Fix issues found by linters - enable all tests on all repos - remove suppressions

Cleaning up yamllint errors.
  - Use .yamllint.yml and .yamllint_defaults.yml instead of
    .yamllint.yaml.
  - Fix the invalid indentations.

Cleaning up ansible-lint errors.
  - Add "name" to every task.
  - Use command rather than shell
  - Add "changed_when: false".
  - Use '|' instead of '>' for the shell module.
  - Fix '/bin/sh: line 3: CRYPTO_POLICY: unbound variable'.
  - Add "set -eu" and "set -o pipefail" if pipefail is available.
    Note: "pipefail" is not available in "sh" and "dash".
  - Add "- '306'  # Shells that use pipes should set the pipefail option"
    to .ansible-lint since ansible-lint does not recognize it if it's set
    in "if set -o | grep pipefail".

RHELPLAN-73804
This commit is contained in:
Noriko Hosoi 2021-04-07 11:12:03 -07:00
parent 428d390668
commit 6887864d2c
31 changed files with 831 additions and 765 deletions

View file

@ -1,2 +1,3 @@
warn_list: # or 'skip_list' to silence them completely │
- '106' # Role name {} does not match ``^[a-z][a-z0-9_]+$`` pattern
- '306' # Shells that use pipes should set the pipefail option

View file

@ -6,7 +6,8 @@ jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: checkout PR
uses: actions/checkout@v2
- name: ansible check with centos:7
uses: roles-ansible/check-ansible-centos-centos7-action@master

View file

@ -6,7 +6,8 @@ jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: checkout PR
uses: actions/checkout@v2
- name: ansible check with centos:8
uses: roles-ansible/check-ansible-centos-centos8-action@master

View file

@ -7,7 +7,8 @@ jobs:
runs-on: ubuntu-latest
steps:
# Important: This sets up your GITHUB_WORKSPACE environment variable
- uses: actions/checkout@v2
- name: checkout PR
uses: actions/checkout@v2
- name: ansible check with debian:buster (10)
uses: roles-ansible/check-ansible-debian-buster-action@master

View file

@ -7,7 +7,8 @@ jobs:
runs-on: ubuntu-latest
steps:
# Important: This sets up your GITHUB_WORKSPACE environment variable
- uses: actions/checkout@v2
- name: checkout PR
uses: actions/checkout@v2
- name: ansible check with debian:stretch (9)
uses: roles-ansible/check-ansible-debian-stretch-action@master

View file

@ -7,7 +7,8 @@ jobs:
runs-on: ubuntu-latest
steps:
# Important: This sets up your GITHUB_WORKSPACE environment variable
- uses: actions/checkout@v2
- name: checkout PR
uses: actions/checkout@v2
- name: ansible check with debian:latest
uses: roles-ansible/check-ansible-debian-latest-action@master

View file

@ -7,7 +7,8 @@ jobs:
runs-on: ubuntu-latest
steps:
# Important: This sets up your GITHUB_WORKSPACE environment variable
- uses: actions/checkout@v2
- name: checkout PR
uses: actions/checkout@v2
- name: ansible check with fedora:latest
uses: roles-ansible/check-ansible-fedora-latest-action@master

View file

@ -3,32 +3,35 @@ name: Ansible Lint # feel free to pick your own name
on: [push, pull_request]
jobs:
# test-ansible28:
# runs-on: ubuntu-latest
# steps:
# - uses: actions/checkout@v2
# - name: Lint Ansible Playbook
# uses: ansible/ansible-lint-action@master
# with:
# targets: "tests/test_*.yml"
# override-deps: |
# ansible==2.8
# args: ""
# test-ansible29:
# runs-on: ubuntu-latest
# steps:
# - uses: actions/checkout@v2
# - name: Lint Ansible Playbook
# uses: ansible/ansible-lint-action@master
# with:
# targets: "tests/test_*.yml"
# override-deps: |
# ansible==2.9
# args: ""
# test-ansible28:
# runs-on: ubuntu-latest
# steps:
# - name: checkout PR
# uses: actions/checkout@v2
# - name: Lint Ansible Playbook
# uses: ansible/ansible-lint-action@master
# with:
# targets: "tests/test_*.yml"
# override-deps: |
# ansible==2.8
# args: ""
# test-ansible29:
# runs-on: ubuntu-latest
# steps:
# - name: checkout PR
# uses: actions/checkout@v2
# - name: Lint Ansible Playbook
# uses: ansible/ansible-lint-action@master
# with:
# targets: "tests/test_*.yml"
# override-deps: |
# ansible==2.9
# args: ""
test-ansible210:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: checkout PR
uses: actions/checkout@v2
- name: Lint Ansible Playbook
uses: ansible/ansible-lint-action@master
with:

View file

@ -7,7 +7,8 @@ jobs:
runs-on: ubuntu-latest
steps:
# Important: This sets up your GITHUB_WORKSPACE environment variable
- uses: actions/checkout@v2
- name: checkout PR
uses: actions/checkout@v2
- name: ansible check with ubuntu:latest
uses: roles-ansible/check-ansible-ubuntu-latest-action@master

View file

@ -1,21 +0,0 @@
---
# Based on ansible-lint config
extends: default
rules:
braces: {max-spaces-inside: 1, level: error}
brackets: {max-spaces-inside: 1, level: error}
colons: {max-spaces-after: -1, level: error}
commas: {max-spaces-after: -1, level: error}
comments: disable
comments-indentation: disable
document-start: disable
empty-lines: {max: 3, level: error}
hyphens: {level: error}
indentation: disable
key-duplicates: enable
line-length: disable
new-line-at-end-of-file: disable
new-lines: {type: unix}
trailing-spaces: disable
truthy: disable

18
.yamllint.yml Normal file
View file

@ -0,0 +1,18 @@
# SPDX-License-Identifier: MIT
---
extends: .yamllint_defaults.yml
# possible customizations over the base yamllint config
# skip the yaml files in the /tests/ directory
# NOTE: If you want to customize `ignore` you'll have to
# copy in all of the config from .yamllint.yml, then
# add your own - so if you want to just add /tests/ to
# be ignored, you'll have to add the ignores from the base
ignore: |
/.tox/
/.github/
# /tests/
# skip checking line length
# NOTE: the above does not apply to `rules` - you do not
# have to copy all of the rules from the base config
rules:
line-length: disable

16
.yamllint_defaults.yml Normal file
View file

@ -0,0 +1,16 @@
# SPDX-License-Identifier: MIT
---
ignore: |
/.tox/
extends: default
rules:
braces:
max-spaces-inside: 1
level: error
brackets:
max-spaces-inside: 1
level: error
truthy:
allowed-values: ["yes", "no", "true", "false"]
level: error
document-start: disable

View file

@ -19,10 +19,15 @@
# https://www.ibm.com/developerworks/community/blogs/brian/entry/scripting_the_stop_and_restart_of_src_controlled_processes_on_aix6
- name: Reload sshd Service (AIX)
shell: |
set -eu
if set -o | grep pipefail 2>&1 /dev/null ; then
set -o pipefail
fi
stopsrc -s sshd
until $(lssrc -s sshd | grep -q inoperative); do sleep 1; done
startsrc -s sshd
listen: reload_sshd
changed_when: false
when:
- sshd_allow_reload|bool
- ansible_os_family == 'AIX'

View file

@ -50,14 +50,19 @@
{% endif %}
block:
- name: Make sure hostkeys are available
shell: >
shell: |
set -eu
if set -o | grep pipefail 2>&1 /dev/null ; then
set -o pipefail
fi
{% if sshd_sysconfig %}
source /etc/sysconfig/sshd;
source /etc/sysconfig/sshd
{% endif %}
ssh-keygen -q -t {{ item | regex_search('(rsa|dsa|ecdsa|ed25519)') }} -f {{ item }} -C '' -N ''
args:
creates: "{{ item }}"
loop: "{{ __sshd_verify_hostkeys | from_json | list }}"
changed_when: false
- name: Make sure private hostkeys have expected permissions
file:
@ -75,14 +80,15 @@
tempfile:
state: directory
register: sshd_test_hostkey
changed_when: False
changed_when: false
when:
- __sshd_hostkeys_from_config | from_json == []
- sshd_config_file != "/etc/ssh/sshd_config"
- name: Generate temporary hostkey
shell: "ssh-keygen -q -t rsa -f {{ sshd_test_hostkey.path }}/rsa_key -C '' -N ''"
changed_when: False
command: >
ssh-keygen -q -t rsa -f '{{ sshd_test_hostkey.path }}/rsa_key' -C '' -N ''
changed_when: false
when: sshd_test_hostkey.path is defined
- name: Make sure sshd runtime directory is present
@ -119,7 +125,7 @@
file:
path: "{{ sshd_test_hostkey.path }}"
state: absent
changed_when: False
changed_when: false
when: sshd_test_hostkey.path is defined
- name: Install systemd service files

View file

@ -6,17 +6,21 @@
tempfile:
state: directory
register: __sshd_test_backup
changed_when: False
changed_when: false
when:
- sshd_test_backup_skip is not defined
- name: Backup files
shell: >
shell: |
if set -o | grep pipefail 2>&1 /dev/null ; then
set -o pipefail
fi
set -eu
if test -f {{ item }}; then
mkdir -p {{ __sshd_test_backup.path }}/$(dirname {{ item }});
mkdir -p {{ __sshd_test_backup.path }}/$(dirname {{ item }})
cp {{ item }} {{ __sshd_test_backup.path }}/$(dirname {{ item }})
fi
changed_when: False
changed_when: false
loop: "{{ __sshd_test_backup_files | d([]) }}"
when:
- __sshd_test_backup is defined

View file

@ -1,12 +1,16 @@
---
- name: Restore backed up files and remove what was not present
shell: >
shell: |
set -eu
if set -o | grep pipefail 2>&1 /dev/null ; then
set -o pipefail
fi
if test -f {{ __sshd_test_backup.path }}/{{ item }}; then
cp {{ __sshd_test_backup.path }}/{{ item }} $(dirname {{ item }})
elif test -f {{ item }}; then
rm {{ item }}
fi
changed_when: False
changed_when: false
loop: "{{ __sshd_test_backup_files | d([]) }}"
when:
- __sshd_test_backup is defined
@ -16,7 +20,7 @@
file:
path: "{{ __sshd_test_backup.path }}"
state: absent
changed_when: False
changed_when: false
when:
- __sshd_test_backup is defined
- __sshd_test_backup.path is defined
@ -25,7 +29,7 @@
service:
name: sshd
state: reloaded
changed_when: False
changed_when: false
when:
- __sshd_test_backup is defined
- ansible_virtualization_type|default(None) != 'docker'

View file

@ -54,11 +54,13 @@
src: "{{ main_sshd_config }}"
register: config
- stat:
- name: Get stat of private key
stat:
path: /tmp/ssh_host_rsa_key2
register: privkey
- stat:
- name: Get stat of public key
stat:
path: /tmp/ssh_host_rsa_key2.pub
register: pubkey

View file

@ -11,18 +11,24 @@
include_tasks: tasks/backup.yml
- name: Show effective configuration before running role (system defaults)
shell: >
shell: |
set -eu
if set -o | grep pipefail 2>&1 /dev/null ; then
set -o pipefail
fi
if test ! -f /etc/ssh/ssh_host_rsa_key; then
ssh-keygen -q -t rsa -f /etc/ssh/ssh_host_rsa_key -C '' -N ''
fi;
fi
sshd -T
register: runtime_before
changed_when: false
- name: Configure sshd
include_role:
name: ansible-sshd
- name: Show effective configuration after running role (role defaults)
shell: sshd -T
command: sshd -T
register: runtime_after
changed_when: false
- debug:
var: ansible_facts['distribution']
- debug:

View file

@ -25,12 +25,17 @@
register: config
- name: Print effective configuration
shell: >
shell: |
set -eu
if set -o | grep pipefail 2>&1 /dev/null ; then
set -o pipefail
fi
if test ! -f /etc/ssh/ssh_host_rsa_key; then
ssh-keygen -q -t rsa -f /etc/ssh/ssh_host_rsa_key -C '' -N ''
fi;
fi
sshd -T
register: runtime
changed_when: false
- name: Check the options were not applied
# note, the options are in lower-case here

View file

@ -28,18 +28,28 @@
- name: Evaluate sysconfig similarly as systemd
shell: |
set -eu
if set -o | grep pipefail 2>&1 /dev/null ; then
set -o pipefail
fi
source /etc/sysconfig/sshd
echo "CP=|$CRYPTO_POLICY|"
echo "RNG=|$SSH_USE_STRONG_RNG|"
echo "CP=|${CRYPTO_POLICY:-}|"
echo "RNG=|${SSH_USE_STRONG_RNG:-}|"
register: evaluation
changed_when: false
- name: Evaluate sysconfig similarly as systemd on RHEL 8
shell: |
set -eu
if set -o | grep pipefail 2>&1 /dev/null ; then
set -o pipefail
fi
source /etc/crypto-policies/back-ends/opensshserver.config
source /etc/sysconfig/sshd
echo "CP=|$CRYPTO_POLICY|"
echo "RNG=|$SSH_USE_STRONG_RNG|"
echo "CP=|${CRYPTO_POLICY:-}|"
echo "RNG=|${SSH_USE_STRONG_RNG:-}|"
register: evaluation8
changed_when: false
when:
- ansible_facts['os_family'] == "RedHat"
- ansible_facts['distribution_major_version'] == "8"