Fix issues found by linters - enable all tests on all repos - remove suppressions

Cleaning up yamllint errors.
  - Use .yamllint.yml and .yamllint_defaults.yml instead of
    .yamllint.yaml.
  - Fix the invalid indentations.

Cleaning up ansible-lint errors.
  - Add "name" to every task.
  - Use command rather than shell
  - Add "changed_when: false".
  - Use '|' instead of '>' for the shell module.
  - Fix '/bin/sh: line 3: CRYPTO_POLICY: unbound variable'.
  - Add "set -eu" and, where the running shell supports it, "set -o pipefail".
    Note: "pipefail" is a bash/ksh/zsh extension; it is not available in
    strict POSIX "sh" implementations such as "dash".
  - Add "- '306'  # Shells that use pipes should set the pipefail option"
    to .ansible-lint since ansible-lint does not recognize it if it's set
    in "if set -o | grep pipefail".

RHELPLAN-73804
This commit is contained in:
Noriko Hosoi 2021-04-07 11:12:03 -07:00
parent 428d390668
commit 6887864d2c
31 changed files with 831 additions and 765 deletions


@ -1,2 +1,3 @@
warn_list: # or 'skip_list' to silence them completely │ warn_list: # or 'skip_list' to silence them completely │
- '106' # Role name {} does not match ``^[a-z][a-z0-9_]+$`` pattern - '106' # Role name {} does not match ``^[a-z][a-z0-9_]+$`` pattern
- '306' # Shells that use pipes should set the pipefail option
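Review bot: Adding `'306'` to `warn_list` silences the pipefail rule for every shell task in the repository, not only the ones that now set it conditionally, so a future task that pipes without any `set -o pipefail` will produce a warning rather than a failure. The commit message records why the suppression is needed but the file itself does not; a comment next to the entry, e.g. `# 306: pipefail is enabled conditionally (only where the shell supports it), which ansible-lint cannot see`, keeps that rationale where the next maintainer will look. Given the commit title says "remove suppressions", the comment should also state that this one is intentional and deliberately in warn_list rather than skip_list.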


@ -6,7 +6,8 @@ jobs:
build: build:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v2 - name: checkout PR
uses: actions/checkout@v2
- name: ansible check with centos:7 - name: ansible check with centos:7
uses: roles-ansible/check-ansible-centos-centos7-action@master uses: roles-ansible/check-ansible-centos-centos7-action@master
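Review bot: `roles-ansible/check-ansible-centos-centos7-action@master` runs a third-party action from a moving branch, so whoever controls that repository can change what executes against this checkout without any change in this workflow. Pin it to a full commit SHA, e.g. `uses: roles-ansible/check-ansible-centos-centos7-action@<sha>  # master, 2021-04`, and let a bot propose bumps. `actions/checkout@v2` is a mutable tag as well, though GitHub-maintained; pinning it by SHA keeps the policy uniform. The new step name is fine.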


@ -6,7 +6,8 @@ jobs:
build: build:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v2 - name: checkout PR
uses: actions/checkout@v2
- name: ansible check with centos:8 - name: ansible check with centos:8
uses: roles-ansible/check-ansible-centos-centos8-action@master uses: roles-ansible/check-ansible-centos-centos8-action@master
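Review bot: `roles-ansible/check-ansible-centos-centos8-action@master` is an unpinned third-party action: a force-push or compromise of that repository's `master` changes what runs in this job with no diff here. Pin to a full commit SHA (`uses: roles-ansible/check-ansible-centos-centos8-action@<sha>  # master, 2021-04`) and update it deliberately. Consider doing the same for `actions/checkout@v2`, which is a tag rather than an immutable reference.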


@ -7,7 +7,8 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
# Important: This sets up your GITHUB_WORKSPACE environment variable # Important: This sets up your GITHUB_WORKSPACE environment variable
- uses: actions/checkout@v2 - name: checkout PR
uses: actions/checkout@v2
- name: ansible check with debian:buster (10) - name: ansible check with debian:buster (10)
uses: roles-ansible/check-ansible-debian-buster-action@master uses: roles-ansible/check-ansible-debian-buster-action@master
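Review bot: `roles-ansible/check-ansible-debian-buster-action@master` pulls whatever is currently on that branch, so the CI job's behaviour is controlled by a repository outside this one; pin it to a full commit SHA with a trailing comment noting the tracked branch and date, e.g. `uses: roles-ansible/check-ansible-debian-buster-action@<sha>  # master, 2021-04`. The `actions/checkout@v2` tag is mutable too, so pinning it by SHA keeps the workflow consistent.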


@ -7,7 +7,8 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
# Important: This sets up your GITHUB_WORKSPACE environment variable # Important: This sets up your GITHUB_WORKSPACE environment variable
- uses: actions/checkout@v2 - name: checkout PR
uses: actions/checkout@v2
- name: ansible check with debian:stretch (9) - name: ansible check with debian:stretch (9)
uses: roles-ansible/check-ansible-debian-stretch-action@master uses: roles-ansible/check-ansible-debian-stretch-action@master
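Review bot: `roles-ansible/check-ansible-debian-stretch-action@master` is referenced by branch, not by an immutable revision, so its maintainer (or anyone who compromises that repo) can alter what this job executes against the checked-out PR. Pin it to a full commit SHA, `uses: roles-ansible/check-ansible-debian-stretch-action@<sha>  # master, 2021-04`, and apply the same treatment to `actions/checkout@v2`.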


@ -7,7 +7,8 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
# Important: This sets up your GITHUB_WORKSPACE environment variable # Important: This sets up your GITHUB_WORKSPACE environment variable
- uses: actions/checkout@v2 - name: checkout PR
uses: actions/checkout@v2
- name: ansible check with debian:latest - name: ansible check with debian:latest
uses: roles-ansible/check-ansible-debian-latest-action@master uses: roles-ansible/check-ansible-debian-latest-action@master
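Review bot: `roles-ansible/check-ansible-debian-latest-action@master` is a floating reference to a third-party action, which is a supply-chain exposure for every PR this workflow runs on; pin it to a full commit SHA (`uses: roles-ansible/check-ansible-debian-latest-action@<sha>  # master, 2021-04`). `actions/checkout@v2` should be pinned the same way for consistency, even though it is GitHub-maintained.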


@ -7,7 +7,8 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
# Important: This sets up your GITHUB_WORKSPACE environment variable # Important: This sets up your GITHUB_WORKSPACE environment variable
- uses: actions/checkout@v2 - name: checkout PR
uses: actions/checkout@v2
- name: ansible check with fedora:latest - name: ansible check with fedora:latest
uses: roles-ansible/check-ansible-fedora-latest-action@master uses: roles-ansible/check-ansible-fedora-latest-action@master
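Review bot: `roles-ansible/check-ansible-fedora-latest-action@master` executes unreviewed upstream changes as soon as they land on that branch; pin it to a full commit SHA (`uses: roles-ansible/check-ansible-fedora-latest-action@<sha>  # master, 2021-04`) so updates go through a reviewed bump. `actions/checkout@v2` is a tag and can be moved as well; pinning it by SHA completes the policy.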


@ -6,7 +6,8 @@ jobs:
# test-ansible28: # test-ansible28:
# runs-on: ubuntu-latest # runs-on: ubuntu-latest
# steps: # steps:
# - uses: actions/checkout@v2 # - name: checkout PR
# uses: actions/checkout@v2
# - name: Lint Ansible Playbook # - name: Lint Ansible Playbook
# uses: ansible/ansible-lint-action@master # uses: ansible/ansible-lint-action@master
# with: # with:
@ -17,7 +18,8 @@ jobs:
# test-ansible29: # test-ansible29:
# runs-on: ubuntu-latest # runs-on: ubuntu-latest
# steps: # steps:
# - uses: actions/checkout@v2 # - name: checkout PR
# uses: actions/checkout@v2
# - name: Lint Ansible Playbook # - name: Lint Ansible Playbook
# uses: ansible/ansible-lint-action@master # uses: ansible/ansible-lint-action@master
# with: # with:
@ -28,7 +30,8 @@ jobs:
test-ansible210: test-ansible210:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v2 - name: checkout PR
uses: actions/checkout@v2
- name: Lint Ansible Playbook - name: Lint Ansible Playbook
uses: ansible/ansible-lint-action@master uses: ansible/ansible-lint-action@master
with: with:
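Review bot: `ansible/ansible-lint-action@master` in the live `test-ansible210` job (and in the two commented-out jobs above it) tracks a branch rather than an immutable revision, so the linter that gates this repository can change under it without a diff here; pin it to a full commit SHA, `uses: ansible/ansible-lint-action@<sha>  # master, 2021-04`, and likewise pin `actions/checkout@v2`. The `with:` block for this step continues outside the hunk.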


@ -7,7 +7,8 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
# Important: This sets up your GITHUB_WORKSPACE environment variable # Important: This sets up your GITHUB_WORKSPACE environment variable
- uses: actions/checkout@v2 - name: checkout PR
uses: actions/checkout@v2
- name: ansible check with ubuntu:latest - name: ansible check with ubuntu:latest
uses: roles-ansible/check-ansible-ubuntu-latest-action@master uses: roles-ansible/check-ansible-ubuntu-latest-action@master
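Review bot: `roles-ansible/check-ansible-ubuntu-latest-action@master` is an unpinned third-party action, so this job's behaviour depends on the current state of an external branch; pin it to a full commit SHA (`uses: roles-ansible/check-ansible-ubuntu-latest-action@<sha>  # master, 2021-04`) and bump it deliberately. `actions/checkout@v2` is a mutable tag as well and can be pinned the same way.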


@ -1,21 +0,0 @@
---
# Based on ansible-lint config
extends: default
rules:
braces: {max-spaces-inside: 1, level: error}
brackets: {max-spaces-inside: 1, level: error}
colons: {max-spaces-after: -1, level: error}
commas: {max-spaces-after: -1, level: error}
comments: disable
comments-indentation: disable
document-start: disable
empty-lines: {max: 3, level: error}
hyphens: {level: error}
indentation: disable
key-duplicates: enable
line-length: disable
new-line-at-end-of-file: disable
new-lines: {type: unix}
trailing-spaces: disable
truthy: disable

18
.yamllint.yml Normal file

@ -0,0 +1,18 @@
# SPDX-License-Identifier: MIT
---
extends: .yamllint_defaults.yml
# possible customizations over the base yamllint config
# skip the yaml files in the /tests/ directory
# NOTE: If you want to customize `ignore` you'll have to
# copy in all of the config from .yamllint.yml, then
# add your own - so if you want to just add /tests/ to
# be ignored, you'll have to add the ignores from the base
ignore: |
/.tox/
/.github/
# /tests/
# skip checking line length
# NOTE: the above does not apply to `rules` - you do not
# have to copy all of the rules from the base config
rules:
line-length: disable
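Review bot: The comment above `ignore:` tells a maintainer to "copy in all of the config from .yamllint.yml", but the base being extended is `.yamllint_defaults.yml`, so the instruction points at this file itself; reword it to `# copy in the ignore entries from .yamllint_defaults.yml, then add your own`. The `/.github/` entry means the workflow YAML is not linted by yamllint at all — if that is deliberate, say so next to it (`# workflow files are validated by GitHub, not yamllint`). Whether a relative `extends:` path is resolved against the config file's directory or the working directory may depend on the yamllint version; running yamllint from the repository root, as the CI presumably does, sidesteps the question.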

16
.yamllint_defaults.yml Normal file

@ -0,0 +1,16 @@
# SPDX-License-Identifier: MIT
---
ignore: |
/.tox/
extends: default
rules:
braces:
max-spaces-inside: 1
level: error
brackets:
max-spaces-inside: 1
level: error
truthy:
allowed-values: ["yes", "no", "true", "false"]
level: error
document-start: disable
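Review bot: `truthy` is raised to `level: error` but `allowed-values` keeps `yes` and `no`, so the YAML 1.1 boolean ambiguity the rule exists to catch is still permitted and the setting only forbids `on`/`off`/`True`/`False`. If that is the intent (Ansible's conventional `yes`/`no`), record it above the rule, e.g. `# yes/no are allowed for Ansible idiom; on/off/True/False are rejected`; otherwise restrict to `["true", "false"]`. `document-start: disable` also relaxes a rule the two new config files already satisfy, since both begin with `---`; leaving it at the default would enforce what the repository does today.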


@ -19,10 +19,15 @@
# https://www.ibm.com/developerworks/community/blogs/brian/entry/scripting_the_stop_and_restart_of_src_controlled_processes_on_aix6 # https://www.ibm.com/developerworks/community/blogs/brian/entry/scripting_the_stop_and_restart_of_src_controlled_processes_on_aix6
- name: Reload sshd Service (AIX) - name: Reload sshd Service (AIX)
shell: | shell: |
set -eu
if set -o | grep pipefail 2>&1 /dev/null ; then
set -o pipefail
fi
stopsrc -s sshd stopsrc -s sshd
until $(lssrc -s sshd | grep -q inoperative); do sleep 1; done until $(lssrc -s sshd | grep -q inoperative); do sleep 1; done
startsrc -s sshd startsrc -s sshd
listen: reload_sshd listen: reload_sshd
changed_when: false
when: when:
- sshd_allow_reload|bool - sshd_allow_reload|bool
- ansible_os_family == 'AIX' - ansible_os_family == 'AIX'
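Review bot: `if set -o | grep pipefail 2>&1 /dev/null ; then` never enables pipefail: `2>&1 /dev/null` is not a redirection to /dev/null, it hands `/dev/null` to grep as a file operand, so grep searches that empty file instead of the piped `set -o` output, exits 1, and the `set -o pipefail` line is dead. The intended form is `if set -o | grep -q pipefail >/dev/null 2>&1; then`. The `until $(lssrc -s sshd | grep -q inoperative)` loop also has no upper bound, so a service that never reaches inoperative hangs the handler indefinitely; a retry counter that fails after N seconds makes that explicit. `changed_when: false` on a handler that stops and starts sshd misreports a real state change; `changed_when: true` would satisfy the linter truthfully.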


@ -50,14 +50,19 @@
{% endif %} {% endif %}
block: block:
- name: Make sure hostkeys are available - name: Make sure hostkeys are available
shell: > shell: |
set -eu
if set -o | grep pipefail 2>&1 /dev/null ; then
set -o pipefail
fi
{% if sshd_sysconfig %} {% if sshd_sysconfig %}
source /etc/sysconfig/sshd; source /etc/sysconfig/sshd
{% endif %} {% endif %}
ssh-keygen -q -t {{ item | regex_search('(rsa|dsa|ecdsa|ed25519)') }} -f {{ item }} -C '' -N '' ssh-keygen -q -t {{ item | regex_search('(rsa|dsa|ecdsa|ed25519)') }} -f {{ item }} -C '' -N ''
args: args:
creates: "{{ item }}" creates: "{{ item }}"
loop: "{{ __sshd_verify_hostkeys | from_json | list }}" loop: "{{ __sshd_verify_hostkeys | from_json | list }}"
changed_when: false
- name: Make sure private hostkeys have expected permissions - name: Make sure private hostkeys have expected permissions
file: file:
@ -75,14 +80,15 @@
tempfile: tempfile:
state: directory state: directory
register: sshd_test_hostkey register: sshd_test_hostkey
changed_when: False changed_when: false
when: when:
- __sshd_hostkeys_from_config | from_json == [] - __sshd_hostkeys_from_config | from_json == []
- sshd_config_file != "/etc/ssh/sshd_config" - sshd_config_file != "/etc/ssh/sshd_config"
- name: Generate temporary hostkey - name: Generate temporary hostkey
shell: "ssh-keygen -q -t rsa -f {{ sshd_test_hostkey.path }}/rsa_key -C '' -N ''" command: >
changed_when: False ssh-keygen -q -t rsa -f '{{ sshd_test_hostkey.path }}/rsa_key' -C '' -N ''
changed_when: false
when: sshd_test_hostkey.path is defined when: sshd_test_hostkey.path is defined
- name: Make sure sshd runtime directory is present - name: Make sure sshd runtime directory is present
@ -119,7 +125,7 @@
file: file:
path: "{{ sshd_test_hostkey.path }}" path: "{{ sshd_test_hostkey.path }}"
state: absent state: absent
changed_when: False changed_when: false
when: sshd_test_hostkey.path is defined when: sshd_test_hostkey.path is defined
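Review bot: The pipefail probe in "Make sure hostkeys are available" is always false — in `grep pipefail 2>&1 /dev/null` the `/dev/null` is a file operand, not a redirection target, so grep ignores its stdin and `set -o pipefail` is never executed; use `if set -o | grep -q pipefail >/dev/null 2>&1; then`. The new `changed_when: false` on that task hides a real change whenever a host key is generated; `args: creates:` already makes it idempotent and, I believe, also satisfies ansible-lint's no-changed-when rule, so the `changed_when` line can simply be dropped. The temporary-key `command:` single-quotes its path while `-f {{ item }}` in the shell task is unquoted; quoting it the same way keeps a path containing whitespace from splitting. The enclosing `block:` begins before this hunk.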
- name: Install systemd service files - name: Install systemd service files


@ -6,17 +6,21 @@
tempfile: tempfile:
state: directory state: directory
register: __sshd_test_backup register: __sshd_test_backup
changed_when: False changed_when: false
when: when:
- sshd_test_backup_skip is not defined - sshd_test_backup_skip is not defined
- name: Backup files - name: Backup files
shell: > shell: |
if set -o | grep pipefail 2>&1 /dev/null ; then
set -o pipefail
fi
set -eu
if test -f {{ item }}; then if test -f {{ item }}; then
mkdir -p {{ __sshd_test_backup.path }}/$(dirname {{ item }}); mkdir -p {{ __sshd_test_backup.path }}/$(dirname {{ item }})
cp {{ item }} {{ __sshd_test_backup.path }}/$(dirname {{ item }}) cp {{ item }} {{ __sshd_test_backup.path }}/$(dirname {{ item }})
fi fi
changed_when: False changed_when: false
loop: "{{ __sshd_test_backup_files | d([]) }}" loop: "{{ __sshd_test_backup_files | d([]) }}"
when: when:
- __sshd_test_backup is defined - __sshd_test_backup is defined
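Review bot: `grep pipefail 2>&1 /dev/null` passes `/dev/null` to grep as the file to search, so the condition is always false and pipefail is never enabled here either; the redirection should read `>/dev/null 2>&1` (or use `grep -q pipefail` alone). This task also places `set -eu` after the pipefail block, unlike every other task in the commit; putting it first keeps the scripts uniform. `cp` without `-p` stores the backup with umask-default mode and ownership, so a later restore of a removed file (a private host key, for instance) comes back with different permissions than it had — `cp -p` preserves them. `{{ item }}` and `{{ __sshd_test_backup.path }}` are interpolated unquoted; single-quoting them guards against paths with spaces.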


@ -1,12 +1,16 @@
--- ---
- name: Restore backed up files and remove what was not present - name: Restore backed up files and remove what was not present
shell: > shell: |
set -eu
if set -o | grep pipefail 2>&1 /dev/null ; then
set -o pipefail
fi
if test -f {{ __sshd_test_backup.path }}/{{ item }}; then if test -f {{ __sshd_test_backup.path }}/{{ item }}; then
cp {{ __sshd_test_backup.path }}/{{ item }} $(dirname {{ item }}) cp {{ __sshd_test_backup.path }}/{{ item }} $(dirname {{ item }})
elif test -f {{ item }}; then elif test -f {{ item }}; then
rm {{ item }} rm {{ item }}
fi fi
changed_when: False changed_when: false
loop: "{{ __sshd_test_backup_files | d([]) }}" loop: "{{ __sshd_test_backup_files | d([]) }}"
when: when:
- __sshd_test_backup is defined - __sshd_test_backup is defined
@ -16,7 +20,7 @@
file: file:
path: "{{ __sshd_test_backup.path }}" path: "{{ __sshd_test_backup.path }}"
state: absent state: absent
changed_when: False changed_when: false
when: when:
- __sshd_test_backup is defined - __sshd_test_backup is defined
- __sshd_test_backup.path is defined - __sshd_test_backup.path is defined
@ -25,7 +29,7 @@
service: service:
name: sshd name: sshd
state: reloaded state: reloaded
changed_when: False changed_when: false
when: when:
- __sshd_test_backup is defined - __sshd_test_backup is defined
- ansible_virtualization_type|default(None) != 'docker' - ansible_virtualization_type|default(None) != 'docker'
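Review bot: Same pipefail probe defect as the other tasks: `2>&1 /dev/null` makes `/dev/null` grep's input file, so `set -o pipefail` is unreachable; write `>/dev/null 2>&1`. The restore `cp` does not preserve mode or ownership (`cp -p`), which matters when the original file was removed during the test and is recreated with umask defaults rather than the 0600 a private host key had. In the third hunk, `changed_when: false` on `service: state: reloaded` misreports a real reload; `changed_when: true` is the honest value if the linter insists on an explicit one. The reload task's `when:` list continues past the hunk.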


@ -54,11 +54,13 @@
src: "{{ main_sshd_config }}" src: "{{ main_sshd_config }}"
register: config register: config
- stat: - name: Get stat of private key
stat:
path: /tmp/ssh_host_rsa_key2 path: /tmp/ssh_host_rsa_key2
register: privkey register: privkey
- stat: - name: Get stat of public key
stat:
path: /tmp/ssh_host_rsa_key2.pub path: /tmp/ssh_host_rsa_key2.pub
register: pubkey register: pubkey


@ -11,18 +11,24 @@
include_tasks: tasks/backup.yml include_tasks: tasks/backup.yml
- name: Show effective configuration before running role (system defaults) - name: Show effective configuration before running role (system defaults)
shell: > shell: |
set -eu
if set -o | grep pipefail 2>&1 /dev/null ; then
set -o pipefail
fi
if test ! -f /etc/ssh/ssh_host_rsa_key; then if test ! -f /etc/ssh/ssh_host_rsa_key; then
ssh-keygen -q -t rsa -f /etc/ssh/ssh_host_rsa_key -C '' -N '' ssh-keygen -q -t rsa -f /etc/ssh/ssh_host_rsa_key -C '' -N ''
fi; fi
sshd -T sshd -T
register: runtime_before register: runtime_before
changed_when: false
- name: Configure sshd - name: Configure sshd
include_role: include_role:
name: ansible-sshd name: ansible-sshd
- name: Show effective configuration after running role (role defaults) - name: Show effective configuration after running role (role defaults)
shell: sshd -T command: sshd -T
register: runtime_after register: runtime_after
changed_when: false
- debug: - debug:
var: ansible_facts['distribution'] var: ansible_facts['distribution']
- debug: - debug:
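Review bot: `grep pipefail 2>&1 /dev/null` searches /dev/null instead of the piped `set -o` output, so the condition is always false and pipefail is never set; the redirection belongs as `>/dev/null 2>&1`. The "Show effective configuration" task also creates `/etc/ssh/ssh_host_rsa_key` as a side effect while declaring `changed_when: false`, so the run report hides a host key being generated on the test host. Move the `ssh-keygen` into its own task with `args: creates: /etc/ssh/ssh_host_rsa_key`, and leave `sshd -T` as a read-only `command:` with `changed_when: false`, exactly as the post-role task below already does.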


@ -25,12 +25,17 @@
register: config register: config
- name: Print effective configuration - name: Print effective configuration
shell: > shell: |
set -eu
if set -o | grep pipefail 2>&1 /dev/null ; then
set -o pipefail
fi
if test ! -f /etc/ssh/ssh_host_rsa_key; then if test ! -f /etc/ssh/ssh_host_rsa_key; then
ssh-keygen -q -t rsa -f /etc/ssh/ssh_host_rsa_key -C '' -N '' ssh-keygen -q -t rsa -f /etc/ssh/ssh_host_rsa_key -C '' -N ''
fi; fi
sshd -T sshd -T
register: runtime register: runtime
changed_when: false
- name: Check the options were not applied - name: Check the options were not applied
# note, the options are in lower-case here # note, the options are in lower-case here
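Review bot: The pipefail check here is inert for the same reason as elsewhere in this commit — `2>&1 /dev/null` gives grep a file operand, so it never reads the piped `set -o` output and `set -o pipefail` is skipped; use `if set -o | grep -q pipefail >/dev/null 2>&1; then`. "Print effective configuration" generates a host key as a side effect under `changed_when: false`, masking that change; splitting the `ssh-keygen` into a separate task guarded by `args: creates:` keeps the `sshd -T` task genuinely read-only.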


@ -28,18 +28,28 @@
- name: Evaluate sysconfig similarly as systemd - name: Evaluate sysconfig similarly as systemd
shell: | shell: |
set -eu
if set -o | grep pipefail 2>&1 /dev/null ; then
set -o pipefail
fi
source /etc/sysconfig/sshd source /etc/sysconfig/sshd
echo "CP=|$CRYPTO_POLICY|" echo "CP=|${CRYPTO_POLICY:-}|"
echo "RNG=|$SSH_USE_STRONG_RNG|" echo "RNG=|${SSH_USE_STRONG_RNG:-}|"
register: evaluation register: evaluation
changed_when: false
- name: Evaluate sysconfig similarly as systemd on RHEL 8 - name: Evaluate sysconfig similarly as systemd on RHEL 8
shell: | shell: |
set -eu
if set -o | grep pipefail 2>&1 /dev/null ; then
set -o pipefail
fi
source /etc/crypto-policies/back-ends/opensshserver.config source /etc/crypto-policies/back-ends/opensshserver.config
source /etc/sysconfig/sshd source /etc/sysconfig/sshd
echo "CP=|$CRYPTO_POLICY|" echo "CP=|${CRYPTO_POLICY:-}|"
echo "RNG=|$SSH_USE_STRONG_RNG|" echo "RNG=|${SSH_USE_STRONG_RNG:-}|"
register: evaluation8 register: evaluation8
changed_when: false
when: when:
- ansible_facts['os_family'] == "RedHat" - ansible_facts['os_family'] == "RedHat"
- ansible_facts['distribution_major_version'] == "8" - ansible_facts['distribution_major_version'] == "8"
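Review bot: `if set -o | grep pipefail 2>&1 /dev/null ; then` never enables pipefail in either task: `/dev/null` is taken as grep's file operand, the piped output is ignored and the test is always false; write `>/dev/null 2>&1` (or `grep -q pipefail`). The `${CRYPTO_POLICY:-}` / `${SSH_USE_STRONG_RNG:-}` defaults correctly fix the unbound-variable abort, but note that with `set -e` a missing `/etc/sysconfig/sshd` or `opensshserver.config` now fails the task where it previously printed empty values — probably intended, and worth a one-line `# fail loudly if the sysconfig file is missing` comment. `source` is a bash builtin and the `shell` module defaults to `/bin/sh`; `.` is the portable spelling if the first, unconditional task is ever run on a dash-based host.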