Merge pull request #165 from Jakuje/centos6

This commit is contained in:
Matt Willsher 2021-08-10 21:39:29 +01:00 committed by GitHub
commit 1c5c48835e
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
8 changed files with 56 additions and 15 deletions

19
.github/workflows/ansible-centos6.yml vendored Normal file
View file

@ -0,0 +1,19 @@
name: Run tests on CentOS 6
on: [push, pull_request]
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
# Workaround missing support for end_host in old ansible
- run: "sed -i -e 's/meta: end_host/assert:\\n that: __sshd_os_supported|bool/' tasks/install.yml"
- name: ansible check with centos:6
uses: roles-ansible/check-ansible-centos-centos6-action@master
with:
group: local
hosts: localhost
targets: "tests/*.yml"

View file

@ -126,7 +126,7 @@
group: "{{ sshd_config_group }}" group: "{{ sshd_config_group }}"
mode: "{{ sshd_config_mode }}" mode: "{{ sshd_config_mode }}"
block: | block: |
Match all {{ __sshd_compat_match_all }}
{{ lookup('template', 'sshd_config_snippet.j2') }} {{ lookup('template', 'sshd_config_snippet.j2') }}
create: yes create: yes
marker: "# {mark} sshd system role managed block: namespace {{ sshd_config_namespace }}" marker: "# {mark} sshd system role managed block: namespace {{ sshd_config_namespace }}"

View file

@ -16,8 +16,8 @@
sshd_config_file: /etc/ssh/sshd_config sshd_config_file: /etc/ssh/sshd_config
sshd_config_namespace: nm1 sshd_config_namespace: nm1
sshd: sshd:
AcceptEnv: EDITOR
PasswordAuthentication: yes PasswordAuthentication: yes
PermitRootLogin: yes
Match: Match:
Condition: user root Condition: user root
AllowAgentForwarding: no AllowAgentForwarding: no
@ -29,8 +29,8 @@
sshd_config_file: /etc/ssh/sshd_config sshd_config_file: /etc/ssh/sshd_config
sshd_config_namespace: nm2 sshd_config_namespace: nm2
sshd: sshd:
AcceptEnv: LS_COLORS
PasswordAuthentication: no PasswordAuthentication: no
PermitRootLogin: no
Match: Match:
Condition: Address 127.0.0.1 Condition: Address 127.0.0.1
AllowTcpForwarding: no AllowTcpForwarding: no
@ -60,17 +60,31 @@
command: sshd -T -Cuser=nobody,host=example.com,addr=127.0.0.2 command: sshd -T -Cuser=nobody,host=example.com,addr=127.0.0.2
register: nonmatching register: nonmatching
- name: Check content of configuration file (blocks)
assert:
that:
- "config.content | b64decode | regex_search('Match all\\s*PasswordAuthentication yes')"
- "config.content | b64decode | regex_search('Match all\\s*PasswordAuthentication no')"
when:
- ansible_facts['os_family'] != 'RedHat' or ansible_facts['distribution_major_version'] != '6'
- name: Check content of configuration file (blocks for RHEL 6)
assert:
that:
- "config.content | b64decode | regex_search('Match address \\*\\s*PasswordAuthentication yes')"
- "config.content | b64decode | regex_search('Match address \\*\\s*PasswordAuthentication no')"
when:
- ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '6'
- name: Check content of configuration file - name: Check content of configuration file
assert: assert:
that: that:
- "'AcceptEnv EDITOR' in config.content | b64decode" - "'PermitRootLogin yes' in config.content | b64decode"
- "config.content | b64decode | regex_search('Match all\\s*AcceptEnv EDITOR')"
- "'PasswordAuthentication yes' in config.content | b64decode" - "'PasswordAuthentication yes' in config.content | b64decode"
- "'Match user root' in config.content | b64decode" - "'Match user root' in config.content | b64decode"
- "'AllowAgentForwarding no' in config.content | b64decode" - "'AllowAgentForwarding no' in config.content | b64decode"
- "config.content | b64decode | regex_search('Match user root\\s*AllowAgentForwarding no')" - "config.content | b64decode | regex_search('Match user root\\s*AllowAgentForwarding no')"
- "'AcceptEnv LS_COLORS' in config.content | b64decode" - "'PermitRootLogin no' in config.content | b64decode"
- "config.content | b64decode | regex_search('Match all\\s*AcceptEnv LS_COLORS')"
- "'PasswordAuthentication no' in config.content | b64decode" - "'PasswordAuthentication no' in config.content | b64decode"
- "'Match Address 127.0.0.1' in config.content | b64decode" - "'Match Address 127.0.0.1' in config.content | b64decode"
- "'AllowTcpForwarding no' in config.content | b64decode" - "'AllowTcpForwarding no' in config.content | b64decode"
@ -80,9 +94,8 @@
# note, the options are in lower-case here # note, the options are in lower-case here
assert: assert:
that: that:
- "'acceptenv EDITOR' in runtime.stdout" - "'permitrootlogin yes' in runtime.stdout"
- "'allowagentforwarding no' in runtime.stdout" - "'allowagentforwarding no' in runtime.stdout"
- "'acceptenv LS_COLORS' in runtime.stdout"
- "'allowtcpforwarding no' in runtime.stdout" - "'allowtcpforwarding no' in runtime.stdout"
- "'passwordauthentication yes' in runtime.stdout" - "'passwordauthentication yes' in runtime.stdout"
@ -90,9 +103,8 @@
# note, the options are in lower-case here # note, the options are in lower-case here
assert: assert:
that: that:
- "'acceptenv EDITOR' in nonmatching.stdout" - "'permitrootlogin yes' in runtime.stdout"
- "'allowAgentforwarding no' not in nonmatching.stdout" - "'allowAgentforwarding no' not in nonmatching.stdout"
- "'acceptenv LS_COLORS' in nonmatching.stdout"
- "'allowtcpforwarding no' not in nonmatching.stdout" - "'allowtcpforwarding no' not in nonmatching.stdout"
- "'passwordauthentication yes' in nonmatching.stdout" - "'passwordauthentication yes' in nonmatching.stdout"
tags: tests::verify tags: tests::verify

View file

@ -32,9 +32,9 @@
- ansible_failed_result.msg != 'UNREACH' - ansible_failed_result.msg != 'UNREACH'
- not role_result.changed - not role_result.changed
msg: "Role has not failed when it should have" msg: "Role has not failed when it should have"
when: when:
- ansible_facts['os_family'] != 'Debian' - ansible_facts['os_family'] != 'Debian'
- not (ansible_facts['distribution'] == 'RedHat' and ansible_facts['distribution_major_version'] == '6') - not (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '6')
tags: tests::verify tags: tests::verify
- name: Make sure the key was not created - name: Make sure the key was not created
@ -52,6 +52,8 @@
register: result register: result
failed_when: result.changed failed_when: result.changed
tags: tests::verify tags: tests::verify
when:
- not (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '6')
- name: "Restore configuration files" - name: "Restore configuration files"
include_tasks: tasks/restore.yml include_tasks: tasks/restore.yml

View file

@ -34,7 +34,8 @@
that: that:
- runtime_before.stdout == runtime_after.stdout - runtime_before.stdout == runtime_after.stdout
when: when:
- not (ansible_facts['distribution'] == 'RedHat' and ansible_facts['distribution_major_version'] == '6') # RHEL6/CentOS6 images have modified sshd_config, different from what is in rpm package
- not (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '6')
- name: Restore configuration files - name: Restore configuration files
include_tasks: tasks/restore.yml include_tasks: tasks/restore.yml

View file

@ -48,6 +48,8 @@
- ansible_failed_result.msg != 'UNREACH' - ansible_failed_result.msg != 'UNREACH'
- not role_result.changed - not role_result.changed
msg: "Role has not failed when it should have" msg: "Role has not failed when it should have"
when:
- not (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '6')
- name: Make sure service is still running - name: Make sure service is still running
service: service:
@ -56,6 +58,8 @@
register: result register: result
failed_when: result.changed failed_when: result.changed
tags: tests::verify tags: tests::verify
when:
- not (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '6')
- name: "Restore configuration files" - name: "Restore configuration files"
include_tasks: tasks/restore.yml include_tasks: tasks/restore.yml

View file

@ -22,3 +22,4 @@ __sshd_defaults:
Subsystem: "sftp {{ sshd_sftp_server }}" Subsystem: "sftp {{ sshd_sftp_server }}"
__sshd_os_supported: yes __sshd_os_supported: yes
__sshd_sysconfig_supports_use_strong_rng: true __sshd_sysconfig_supports_use_strong_rng: true
__sshd_compat_match_all: Match address *

View file

@ -5,3 +5,5 @@ __sshd_config_mode: "0600"
__sshd_hostkey_owner: "root" __sshd_hostkey_owner: "root"
__sshd_hostkey_group: "root" __sshd_hostkey_group: "root"
__sshd_hostkey_mode: "0600" __sshd_hostkey_mode: "0600"
# The OpenSSH 5.3 in RHEL6 does not support "Match all" so we need a workaround
__sshd_compat_match_all: Match all