Commit graph

63 commits

Author SHA1 Message Date
Noriko Hosoi
6887864d2c Fix issues found by linters - enable all tests on all repos - remove suppressions
Cleaning up yamllint errors.
  - Use .yamllint.yml and .yamllint_defaults.yml instead of
    .yamllint.yaml.
  - Fix the invalid indentations.

Cleaning up ansible-lint errors.
  - Add "name" to every task.
  - Use command rather than shell
  - Add "changed_when: false".
  - Use '|' instead of '>' for the shell module.
  - Fix '/bin/sh: line 3: CRYPTO_POLICY: unbound variable'.
  - Add "set -eu" and "set -o pipefail" if pipefail is available.
    Note: "pipefail" is not available in "sh" and "dash".
  - Add "- '306'  # Shells that use pipes should set the pipefail option"
    to .ansible-lint since ansible-lint does not recognize it if it's set
    in "if set -o | grep pipefail".

RHELPLAN-73804
2021-04-09 10:27:42 -07:00
Jakub Jelen
c9015f37c3 variables: Use more specific vars file first 2020-12-11 13:25:19 +01:00
Jakub Jelen
425400d521 Do not attempt to create and verify sysconfig on unrelated systems 2020-12-11 13:25:19 +01:00
Jakub Jelen
48dc56b2d2 Recognize podman container runtime and ignore services there 2020-12-11 13:25:19 +01:00
Jakub Jelen
6b36488299 Check runtime directory for running CI in Debian and Ubuntu 2020-12-11 13:25:19 +01:00
Jakub Jelen
f12b322aae Accept single hostkey as a string too 2020-12-11 13:25:19 +01:00
Jakub Jelen
a1ee1c0f77 Hide changes to temporary files 2020-11-16 11:20:56 +01:00
Jakub Jelen
94553a887e Create temporary hostkeys for test if there are none
and if we are not writing the main configuration file
2020-11-16 11:10:16 +01:00
Jakub Jelen
dd820d1c24 Implement hostkey checks
This is useful during provisioning, when the keys were not generated
by sshd-keygen service or similar principles depending on operating
system.

This is also helpful when running this role in containers, where
is no service running either.

The keys are generally readable only by root, but in RHEL and Fedora,
they are readable also by group ssh_keys, which is used for hostbased
authentication.

This should fix #111
2020-11-16 11:10:16 +01:00
Jakub Jelen
f32003f051 Remove set_facts tasks not to polute global namespace
The usage of set_facts inside of roles is not recommended if
it is used for internal variables used only inside of the role.
It is recommended to use variables with smaller scope to avoid
inter-dependencies between different invocations of the same
role as demonstrated in the tests_alternative_file.yml later
in the patch series

ttps://github.com/oasis-roles/meta_standards#ansible-best-practices
2020-11-06 12:04:41 +01:00
Jakub Jelen
634d87490e Exclude service commands in Github Action CI 2020-11-06 11:35:10 +01:00
Jakub Jelen
71b3f87308 Add support for sysconfig on Fedora/RHEL
This is useful for opting out from system-wide cryto policy for SSH
or configuring advanced use case (strong RNG seed).

Fixes: #141
2020-10-06 21:11:39 +02:00
Jakub Jelen
9e7eae712d Reformat yaml files to avoid wrong indentation, trailing spaces and long lines 2020-09-23 14:49:42 +02:00
Dmitriy Rabotyagov
065812b345 Use ansible_distribution_major_version in variables
In order to collect variables, it's worth using
ansible_distribution_major_version as ansible_distribution_version
changes behaviour between ansible releases, ie [1]

This causes CentOS jobs fail with 2.8.13, as
ansible_distribution_version there is '7.8' [2]

[1] https://github.com/ansible/ansible/issues/57463
[2] https://zuul.opendev.org/t/openstack/build/e5ae88e08ac546ccb0e7ab99f8f0a051/log/zuul-info/host-info.centos-7.yaml#141
2020-09-21 18:11:28 +03:00
Matt Willsher
8815689d72
Merge branch 'master' into master 2020-09-18 21:53:45 +01:00
Matt Willsher
4a2dc9a381
Merge branch 'master' into master 2020-09-18 21:42:16 +01:00
Matt Willsher
2ebe1c6917
Update install.yml 2020-09-18 21:37:55 +01:00
Matt Willsher
31ee885d57
Merge branch 'master' into master 2020-09-18 21:28:57 +01:00
Matt Willsher
78c56e2129 Add pre-commit, fix issues 2020-09-18 20:49:22 +01:00
ahmadali shafiee
a3bac673f0 use end_host for ansible >= 2.8 2020-03-29 13:51:27 +00:00
Matt Willsher
2d0bf44cdc
Revert "End_host for unsupported hosts" 2020-03-29 14:19:41 +01:00
Spreadcat
5b04f74614
End_host for unsupported hosts
This change will allow the play to continue without error if unsupported hosts are in the lists of targed host.
The play will continue with the supported hosts end the play for the ones which are not supported.
2020-02-14 12:04:57 +01:00
Alexander Christoph Bihlmaier
cca93d5c6d variable ansible_distribution_major_version is not present on OpenBSD
and throws an error because it can't resolve it
2019-10-18 18:06:04 +02:00
Alexander Christoph Bihlmaier
63095094fc extending yaml file lookup with "ansible_distribution_version" 2019-10-03 15:07:16 +02:00
thalunil
9fedd23cf0 * OpenBSD 6.5 no longer provides ansible fact "ansible_distribution_major_version" therefore it it set to "ansible_distribution_version".
* ansible fact ansible_distribution_lts_version only makes sense on Ubuntu so set it only on Ubuntu -> otherwise "ansible_distribution_version"
2019-09-30 19:57:15 +02:00
Nikolaos Kakouros
b81977c659 Merge branch 'master' into syntax 2019-06-04 11:48:02 +02:00
yurihs
efc868edc2 Ignore ansible-lint E303, usage of systemctl command is unavoidable 2019-05-23 14:50:24 -03:00
yurihs
53218db597 Use bool filter instead of bare variables or comparison to literal True (ansible-lint E601, ansible/ansible#51030) 2019-05-23 14:50:24 -03:00
yurihs
43d65fb63a Add names to all tasks (ansible-lint E502) 2019-05-23 14:31:30 -03:00
BenGig
7a84821b8f
Backup of sshd_config dependent on variable
Propagates setting sshd_backup to template installation task
2019-03-22 11:51:39 +01:00
Robert A Vincent II
4a0f7d935a Specify search path for os vars; support odd-numbered Ubuntu releases. 2019-02-25 16:10:34 -05:00
Janne Blomqvist
d438f096a7 Make role work with chroot connections on EL 7.
For chroot connection (e.g. when building images instead of working on
live hosts) one cannot restart services etc.

Also due to Ansible bug 21026 one must run systemctl instead of using
the service module, limiting support to EL 7 for the time being.
2018-09-11 16:10:58 +03:00
Nikolaos Kakouros
da2c91d93a Adds forgotten conditional 2018-09-08 10:46:57 +02:00
Nikolaos Kakouros
10f94a1f05 Updates syntax to Ansible 2.7 era 2018-09-08 10:13:51 +02:00
Nikolaos Kakouros
a6a21a9565 Adds on/off toggle 2018-09-08 09:14:39 +02:00
Nikolaos Kakouros
5774f7f44f Adds ability to install a systemd service 2018-08-25 23:39:06 +02:00
Dan Čermák
a257ae7317 Fix for ansible_virtualization_type not defined in Ansible > 2.5
ansible_virtualization_type is undefined in Ansible > 2.5 when no virtualization
is used. A jinja2 filter has been added that provides a default value (None) so
that the check does not fail
2018-04-24 11:32:55 +02:00
Matt Willsher
f2ba8183b8 Merge branch 'master' into no-tags 2017-10-19 20:44:00 +01:00
Nikolaos Kakouros
8142c8b768 Removes tags 2017-09-06 16:17:18 +02:00
jamatute
0ec2446cae
* change ansible_pkg_mgr for package 2017-08-16 11:28:15 +02:00
Matt Willsher
43ed7c19a2 Fix Ansible 2.3 warnings 2017-05-04 14:31:26 +01:00
Matt Willsher
b2ce732450 Don't manage /var/run 2017-05-04 14:27:37 +01:00
Hoai Le
f225804f64 Fix sshd service state 2017-03-16 15:06:16 +02:00
Sergey Korolev
6d0d043bab Don't fail without package manager
Atomic Host uses unsupported package manager `rpm-ostree`. So, `ansible_pkg_mgr` is `unknown` and this task will fail. `sshd` is already in base system images. Apart from this, sshd configuration is standard for Fedora/CentOS.

I'm not sure it's the right solution. May be it's better to create new boolean variable like `sshd_manage_install` and use it here in `when`.
2016-12-22 16:48:27 +03:00
Harald Koch
f68fb55dad fix deprecation warning for sshd_packages (fixes issue #38) 2016-03-08 12:00:56 -05:00
Aleksandr Kostyrev
445261a297 Do not manage /var/run/sshd on CentOS7 fixes #27 2015-08-12 18:41:46 +03:00
Matt Willsher
812a1e1267 Fix issues raised in #22 2015-06-28 10:18:45 +01:00
jitakirin
d0b2b029a1 Verify SSHd config early
This uses the validate option to check the config file early, which
avoids putting bad settings in place at all, and also enables a
fail-fast behaviour (errors out when processing the template module).
2015-06-26 11:38:09 +01:00
jitakirin
951df8c65b Ensure run directory exists
This is usually also done in service scripts during startup but those
aren't always used in containers.  Doesn't hurt ensuring it here.
2015-06-25 15:13:10 +01:00
jitakirin
bcd864fea4 Add sshd_manage_service option
Allows disabling management of SSHd service completely, which is handy
when used in a container (where ansible is usually used during build
phase).
2015-06-25 14:54:24 +01:00