The documentation says there is only one global scope for handlers:
> There is only one global scope for handlers (handler names and listen topics)
> regardless of where the handlers are defined. This also includes handlers
> defined in roles.
So following the naming convention as we do in all the other variables
sounds like a good idea.
https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_handlers.html
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
* robustness: quote test backup/restore file names
This avoids issues if file names are not safepaths.
* security: use quote with command, shell and validate with variable
Skip quotation only if variable is checked.
Add test suit to excercise some quote use cases.
* robustness: fail if systemd.unit could have something in need of quote
Ensure systemd.unit contents is robust. This disables possibility to
have something that needs to be quoted there. But as ansible lacks
proper way to quote systemd unit files (see man systemd.syntax, rules
are not shell rules), it is better to fail such configs. If you are
trying to do that, you are doing it wrong anyway or have malicious
intent.
Also ensure similar issue with sysctl.conf.
Issue can be seen with `tests_hostkeys_unsafe_path.yml`, when adding
following to role params:
sshd_install_service: true
sshd_config_file: "{{ ansible_facts.env.TMPDIR }}/sshd.d/foo.conf"
sshd_binary: "{{ ansible_facts.env.TMPDIR }}/sshd"
__sshd_runtime_directory: "{{ ansible_facts.env.TMPDIR }}/run"
* tests: Quote also the source filename
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
* tests: Add more negative test cases
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
* tests: Skip the test with unsafe TMPDIR as it does not work on CentOS8
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
* Move the variable checks to separate file ...
... and explain better why this is problematic
Drops also the check for internal variables as the user should not
bother with these.
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---------
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Co-authored-by: Markus Linnala <Markus.Linnala@knowit.fi>
* feat: Add support for Ubuntu Nobel/24.04 LTS
* fix: Add missing PrintMotd to Ubuntu 22.04
* fix(tests): Various linting fixes
---------
Co-authored-by: Jakub Jelen <jjelen@redhat.com>
Feature: Allow running and testing the role with ostree managed nodes.
Reason: We have users who want to use the role to manage ostree
systems.
Result: Users can use the role to manage ostree managed nodes.
Signed-off-by: Rich Megginson <rmeggins@redhat.com>
* Role configured to accept SSH connection via SSH certificates
* Works with or without principals and ansible-lint updated
* add test for SSH certificates authentication with principals
* Add configuration to run tests for SSH certificates authentication with principals
* tasks to use SSH certificates grouped into one file
* Update README.md
Use facts via ansible_facts only.
Made using:
git ls-files -z|grep -z yml|xargs -0r sed --follow-symlinks -Ei \
"s/ansible_(virtualization_type|os_family|distribution\w*)/ansible_facts['\1']/g"
Previously no hostkeys were checked if they were not present
in the generated configuration file. When the drop-in directory is
used, usually, there are no hostkeys in that file and no sanity
check for hostkeys was executed.
This amends the "auto" value for the hostkeys check to allow checking
for default hostkeys that are read by OpenSSH by default.
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Cleaning up yamllint errors.
- Use .yamllint.yml and .yamllint_defaults.yml instead of
.yamllint.yaml.
- Fix the invalid indentations.
Cleaning up ansible-lint errors.
- Add "name" to every task.
- Use command rather than shell
- Add "changed_when: false".
- Use '|' instead of '>' for the shell module.
- Fix '/bin/sh: line 3: CRYPTO_POLICY: unbound variable'.
- Add "set -eu" and "set -o pipefail" if pipefail is available.
Note: "pipefail" is not available in "sh" and "dash".
- Add "- '306' # Shells that use pipes should set the pipefail option"
to .ansible-lint since ansible-lint does not recognize it if it's set
in "if set -o | grep pipefail".
RHELPLAN-73804
This is useful during provisioning, when the keys were not generated
by sshd-keygen service or similar principles depending on operating
system.
This is also helpful when running this role in containers, where
is no service running either.
The keys are generally readable only by root, but in RHEL and Fedora,
they are readable also by group ssh_keys, which is used for hostbased
authentication.
This should fix#111
