From 91784d1874b96c17b15fa568bc7c610b52f90783 Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Fri, 6 Aug 2021 20:52:42 +0200
Subject: [PATCH 1/8] Workaround namespace feature also for RHEL6
The OpenSSH 5.3 in RHEL6 is so old it does not support "Match all" so we need some creative workaround for this old stuff.
---
tasks/install.yml | 2 +-
tests/tests_config_namespace.yml | 18 ++++++++++++++++--
vars/RedHat_6.yml | 1 +
vars/main.yml | 2 ++
4 files changed, 20 insertions(+), 3 deletions(-)
diff --git a/tasks/install.yml b/tasks/install.yml
index 978b8fb..1fc13f7 100644
--- a/tasks/install.yml
+++ b/tasks/install.yml
@@ -126,7 +126,7 @@
group: "{{ sshd_config_group }}"
mode: "{{ sshd_config_mode }}"
block: |
- Match all
+ {{ __sshd_compat_match_all }}
{{ lookup('template', 'sshd_config_snippet.j2') }}
create: yes
marker: "# {mark} sshd system role managed block: namespace {{ sshd_config_namespace }}"
diff --git a/tests/tests_config_namespace.yml b/tests/tests_config_namespace.yml
index eab0aa7..80c5afa 100644
--- a/tests/tests_config_namespace.yml
+++ b/tests/tests_config_namespace.yml
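Review bot: The `block: |` literal now opens with `{{ __sshd_compat_match_all }}`, and if a per-distribution vars file ever sets that variable to an empty string the rendered snippet silently lands outside any Match scope and applies globally, which is harder to notice than a template failure. vars/main.yml in this same patch supplies the default, so today the risk only comes from overriding var files, but `{{ __sshd_compat_match_all | mandatory }}` would make the assumption explicit at render time. The blockinfile task that owns this `block:` starts and ends outside the hunk.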
@@ -60,17 +60,31 @@
command: sshd -T -Cuser=nobody,host=example.com,addr=127.0.0.2
register: nonmatching
+ - name: Check content of configuration file (blocks)
+ assert:
+ that:
+ - "config.content | b64decode | regex_search('Match all\\s*AcceptEnv EDITOR')"
+ - "config.content | b64decode | regex_search('Match all\\s*AcceptEnv LS_COLORS')"
+ when:
+ - ansible_facts['os_family'] != 'RedHat' or ansible_facts['distribution_major_version'] != '6'
+
+ - name: Check content of configuration file (blocks for RHEL 6)
+ assert:
+ that:
+ - "config.content | b64decode | regex_search('Match address *\\s*AcceptEnv EDITOR')"
+ - "config.content | b64decode | regex_search('Match address *\\s*AcceptEnv LS_COLORS')"
+ when:
+ - ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '6'
+
- name: Check content of configuration file
assert:
that:
- "'AcceptEnv EDITOR' in config.content | b64decode"
- - "config.content | b64decode | regex_search('Match all\\s*AcceptEnv EDITOR')"
- "'PasswordAuthentication yes' in config.content | b64decode"
- "'Match user root' in config.content | b64decode"
- "'AllowAgentForwarding no' in config.content | b64decode"
- "config.content | b64decode | regex_search('Match user root\\s*AllowAgentForwarding no')"
- "'AcceptEnv LS_COLORS' in config.content | b64decode"
- - "config.content | b64decode | regex_search('Match all\\s*AcceptEnv LS_COLORS')"
- "'PasswordAuthentication no' in config.content | b64decode"
- "'Match Address 127.0.0.1' in config.content | b64decode"
- "'AllowTcpForwarding no' in config.content | b64decode"
diff --git a/vars/RedHat_6.yml b/vars/RedHat_6.yml
index 03ae474..182e4e4 100644
--- a/vars/RedHat_6.yml
+++ b/vars/RedHat_6.yml
@@ -22,3 +22,4 @@ __sshd_defaults:
Subsystem: "sftp {{ sshd_sftp_server }}"
__sshd_os_supported: yes
__sshd_sysconfig_supports_use_strong_rng: true
+__sshd_compat_match_all: Match address *
diff --git a/vars/main.yml b/vars/main.yml
index 01d7aee..37a46ed 100644
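Review bot: `__sshd_compat_match_all: Match address *` is a plain scalar ending in `*`; it parses as the intended string, but a trailing `*` reads like an alias sigil and no linter will protect it, so quote it: `__sshd_compat_match_all: "Match address *"`. A one-line comment above it stating that OpenSSH 5.3 has no `Match all` and that `Match address *` is the closest substitute would spare the next reader a trip to vars/main.yml, where the only explanation lives. The two forms are not strictly interchangeable either, since an address condition is evaluated against the client's source address, so the RHEL6 behaviour should be verified with `sshd -T -C...` as tests_config_namespace.yml already does rather than by inspecting the file alone.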
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -5,3 +5,5 @@ __sshd_config_mode: "0600"
__sshd_hostkey_owner: "root"
__sshd_hostkey_group: "root"
__sshd_hostkey_mode: "0600"
+# The OpenSSH 5.3 in RHEL6 does not support "Match all" so we need a workaround
+__sshd_compat_match_all: Match all
From f1ab55508431809acab20908fae9006453fb1d56 Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Fri, 6 Aug 2021 21:10:03 +0200
Subject: [PATCH 2/8] tests: The AcceptEnv is not accepted in Match block on RHEL6
---
tests/tests_config_namespace.yml | 22 ++++++++++------------
1 file changed, 10 insertions(+), 12 deletions(-)
diff --git a/tests/tests_config_namespace.yml b/tests/tests_config_namespace.yml
index 80c5afa..6688907 100644
--- a/tests/tests_config_namespace.yml
+++ b/tests/tests_config_namespace.yml
@@ -16,8 +16,8 @@
sshd_config_file: /etc/ssh/sshd_config
sshd_config_namespace: nm1
sshd:
- AcceptEnv: EDITOR
PasswordAuthentication: yes
+ PermitRootLogin: yes
Match:
Condition: user root
AllowAgentForwarding: no
@@ -29,8 +29,8 @@
sshd_config_file: /etc/ssh/sshd_config
sshd_config_namespace: nm2
sshd:
- AcceptEnv: LS_COLORS
PasswordAuthentication: no
+ PermitRootLogin: no
Match:
Condition: Address 127.0.0.1
AllowTcpForwarding: no
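Review bot: `PermitRootLogin: yes` in the `@@ -16,8 +16,8 @@` hunk is an unquoted YAML 1.1 boolean, not the sshd keyword `yes`; the role's template evidently renders it back as the keyword (the assertions later in this patch depend on the literal `PermitRootLogin yes`), but the test input is one parser setting away from becoming `True`. Quoting the value, `PermitRootLogin: "yes"`, keeps the fixture as the literal sshd token and is what yamllint's truthy rule expects; the same applies to `PermitRootLogin: no` in the `@@ -29,8 +29,8 @@` hunk.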
@@ -63,28 +63,28 @@
- name: Check content of configuration file (blocks)
assert:
that:
- - "config.content | b64decode | regex_search('Match all\\s*AcceptEnv EDITOR')"
- - "config.content | b64decode | regex_search('Match all\\s*AcceptEnv LS_COLORS')"
+ - "config.content | b64decode | regex_search('Match all\\s*PasswordAuthentication yes')"
+ - "config.content | b64decode | regex_search('Match all\\s*PasswordAuthentication no')"
when:
- ansible_facts['os_family'] != 'RedHat' or ansible_facts['distribution_major_version'] != '6'
- name: Check content of configuration file (blocks for RHEL 6)
assert:
that:
- - "config.content | b64decode | regex_search('Match address *\\s*AcceptEnv EDITOR')"
- - "config.content | b64decode | regex_search('Match address *\\s*AcceptEnv LS_COLORS')"
+ - "config.content | b64decode | regex_search('Match address \\*\\s*PasswordAuthentication yes')"
+ - "config.content | b64decode | regex_search('Match address \\*\\s*PasswordAuthentication no')"
when:
- ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '6'
- name: Check content of configuration file
assert:
that:
- - "'AcceptEnv EDITOR' in config.content | b64decode"
+ - "'PermitRootLogin yes' in config.content | b64decode"
- "'PasswordAuthentication yes' in config.content | b64decode"
- "'Match user root' in config.content | b64decode"
- "'AllowAgentForwarding no' in config.content | b64decode"
- "config.content | b64decode | regex_search('Match user root\\s*AllowAgentForwarding no')"
- - "'AcceptEnv LS_COLORS' in config.content | b64decode"
+ - "'PermitRootLogin no' in config.content | b64decode"
- "'PasswordAuthentication no' in config.content | b64decode"
- "'Match Address 127.0.0.1' in config.content | b64decode"
- "'AllowTcpForwarding no' in config.content | b64decode"
@@ -94,9 +94,8 @@
# note, the options are in lower-case here
assert:
that:
- - "'acceptenv EDITOR' in runtime.stdout"
+ - "'permitrootlogin yes' in runtime.stdout"
- "'allowagentforwarding no' in runtime.stdout"
- - "'acceptenv LS_COLORS' in runtime.stdout"
- "'allowtcpforwarding no' in runtime.stdout"
- "'passwordauthentication yes' in runtime.stdout"
@@ -104,9 +103,8 @@
# note, the options are in lower-case here
assert:
that:
- - "'acceptenv EDITOR' in nonmatching.stdout"
+ - "'permitrootlogin yes' in runtime.stdout"
- "'allowAgentforwarding no' not in nonmatching.stdout"
- - "'acceptenv LS_COLORS' in nonmatching.stdout"
- "'allowtcpforwarding no' not in nonmatching.stdout"
- "'passwordauthentication yes' in nonmatching.stdout"
tags: tests::verify
From a2646b75519ab405bf845fa1c3e58a79f53f5bf1 Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Fri, 6 Aug 2021 21:59:33 +0200
Subject: [PATCH 3/8] tests: Fix condition to match also CentOS
---
tests/tests_hostkeys_missing.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/tests_hostkeys_missing.yml b/tests/tests_hostkeys_missing.yml
index e4cee9f..94375dd 100644
--- a/tests/tests_hostkeys_missing.yml
+++ b/tests/tests_hostkeys_missing.yml
@@ -34,7 +34,7 @@
msg: "Role has not failed when it should have"
when:
- ansible_facts['os_family'] != 'Debian'
- - not (ansible_facts['distribution'] == 'RedHat' and ansible_facts['distribution_major_version'] == '6')
+ - not (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '6')
tags: tests::verify
- name: Make sure the key was not created
From d16170bf314a2171a42ac687e0beb13d9802f032 Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Fri, 6 Aug 2021 22:10:57 +0200
Subject: [PATCH 4/8] tests: Skip the negative test in RHEL6 entirely
---
tests/tests_hostkeys_missing.yml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
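Review bot: In the `@@ -104,9 +103,8 @@` hunk the added assertion reads `'permitrootlogin yes' in runtime.stdout`, while every other line of that assert inspects `nonmatching.stdout`, so the new check re-tests the matching run and the non-matching output is never checked for this option; it should be `- "'permitrootlogin yes' in nonmatching.stdout"`. The parallel line in the `@@ -94,9 +94,8 @@` hunk is correct. While in this block, the surviving context line `'allowAgentforwarding no' not in nonmatching.stdout` carries a capital A that `sshd -T` never prints (the comment above says the options are lower-case), so that negative check passes vacuously and would not catch agent forwarding leaking into the non-matching scope. Both assert tasks begin outside their hunks.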
diff --git a/tests/tests_hostkeys_missing.yml b/tests/tests_hostkeys_missing.yml
index 94375dd..0acfce7 100644
--- a/tests/tests_hostkeys_missing.yml
+++ b/tests/tests_hostkeys_missing.yml
@@ -32,9 +32,9 @@
- ansible_failed_result.msg != 'UNREACH'
- not role_result.changed
msg: "Role has not failed when it should have"
- when:
- - ansible_facts['os_family'] != 'Debian'
- - not (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '6')
+ when:
+ - ansible_facts['os_family'] != 'Debian'
+ - not (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '6')
tags: tests::verify
- name: Make sure the key was not created
From f6d26d8781be8be7b086d0980a78044b2dfdd72e Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Mon, 9 Aug 2021 08:50:01 +0200
Subject: [PATCH 5/8] tests: Skip service status check on RHEL6
the init system there can not just "check" the status
---
tests/tests_hostkeys_missing.yml | 2 ++
1 file changed, 2 insertions(+)
diff --git a/tests/tests_hostkeys_missing.yml b/tests/tests_hostkeys_missing.yml
index 0acfce7..ad739a4 100644
--- a/tests/tests_hostkeys_missing.yml
+++ b/tests/tests_hostkeys_missing.yml
@@ -52,6 +52,8 @@
register: result
failed_when: result.changed
tags: tests::verify
+ when:
+ - not (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '6')
- name: "Restore configuration files"
include_tasks: tasks/restore.yml
From 9326a46dd83b324e4d70b0c18a4103a7939e365a Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Mon, 9 Aug 2021 09:10:02 +0200
Subject: [PATCH 6/8] tests: Skip the OS defaults test on CentOS 6 too
The CentOS6/RHEL6 images have modified sshd_config from what is shipped in rpm package
---
tests/tests_os_defaults.yml | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/tests/tests_os_defaults.yml b/tests/tests_os_defaults.yml
index 6409a5f..b1e93e5 100644
--- a/tests/tests_os_defaults.yml
+++ b/tests/tests_os_defaults.yml
@@ -34,7 +34,8 @@
that:
- runtime_before.stdout == runtime_after.stdout
when:
- - not (ansible_facts['distribution'] == 'RedHat' and ansible_facts['distribution_major_version'] == '6')
+ # RHEL6/CentOS6 images have modified sshd_config, different from what is in rpm package
+ - not (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '6')
- name: Restore configuration files
include_tasks: tasks/restore.yml
From 2e3b3c0581c35cf13710903bf4cd364f568cc88b Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Mon, 9 Aug 2021 09:49:13 +0200
Subject: [PATCH 7/8] tests: Skip the negative test in RHEL6
The ansible_failed_result is not available in old Ansible on RHEL6
---
tests/tests_set_uncommon.yml | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/tests/tests_set_uncommon.yml b/tests/tests_set_uncommon.yml
index bf5ee58..0660da4 100644
--- a/tests/tests_set_uncommon.yml
+++ b/tests/tests_set_uncommon.yml
@@ -48,6 +48,8 @@
- ansible_failed_result.msg != 'UNREACH'
- not role_result.changed
msg: "Role has not failed when it should have"
+ when:
+ - not (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '6')
- name: Make sure service is still running
service:
@@ -56,6 +58,8 @@
register: result
failed_when: result.changed
tags: tests::verify
+ when:
+ - not (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '6')
- name: "Restore configuration files"
include_tasks: tasks/restore.yml
From d9e1934a837bedaed071b6d92afc7e1d11458122 Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Wed, 11 Nov 2020 12:33:02 +0100
Subject: [PATCH 8/8] Add CentOS 6 to CI
---
.github/workflows/ansible-centos6.yml | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
create mode 100644 .github/workflows/ansible-centos6.yml
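Review bot: Guarding the whole assert in the `@@ -48,6 +48,8 @@` hunk on RHEL6 also drops `- not role_result.changed`, which does not depend on `ansible_failed_result` at all, so on that platform nothing any longer verifies that the role refused the unsupported option instead of writing it out; keeping that one condition in an unconditional assert (or asserting `role_result is failed`) preserves the negative check where the commit message's limitation does not apply. The same skip is added to the service check at `@@ -56,6 +58,8 @@` and, in patches 4 and 5 of this series, to tests_hostkeys_missing.yml, which makes six hand-copied `not (ansible_facts['os_family'] == 'RedHat' and ...)` expressions; one fact set at the top of each play (a constructed name such as `__test_is_el6`) would keep them from drifting. The enclosing assert task starts outside the hunk.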
diff --git a/.github/workflows/ansible-centos6.yml b/.github/workflows/ansible-centos6.yml
new file mode 100644
index 0000000..4cf093a
--- /dev/null
+++ b/.github/workflows/ansible-centos6.yml
@@ -0,0 +1,19 @@
+name: Run tests on CentOS 6
+
+on: [push, pull_request]
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+
+ # Workaround missing support for end_host in old ansible
+ - run: "sed -i -e 's/meta: end_host/assert:\\n that: __sshd_os_supported|bool/' tasks/install.yml"
+
+ - name: ansible check with centos:6
+ uses: roles-ansible/check-ansible-centos-centos6-action@master
+ with:
+ group: local
+ hosts: localhost
+ targets: "tests/*.yml"
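Review bot: `uses: roles-ansible/check-ansible-centos-centos6-action@master` pins a third-party action to a moving branch, so whoever controls that repository can change what runs against this checkout on every push and pull request; pin it to a full commit SHA with the tag in a trailing comment, and treat `actions/checkout@v2` the same way. The workflow also declares no `permissions:` block, so the job inherits the repository's default GITHUB_TOKEN scope; a top-level `permissions:` with `contents: read` is all a checkout-and-test job needs. The `sed -i` step rewrites tasks/install.yml before the test runs, so the role under test is not the committed one, and the replacement hard-codes a single-space indent for `that:` that only nests correctly if `meta: end_host` sits at a matching indentation, which is not visible here; confirming that the rewritten file still parses, or failing the step when the pattern is absent, would keep this workaround from silently testing something else.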