feat: Ubuntu noble (#290)

* feat: Add support for Ubuntu Noble/24.04 LTS
* fix: Add missing PrintMotd to Ubuntu 22.04
* fix(tests): Various linting fixes

---------
Co-authored-by: Jakub Jelen <jjelen@redhat.com>
Matt Willsher 2024-06-21 09:12:02 +01:00 committed by GitHub
parent 7c76e9d6ce
commit d4eae954c1
20 changed files with 76 additions and 17 deletions


@ -5,6 +5,7 @@ exclude_paths:
- .markdownlint.yaml - .markdownlint.yaml
skip_list: skip_list:
- var-naming[no-role-prefix] - var-naming[no-role-prefix]
- meta-runtime[unsupported-version]
mock_roles: mock_roles:
- willshersystems.sshd.ansible-sshd - willshersystems.sshd.ansible-sshd
mock_modules: mock_modules:
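Review bot: Adding `meta-runtime[unsupported-version]` to `skip_list` suppresses the finding without recording why it is acceptable; presumably it fires on the `requires_ansible: ">=2.15.0"` floor introduced in the new meta/runtime.yml, but the hunk does not say. A one-line comment above the entry, such as `# requires_ansible floor deliberately keeps ansible-core 2.15; revisit when the floor is raised`, keeps the suppression reviewable instead of permanent. The skip_list and the rest of the file continue outside this hunk.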


@ -1,14 +1,14 @@
--- ---
repos: repos:
- repo: https://github.com/adrienverge/yamllint.git - repo: https://github.com/adrienverge/yamllint.git
rev: v1.27.1 rev: 81e9f98ffd059efe8aa9c1b1a42e5cce61b640c6 # frozen: v1.35.1
hooks: hooks:
- id: yamllint - id: yamllint
files: \.(yaml|yml)$ files: \.(yaml|yml)$
types: [file, yaml] types: [file, yaml]
entry: yamllint --strict entry: yamllint --strict
- repo: https://github.com/ansible/ansible-lint.git - repo: https://github.com/ansible/ansible-lint.git
rev: v6.5.2 rev: 2d9f1ed1e6d08e1f6a18e50f789ab1580220c7db # frozen: v24.6.0
hooks: hooks:
- id: ansible-lint - id: ansible-lint
files: \.(yaml|yml)$ files: \.(yaml|yml)$


@ -4,6 +4,12 @@ ignore: |
/.tox/ /.tox/
/.github/ /.github/
/tests/roles/ /tests/roles/
# skip checking line length
rules: rules:
comments-indentation: false
document-start: disable
line-length: disable line-length: disable
braces:
max-spaces-inside: 1
octal-values:
forbid-implicit-octal: true
forbid-explicit-octal: true


@ -6,7 +6,7 @@ In the interest of fostering an open and welcoming environment, we as
contributors and maintainers pledge to making participation in our project and contributors and maintainers pledge to making participation in our project and
our community a harassment-free experience for everyone, regardless of age, body our community a harassment-free experience for everyone, regardless of age, body
size, disability, ethnicity, sex characteristics, gender identity and expression, size, disability, ethnicity, sex characteristics, gender identity and expression,
level of experience, education, socio-economic status, nationality, personal level of experience, education, socioeconomic status, nationality, personal
appearance, race, religion, or sexual identity and orientation. appearance, race, religion, or sexual identity and orientation.
## Our Standards ## Our Standards


@ -27,7 +27,7 @@ via simple password. If you need this functionality, be sure to set
Tested on: Tested on:
* Ubuntu precise, trusty, xenial, bionic, focal, jammy * Ubuntu precise, trusty, xenial, bionic, focal, jammy, noble
* [![Run tests on Ubuntu latest](https://github.com/willshersystems/ansible-sshd/actions/workflows/ansible-ubuntu.yml/badge.svg)](https://github.com/willshersystems/ansible-sshd/actions/workflows/ansible-ubuntu.yml) * [![Run tests on Ubuntu latest](https://github.com/willshersystems/ansible-sshd/actions/workflows/ansible-ubuntu.yml/badge.svg)](https://github.com/willshersystems/ansible-sshd/actions/workflows/ansible-ubuntu.yml)
* Debian wheezy, jessie, stretch, buster, bullseye, bookworm * Debian wheezy, jessie, stretch, buster, bullseye, bookworm
* [![Run tests on Debian](https://github.com/willshersystems/ansible-sshd/actions/workflows/ansible-debian-check.yml/badge.svg)](https://github.com/willshersystems/ansible-sshd/actions/workflows/ansible-debian-check.yml) * [![Run tests on Debian](https://github.com/willshersystems/ansible-sshd/actions/workflows/ansible-debian-check.yml/badge.svg)](https://github.com/willshersystems/ansible-sshd/actions/workflows/ansible-debian-check.yml)


@ -10,7 +10,7 @@
- ansible_connection != 'chroot' - ansible_connection != 'chroot'
- ansible_facts['os_family'] != 'AIX' - ansible_facts['os_family'] != 'AIX'
- ansible_facts['os_family'] != 'OpenWrt' - ansible_facts['os_family'] != 'OpenWrt'
listen: reload_sshd listen: Reload_sshd
# sshd on AIX cannot be 'reloaded', it must be Stopped+Started. # sshd on AIX cannot be 'reloaded', it must be Stopped+Started.
# It's dangerous to do this in two tasks.. you're stopping SSH and then trying to SSH back in to start it. # It's dangerous to do this in two tasks.. you're stopping SSH and then trying to SSH back in to start it.
@ -25,7 +25,7 @@
stopsrc -s sshd stopsrc -s sshd
until $(lssrc -s sshd | grep -q inoperative); do sleep 1; done until $(lssrc -s sshd | grep -q inoperative); do sleep 1; done
startsrc -s sshd startsrc -s sshd
listen: reload_sshd listen: Reload_sshd
changed_when: false changed_when: false
when: when:
- sshd_allow_reload|bool - sshd_allow_reload|bool
@ -39,4 +39,4 @@
when: when:
- sshd_allow_reload|bool - sshd_allow_reload|bool
- ansible_facts['os_family'] == 'OpenWrt' - ansible_facts['os_family'] == 'OpenWrt'
listen: reload_sshd listen: Reload_sshd
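Review bot: Renaming the `listen` topic from `reload_sshd` to `Reload_sshd` on all three handlers is a silent compatibility break: handler topics are matched as plain strings, so any playbook or neighbouring role that still notifies `reload_sshd` will no longer trigger a reload, and a freshly written sshd_config (including any hardening it carries) stays unapplied until something else restarts the daemon. Since `listen` accepts a list, the old topic can be kept alongside the new one on each handler with `listen:` / `  - Reload_sshd` / `  - reload_sshd`. The `notify:` lines in the task sections below were renamed consistently and need no further change if both topics are kept. All three handler definitions start outside this hunk.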


@ -24,8 +24,9 @@ galaxy_info:
- bionic - bionic
- focal - focal
- jammy - jammy
- noble
- name: FreeBSD - name: FreeBSD
version: versions:
- "10.1" - "10.1"
- name: EL - name: EL
versions: versions:

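--- /dev/null
+++ b/meta/runtime.yml
@@ -0,0 +1,2 @@
+---
+requires_ansible: ">=2.15.0"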


@ -22,7 +22,7 @@
when: when:
- sshd_sysconfig | bool - sshd_sysconfig | bool
- __sshd_sysconfig_supports_use_strong_rng or __sshd_sysconfig_supports_crypto_policy - __sshd_sysconfig_supports_use_strong_rng or __sshd_sysconfig_supports_crypto_policy
notify: reload_sshd notify: Reload_sshd
- name: Check FIPS mode - name: Check FIPS mode
ansible.builtin.include_tasks: check_fips.yml ansible.builtin.include_tasks: check_fips.yml


@ -24,7 +24,7 @@
{{ sshd_binary }} -t -f %s {{ sshd_binary }} -t -f %s
{% endif %} {% endif %}
backup: "{{ sshd_backup }}" backup: "{{ sshd_backup }}"
notify: reload_sshd notify: Reload_sshd
- name: Make sure the include path is present in the main sshd_config - name: Make sure the include path is present in the main sshd_config
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
@ -43,7 +43,7 @@
{{ sshd_binary }} -t -f %s {{ sshd_binary }} -t -f %s
{% endif %} {% endif %}
backup: "{{ sshd_backup }}" backup: "{{ sshd_backup }}"
notify: reload_sshd notify: Reload_sshd
when: when:
- sshd_main_config_file is not none - sshd_main_config_file is not none
- sshd_config_file | dirname == sshd_main_config_file ~ '.d' - sshd_config_file | dirname == sshd_main_config_file ~ '.d'


@ -21,4 +21,4 @@
{{ sshd_binary }} -t -f %s {{ sshd_binary }} -t -f %s
{% endif %} {% endif %}
backup: "{{ sshd_backup }}" backup: "{{ sshd_backup }}"
notify: reload_sshd notify: Reload_sshd


@ -12,7 +12,7 @@
owner: root owner: root
group: root group: root
mode: "0644" mode: "0644"
notify: reload_sshd notify: Reload_sshd
- name: Install instanced service unit file - name: Install instanced service unit file
ansible.builtin.template: ansible.builtin.template:
@ -21,7 +21,7 @@
owner: root owner: root
group: root group: root
mode: "0644" mode: "0644"
notify: reload_sshd notify: Reload_sshd
when: when:
- __sshd_socket_accept | bool - __sshd_socket_accept | bool
@ -32,7 +32,7 @@
owner: root owner: root
group: root group: root
mode: "0644" mode: "0644"
notify: reload_sshd notify: Reload_sshd
- name: Service enabled and running - name: Service enabled and running
ansible.builtin.service: ansible.builtin.service:


@ -14,6 +14,12 @@ Accept=yes
{% else %} {% else %}
Accept=no Accept=no
{% endif %} {% endif %}
{% if __sshd_socket_freebind is not none %}
FreeBind={{ 'yes' if __sshd_socket_freebind else 'no' }}
{% endif %}
[Install] [Install]
WantedBy=sockets.target WantedBy=sockets.target
{% if __sshd_socket_required_by is not none %}
RequiredBy={{ __sshd_socket_required_by }}
{% endif %}


@ -93,7 +93,7 @@
| grep -o '^\( \| \)[A-Z][A-Za-z0-9]*\(.\| \)' \ | grep -o '^\( \| \)[A-Z][A-Za-z0-9]*\(.\| \)' \
| grep -v "[A-Za-z0-9] $" | grep -v "[^A-Za-z0-9 ]$" \ | grep -v "[A-Za-z0-9] $" | grep -v "[^A-Za-z0-9 ]$" \
| awk '{ print $1 }' \ | awk '{ print $1 }' \
| grep -v '^$' | grep -v "^\(Match\|OpenSSH\|The\|Arguments\|Theo\)$" | grep -v '^$' | grep -v "^\(Match\|OpenSSH\|The\|Arguments\|Theo\|Tatu\|Aaron\|Each\)$"
args: args:
executable: /bin/bash executable: /bin/bash
register: sshd_options register: sshd_options
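Review bot: The exclusion list on the final `grep -v` is now a hand-maintained list of words (`Tatu`, `Aaron`, `Each` are new here) that the option-scraping pipeline apparently picks up from prose rather than from keyword names, and nothing in the hunk says where they come from, so the next false positive will be puzzling to whoever hits it. A comment on the line before the pipeline, e.g. `# drop capitalised words that match the option pattern but come from comment/author text, not from keywords`, would make the filter self-explanatory. The shell command and the task that owns it start outside this hunk.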


@ -94,6 +94,7 @@
- ansible_facts['service_mgr'] == 'systemd' or - ansible_facts['service_mgr'] == 'systemd' or
(ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '7') (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '7')
- ansible_facts['distribution'] != "Debian" or ansible_facts['distribution_major_version'] | int < 12 - ansible_facts['distribution'] != "Debian" or ansible_facts['distribution_major_version'] | int < 12
- not (ansible_facts['distribution'] == 'Ubuntu' and ansible_facts['distribution_version'] is version('24.04', '>='))
block: block:
- name: Read the created instantiated service file - name: Read the created instantiated service file
ansible.builtin.slurp: ansible.builtin.slurp:
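Review bot: The new condition excluding Ubuntu 24.04 and later from the instantiated-service check carries no comment saying why, and the identical line is added to the two following test sections as well, so the reason has to be rediscovered three times. Add a comment above the first occurrence naming the cause (the commit does not state it; presumably the 24.04 install does not produce the instantiated unit the block reads), and consider computing the exclusion once into a test variable that all three `when:` lists reference, so the next distribution change is a single edit. The `when:` list and the surrounding block start outside this hunk.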


@ -106,6 +106,7 @@
when: when:
- ansible_facts['service_mgr'] == 'systemd' - ansible_facts['service_mgr'] == 'systemd'
- ansible_facts['distribution'] != "Debian" or ansible_facts['distribution_major_version'] | int < 12 - ansible_facts['distribution'] != "Debian" or ansible_facts['distribution_major_version'] | int < 12
- not (ansible_facts['distribution'] == 'Ubuntu' and ansible_facts['distribution_version'] is version('24.04', '>='))
block: block:
- name: Read the created instantiated service file - name: Read the created instantiated service file
ansible.builtin.slurp: ansible.builtin.slurp:


@ -118,6 +118,7 @@
- ansible_facts['service_mgr'] == 'systemd' or - ansible_facts['service_mgr'] == 'systemd' or
(ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '7') (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '7')
- ansible_facts['distribution'] != "Debian" or ansible_facts['distribution_major_version'] | int < 12 - ansible_facts['distribution'] != "Debian" or ansible_facts['distribution_major_version'] | int < 12
- not (ansible_facts['distribution'] == 'Ubuntu' and ansible_facts['distribution_version'] is version('24.04', '>='))
block: block:
- name: Read the distribution instantiated service file - name: Read the distribution instantiated service file
ansible.builtin.slurp: ansible.builtin.slurp:


@ -14,6 +14,7 @@ __sshd_defaults:
Include: /etc/ssh/sshd_config.d/*.conf Include: /etc/ssh/sshd_config.d/*.conf
KbdInteractiveAuthentication: false KbdInteractiveAuthentication: false
UsePAM: true UsePAM: true
PrintMotd: false
AcceptEnv: LANG LC_* AcceptEnv: LANG LC_*
Subsystem: "sftp /usr/lib/openssh/sftp-server" Subsystem: "sftp /usr/lib/openssh/sftp-server"

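--- /dev/null
+++ b/vars/Ubuntu_24.yml
@@ -0,0 +1,33 @@
+---
+__sshd_os_supported: true
+__sshd_service: ssh
+__sshd_packages:
+- openssh-server
+- openssh-sftp-server
+# Ubuntu 22.04 shipped with drop-in directory support so we touch
+# just included file with highest priority by default
+__sshd_config_file: /etc/ssh/sshd_config.d/00-ansible_system_role.conf
+__sshd_config_mode: "0644"
+# the defaults here represent the defaults shipped in the main sshd_config
+__sshd_defaults:
+Include: /etc/ssh/sshd_config.d/*.conf
+KbdInteractiveAuthentication: false
+UsePAM: true
+PrintMotd: false
+AcceptEnv: LANG LC_*
+Subsystem: "sftp /usr/lib/openssh/sftp-server"
+__sshd_runtime_directory: sshd
+__sshd_drop_in_dir_mode: '0755'
+__sshd_main_config_file: /etc/ssh/sshd_config
+__sshd_environment_file: /etc/default/ssh
+__sshd_environment_variable: $SSHD_OPTS
+__sshd_service_after: auditd.service
+__sshd_service_alias: sshd
+__sshd_socket_accept: false
+__sshd_socket_freebind: true
+__sshd_socket_required_by: ssh.service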
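Review bot: The comment `# Ubuntu 22.04 shipped with drop-in directory support so we touch` was carried over verbatim from the 22.04 vars file into this 24.04 file, so it no longer describes the file it sits in; rewrite it as `# Ubuntu 22.04 and later ship drop-in directory support, so we touch` or similar. `__sshd_config_mode: "0644"` and `__sshd_drop_in_dir_mode: '0755'` mix quote styles for the same kind of value; pick one. `__sshd_socket_freebind: true` switches `FreeBind=` on in the generated socket unit with no note on why this distribution enables it, so a reader cannot tell whether it mirrors the distribution's shipped unit or is a role choice; a short comment such as `# FreeBind enabled to match the distribution's ssh.socket — confirm against the shipped unit` would settle that.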


@ -87,3 +87,9 @@ __sshd_service_restart_timeout: ~
# The systemd socket file does not accept the connection # The systemd socket file does not accept the connection
__sshd_socket_accept: true __sshd_socket_accept: true
# Boolean to control if the systemd socket can be bound to non-local IP addresses
__sshd_socket_freebind: ~
# Space separated list of service names that this socket is required by
__sshd_socket_required_by: ~
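Review bot: The comment on `__sshd_socket_freebind` describes it as a boolean, but the default `~` is a third state: the socket template only emits `FreeBind=` when the value is not none, so null leaves the directive out entirely. Say so, e.g. `# null omits FreeBind= from the socket unit; true/false emit FreeBind=yes/no`. The same applies to `__sshd_socket_required_by`, where `~` omits `RequiredBy=` and any non-null value is written into the unit verbatim.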