debian green --- molecule/default/side_effect.yml | 15 +++++++++------ molecule/default/side_effect/Debian.yml | 6 ++++++ molecule/default/side_effect/empty.yml | 0 roles/maintenance_11_debian/tasks/main.yml | 1 + 4 files changed, 16 insertions(+), 6 deletions(-) create mode 100644 molecule/default/side_effect/Debian.yml create mode 100644 molecule/default/side_effect/empty.yml diff --git a/molecule/default/side_effect.yml b/molecule/default/side_effect.yml index c2dfe27..fcf8d44 100644 --- a/molecule/default/side_effect.yml +++ b/molecule/default/side_effect.yml 
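Review bot: The `changed_when` and `when` on the `Show exit status` task repeat the same expression; `yum_checkupdate_output.rc not in [0, 100]` reads more directly and keeps the two in step. With `failed_when: no` on the command task every failure of `yum check-update` is now swallowed, so this debug task is the only place a broken repository configuration surfaces; a comment like `# rc 100 = updates available, rc 0 = none, anything else is a yum error` above it would record the convention. `stderr_lines` is normally present on a command result, so the `default('Not available')` branch is probably unreachable; hedged, as this depends on the Ansible version in use. The `no` spellings for `check_mode`, `failed_when` and `changed_when` are YAML 1.1 booleans that yamllint's truthy rule flags; `false` is the portable form.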
@@ -5,14 +5,17 @@ gather_facts: true tasks: + - name: "Load distribution version specific tasks" + ansible.builtin.include_tasks: + file: "{{ item }}" + with_first_found: + - "side_effect/{{ ansible_facts.distribution }}{{ ansible_facts.distribution_major_version }}.yml" + - "side_effect/{{ ansible_facts.distribution }}.yml" + - "side_effect/empty.yml" + - name: "10-050: Fix serverlogs address" ansible.builtin.lineinfile: path: /etc/aliases regexp: "^root:" line: "root: serverlogs@example.org" - insertbefore: EOF - - - name: "11-017: Execute the package upgrade" - ansible.builtin.apt: - update_cache: yes - upgrade: safe + insertbefore: EOF \ No newline at end of file diff --git a/molecule/default/side_effect/Debian.yml b/molecule/default/side_effect/Debian.yml new file mode 100644 index 0000000..5e0be1f --- /dev/null +++ b/molecule/default/side_effect/Debian.yml @@ -0,0 +1,6 @@ +--- + +- name: "11-017: Execute the package upgrade" + ansible.builtin.apt: + update_cache: yes + upgrade: safe diff --git a/molecule/default/side_effect/empty.yml b/molecule/default/side_effect/empty.yml new file mode 100644 index 0000000..e69de29 diff --git a/roles/maintenance_11_debian/tasks/main.yml b/roles/maintenance_11_debian/tasks/main.yml index ffd882f..8bf108a 100644 --- a/roles/maintenance_11_debian/tasks/main.yml +++ b/roles/maintenance_11_debian/tasks/main.yml @@ -149,6 +149,7 @@ vars: taskid: 10-061 name: "Updates: Check if a major update is pending. | Check release name against stable" + tags: molecule-idempotence-notest # this will always be changed on old distros until they are upgraded ansible.builtin.command: distro-info --stable changed_when: - "ansible_facts.distribution_release != 'testing'" From 4a820067da6c1d2034c6654bf0bf24aef651f847 Mon Sep 17 00:00:00 2001 
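Review bot: The hunk ends with `\ No newline at end of file` after `insertbefore: EOF`, which the previous version of side_effect.yml had; restoring the trailing newline keeps the file POSIX-clean and avoids a spurious diff on the next edit. The `with_first_found` lookup keys on `ansible_facts.distribution` and `distribution_major_version` and falls through to `side_effect/empty.yml` when neither candidate exists; a comment such as `# most specific match wins; empty.yml is the no-op fallback for platforms without side effects` above the task would document that contract. The play header is outside the hunk.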
From: Sebastian P <5564491+s3lph@users.noreply.github.com> Date: Fri, 13 Jan 2023 14:24:14 +0100 Subject: [PATCH 23/36] Fix typo in example ansible.cfg --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 2696f65..5197740 100644 --- a/README.md +++ b/README.md @@ -63,7 +63,7 @@ Check out `roles/maintenance_*/defaults/main.yml` to see which options can be ov [defaults] display_skipped_hosts=no display_ok_hosts=no -callbacks_whitelist=adfinis.maintenance.report +callback_whitelist=adfinis.maintenance.report callbacks_enabled=adfinis.maintenance.report duplicate_dict_key=ignore inject_facts_as_vars=no From 2bfcb62b64eeed109b2a440a01a6c80fb70c7f66 Mon Sep 17 00:00:00 2001 From: Sebastian Philipp Date: Tue, 10 Jan 2023 15:59:39 +0100 Subject: [PATCH 24/36] fix(10-034): use actual size on disk to account for sparse files --- roles/maintenance_10_linux/tasks/main.yml | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/roles/maintenance_10_linux/tasks/main.yml b/roles/maintenance_10_linux/tasks/main.yml index 976a831..5b1d77c 100644 --- a/roles/maintenance_10_linux/tasks/main.yml +++ b/roles/maintenance_10_linux/tasks/main.yml 
@@ -68,13 +68,27 @@ register: linux_large_logfiles changed_when: no + # Some of the files produced by the task above are sparse files, most notably /var/log/lastlog + # Use stat to figure out the actual on-disk size +- <<: *task + vars: + taskid: 10-034 + name: "Disk: logrotate: Are there files in /var/log that are not rotated? | Stat found files in /var/log" + ansible.builtin.stat: + path: "{{ item }}" + loop: "{{ linux_large_logfiles.files | map(attribute='path') | list }}" + register: linux_large_logfiles_stat + changed_when: no + - <<: *task vars: taskid: 10-034 name: "Disk: logrotate: Are there files in /var/log that are not rotated? | Report large files in /var/log" + # 4096 blocks equals 16M (assuming 4k logical blocksize, which is to be expected nowadays) + large_files: "{{ linux_large_logfiles_stat.results | map(attribute='stat') | selectattr('blocks', 'gt', 4096) | map(attribute='path') | list }}" ansible.builtin.debug: - var: "linux_large_logfiles.files | map(attribute='path') | list" - changed_when: "linux_large_logfiles.matched > 0" + var: "{{ large_files }}" + changed_when: "large_files | length > 0" - <<: *task vars: From bd0bad467e4e7e6d639c95af1c004360954bb0e9 Mon Sep 17 00:00:00 2001 From: Sebastian Philipp Date: Wed, 11 Jan 2023 18:29:42 +0100 Subject: [PATCH 25/36] fix(10-034): only get necessary info from stat --- roles/maintenance_10_linux/tasks/main.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/roles/maintenance_10_linux/tasks/main.yml b/roles/maintenance_10_linux/tasks/main.yml index 5b1d77c..a2b58a3 100644 --- a/roles/maintenance_10_linux/tasks/main.yml +++ b/roles/maintenance_10_linux/tasks/main.yml 
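Review bot: The threshold comment `# 4096 blocks equals 16M (assuming 4k logical blocksize ...)` does not match what `stat` returns: the `blocks` field comes from `st_blocks`, which counts 512-byte units regardless of the filesystem block size, so `selectattr('blocks', 'gt', 4096)` selects files occupying more than 2 MiB on disk. Either raise the comparison to `32768` for a 16M cut-off or correct the comment to `# 4096 blocks of 512 bytes = 2 MiB on disk`. If a file disappears between the find and the stat, its result has no `blocks` attribute; inserting `selectattr('stat.exists')` before `map(attribute='stat')` would make the expression robust — hedged, since the find task sits above the hunk and I cannot see its options. `var: "{{ large_files }}"` passes a templated string where `debug` expects a variable name; the later commit titled `fix(10-034): jinja error in debug` in this series addresses that, so I am not repeating it.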
@@ -76,6 +76,9 @@ name: "Disk: logrotate: Are there files in /var/log that are not rotated? | Stat found files in /var/log" ansible.builtin.stat: path: "{{ item }}" + get_attributes: no + get_checksum: no + get_mime: no loop: "{{ linux_large_logfiles.files | map(attribute='path') | list }}" register: linux_large_logfiles_stat changed_when: no From 9605ae8725ab113be16120a43c26d653300b22a0 Mon Sep 17 00:00:00 2001 From: Philipp Marmet Date: Wed, 25 Jan 2023 10:57:51 +0100 Subject: [PATCH 26/36] feat(12-ubuntu): implement ubuntu checklist --- roles/maintenance_12_ubuntu/README.md | 1 + roles/maintenance_12_ubuntu/defaults/main.yml | 8 ++ roles/maintenance_12_ubuntu/tasks/main.yml | 98 +++++++++++++++++++ 3 files changed, 107 insertions(+) create mode 100644 roles/maintenance_12_ubuntu/README.md create mode 100644 roles/maintenance_12_ubuntu/defaults/main.yml create mode 100644 roles/maintenance_12_ubuntu/tasks/main.yml diff --git a/roles/maintenance_12_ubuntu/README.md b/roles/maintenance_12_ubuntu/README.md new file mode 100644 index 0000000..17c4a38 --- /dev/null +++ b/roles/maintenance_12_ubuntu/README.md @@ -0,0 +1 @@ +# Ansible Role adfinis.maintenance.maintenance_12_ubuntu diff --git a/roles/maintenance_12_ubuntu/defaults/main.yml b/roles/maintenance_12_ubuntu/defaults/main.yml new file mode 100644 index 0000000..761d337 --- /dev/null +++ b/roles/maintenance_12_ubuntu/defaults/main.yml @@ -0,0 +1,8 @@ +--- + +ubuntu_release_train: lts +# Define which version of Ubuntu the Upgrade is checked against +# Possible options: all, devel, latest, lts, stable, supported, supported-esm, series, unsupported + +maintenance_exclude_tasks: [] +# Define defaults which can be overriden on a host-by-host basis diff --git a/roles/maintenance_12_ubuntu/tasks/main.yml b/roles/maintenance_12_ubuntu/tasks/main.yml new file mode 100644 index 0000000..efb4bca --- /dev/null +++ b/roles/maintenance_12_ubuntu/tasks/main.yml 
@@ -0,0 +1,98 @@ +--- + +- name: This task only serves as a template for the tasks below + ansible.builtin.set_fact: + ignoreme: &task + name: "{{ vars.taskid }}: {{ vars.name }}" + register: task + when: + - "vars.taskid not in maintenance_exclude_tasks" + - "maintenance_only is not defined or maintenance_only == vars.taskid" + vars: + taskid: ignoreme + name: bar + +#(12-010) Update package lists and check for errors `apt update` +- <<: *task + vars: + taskid: 12-010 + name: "Update package lists and check for errors `apt update`" + ansible.builtin.apt: + update_cache: yes + changed_when: no + + +#(12-012) dkpg status: Are there packages which do not have the dpkg status ii or hi? `dpkg -l | grep -vE '^[hi]i'` Packages with status rc or similar can be removed completely with `dpkg -P`, be careful, usually the configuration files are removed. +- <<: *task + vars: + taskid: 12-012 + name: "dpkg status: Are there packages which do not have the dpkg status ii or hi? | Get list of matching packages" + ansible.builtin.shell: dpkg -l | tail -n +6 | grep -vE '^[hi]i' # noqa risky-shell-pipe never fails + register: ubuntu_dpkg_status + check_mode: no + changed_when: no + failed_when: "ubuntu_dpkg_status.rc not in [0, 1]" + +- <<: *task + vars: + taskid: 11-012 + name: "dpkg status: Are there packages which do not have the dpkg status ii or hi? | Report matching packages" + ansible.builtin.debug: + var: "ubuntu_dpkg_status.stdout_lines" + changed_when: "ubuntu_dpkg_status.stdout_lines | length > 0" + + +#(12-017) apt: Simulate the package upgrade `apt --simulate upgrade`. +- <<: *task + vars: + taskid: 12-017 + name: "apt: Simulate the package upgrade" + ansible.builtin.apt: + update_cache: yes + upgrade: safe + check_mode: yes + + +#(12-019) apt: Remove obsolete packages `apt autoremove`. 
+- <<: *task + vars: + taskid: 12-019 + name: "apt: Remove obsolete packages" + ansible.builtin.apt: + autoremove: yes + check_mode: yes + +#(12-020) boot-config: Check boot configuration: Check ramdisk for actuality `update-initramfs -u` and keep bootloader up to date with `update-grub`. +- <<: *task + vars: + taskid: 12-020 + name: "boot-config: Check boot configuration: update initramfs" + ansible.builtin.command: update-initramfs -u + changed_when: no # only requires human interaction in case of errors + +- <<: *task + vars: + taskid: 12-020 + name: "boot-config: Check boot configuration: keep bootloader up to date" + ansible.builtin.command: update-grub + changed_when: no # only requires human interaction in case of errors + +- <<: *task + vars: + taskid: 10-061 + name: "Updates: Check if a major update is pending. | Update Ubuntu distribution info" + ansible.builtin.apt: + name: + - distro-info + - distro-info-data + state: latest # noqa package-latest we need the latest distro-info-data + update_cache: yes + changed_when: no # Don't care if this task actually changed, it's only preparation for the following task + +- <<: *task + vars: + taskid: 10-061 + name: "Updates: Check if a major update is pending. | Check release name against LTS" + ansible.builtin.command: distro-info --{{ ubuntu_release_train }} + changed_when: + - "ansible_facts.distribution_release not in task.stdout_lines" From 8b4e69051b6ce8d770f4bede225eba3c15838b75 Mon Sep 17 00:00:00 2001 From: Philipp Marmet Date: Fri, 27 Jan 2023 13:37:45 +0100 Subject: [PATCH 27/36] fix(12-ubuntu): use the correct `taskid` for the template task exclude Co-authored-by: Sebastian P. <5564491+s3lph@users.noreply.github.com> --- roles/maintenance_12_ubuntu/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/maintenance_12_ubuntu/tasks/main.yml b/roles/maintenance_12_ubuntu/tasks/main.yml index efb4bca..3432d04 100644 --- a/roles/maintenance_12_ubuntu/tasks/main.yml 
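Review bot: The report task for the dpkg status check carries `taskid: 11-012` while the task it reports on uses `taskid: 12-012`; the two halves of one check are joined on taskid in the report plugin, so as written the result is filed under the Debian role's id and is excluded by the wrong entry in `maintenance_exclude_tasks`. Change it to `taskid: 12-012`. The two 12-020 tasks run `update-initramfs -u` and `update-grub`, which rewrite the initramfs and grub.cfg, with `changed_when: no`; a comment stating that these writes are intentional in a checklist run would help the next reader, since the file otherwise looks read-only. The template task's `taskid: ignoreme` does not match the `'ignore-me'` string the report plugin filters on; the next commit in this series fixes it, so I am only noting it.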
+++ b/roles/maintenance_12_ubuntu/tasks/main.yml @@ -9,7 +9,7 @@ - "vars.taskid not in maintenance_exclude_tasks" - "maintenance_only is not defined or maintenance_only == vars.taskid" vars: - taskid: ignoreme + taskid: ignore-me name: bar #(12-010) Update package lists and check for errors `apt update` From 6decdcb7d556264936f13fb317fcc3f82a36b263 Mon Sep 17 00:00:00 2001 From: Philipp Marmet Date: Fri, 27 Jan 2023 13:40:59 +0100 Subject: [PATCH 28/36] fix(12-ubuntu): fix sorting and comments of the defaults --- roles/maintenance_12_ubuntu/defaults/main.yml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/roles/maintenance_12_ubuntu/defaults/main.yml b/roles/maintenance_12_ubuntu/defaults/main.yml index 761d337..53c8770 100644 --- a/roles/maintenance_12_ubuntu/defaults/main.yml +++ b/roles/maintenance_12_ubuntu/defaults/main.yml @@ -1,8 +1,7 @@ --- -ubuntu_release_train: lts +maintenance_exclude_tasks: [] + # Define which version of Ubuntu the Upgrade is checked against # Possible options: all, devel, latest, lts, stable, supported, supported-esm, series, unsupported - -maintenance_exclude_tasks: [] -# Define defaults which can be overriden on a host-by-host basis +ubuntu_release_train: lts From f6b1111a1523e50b774acfc462337a95005812a7 Mon Sep 17 00:00:00 2001 From: Sebastian Philipp Date: Fri, 27 Jan 2023 15:52:18 +0100 Subject: [PATCH 29/36] feat(report): implement tristate checklist and show indeterminate state for skipped --- plugins/callback/report.py | 68 ++++++++++++++++++++------------------ 1 file changed, 36 insertions(+), 32 deletions(-) diff --git a/plugins/callback/report.py b/plugins/callback/report.py index f2a88fa..0bc5e5a 100644 --- a/plugins/callback/report.py +++ b/plugins/callback/report.py 
@@ -18,14 +18,14 @@ Example: example01.example.org - - [x] 10-028 - - [x] 10-032 - - [ ] 10-034 + - [x] 10-028: This task is ok + - [x] 10-032: This is ok as well + - [ ] 10-034: This task reported changed example02.example.org - - [x] 10-028 - - [ ] 10-032 - - [x] 10-034 + - [x] 10-028 A task that reported ok + - [~] 10-032 This task was skipped + - [x] 10-034 Another ok task options: {} # # Kept around as reference # format_string: @@ -41,11 +41,19 @@ import json from datetime import datetime +from enum import IntEnum from ansible.plugins.callback import CallbackBase from ansible.executor.task_result import TaskResult +class TaskState(IntEnum): + SKIPPED = 0 + OK = 1 + CHANGED = 2 + FAILED = 3 + + class CallbackModule(CallbackBase): """ Print Markdown checklists indicating which tasks require human interaction. 
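Review bot: The example in the docstring is inconsistent: the first host's lines use `- [x] 10-028: This task is ok` with a colon after the task id, while the second host's lines omit it (`- [x] 10-028 A task that reported ok`); the code formats every line as `'- [x] %s: %s'`, so the second block should read `- [x] 10-028: A task that reported ok`, `- [~] 10-032: This task was skipped` and `- [x] 10-034: Another ok task`. The example also still presents `[ ]` as "reported changed" only, whereas the new tristate maps failed tasks to `[ ]` as well; a one-line legend above the example, `[x] ok, [~] skipped, [ ] changed or failed (needs a human look)`, would define the symbols. The rest of the module docstring is outside the hunk.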
@@ -61,49 +69,45 @@ def __init__(self): self.tasknames = {} super(CallbackModule, self).__init__() - def on_any(self, *args, **kwargs): - # on_any is a horribly hacky catch-all handler that's triggered on every single event during a play. - - # There is no clearly defined "event type" at the top level of the args/kwargs, so we carefully need to check - # the result object's internal structure. - if len(args) != 2 and len(args[0]) != 2: - return - task = args[0][0] - if not isinstance(task, TaskResult): + def _process_task_result(self, result, state): + if not isinstance(result, TaskResult): return - - if task.is_skipped(): - return - if task.is_failed(): - state = 2 - elif task.is_changed(): - state = 1 - else: - state = 0 - # Extract the task information from the TaskResult. # Unfortunately, some protected members need to be accessed to get the information we need. If something in # this plugin breaks with future ansible versions, it's probably the next 3 lines. - host = task._host.name - taskid = task._task.vars.get('taskid') - taskname = task._task.vars.get('name', '') + host = result._host.name + taskid = result._task.vars.get('taskid') + taskname = result._task.vars.get('name', '') if taskid is None or taskid == 'ignore-me': return - - # Store the "worst" result (max, failed=2, changed=1, ok=0) per host and taskid. + # Store the "worst" result (max, failed=3, changed=2, ok=1, skipped=0) per host and taskid. # E.g. if one subtask failed, consider the entire maintenance task failed. 
hostdict = self.hosts.setdefault(host, {}) - hostdict[taskid] = max(hostdict.get(taskid, 0), state) + hostdict[taskid] = max(hostdict.get(taskid, TaskState.SKIPPED), state) # Pipe `|` is used as the separator for "subtasks" if one maintenance task is split into multiple ansible tasks self.tasknames[taskid] = taskname.split('|', 1)[0].strip() + def v2_runner_on_failed(self, result, ignore_errors=False): + self._process_task_result(result, TaskState.FAILED) + + def v2_runner_on_skipped(self, result): + self._process_task_result(result, TaskState.SKIPPED) + + def v2_runner_on_ok(self, result): + if result.is_changed(): + self._process_task_result(result, TaskState.CHANGED) + else: + self._process_task_result(result, TaskState.OK) + def v2_playbook_on_stats(self, stats): # Generate checklist report at the end of the playbook run for host, tasks in self.hosts.items(): self._display.display('') self._display.display(host) for task, result in tasks.items(): - if result == 0: + if result == TaskState.SKIPPED: + self._display.display('- [~] %s: %s' % (task, self.tasknames.get(task, ''))) + elif result == TaskState.OK: self._display.display('- [x] %s: %s' % (task, self.tasknames.get(task, ''))) else: self._display.display('- [ ] %s: %s' % (task, self.tasknames.get(task, ''))) From 121f0948f6b6de9bda80241f3c3accfa87ae822e Mon Sep 17 00:00:00 2001 
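Review bot: `v2_runner_on_failed` records `TaskState.FAILED` regardless of its `ignore_errors` argument, so a task the playbook deliberately tolerates with `ignore_errors: true` still marks the whole maintenance item as `[ ]`; if that is not intended, `if ignore_errors: return` at the top of the method would separate the two cases — raised as a question rather than a bug, since the play may want to see those. There is no `v2_runner_on_unreachable` handler, so a host that drops out mid-play simply has no entries for the remaining task ids and the checklist gives no hint of it; documenting this in the class docstring, or adding a handler that records FAILED for the task, would close the gap. The final `else` in `v2_playbook_on_stats` still collapses CHANGED and FAILED into the same `[ ]`, which deserves a comment next to it now that TaskState distinguishes them, e.g. `# changed and failed both need a human look`. The class header and the start of `__init__` are outside the hunk.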
From: Philipp Marmet Date: Mon, 20 Feb 2023 16:00:31 +0100 Subject: [PATCH 30/36] feat(molecule): make CentOS green --- molecule/default/molecule.yml | 2 ++ molecule/default/prepare/CentOS7.yml | 1 + molecule/default/prepare/CentOS8.yml | 1 + molecule/default/prepare/CentOS9.yml | 1 + molecule/default/side_effect/CentOS7.yml | 12 ++++++++++++ molecule/default/side_effect/CentOS8.yml | 18 ++++++++++++++++++ molecule/default/side_effect/CentOS9.yml | 19 +++++++++++++++++++ roles/maintenance_10_linux/defaults/main.yml | 3 +++ 8 files changed, 57 insertions(+) create mode 100644 molecule/default/side_effect/CentOS7.yml create mode 100644 molecule/default/side_effect/CentOS8.yml create mode 100644 molecule/default/side_effect/CentOS9.yml diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml index c318848..100e74a 100644 --- a/molecule/default/molecule.yml +++ b/molecule/default/molecule.yml @@ -13,6 +13,8 @@ provisioner: name: ansible env: ANSIBLE_ROLES_PATH: "../../roles" + options: + D: true config_options: defaults: retry_files_enabled: false diff --git a/molecule/default/prepare/CentOS7.yml b/molecule/default/prepare/CentOS7.yml index 6672ffc..dedba44 100644 --- a/molecule/default/prepare/CentOS7.yml +++ b/molecule/default/prepare/CentOS7.yml @@ -6,6 +6,7 @@ - openssh-server - audit - sysvinit-tools + - libselinux-python state: installed # EL7 delivers Ansible 2.9 throuh EPEL which is too old for diff --git a/molecule/default/prepare/CentOS8.yml b/molecule/default/prepare/CentOS8.yml index f672e5d..12f8552 100644 --- a/molecule/default/prepare/CentOS8.yml +++ b/molecule/default/prepare/CentOS8.yml @@ -6,6 +6,7 @@ - hostname - openssh-server - audit + - libselinux-python3 state: installed - name: Create SSH keys diff --git a/molecule/default/prepare/CentOS9.yml b/molecule/default/prepare/CentOS9.yml index 0c09ed4..ce64d67 100644 --- a/molecule/default/prepare/CentOS9.yml +++ b/molecule/default/prepare/CentOS9.yml 
@@ -7,6 +7,7 @@ - openssh-server - audit - postfix + - libselinux-python3 state: installed - name: Create SSH keys diff --git a/molecule/default/side_effect/CentOS7.yml b/molecule/default/side_effect/CentOS7.yml new file mode 100644 index 0000000..ca7bbb3 --- /dev/null +++ b/molecule/default/side_effect/CentOS7.yml @@ -0,0 +1,12 @@ +--- + +- name: "15-010: Create local repo" + ansible.builtin.copy: + dest: "/etc/yum.repos.d/local.repo" + content: | + [rhel-{{ ansible_facts.distribution_major_version }}-server-x86_64] + name = {{ ansible_facts.distribution_major_version }}-server-x86_64 + enabled = 1 + mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os&infra=$infra + gpgcheck=0 + cost=9001 diff --git a/molecule/default/side_effect/CentOS8.yml b/molecule/default/side_effect/CentOS8.yml new file mode 100644 index 0000000..2ea45d1 --- /dev/null +++ b/molecule/default/side_effect/CentOS8.yml @@ -0,0 +1,18 @@ +--- + +- name: "15-010: Create local repo" + ansible.builtin.copy: + dest: "/etc/yum.repos.d/local.repo" + content: | + [rhel-{{ ansible_facts.distribution_major_version }}-for-x86_64-baseos-rpms] + name = {{ ansible_facts.distribution_major_version }}-server-x86_64 + enabled = 1 + mirrorlist=http://mirrorlist.centos.org/?release=$stream&arch=$basearch&repo=BaseOS&infra=$infra + gpgcheck=0 + cost=9001 + [rhel-{{ ansible_facts.distribution_major_version }}-for-x86_64-appstream-rpms] + name = {{ ansible_facts.distribution_major_version }}-server-x86_64 + enabled = 1 + mirrorlist=http://mirrorlist.centos.org/?release=$stream&arch=$basearch&repo=AppStream&infra=$infra + gpgcheck=0 + cost=9001 diff --git a/molecule/default/side_effect/CentOS9.yml b/molecule/default/side_effect/CentOS9.yml new file mode 100644 index 0000000..00072b7 --- /dev/null +++ b/molecule/default/side_effect/CentOS9.yml 
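Review bot: The repo written by `15-010: Create local repo` sets `gpgcheck=0` and, on CentOS 7 and 8, fetches its mirrorlist over plain `http://`, so every package the later converge run installs from `local.repo` is accepted without signature verification; the same applies to side_effect/CentOS8.yml and side_effect/CentOS9.yml. Even as a molecule fixture this deserves tightening: set `gpgcheck=1`, add a `gpgkey=file:///etc/pki/rpm-gpg/<distribution-key>` line pointing at the key the base image ships, and use `https://` mirrorlist URLs where the mirror service offers them (CentOS9.yml already does). If the unsigned definition is deliberate so that the 15-010 check has something to report, state that above the task, e.g. `# Deliberately unsigned repo definition: exercises the 15-010 check`, so nobody later copies it as a template.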
@@ -0,0 +1,19 @@ +--- + +- name: "15-010: Create local repo" + ansible.builtin.copy: + dest: "/etc/yum.repos.d/local.repo" + content: | + [rhel-{{ ansible_facts.distribution_major_version }}-for-x86_64-baseos-rpms] + name = {{ ansible_facts.distribution_major_version }}-server-x86_64 + enabled = 1 + mirrorlist=https://mirrors.centos.org/metalink?repo=centos-baseos-$stream&arch=$basearch&protocol=https,http + gpgcheck=0 + cost=9001 + [rhel-{{ ansible_facts.distribution_major_version }}-for-x86_64-appstream-rpms] + name = {{ ansible_facts.distribution_major_version }}-server-x86_64 + enabled = 1 + mirrorlist=https://mirrors.centos.org/metalink?repo=centos-appstream-$stream&arch=$basearch&protocol=https,http + gpgcheck=0 + cost=9001 + diff --git a/roles/maintenance_10_linux/defaults/main.yml b/roles/maintenance_10_linux/defaults/main.yml index 8f1a178..72e533c 100644 --- a/roles/maintenance_10_linux/defaults/main.yml +++ b/roles/maintenance_10_linux/defaults/main.yml @@ -36,6 +36,9 @@ linux_allowed_large_files: - "/var/lib/dirsrv/" - "/var/log/journal/" - "/var/lib/rpm/Packages$" + - "./var/lib/rpm/Packages" - "/var/cache/yum/" + - "./var/cache/dnf/appstream-filenames.solvx" + - "./var/cache/dnf/appstream-.*/repodata/.*-filelists.xml.gz" linux_additional_allowed_large_files: [] From 3e8ed4f708ab6461b0a4346190bb57c89c27a877 Mon Sep 17 00:00:00 2001 From: Sebastian Philipp Date: Fri, 10 Feb 2023 17:03:45 +0100 Subject: [PATCH 31/36] fix(10-034): jinja error in debug. --- roles/maintenance_10_linux/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/maintenance_10_linux/tasks/main.yml b/roles/maintenance_10_linux/tasks/main.yml index a2b58a3..40604b4 100644 --- a/roles/maintenance_10_linux/tasks/main.yml +++ b/roles/maintenance_10_linux/tasks/main.yml 
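Review bot: The three new `linux_allowed_large_files` entries are inconsistent with their neighbours and, if the list is matched as regular expressions as the `.*` and `$` in the sibling entries suggest, they widen the allowlist more than intended: the unescaped leading `.` in `./var/lib/rpm/Packages` matches any character, and dropping the `$` of the existing `/var/lib/rpm/Packages$` also accepts any longer path that merely contains that prefix. If the intent is to match a relative `./var/...` path as some tool prints it, escape and anchor it, `- '\./var/lib/rpm/Packages$'`, and do the same for the two dnf cache entries; if not, say in a comment why the prefix differs from the rest of the list. Since this list is an exception list for an audit check, every pattern should be as narrow as the file it excuses. The list definition starts before the hunk.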
@@ -90,7 +90,7 @@ # 4096 blocks equals 16M (assuming 4k logical blocksize, which is to be expected nowadays) large_files: "{{ linux_large_logfiles_stat.results | map(attribute='stat') | selectattr('blocks', 'gt', 4096) | map(attribute='path') | list }}" ansible.builtin.debug: - var: "{{ large_files }}" + var: "large_files" changed_when: "large_files | length > 0" - <<: *task From 416b6c5b184858048694fcc47bf8e3ca6dd44779 Mon Sep 17 00:00:00 2001 From: Sebastian Philipp Date: Wed, 18 Jan 2023 17:30:28 +0100 Subject: [PATCH 32/36] fix(10-042): Limit user lookups to "local" NSS passwd databases By default, only users from files, compat, db and systemd backends are enumerated. If other backends are active, a warning is emitted. Adds an option for chaning the set of backends Also emits a warning if AuthorizedKeysCommand is enabled. --- plugins/modules/audit_ssh_authorizedkeys.py | 70 ++++++++++++++++---- roles/maintenance_10_linux/defaults/main.yml | 6 ++ roles/maintenance_10_linux/tasks/main.yml | 1 + 3 files changed, 64 insertions(+), 13 deletions(-) diff --git a/plugins/modules/audit_ssh_authorizedkeys.py b/plugins/modules/audit_ssh_authorizedkeys.py index 08afd03..db49aef 100644 --- a/plugins/modules/audit_ssh_authorizedkeys.py +++ b/plugins/modules/audit_ssh_authorizedkeys.py @@ -46,6 +46,11 @@ required: false default: [] type: list + limit_nss_backends: + description: Only retrieve users from these NSS backends, and emit a warning if other backends are configured. + required: false + default: [files, compat, db, systemd] + type: list config: description: Path to the sshd config fille required: false 
@@ -73,6 +78,13 @@ allowed: - 'from="2001:db8::42/128" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKBIpR/ccV9KAL5eoyPaT0frG1+moHO2nM2TsRKrdANU root@backup.example.org' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICZWKDPix+uTd+P+ZdoD3AkrD8cfikji9JKzvrfhczMA' + +- name: The same, but also check users from sssd (use with caution if your domain contains a large number of users) + adfinis.maintenance.audit_ssh_authorizedkeys: + allowed: + - 'from="2001:db8::42/128" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKBIpR/ccV9KAL5eoyPaT0frG1+moHO2nM2TsRKrdANU root@backup.example.org' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICZWKDPix+uTd+P+ZdoD3AkrD8cfikji9JKzvrfhczMA' + limit_nss_backends: [files, compat, db, systemd, sss] ''' @@ -89,12 +101,17 @@ from ansible.module_utils.basic import AnsibleModule +import collections import os import pwd import subprocess import shlex +# pwdent class conforming to https://docs.python.org/3/library/pwd.html +GetentPwdEnt = collections.namedtuple('pwdent', ['pw_name', 'pw_passwd', 'pw_uid', 'pw_gid', 'pw_gecos', 'pw_dir', 'pw_shell']) + + def run_module(): # define available arguments/parameters a user can pass to the module module_args = dict( @@ -105,6 +122,7 @@ def run_module(): required=dict(type='list', required=False, default=[]), allowed=dict(type='list', required=False, default=[]), forbidden=dict(type='list', required=False, default=[]), + limit_nss_backends=dict(type='list', required=False, default=['files', 'compat', 'db', 'systemd']) ) # seed the result dict in the object 
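Review bot: The comment on `GetentPwdEnt` says the tuple conforms to the pwd module, but it is populated from the text output of `getent`, so `pw_uid` and `pw_gid` are strings here whereas `pwd.struct_passwd` carries ints; any later comparison such as `pwdent.pw_uid == 0` would silently differ between the two code paths. Make that visible in the comment, e.g. `# Field names follow pwd.struct_passwd, but all values are str (parsed from getent output), not int`. The two paths are merged into one set later in the same function, outside this hunk.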
@@ -125,18 +143,42 @@ def run_module(): supports_check_mode=True, ) + warnings = [] + + getent_backends = [] + # Check NSS passwd db backends against list of limited backends, and emit warnings if additional backends are present + with open('/etc/nsswitch.conf', 'r') as nssf: + for line in nssf.readlines(): + line = line.split('#', 1)[0].strip() + if not line: + continue + db, *backends = line.split() + if db != 'passwd:': + continue + for backend in backends: + if backend in module.params['limit_nss_backends']: + getent_backends.append(backend) + else: + msg = 'Users from the NSS passwd backend "{}" are excluded from this check. '.format(backend) + \ + 'Please audit manually or include the backend in limit_nss_backends' + warnings.append(msg) + # Get user homes - users = [] + users = set() if module.params['user'] is not None: user = module.params['user'] try: pwdent = pwd.getpwnam(user) - users.append(pwdent) + users.add(pwdent) except KeyError: module.fail_json(msg='User {} does not exist'.format(user), **result) else: - for pwdent in pwd.getpwall(): - users.append(pwdent) + # getpwnam/getpwall don't allow filtering by backends, need to user getent + for backend in getent_backends: + getent = subprocess.Popen(['/usr/bin/getent', 'passwd', '-s', backend], stdout=subprocess.PIPE) + getent_stdout, _ = getent.communicate() + for line in getent_stdout.decode().splitlines(): + users.add(GetentPwdEnt(*line.split(':', 6))) # Read the acutal ssh authorized_keys result['authorized_keys'] = {} 
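Review bot: The nsswitch.conf loop treats every token after `passwd:` as a backend name, but glibc action specifiers such as `[NOTFOUND=return]` or `[SUCCESS=merge]` appear on that line too; they would produce a spurious "excluded from this check" warning and, if an operator adds them to limit_nss_backends to silence it, be passed to `getent -s`. The getent call also ignores its exit status, so a backend that fails or does not support enumeration silently contributes zero users and the audit reports a clean result for users it never saw. The sketch below skips bracketed tokens and reports a non-zero getent status through the existing warnings list; separately, `open('/etc/nsswitch.conf')` should be wrapped so a missing file ends in `module.fail_json` rather than an unhandled IOError traceback.
```python
    with open('/etc/nsswitch.conf', 'r') as nssf:
        for line in nssf.readlines():
            # … unchanged: comment stripping, empty-line skip and passwd: selection …
            for backend in backends:
                if backend.startswith('['):
                    # action specifier such as [NOTFOUND=return], not a backend name
                    continue
                # … unchanged: limit_nss_backends check and warning …
    # … unchanged: single-user branch via pwd.getpwnam …
        for backend in getent_backends:
            getent = subprocess.Popen(['/usr/bin/getent', 'passwd', '-s', backend], stdout=subprocess.PIPE)
            getent_stdout, _ = getent.communicate()
            if getent.returncode != 0:
                # enumeration failed or is unsupported: report it rather than auditing nobody from this backend
                warnings.append('Enumerating users from the NSS passwd backend "{}" failed (getent exit status {}); its users are not audited'.format(backend, getent.returncode))
                continue
            # … unchanged: parsing of getent output into users …
```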
@@ -148,18 +190,20 @@ def run_module(): authorized_keys_paths = [module.params['file']] else: ufilter = 'host=,addr=,user=' + pwdent.pw_name # host and addr are required by some implementations - sshd_cmdline = [module.params['sshd'], '-C', ufilter , '-T', '-f', module.params['config']] + sshd_cmdline = [module.params['sshd'], '-C', ufilter, '-T', '-f', module.params['config']] sshd_configtest = subprocess.Popen(sshd_cmdline, stdout=subprocess.PIPE) sshd_stdout, _ = sshd_configtest.communicate() if sshd_configtest.returncode != 0: module.fail_json(msg='SSHD configuration invalid (or insufficient privileges, try become_user=root become=yes)', **result) for cline in sshd_stdout.decode().splitlines(): - conf = cline.split() - if conf[0] != 'authorizedkeysfile': - continue - authorized_keys_paths = conf[1:] - + conf = cline.split(maxsplit=1) + if conf[0] == 'authorizedkeyscommand' and conf[1] != 'none': + msg = 'AuthorizedKeysCommand is configured: "{}". Keys returned by this command are not audited.'.format(conf[1]) + warnings.append(msg) + elif conf[0] == 'authorizedkeysfile': + authorized_keys_paths = conf[1].split() + if authorized_keys_paths is None: authorized_keys_paths = [] @@ -227,13 +271,13 @@ def run_module(): 'after_header': 'authorized_keys ({})'.format(user), }) - if len(violations) > 0: + if len(violations) > 0 or len(warnings) > 0: result['changed'] = True if not module.check_mode: - module.fail_json(msg=violations, **result) + module.fail_json(warnings=warnings, msg=violations, **result) # in the event of a successful module execution, you will want to # simple AnsibleModule.exit_json(), passing the key/value results - module.exit_json(**result) + module.exit_json(warnings=warnings, **result) def main(): diff --git a/roles/maintenance_10_linux/defaults/main.yml b/roles/maintenance_10_linux/defaults/main.yml index 72e533c..f4fb59f 100644 --- a/roles/maintenance_10_linux/defaults/main.yml +++ b/roles/maintenance_10_linux/defaults/main.yml 
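Review bot: The new `sshd -T` parsing warns about AuthorizedKeysCommand, but keys granted through certificates bypass authorized_keys entirely and stay invisible to this audit in the same way: `trustedusercakeys` and `authorizedprincipalsfile` are printed by `sshd -T` just like the two keywords already handled. Add a sibling branch, `elif conf[0] in ('trustedusercakeys', 'authorizedprincipalsfile') and conf[1] != 'none':` followed by `warnings.append('{} is configured: "{}". Certificate-based logins are not audited.'.format(conf[0], conf[1]))`, so the report names every login path it could not cover. The surrounding per-user loop starts before the hunk.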
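Review bot: With `if len(violations) > 0 or len(warnings) > 0:` a run that has warnings but no violations now calls `module.fail_json(warnings=warnings, msg=violations, ...)` outside check mode with an empty `msg` list, so the task fails with no stated reason; the role avoids this only because it invokes the module with `check_mode: yes`. If warnings are meant to mark the check as not clean but not to fail it, keep the changed flag as written and guard the failure on violations alone: `if len(violations) > 0 and not module.check_mode:` / `module.fail_json(warnings=warnings, msg=violations, **result)`. If failing on warnings is intended, give `msg` a text that says so, since an empty list tells the operator nothing. Whether a warning should set `changed` at all presumably depends on how the callback's checklist interprets it, so a short comment on that line would help.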
@@ -8,6 +8,12 @@ linux_allowed_ssh_authorized_keys: [] linux_additional_ssh_authorized_keys: [] +linux_allowed_ssh_nss_backends: + - files + - compat + - db + - systemd + linux_allowed_login_users: - root diff --git a/roles/maintenance_10_linux/tasks/main.yml b/roles/maintenance_10_linux/tasks/main.yml index 40604b4..bffa0c9 100644 --- a/roles/maintenance_10_linux/tasks/main.yml +++ b/roles/maintenance_10_linux/tasks/main.yml @@ -165,6 +165,7 @@ name: "Security: SSH keys: Check for unknown or outdated keys for root and all users" adfinis.maintenance.audit_ssh_authorizedkeys: allowed: "{{ linux_allowed_ssh_authorized_keys + linux_additional_ssh_authorized_keys }}" + limit_nss_backends: "{{ linux_allowed_ssh_nss_backends }}" check_mode: yes - <<: *task From baca8a73a07cdaa38754401112e7275feaacf759 Mon Sep 17 00:00:00 2001 From: Sebastian Philipp Date: Mon, 30 Jan 2023 15:34:54 +0100 Subject: [PATCH 33/36] fix(10-042): make changes in audit_ssh_authorizedkeys compatible with python2.7 --- plugins/modules/audit_ssh_authorizedkeys.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/plugins/modules/audit_ssh_authorizedkeys.py b/plugins/modules/audit_ssh_authorizedkeys.py index db49aef..93668f9 100644 --- a/plugins/modules/audit_ssh_authorizedkeys.py +++ b/plugins/modules/audit_ssh_authorizedkeys.py @@ -152,7 +152,8 @@ def run_module(): line = line.split('#', 1)[0].strip() if not line: continue - db, *backends = line.split() + tokens = line.split() + db, backends = tokens[0], tokens[1:] if db != 'passwd:': continue for backend in backends: 
@@ -197,7 +198,7 @@ def run_module(): module.fail_json(msg='SSHD configuration invalid (or insufficient privileges, try become_user=root become=yes)', **result) for cline in sshd_stdout.decode().splitlines(): - conf = cline.split(maxsplit=1) + conf = cline.split(None, 1) if conf[0] == 'authorizedkeyscommand' and conf[1] != 'none': msg = 'AuthorizedKeysCommand is configured: "{}". Keys returned by this command are not audited.'.format(conf[1]) warnings.append(msg) From a02593e420fbbbd57fe92f21aa0de32f5e0452fa Mon Sep 17 00:00:00 2001 From: Sebastian Philipp Date: Fri, 10 Feb 2023 17:22:07 +0100 Subject: [PATCH 34/36] feat(10-042): introduce a second param ignore_nss_backends that silences warnings about skipped backends --- plugins/modules/audit_ssh_authorizedkeys.py | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/plugins/modules/audit_ssh_authorizedkeys.py b/plugins/modules/audit_ssh_authorizedkeys.py index 93668f9..19343a5 100644 --- a/plugins/modules/audit_ssh_authorizedkeys.py +++ b/plugins/modules/audit_ssh_authorizedkeys.py @@ -51,6 +51,11 @@ required: false default: [files, compat, db, systemd] type: list + ignore_nss_backends: + description: Consider these NSS backends as "safe" and don't emit a warning if they are not present in limit_nss_backends. + required: false + default: [] + type: list config: description: Path to the sshd config fille required: false 
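Review bot: The description of `ignore_nss_backends` says the backends are considered "safe", which understates what the option does: their users are neither enumerated nor reported, so an operator reading only the docs may believe they are still audited. Say it plainly, e.g. `description: Treat these NSS backends as out of scope. Their users are not audited, and no warning is emitted when they appear in nsswitch.conf but not in limit_nss_backends.` The "fille" typo in the following context line is pre-existing and could be fixed in the same pass.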
@@ -85,6 +90,13 @@ - 'from="2001:db8::42/128" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKBIpR/ccV9KAL5eoyPaT0frG1+moHO2nM2TsRKrdANU root@backup.example.org' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICZWKDPix+uTd+P+ZdoD3AkrD8cfikji9JKzvrfhczMA' limit_nss_backends: [files, compat, db, systemd, sss] + +- name: Silence the warning that sss users are not audited + adfinis.maintenance.audit_ssh_authorizedkeys: + allowed: + - 'from="2001:db8::42/128" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKBIpR/ccV9KAL5eoyPaT0frG1+moHO2nM2TsRKrdANU root@backup.example.org' + - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICZWKDPix+uTd+P+ZdoD3AkrD8cfikji9JKzvrfhczMA' + ignore_nss_backends: [sss] ''' @@ -122,7 +134,8 @@ def run_module(): required=dict(type='list', required=False, default=[]), allowed=dict(type='list', required=False, default=[]), forbidden=dict(type='list', required=False, default=[]), - limit_nss_backends=dict(type='list', required=False, default=['files', 'compat', 'db', 'systemd']) + limit_nss_backends=dict(type='list', required=False, default=['files', 'compat', 'db', 'systemd']), + ignore_nss_backends=dict(type='list', required=False, default=[]), ) # seed the result dict in the object @@ -159,9 +172,9 @@ def run_module(): for backend in backends: if backend in module.params['limit_nss_backends']: getent_backends.append(backend) - else: + elif backend not in module.params['ignore_nss_backends']: msg = 'Users from the NSS passwd backend "{}" are excluded from this check. '.format(backend) + \ - 'Please audit manually or include the backend in limit_nss_backends' + 'Please audit manually or include the backend in either limit_nss_backends or ignore_nss_backends' warnings.append(msg) # Get user homes From ae0b22d2b2ee067e43aaa207e9912cea3caae89b Mon Sep 17 00:00:00 2001 
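Review bot: The new `elif backend not in module.params['ignore_nss_backends']:` makes ignored backends disappear from the output entirely, so the report no longer records which user sources the audit skipped; for a check whose value is its completeness, that exclusion should stay visible even when the warning is silenced. Collect them, e.g. `else: ignored_backends.append(backend)` in this loop, and expose the list after it in a result key such as `result['ignored_nss_backends']` (name constructed here), which is outside the hunk. Note also that a backend listed in both parameters is audited, because the limit check comes first; a one-line comment on the `if` would settle that for readers.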
From: Sebastian Philipp Date: Fri, 10 Feb 2023 17:25:37 +0100 Subject: [PATCH 35/36] feat(10-042): actually use ignore_nss_backends in the maintenance_10_linux role --- roles/maintenance_10_linux/defaults/main.yml | 1 + roles/maintenance_10_linux/tasks/main.yml | 1 + 2 files changed, 2 insertions(+) diff --git a/roles/maintenance_10_linux/defaults/main.yml b/roles/maintenance_10_linux/defaults/main.yml index f4fb59f..26fe616 100644 --- a/roles/maintenance_10_linux/defaults/main.yml +++ b/roles/maintenance_10_linux/defaults/main.yml @@ -13,6 +13,7 @@ linux_allowed_ssh_nss_backends: - compat - db - systemd +linux_allowed_ssh_ignored_nss_backends: [] linux_allowed_login_users: - root diff --git a/roles/maintenance_10_linux/tasks/main.yml b/roles/maintenance_10_linux/tasks/main.yml index bffa0c9..ebea141 100644 --- a/roles/maintenance_10_linux/tasks/main.yml +++ b/roles/maintenance_10_linux/tasks/main.yml @@ -166,6 +166,7 @@ adfinis.maintenance.audit_ssh_authorizedkeys: allowed: "{{ linux_allowed_ssh_authorized_keys + linux_additional_ssh_authorized_keys }}" limit_nss_backends: "{{ linux_allowed_ssh_nss_backends }}" + ignore_nss_backends: "{{ linux_allowed_ssh_ignored_nss_backends }}" check_mode: yes - <<: *task From 07f97770957e237550711482f417d76eb1a18558 Mon Sep 17 00:00:00 2001 From: Philipp Marmet Date: Mon, 20 Feb 2023 16:12:08 +0100 Subject: [PATCH 36/36] feat(molecule): update molecule action --- .github/workflows/molecule.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/molecule.yml b/.github/workflows/molecule.yml index 6d0024d..de6070b 100644 --- a/.github/workflows/molecule.yml +++ b/.github/workflows/molecule.yml @@ -32,7 +32,7 @@ jobs: with: path: "${{ github.repository }}" - name: molecule - uses: robertdebock/molecule-action@5.0.1 + uses: robertdebock/molecule-action@5.0.2 with: image: ${{ matrix.config.image }} tag: ${{ matrix.config.tag }}