diff --git a/.gitignore b/.gitignore
index 5bce807..50e375e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,19 +1,23 @@
-SOURCES/ansible-sshd-1c5c48835e01adc176febf945e1fd36b7d9af7fd.tar.gz
-SOURCES/auto-maintenance-2dd50c8a16af647e4c7a768c481335e97735958a.tar.gz
-SOURCES/certificate-1.1.0.tar.gz
-SOURCES/crypto_policies-1.2.0.tar.gz
-SOURCES/ha_cluster-1.3.0.tar.gz
-SOURCES/kdump-1.1.0.tar.gz
-SOURCES/kernel_settings-1.1.0.tar.gz
-SOURCES/logging-1.5.1.tar.gz
-SOURCES/metrics-1.3.1.tar.gz
-SOURCES/nbde_client-1.1.0.tar.gz
-SOURCES/nbde_server-1.1.0.tar.gz
-SOURCES/network-1.4.0.tar.gz
-SOURCES/postfix-1.1.0.tar.gz
-SOURCES/selinux-1.3.0.tar.gz
-SOURCES/ssh-1.1.0.tar.gz
-SOURCES/storage-1.6.1.tar.gz
-SOURCES/timesync-1.6.0.tar.gz
-SOURCES/tlog-1.2.0.tar.gz
-SOURCES/vpn-1.2.0.tar.gz
+SOURCES/ansible-posix-1.3.0.tar.gz
+SOURCES/ansible-sshd-214df35c0bee77b5d69f49c2da269251d451b28f.tar.gz
+SOURCES/auto-maintenance-5e7bb389fc5e93184871b3907e75ba896874dc21.tar.gz
+SOURCES/certificate-1.1.3.tar.gz
+SOURCES/cockpit-1.2.1.tar.gz
+SOURCES/community-general-4.6.0.tar.gz
+SOURCES/crypto_policies-1.2.3.tar.gz
+SOURCES/firewall-1.1.0.tar.gz
+SOURCES/ha_cluster-1.4.1.tar.gz
+SOURCES/kdump-1.2.2.tar.gz
+SOURCES/kernel_settings-1.1.6.tar.gz
+SOURCES/logging-1.8.1.tar.gz
+SOURCES/metrics-1.5.1.tar.gz
+SOURCES/nbde_client-1.2.2.tar.gz
+SOURCES/nbde_server-1.1.2.tar.gz
+SOURCES/network-1.7.1.tar.gz
+SOURCES/postfix-1.2.0.tar.gz
+SOURCES/selinux-1.3.4.tar.gz
+SOURCES/ssh-1.1.4.tar.gz
+SOURCES/storage-1.7.0.tar.gz
+SOURCES/timesync-1.6.6.tar.gz
+SOURCES/tlog-1.2.6.tar.gz
+SOURCES/vpn-1.3.2.tar.gz
diff --git a/.rhel-system-roles.metadata b/.rhel-system-roles.metadata
index 0348be1..c7602f8 100644
--- a/.rhel-system-roles.metadata
+++ b/.rhel-system-roles.metadata
@@ -1,19 +1,23 @@
-81dc493a73559dc310a806c8dad6c310f2456512 SOURCES/ansible-sshd-1c5c48835e01adc176febf945e1fd36b7d9af7fd.tar.gz
-88baab8db9cba232b8deb8c690dccf2d3ef77b31 SOURCES/auto-maintenance-2dd50c8a16af647e4c7a768c481335e97735958a.tar.gz
-b677782b53c4ffe790528b4b2c12f31b07523b4c SOURCES/certificate-1.1.0.tar.gz
-1dea114d52dd032bde01a2a64a9b8233daeaa8dc SOURCES/crypto_policies-1.2.0.tar.gz
-d3c6ec22b1e60ad3b53b07009ac54e946355aa75 SOURCES/ha_cluster-1.3.0.tar.gz
-3e3e61b4a8fecc8fb649ab32a3751bd3a3930281 SOURCES/kdump-1.1.0.tar.gz
-90ea8d850a2c46988e4128df36c1254b787d2fb7 SOURCES/kernel_settings-1.1.0.tar.gz
-61127d1b542bf7501ca16834c1716cb01883abfa SOURCES/logging-1.5.1.tar.gz
-170825f78241811a16095f795a93cc9144c39a98 SOURCES/metrics-1.3.1.tar.gz
-f3298859354c92921a3b68fa76f877d4596915d6 SOURCES/nbde_client-1.1.0.tar.gz
-a2c85f6a850285c8afb8635de0cbbb7eb2b46530 SOURCES/nbde_server-1.1.0.tar.gz
-73207015b9e48cd2bdf86fab68f8f34e2181a94b SOURCES/network-1.4.0.tar.gz
-8f10d7be6d7ea3d855cf5d22f32b5ba7bb8302be SOURCES/postfix-1.1.0.tar.gz
-0f6894033fc2110eac6b81b5e6b4ca9ca0af6632 SOURCES/selinux-1.3.0.tar.gz
-b5e0786216e22508435c13b4da7b6fcce4ad82fe SOURCES/ssh-1.1.0.tar.gz
-5820c668d774e9a267011376138cca5a64fb23dd SOURCES/storage-1.6.1.tar.gz
-7bf364246b52dd8df3de6b6c9bf4553410983439 SOURCES/timesync-1.6.0.tar.gz
-ad38181af7223caa21b602e91d0feeb9085451e0 SOURCES/tlog-1.2.0.tar.gz
-9f91e40a6657e262893f85158706934954bcbcb2 SOURCES/vpn-1.2.0.tar.gz
+d2d2382c38eaf34d2295aba2aa4652d75ebbaeef SOURCES/ansible-posix-1.3.0.tar.gz
+a4d4556cf6628e87fa62dec6c46099338b499930 SOURCES/ansible-sshd-214df35c0bee77b5d69f49c2da269251d451b28f.tar.gz
+a2ec14498a7fd213f08dd24ca139039c958b07fd SOURCES/auto-maintenance-5e7bb389fc5e93184871b3907e75ba896874dc21.tar.gz
+cee41b5fd6359e9ddeb83c5af7b8057fef6b2334 SOURCES/certificate-1.1.3.tar.gz
+004064268df0e7dd154331b7799272d3277388d4 SOURCES/cockpit-1.2.1.tar.gz
+ad8684050c86bad7ce4882a84e14be6867a56d8d SOURCES/community-general-4.6.0.tar.gz
+0684c1335923ba8ebbb05afbd507e5ff31f874d6 SOURCES/crypto_policies-1.2.3.tar.gz
+fcb8d48ccaeba886859ce6afd3d14bbb3f8a5667 SOURCES/firewall-1.1.0.tar.gz
+9a990a4908bdf3269bce4f214907623780a5e221 SOURCES/ha_cluster-1.4.1.tar.gz
+a1c9c89dea1dbe2410465c29ad0e1d3637ac5f52 SOURCES/kdump-1.2.2.tar.gz
+0a681d1e3b236c4750d663f2a833e786a5e958ab SOURCES/kernel_settings-1.1.6.tar.gz
+e530528ba5f9478cc8604aa6612388ea8e5078af SOURCES/logging-1.8.1.tar.gz
+430ce63a7b45b97305e4f8591192fa7e58af8292 SOURCES/metrics-1.5.1.tar.gz
+0424321322eb4d80560a8d2d9fee406296728463 SOURCES/nbde_client-1.2.2.tar.gz
+33f0a3ea008021e69b2bbd7b25f6536f91e7613d SOURCES/nbde_server-1.1.2.tar.gz
+dcd2261fe6b6a998aca3eb6c968204152e2ffd51 SOURCES/network-1.7.1.tar.gz
+95c54da9ef5acaae9553f2c4ed250452502ab9e0 SOURCES/postfix-1.2.0.tar.gz
+4e5c5216814577ee55304721e5c811ed8857efbc SOURCES/selinux-1.3.4.tar.gz
+f38972c4b22a9f226b58725c7e9ba8fac692bba2 SOURCES/ssh-1.1.4.tar.gz
+0728b4e01261f84ce470431a4ea21907db75f26a SOURCES/storage-1.7.0.tar.gz
+0bd118c9df9bf556a76d42c92bde11fde5553eba SOURCES/timesync-1.6.6.tar.gz
+d10a0dd866c1ce982d2ba22500718df3fb2ab766 SOURCES/tlog-1.2.6.tar.gz
+d1bb00636c04bc1b2d94ce0e491afe9ef921cd56 SOURCES/vpn-1.3.2.tar.gz
diff --git a/SOURCES/Bug-2098226-storage-role-raid_level-striped-is-not-supported.patch b/SOURCES/Bug-2098226-storage-role-raid_level-striped-is-not-supported.patch
new file mode 100644
index 0000000..a57114b
--- /dev/null
+++ b/SOURCES/Bug-2098226-storage-role-raid_level-striped-is-not-supported.patch
@@ -0,0 +1,151 @@ +From acb99e74a24fa07863c596fe59d2999adc28c249 Mon Sep 17 00:00:00 2001 +From: Vojtech Trefny +Date: Thu, 2 Jun 2022 15:18:19 +0200 +Subject: [PATCH] LVM RAID raid0 level support (#272) + +* Add workaround for missing LVM raid0 support in blivet + +Blivet supports creating LVs with segment type "raid0" but it is +not in the list of supported RAID levels. This will be fixed in +blivet, see https://github.com/storaged-project/blivet/pull/1047 + +* Add a test for LVM RAID raid0 level + +* README: Remove "striped" from the list of supported RAID for pools + +We use MD RAID for RAIDs on the pool level which doesn't support +"striped" level. + +* README: Clarify supported volume RAID levels + +We support different levels for LVM RAID and MD RAID. + +(cherry picked from commit 8b868a348155b08479743945aba88271121ad4b0) +--- + README.md | 7 ++- + library/blivet.py | 7 +++ + tests/tests_create_raid_pool_then_remove.yml | 54 ++++++++++++++++++++ + 3 files changed, 66 insertions(+), 2 deletions(-) + +diff --git a/README.md b/README.md +index f8e3daa..bd123d7 100644 +--- a/README.md ++++ b/README.md +@@ -54,7 +54,7 @@ device node basename (like `sda` or `mpathb`), /dev/disk/ symlink + ##### `raid_level` + When used with `type: lvm` it manages a volume group with a mdraid array of given level + on it. Input `disks` are in this case used as RAID members. +-Accepted values are: `linear`, `striped`, `raid0`, `raid1`, `raid4`, `raid5`, `raid6`, `raid10` ++Accepted values are: `linear`, `raid0`, `raid1`, `raid4`, `raid5`, `raid6`, `raid10` + + ##### `volumes` + This is a list of volumes that belong to the current pool. It follows the +@@ -136,7 +136,10 @@ Specifies RAID level. LVM RAID can be created as well. + "Regular" RAID volume requires type to be `raid`. + LVM RAID needs that volume has `storage_pools` parent with type `lvm`, + `raid_disks` need to be specified as well. 
+-Accepted values are: `linear` (N/A for LVM RAID), `striped`, `raid0`, `raid1`, `raid4`, `raid5`, `raid6`, `raid10` ++Accepted values are: ++* for LVM RAID volume: `raid0`, `raid1`, `raid4`, `raid5`, `raid6`, `raid10`, `striped`, `mirror` ++* for RAID volume: `linear`, `raid0`, `raid1`, `raid4`, `raid5`, `raid6`, `raid10` ++ + __WARNING__: Changing `raid_level` for a volume is a destructive operation, meaning + all data on that volume will be lost as part of the process of + removing old and adding new RAID. RAID reshaping is currently not +diff --git a/library/blivet.py b/library/blivet.py +index 29552fa..33c93b2 100644 +--- a/library/blivet.py ++++ b/library/blivet.py +@@ -118,6 +118,7 @@ LIB_IMP_ERR = "" + try: + from blivet3 import Blivet + from blivet3.callbacks import callbacks ++ from blivet3 import devicelibs + from blivet3 import devices + from blivet3.deviceaction import ActionConfigureFormat + from blivet3.flags import flags as blivet_flags +@@ -132,6 +133,7 @@ except ImportError: + try: + from blivet import Blivet + from blivet.callbacks import callbacks ++ from blivet import devicelibs + from blivet import devices + from blivet.deviceaction import ActionConfigureFormat + from blivet.flags import flags as blivet_flags +@@ -152,6 +154,11 @@ if BLIVET_PACKAGE: + set_up_logging() + log = logging.getLogger(BLIVET_PACKAGE + ".ansible") + ++ # XXX add support for LVM RAID raid0 level ++ devicelibs.lvm.raid_levels.add_raid_level(devicelibs.raid.RAID0) ++ if "raid0" not in devicelibs.lvm.raid_seg_types: ++ devicelibs.lvm.raid_seg_types.append("raid0") ++ + + MAX_TRIM_PERCENT = 2 + +diff --git a/tests/tests_create_raid_pool_then_remove.yml b/tests/tests_create_raid_pool_then_remove.yml +index d81680d..1fb4e15 100644 +--- a/tests/tests_create_raid_pool_then_remove.yml ++++ b/tests/tests_create_raid_pool_then_remove.yml +@@ -150,3 +150,57 @@ + raid_disks: "{{ [unused_disks[0], unused_disks[1]] }}" + + - include_tasks: verify-role-results.yml ++ ++ - name: Create 
a RAID0 lvm raid device ++ include_role: ++ name: linux-system-roles.storage ++ vars: ++ storage_pools: ++ - name: vg1 ++ disks: "{{ unused_disks }}" ++ type: lvm ++ state: present ++ volumes: ++ - name: lv1 ++ size: "{{ volume1_size }}" ++ mount_point: "{{ mount_location1 }}" ++ raid_disks: "{{ [unused_disks[0], unused_disks[1]] }}" ++ raid_level: raid0 ++ ++ - include_tasks: verify-role-results.yml ++ ++ - name: Repeat the previous invocation to verify idempotence ++ include_role: ++ name: linux-system-roles.storage ++ vars: ++ storage_pools: ++ - name: vg1 ++ disks: "{{ unused_disks }}" ++ type: lvm ++ state: present ++ volumes: ++ - name: lv1 ++ size: "{{ volume1_size }}" ++ mount_point: "{{ mount_location1 }}" ++ raid_level: raid0 ++ raid_disks: "{{ [unused_disks[0], unused_disks[1]] }}" ++ ++ - include_tasks: verify-role-results.yml ++ ++ - name: Remove the device created above ++ include_role: ++ name: linux-system-roles.storage ++ vars: ++ storage_pools: ++ - name: vg1 ++ disks: "{{ unused_disks }}" ++ type: lvm ++ state: absent ++ volumes: ++ - name: lv1 ++ size: "{{ volume1_size }}" ++ mount_point: "{{ mount_location1 }}" ++ raid_level: raid0 ++ raid_disks: "{{ [unused_disks[0], unused_disks[1]] }}" ++ ++ - include_tasks: verify-role-results.yml +-- +2.35.3 + diff --git a/SOURCES/Bug-2098227-storage-role-cannot-set-mount_options-for-volumes.patch b/SOURCES/Bug-2098227-storage-role-cannot-set-mount_options-for-volumes.patch new file mode 100644 index 0000000..3d5baed --- /dev/null +++ b/SOURCES/Bug-2098227-storage-role-cannot-set-mount_options-for-volumes.patch 
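Review bot: The import-time workaround added to library/blivet.py calls `devicelibs.lvm.raid_levels.add_raid_level(devicelibs.raid.RAID0)` unconditionally, while the neighbouring `raid_seg_types` tweak is guarded by a membership test; once the referenced blivet fix (storaged-project/blivet#1047) lands in the installed blivet, raid0 is already registered and, depending on how `RAIDLevels.add_raid_level` treats a duplicate, this either registers the level twice or raises on every module import. Mirror the existing guard, e.g. `if devicelibs.raid.RAID0 not in devicelibs.lvm.raid_levels:` before the `add_raid_level` call (confirm that `RAIDLevels` supports membership testing; otherwise wrap the call in `try/except ValueError`). The `# XXX` marker should also state the removal condition so the monkey-patch of blivet's global registry does not outlive its purpose: `# XXX workaround for missing LVM raid0 in blivet (blivet PR #1047); drop once the minimum blivet version includes it`.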
@@ -0,0 +1,192 @@ +From ba8a97039805f488c26b4d857f0137a349359c23 Mon Sep 17 00:00:00 2001 +From: Richard Megginson +Date: Mon, 16 May 2022 07:51:43 -0600 +Subject: [PATCH] add support for mount_options (#270) + +* add support for mount_options + +When support for argument validation was added, that support did not +include the `mount_options` parameter. This fix adds back that +parameter. In addition, the volume module arguments are refactored +so that the common volume parameters such as `mount_options` can be +specified in one place. + +This adds a test for the `mount_options` parameter, and adds +verification for that parameter. + +* only checkout mount_options if requested + +(cherry picked from commit ecf3d04bb704db5c1a095aaef40c2372fd45d4d6) +--- + library/blivet.py | 78 ++++++++++++++---------------- + tests/test-verify-volume-fstab.yml | 22 ++++++++- + tests/tests_misc.yml | 3 ++ + 3 files changed, 60 insertions(+), 43 deletions(-) + +diff --git a/library/blivet.py b/library/blivet.py +index 80575bb..29552fa 100644 +--- a/library/blivet.py ++++ b/library/blivet.py +@@ -105,6 +105,7 @@ volumes: + elements: dict + ''' + ++import copy + import logging + import os + import traceback +@@ -1500,6 +1501,39 @@ def activate_swaps(b, pools, volumes): + + def run_module(): + # available arguments/parameters that a user can pass ++ common_volume_opts = dict(encryption=dict(type='bool'), ++ encryption_cipher=dict(type='str'), ++ encryption_key=dict(type='str'), ++ encryption_key_size=dict(type='int'), ++ encryption_luks_version=dict(type='str'), ++ encryption_password=dict(type='str'), ++ fs_create_options=dict(type='str'), ++ fs_label=dict(type='str', default=''), ++ fs_type=dict(type='str'), ++ mount_options=dict(type='str'), ++ mount_point=dict(type='str'), ++ name=dict(type='str'), ++ raid_level=dict(type='str'), ++ size=dict(type='str'), ++ state=dict(type='str', default='present', choices=['present', 'absent']), ++ type=dict(type='str')) ++ volume_opts = 
copy.deepcopy(common_volume_opts) ++ volume_opts.update( ++ dict(disks=dict(type='list'), ++ raid_device_count=dict(type='int'), ++ raid_spare_count=dict(type='int'), ++ raid_metadata_version=dict(type='str'))) ++ pool_volume_opts = copy.deepcopy(common_volume_opts) ++ pool_volume_opts.update( ++ dict(cached=dict(type='bool'), ++ cache_devices=dict(type='list', elements='str', default=list()), ++ cache_mode=dict(type='str'), ++ cache_size=dict(type='str'), ++ compression=dict(type='bool'), ++ deduplication=dict(type='bool'), ++ raid_disks=dict(type='list', elements='str', default=list()), ++ vdo_pool_size=dict(type='str'))) ++ + module_args = dict( + pools=dict(type='list', elements='dict', + options=dict(disks=dict(type='list', elements='str', default=list()), +@@ -1517,49 +1551,9 @@ def run_module(): + state=dict(type='str', default='present', choices=['present', 'absent']), + type=dict(type='str'), + volumes=dict(type='list', elements='dict', default=list(), +- options=dict(cached=dict(type='bool'), +- cache_devices=dict(type='list', elements='str', default=list()), +- cache_mode=dict(type='str'), +- cache_size=dict(type='str'), +- compression=dict(type='bool'), +- deduplication=dict(type='bool'), +- encryption=dict(type='bool'), +- encryption_cipher=dict(type='str'), +- encryption_key=dict(type='str'), +- encryption_key_size=dict(type='int'), +- encryption_luks_version=dict(type='str'), +- encryption_password=dict(type='str'), +- fs_create_options=dict(type='str'), +- fs_label=dict(type='str', default=''), +- fs_type=dict(type='str'), +- mount_point=dict(type='str'), +- name=dict(type='str'), +- raid_disks=dict(type='list', elements='str', default=list()), +- raid_level=dict(type='str'), +- size=dict(type='str'), +- state=dict(type='str', default='present', choices=['present', 'absent']), +- type=dict(type='str'), +- vdo_pool_size=dict(type='str'))))), ++ options=pool_volume_opts))), + volumes=dict(type='list', elements='dict', +- 
options=dict(disks=dict(type='list'), +- encryption=dict(type='bool'), +- encryption_cipher=dict(type='str'), +- encryption_key=dict(type='str'), +- encryption_key_size=dict(type='int'), +- encryption_luks_version=dict(type='str'), +- encryption_password=dict(type='str'), +- fs_create_options=dict(type='str'), +- fs_label=dict(type='str', default=''), +- fs_type=dict(type='str'), +- mount_point=dict(type='str'), +- name=dict(type='str'), +- raid_level=dict(type='str'), +- raid_device_count=dict(type='int'), +- raid_spare_count=dict(type='int'), +- raid_metadata_version=dict(type='str'), +- size=dict(type='str'), +- state=dict(type='str', default='present', choices=['present', 'absent']), +- type=dict(type='str'))), ++ options=volume_opts), + packages_only=dict(type='bool', required=False, default=False), + disklabel_type=dict(type='str', required=False, default=None), + safe_mode=dict(type='bool', required=False, default=True), +diff --git a/tests/test-verify-volume-fstab.yml b/tests/test-verify-volume-fstab.yml +index 80d78f0..0091084 100644 +--- a/tests/test-verify-volume-fstab.yml ++++ b/tests/test-verify-volume-fstab.yml +@@ -11,6 +11,15 @@ + storage_test_fstab_expected_mount_point_matches: "{{ 1 + if (_storage_test_volume_present and storage_test_volume.mount_point and storage_test_volume.mount_point.startswith('/')) + else 0 }}" ++ storage_test_fstab_mount_options_matches: "{{ storage_test_fstab.stdout_lines | ++ map('regex_search', ' ' + storage_test_volume.mount_point + ' .* ' + storage_test_volume.mount_options + ' +') | ++ select('string')|list if ( ++ storage_test_volume.mount_options|d('none',true) != 'none' ++ and storage_test_volume.mount_point|d('none',true) != 'none' ++ ) else [] }}" ++ storage_test_fstab_expected_mount_options_matches: "{{ 1 ++ if (_storage_test_volume_present and storage_test_volume.mount_options) ++ else 0 }}" + + # device id + - name: Verify that the device identifier appears in /etc/fstab +@@ -26,7 +35,16 @@ + msg: "Expected 
number ({{ storage_test_fstab_expected_mount_point_matches }}) of + entries with volume '{{ storage_test_volume.name }}' mount point not found in /etc/fstab." + +-# todo: options ++# mount options ++- name: Verify mount_options ++ assert: ++ that: storage_test_fstab_mount_options_matches|length == storage_test_fstab_expected_mount_options_matches|int ++ msg: "Expected number ({{ storage_test_fstab_expected_mount_options_matches }}) of ++ entries with volume '{{ storage_test_volume.name }}' mount options not found in /etc/fstab." ++ when: ++ - __storage_verify_mount_options | d(false) ++ - "'mount_options' in storage_test_volume" ++ - "'mount_point' in storage_test_volume" + + - name: Clean up variables + set_fact: +@@ -34,3 +52,5 @@ + storage_test_fstab_mount_point_matches: null + storage_test_fstab_expected_id_matches: null + storage_test_fstab_expected_mount_point_matches: null ++ storage_test_fstab_mount_options_matches: null ++ storage_test_fstab_expected_mount_options_matches: null +diff --git a/tests/tests_misc.yml b/tests/tests_misc.yml +index 159c959..97c1627 100644 +--- a/tests/tests_misc.yml ++++ b/tests/tests_misc.yml +@@ -189,8 +189,11 @@ + fs_type: 'ext4' + fs_create_options: '-F' + mount_point: "{{ mount_location }}" ++ mount_options: rw,noatime,defaults + + - include_tasks: verify-role-results.yml ++ vars: ++ __storage_verify_mount_options: true + + - name: Remove the disk volume created above + include_role: +-- +2.35.3 + diff --git a/SOURCES/ansible-sshd.patch b/SOURCES/ansible-sshd.patch new file mode 100644 index 0000000..8d6817d --- /dev/null +++ b/SOURCES/ansible-sshd.patch 
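Review bot: `encryption_password` and `encryption_key` in the new `common_volume_opts` spec are declared as plain `type='str'` with no `no_log=True`, so the LUKS passphrase (and the key value, if `encryption_key` carries key material rather than a file path) is echoed back in the task's `invocation.module_args` under `-v`/`ANSIBLE_DEBUG` and can end up in controller logs and CI output. Since the refactor now gathers these options in one place, this is the right spot to mark them: `encryption_password=dict(type='str', no_log=True),` and, if it holds key material, `encryption_key=dict(type='str', no_log=True),`. Ansible also emits a runtime warning for parameters whose names match its password pattern but lack `no_log`, so the omission should already be visible in test output. `run_module()` continues past the end of this hunk.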
@@ -0,0 +1,428 @@ +From e3004a25d680a17852ade20fa7438b5d4acfc470 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Wed, 6 Apr 2022 10:42:17 +0200 +Subject: [PATCH 1/7] Update templates to apply FIPS hostkeys filter + +This fixes up the commit 7f69d1e6 + +Signed-off-by: Jakub Jelen +--- + templates/sshd_config.j2 | 6 +++++- + templates/sshd_config_snippet.j2 | 6 +++++- + 2 files changed, 10 insertions(+), 2 deletions(-) + +diff --git a/templates/sshd_config.j2 b/templates/sshd_config.j2 +index 15ee668..8c7f322 100644 +--- a/templates/sshd_config.j2 ++++ b/templates/sshd_config.j2 +@@ -22,7 +22,11 @@ + {% elif sshd[key] is defined %} + {% set value = sshd[key] %} + {% elif __sshd_defaults[key] is defined and not sshd_skip_defaults %} +-{% set value = __sshd_defaults[key] %} ++{% if key == 'HostKey' and __sshd_fips_mode %} ++{% set value = __sshd_defaults[key] | difference(__sshd_hostkeys_nofips) %} ++{% else %} ++{% set value = __sshd_defaults[key] %} ++{% endif %} + {% endif %} + {{ render_option(key,value) -}} + {% endmacro %} +diff --git a/templates/sshd_config_snippet.j2 b/templates/sshd_config_snippet.j2 +index 6766e09..6b23c76 100644 +--- a/templates/sshd_config_snippet.j2 ++++ b/templates/sshd_config_snippet.j2 +@@ -21,7 +21,11 @@ + {% elif sshd[key] is defined %} + {% set value = sshd[key] %} + {% elif __sshd_defaults[key] is defined and not sshd_skip_defaults %} +-{% set value = __sshd_defaults[key] %} ++{% if key == 'HostKey' and __sshd_fips_mode %} ++{% set value = __sshd_defaults[key] | difference(__sshd_hostkeys_nofips) %} ++{% else %} ++{% set value = __sshd_defaults[key] %} ++{% endif %} + {% endif %} + {{ render_option(key,value) -}} + {% endmacro %} +-- +2.34.1 + + +From 8ee135cbd9ea63e4345a5ec618d64d14f6b03eee Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Wed, 6 Apr 2022 11:10:27 +0200 +Subject: [PATCH 2/7] Set explicit path to the main configuration file to work + well with the drop-in directory + +Signed-off-by: Jakub Jelen +--- + 
tests/tests_alternative_file.yml | 2 ++ + tests/tests_alternative_file_role.yml | 2 ++ + 2 files changed, 4 insertions(+) + +diff --git a/tests/tests_alternative_file.yml b/tests/tests_alternative_file.yml +index 0a8ccaf..215c726 100644 +--- a/tests/tests_alternative_file.yml ++++ b/tests/tests_alternative_file.yml +@@ -6,6 +6,7 @@ + - /etc/ssh/sshd_config.d/00-ansible_system_role.conf + - /etc/ssh/sshd_config_custom + - /etc/ssh/sshd_config_custom_second ++ - /tmp/ssh_host_ecdsa_key + tasks: + - name: "Backup configuration files" + include_tasks: tasks/backup.yml +@@ -52,6 +53,7 @@ + include_role: + name: ansible-sshd + vars: ++ sshd_config_file: /etc/ssh/sshd_config + sshd: + Banner: /etc/issue + Ciphers: aes192-ctr +diff --git a/tests/tests_alternative_file_role.yml b/tests/tests_alternative_file_role.yml +index 9177709..3e7c7ea 100644 +--- a/tests/tests_alternative_file_role.yml ++++ b/tests/tests_alternative_file_role.yml +@@ -6,6 +6,7 @@ + - /etc/ssh/sshd_config.d/00-ansible_system_role.conf + - /etc/ssh/sshd_config_custom + - /etc/ssh/sshd_config_custom_second ++ - /tmp/ssh_host_ecdsa_key + tasks: + - name: "Backup configuration files" + include_tasks: tasks/backup.yml +@@ -57,6 +58,7 @@ + roles: + - ansible-sshd + vars: ++ sshd_config_file: /etc/ssh/sshd_config + sshd: + Banner: /etc/issue + Ciphers: aes192-ctr +-- +2.34.1 + + +From 041e86952d14b5c90795fb553e7ba942d541a6b3 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Wed, 6 Apr 2022 11:17:12 +0200 +Subject: [PATCH 3/7] tests: Fix OS detection to match also CentOS 9 + +Signed-off-by: Jakub Jelen +--- + tests/tasks/setup.yml | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/tests/tasks/setup.yml b/tests/tasks/setup.yml +index 90a3f00..a0e9324 100644 +--- a/tests/tasks/setup.yml ++++ b/tests/tasks/setup.yml +@@ -26,6 +26,5 @@ + main_sshd_config_name: 00-ansible_system_role.conf + main_sshd_config_path: /etc/ssh/sshd_config.d/ + when: > +- ansible_facts['distribution'] == 
'Fedora' or +- (ansible_facts['distribution'] == 'RedHat' and +- ansible_facts['distribution_major_version']|int > 8) ++ ansible_facts['os_family'] == 'RedHat' and ++ ansible_facts['distribution_major_version']|int > 8 +-- +2.34.1 + + +From e33f2f5bb874aa786ac0c81e8ef63509033f6644 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Wed, 6 Apr 2022 11:20:34 +0200 +Subject: [PATCH 4/7] tests: Slurp the correct file when writing main config + +Signed-off-by: Jakub Jelen +--- + tests/tests_alternative_file.yml | 2 +- + tests/tests_alternative_file_role.yml | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/tests/tests_alternative_file.yml b/tests/tests_alternative_file.yml +index 215c726..172c73a 100644 +--- a/tests/tests_alternative_file.yml ++++ b/tests/tests_alternative_file.yml +@@ -82,7 +82,7 @@ + + - name: Print the main configuration file + slurp: +- src: "{{ main_sshd_config }}" ++ src: /etc/ssh/sshd_config + register: config3 + + - name: Check content of first configuration file +diff --git a/tests/tests_alternative_file_role.yml b/tests/tests_alternative_file_role.yml +index 3e7c7ea..09fbce4 100644 +--- a/tests/tests_alternative_file_role.yml ++++ b/tests/tests_alternative_file_role.yml +@@ -98,7 +98,7 @@ + + - name: Print the main configuration file + slurp: +- src: "{{ main_sshd_config }}" ++ src: /etc/ssh/sshd_config + register: config3 + + - name: Check content of first configuration file +-- +2.34.1 + + +From 8d91dcecd000e7843ad9e827c3d2e6e04ce05e8d Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Wed, 6 Apr 2022 20:28:32 +0200 +Subject: [PATCH 5/7] Unbreak FIPS detection and hostkey filtering + +Signed-off-by: Jakub Jelen +--- + tasks/install.yml | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +diff --git a/tasks/install.yml b/tasks/install.yml +index f1d8455..571281c 100644 +--- a/tasks/install.yml ++++ b/tasks/install.yml +@@ -40,10 +40,11 @@ + + - name: Make sure hostkeys are available and have 
expected permissions + vars: &share_vars ++ # 'MAo=' evaluates to '0\n' in base 64 encoding, which is default + __sshd_fips_mode: >- +- - __sshd_hostkeys_nofips | d([]) +- - __sshd_kernel_fips_mode.content | b64decode == "1" | bool or \ +- __sshd_userspace_fips_mode.content | b64decode != "0" | bool ++ {{ __sshd_hostkeys_nofips | d([]) and ++ (__sshd_kernel_fips_mode.content | d('MAo=') | b64decode | trim == '1' or ++ __sshd_userspace_fips_mode.content | d('MAo=') | b64decode | trim != '0') }} + # This mimics the macro body_option() in sshd_config.j2 + # The explicit to_json filter is needed for Python 2 compatibility + __sshd_hostkeys_from_config: >- +@@ -58,14 +59,14 @@ + {{ __sshd_defaults['HostKey'] | to_json }} + {% endif %} + {% else %} +- [] ++ {{ [] | to_json }} + {% endif %} + __sshd_verify_hostkeys: >- + {% if not sshd_verify_hostkeys %} +- [] ++ {{ [] | to_json }} + {% elif sshd_verify_hostkeys == 'auto' %} +- {% if sshd_HostKey is string %} +- [ {{ __sshd_hostkeys_from_config }} ] ++ {% if __sshd_hostkeys_from_config | from_json is string %} ++ {{ [ __sshd_hostkeys_from_config | from_json ] | to_json }} + {% else %} + {{ __sshd_hostkeys_from_config }} + {% endif %} +-- +2.34.1 + + +From d839fb207e29cbbbc1d256260190f113c332ecba Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Mon, 11 Apr 2022 13:06:24 +0200 +Subject: [PATCH 6/7] tests: Add negative test for FIPS mode + +This fixes also a typo that was overlooked previously + +Signed-off-by: Jakub Jelen +--- + tests/tests_hostkeys_fips.yml | 53 ++++++++++++++++++++++++++++++----- + 1 file changed, 46 insertions(+), 7 deletions(-) + +diff --git a/tests/tests_hostkeys_fips.yml b/tests/tests_hostkeys_fips.yml +index 65cc765..7cf3767 100644 +--- a/tests/tests_hostkeys_fips.yml ++++ b/tests/tests_hostkeys_fips.yml +@@ -4,13 +4,52 @@ + __sshd_test_backup_files: + - /etc/ssh/sshd_config + - /etc/ssh/sshd_config.d/00-ansible_system_role.conf +- - /etc/ssh/ssh_host_ed255519_key +- - 
/etc/ssh/ssh_host_ed255519_key.pub ++ - /etc/ssh/ssh_host_ed25519_key ++ - /etc/ssh/ssh_host_ed25519_key.pub + - /etc/system-fips + tasks: + - name: "Backup configuration files" + include_tasks: tasks/backup.yml + ++ - name: Run the role with default parameters without FIPS mode ++ include_role: ++ name: ansible-sshd ++ ++ - name: Verify the options are correctly set ++ block: ++ - meta: flush_handlers ++ ++ - name: Print current configuration file ++ slurp: ++ src: "{{ main_sshd_config }}" ++ register: config ++ ++ - name: Get stat of private key ++ stat: ++ path: /etc/ssh/ssh_host_ed25519_key ++ register: privkey ++ ++ - name: Get stat of public key ++ stat: ++ path: /etc/ssh/ssh_host_ed25519_key.pub ++ register: pubkey ++ ++ - name: Check the key is in configuration file (without include) ++ assert: ++ that: ++ - "'HostKey /etc/ssh/ssh_host_ed25519_key' in config.content | b64decode" ++ when: ++ - ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version']|int < 9 ++ ++ - name: Check host key was generated ++ assert: ++ that: ++ - privkey.stat.exists ++ - pubkey.stat.exists ++ when: ++ - ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version']|int > 6 ++ tags: tests::verify ++ + - name: Fake FIPS mode + block: + - name: Create temporary directory +@@ -40,13 +79,13 @@ + - name: Remove the Ed25519 hostkey + file: + path: +- /etc/ssh/ssh_host_ed255519_key ++ /etc/ssh/ssh_host_ed25519_key + state: absent + + - name: Remove the Ed25519 pubkey + file: + path: +- /etc/ssh/ssh_host_ed255519_key.pub ++ /etc/ssh/ssh_host_ed25519_key.pub + state: absent + + - name: Run the role with default parameters +@@ -64,18 +103,18 @@ + + - name: Get stat of private key + stat: +- path: /etc/ssh/ssh_host_ed255519_key ++ path: /etc/ssh/ssh_host_ed25519_key + register: privkey + + - name: Get stat of public key + stat: +- path: /etc/ssh/ssh_host_ed255519_key.pub ++ path: /etc/ssh/ssh_host_ed25519_key.pub + register: pubkey + + - 
name: Check the key is not in configuration file + assert: + that: +- - "'HostKey /etc/ssh/ssh_host_ed255519_key' not in config.content | b64decode" ++ - "'HostKey /etc/ssh/ssh_host_ed25519_key' not in config.content | b64decode" + + - name: Check no host key was generated + assert: +-- +2.34.1 + + +From 2a49697fa4bb6281796e76a4b7ee34c356f802cc Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Mon, 11 Apr 2022 13:07:44 +0200 +Subject: [PATCH 7/7] Introduce default hostkeys to check when using drop-in + directory + +Previously no hostkeys were checked if they were not present +in the generated configuration file. When the drop-in directory is +used, usually, there are no hostkeys in that file and no sanity +check for hostkeys was executed. + +This amends the "auto" value for the hostkeys check to allow checking +for default hostkeys that are read by OpenSSH by default. + +Signed-off-by: Jakub Jelen +--- + defaults/main.yml | 1 + + tasks/install.yml | 8 +++++++- + vars/Fedora.yml | 6 ++++++ + vars/RedHat_9.yml | 6 ++++++ + 4 files changed, 20 insertions(+), 1 deletion(-) + +diff --git a/defaults/main.yml b/defaults/main.yml +index 18d6114..7e40e51 100644 +--- a/defaults/main.yml ++++ b/defaults/main.yml +@@ -61,6 +61,7 @@ sshd_sftp_server: /usr/lib/openssh/sftp-server + # configuration or restarting), we make sure the keys exist and have correct + # permissions. 
To disable this check, set sshd_verify_hostkeys to false + sshd_verify_hostkeys: "auto" ++__sshd_verify_hostkeys_default: [] + sshd_hostkey_owner: "{{ __sshd_hostkey_owner }}" + sshd_hostkey_group: "{{ __sshd_hostkey_group }}" + sshd_hostkey_mode: "{{ __sshd_hostkey_mode }}" +diff --git a/tasks/install.yml b/tasks/install.yml +index 571281c..fa7d3c3 100644 +--- a/tasks/install.yml ++++ b/tasks/install.yml +@@ -65,7 +65,13 @@ + {% if not sshd_verify_hostkeys %} + {{ [] | to_json }} + {% elif sshd_verify_hostkeys == 'auto' %} +- {% if __sshd_hostkeys_from_config | from_json is string %} ++ {% if not __sshd_hostkeys_from_config | from_json %} ++ {% if __sshd_fips_mode %} ++ {{ __sshd_verify_hostkeys_default | difference(__sshd_hostkeys_nofips) | to_json }} ++ {% else %} ++ {{ __sshd_verify_hostkeys_default | to_json }} ++ {% endif %} ++ {% elif __sshd_hostkeys_from_config | from_json is string %} + {{ [ __sshd_hostkeys_from_config | from_json ] | to_json }} + {% else %} + {{ __sshd_hostkeys_from_config }} +diff --git a/vars/Fedora.yml b/vars/Fedora.yml +index 77bf172..cf2b081 100644 +--- a/vars/Fedora.yml ++++ b/vars/Fedora.yml +@@ -9,5 +9,11 @@ sshd_sftp_server: /usr/libexec/openssh/sftp-server + __sshd_config_file: /etc/ssh/sshd_config.d/00-ansible_system_role.conf + __sshd_defaults: + __sshd_os_supported: yes ++__sshd_verify_hostkeys_default: ++ - /etc/ssh/ssh_host_rsa_key ++ - /etc/ssh/ssh_host_ecdsa_key ++ - /etc/ssh/ssh_host_ed25519_key ++__sshd_hostkeys_nofips: ++ - /etc/ssh/ssh_host_ed25519_key + __sshd_hostkey_group: ssh_keys + __sshd_hostkey_mode: "0640" +diff --git a/vars/RedHat_9.yml b/vars/RedHat_9.yml +index 33df26a..55239f4 100644 +--- a/vars/RedHat_9.yml ++++ b/vars/RedHat_9.yml +@@ -9,5 +9,11 @@ sshd_sftp_server: /usr/libexec/openssh/sftp-server + __sshd_config_file: /etc/ssh/sshd_config.d/00-ansible_system_role.conf + __sshd_defaults: + __sshd_os_supported: yes ++__sshd_verify_hostkeys_default: ++ - /etc/ssh/ssh_host_rsa_key ++ - 
/etc/ssh/ssh_host_ecdsa_key ++ - /etc/ssh/ssh_host_ed25519_key ++__sshd_hostkeys_nofips: ++ - /etc/ssh/ssh_host_ed25519_key + __sshd_hostkey_group: ssh_keys + __sshd_hostkey_mode: "0640" +-- +2.34.1 + diff --git a/SOURCES/certificate-cryptography.diff b/SOURCES/certificate-cryptography.diff deleted file mode 100644 index d536364..0000000 --- a/SOURCES/certificate-cryptography.diff +++ /dev/null @@ -1,37 +0,0 @@ -From 61be8c698734950611a123609dd6fe795f17873e Mon Sep 17 00:00:00 2001 -From: Rafael Guterres Jeffman -Date: Tue, 19 Oct 2021 16:32:37 -0300 -Subject: [PATCH 01/12] Fix parser fail on certificate verification. - -Due to a change in Python's cryptography version 35.0.0 certificate -parser, and a difference in the ASN.1 certificate spec interpretation, -the certificates generated by certmonger fail to be validated. - -This patch forces the version for the 'cryptography' package installed -to ignore the affected version, and should allow the tests for this -role to be executed. - -certmonger already has a fix for the issue, but it might not be -available for every release supported by certificate role. ---- - tests/tasks/assert_certificate_parameters.yml | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/tests/tasks/assert_certificate_parameters.yml b/tests/tasks/assert_certificate_parameters.yml -index 19c3843..e042f83 100644 ---- a/tests/tasks/assert_certificate_parameters.yml -+++ b/tests/tasks/assert_certificate_parameters.yml -@@ -17,7 +17,9 @@ - - - name: Install certreader - pip: -- name: certreader>=0.1.1 -+ name: -+ - cryptography<35 -+ - certreader>=0.1.1 - virtualenv: "{{ __virtualenv_path }}" - virtualenv_command: /usr/bin/python3 -m venv - --- -2.34.1 - diff --git a/SOURCES/network-switch-provider-tests.diff b/SOURCES/network-switch-provider-tests.diff deleted file mode 100644 index 46fec40..0000000 --- a/SOURCES/network-switch-provider-tests.diff +++ /dev/null 
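Review bot: The rewritten `__sshd_fips_mode` expression in tasks/install.yml (patch 5) short-circuits on `__sshd_hostkeys_nofips | d([])`, so on a platform that defines no non-FIPS key list the variable renders as `[]` rather than a boolean, and the `d('MAo=')` defaults silently treat an unreadable FIPS flag as "not in FIPS mode", which keeps the ed25519 key configured; both choices may be intended but neither is stated, and the templates' `{% if key == 'HostKey' and __sshd_fips_mode %}` (assuming the template task reuses the `*share_vars` anchor, which is outside this hunk) reads as if a bool were expected. Make the value explicitly boolean, `{{ (__sshd_hostkeys_nofips | d([]) | length > 0) and (…) }}`, and replace the terse `# 'MAo=' evaluates to '0\n' …` comment with one naming the consequence: `# 'MAo=' is base64 for "0\n"; if neither FIPS flag could be read the host is treated as NOT in FIPS mode and no hostkeys are filtered`. Note also that the `difference(__sshd_hostkeys_nofips)` filter in patch 1 applies only to role defaults, so a `HostKey` list supplied via `sshd`/`sshd_HostKey` passes through unfiltered in FIPS mode; that deserves a sentence in the README so users do not assume the role strips non-approved keys they set explicitly.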
@@ -1,225 +0,0 @@ -From 2b881a6c3fac68457711be598523f625ded16565 Mon Sep 17 00:00:00 2001 -From: Fernando Fernandez Mancera -Date: Fri, 28 Jan 2022 10:00:16 +0100 -Subject: [PATCH 2/2] tests: use down_profile+delete_interface instead of - down_profile - -The files must be named so that it explain what happens. In addition, -`down_profile+delete_interface` must use `changed_when` to match the -content of `delete_interface`. - -Signed-off-by: Fernando Fernandez Mancera ---- - examples/down_profile+delete_interface.yml | 1 + - .../down_profile+delete_interface.yml | 2 +- - tests/playbooks/tests_bridge.yml | 9 ++++---- - tests/playbooks/tests_eth_dns_support.yml | 9 ++++---- - tests/playbooks/tests_ethernet.yml | 9 ++++---- - tests/playbooks/tests_ipv6_disabled.yml | 9 ++++---- - tests/playbooks/tests_states.yml | 7 +----- - tests/playbooks/tests_switch_provider.yml | 22 +++++-------------- - 9 files changed, 28 insertions(+), 49 deletions(-) - create mode 120000 examples/down_profile+delete_interface.yml - -diff --git a/examples/down_profile+delete_interface.yml b/examples/down_profile+delete_interface.yml -new file mode 120000 -index 0000000..cbd4da1 ---- /dev/null -+++ b/examples/down_profile+delete_interface.yml -@@ -0,0 +1 @@ -+../tests/playbooks/down_profile+delete_interface.yml -\ No newline at end of file -diff --git a/tests/playbooks/down_profile+delete_interface.yml b/tests/playbooks/down_profile+delete_interface.yml -index 1f5b5d3..64b862f 100644 ---- a/tests/playbooks/down_profile+delete_interface.yml -+++ b/tests/playbooks/down_profile+delete_interface.yml -@@ -1,7 +1,7 @@ - # SPDX-License-Identifier: BSD-3-Clause - --- - - import_playbook: down_profile.yml --- name: Delete the interface when the network provider is initscripts -+- name: Delete the interface - hosts: all - tasks: - - include_tasks: tasks/delete_interface.yml -diff --git a/tests/playbooks/tests_bridge.yml b/tests/playbooks/tests_bridge.yml -index d79d6ad..0d76264 100644 ---- 
a/tests/playbooks/tests_bridge.yml -+++ b/tests/playbooks/tests_bridge.yml -@@ -35,7 +35,7 @@ - profile: "{{ interface }}" - task: tasks/assert_profile_present.yml - --- import_playbook: down_profile.yml -+- import_playbook: down_profile+delete_interface.yml - vars: - profile: "{{ interface }}" - # FIXME: assert profile/device down -@@ -49,7 +49,6 @@ - profile: "{{ interface }}" - task: tasks/assert_profile_absent.yml - --# FIXME: Devices might still be left when profile is absent --# - import_playbook: run_tasks.yml --# vars: --# task: tasks/assert_device_absent.yml -+- import_playbook: run_tasks.yml -+ vars: -+ task: tasks/assert_device_absent.yml -diff --git a/tests/playbooks/tests_eth_dns_support.yml b/tests/playbooks/tests_eth_dns_support.yml -index 107ff34..7ab72be 100644 ---- a/tests/playbooks/tests_eth_dns_support.yml -+++ b/tests/playbooks/tests_eth_dns_support.yml -@@ -108,19 +108,18 @@ - - "'timeout:1' in ipv6_dns.stdout" - msg: "DNS options are configured incorrectly" - --- import_playbook: down_profile.yml -+- import_playbook: down_profile+delete_interface.yml - vars: - profile: "{{ interface }}" - # FIXME: assert profile/device down - - import_playbook: remove_profile.yml - vars: - profile: "{{ interface }}" --# FIXME: assert profile away --- name: Remove interfaces -+- name: Assert profile and device are absent - hosts: all - tasks: -- - include_tasks: tasks/manage_test_interface.yml -+ - include_tasks: tasks/assert_profile_absent.yml - vars: -- state: absent -+ profile: "{{ interface }}" - - include_tasks: tasks/assert_device_absent.yml - ... 
-diff --git a/tests/playbooks/tests_ethernet.yml b/tests/playbooks/tests_ethernet.yml -index 1b48147..84c7ef5 100644 ---- a/tests/playbooks/tests_ethernet.yml -+++ b/tests/playbooks/tests_ethernet.yml -@@ -50,18 +50,17 @@ - - # FIXME: assert profile present - # FIXME: assert profile/device up + IP address --- import_playbook: down_profile.yml -+- import_playbook: down_profile+delete_interface.yml - vars: - profile: "{{ interface }}" - # FIXME: assert profile/device down - - import_playbook: remove_profile.yml - vars: - profile: "{{ interface }}" --# FIXME: assert profile away --- name: Remove interfaces -+- name: Assert device and profile are absent - hosts: all - tasks: -- - include_tasks: tasks/manage_test_interface.yml -+ - include_tasks: tasks/assert_profile_absent.yml - vars: -- state: absent -+ profile: "{{ interface }}" - - include_tasks: tasks/assert_device_absent.yml -diff --git a/tests/playbooks/tests_ipv6_disabled.yml b/tests/playbooks/tests_ipv6_disabled.yml -index 09e46e3..7e82ed5 100644 ---- a/tests/playbooks/tests_ipv6_disabled.yml -+++ b/tests/playbooks/tests_ipv6_disabled.yml -@@ -44,19 +44,18 @@ - - "'disabled' in ipv6_method.stdout" - msg: "ipv6.method disabled is configured incorrectly" - --- import_playbook: down_profile.yml -+- import_playbook: down_profile+delete_interface.yml - vars: - profile: "{{ interface }}" - # FIXME: assert profile/device down - - import_playbook: remove_profile.yml - vars: - profile: "{{ interface }}" --# FIXME: assert profile away --- name: Remove interfaces -+- name: Assert device and profile are absent - hosts: all - tasks: -- - include_tasks: tasks/manage_test_interface.yml -+ - include_tasks: tasks/assert_profile_absent.yml - vars: -- state: absent -+ profile: "{{ interface }}" - - include_tasks: tasks/assert_device_absent.yml - ... 
-diff --git a/tests/playbooks/tests_states.yml b/tests/playbooks/tests_states.yml -index 426aebf..76759e8 100644 ---- a/tests/playbooks/tests_states.yml -+++ b/tests/playbooks/tests_states.yml -@@ -126,12 +126,7 @@ - - tasks/get_NetworkManager_NVR.yml - lsr_assert_when: - - what: tasks/assert_device_absent.yml -- # NetworkManager 1.18.4 from CentOS does not seem to remove the -- # virtual interface in this case but it seems to work with -- # 1:NetworkManager-1.27.0-26129.d0a2eb8f05.el7 -- when: "{{ network_provider == 'nm' and -- NetworkManager_NVR != 'NetworkManager-1.18.4-3.el7' -- }}" -+ when: "{{ network_provider == 'nm' }}" - lsr_cleanup: - - tasks/cleanup_profile+device.yml - tags: -diff --git a/tests/playbooks/tests_switch_provider.yml b/tests/playbooks/tests_switch_provider.yml -index f2d165c..8645134 100644 ---- a/tests/playbooks/tests_switch_provider.yml -+++ b/tests/playbooks/tests_switch_provider.yml -@@ -4,12 +4,11 @@ - # set network provider and gather facts - - hosts: all - name: Switch initscripts provider to nm -- vars: -- interface: LSR-TST-br34 - tasks: - - name: set fact to use initscripts network_provider - set_fact: - network_provider: initscripts -+ interface: LST-TST-br34 - tags: - - always - - name: "Create test bridge {{ interface }} via initscripts provider" -@@ -24,15 +23,9 @@ - dhcp4: false - auto6: false - - include_tasks: tasks/assert_device_present.yml -- - name: "Take the profile {{ interface }} down via initscripts provider" -- include_role: -- name: linux-system-roles.network -+ - include_tasks: tasks/remove+down_profile.yml - vars: -- network_connections: -- - name: "{{ interface }}" -- persistent_state: absent -- state: down -- type: bridge -+ profile: "{{ interface }}" - # The initscripts should not remove the interface for down/absent - - include_tasks: tasks/assert_device_present.yml - - name: set fact to use nm network_provider -@@ -52,14 +45,9 @@ - dhcp4: false - auto6: false - - include_tasks: 
tasks/assert_device_present.yml -- - name: "Remove bridge {{ interface }} via nm provider" -- include_role: -- name: linux-system-roles.network -+ - include_tasks: tasks/remove+down_profile.yml - vars: -- network_connections: -- - name: "{{ interface }}" -- state: down -- type: bridge -+ profile: "{{ interface }}" - # NetworkManager should not remove pre-exist interface for down/absent - - include_tasks: tasks/assert_device_present.yml - - include_tasks: tasks/delete_interface.yml --- -2.34.1 - diff --git a/SOURCES/network-switch-provider.diff b/SOURCES/network-switch-provider.diff deleted file mode 100644 index 0758835..0000000 --- a/SOURCES/network-switch-provider.diff +++ /dev/null 
@@ -1,221 +0,0 @@ -From c98c17a236f7db1aabd2b67fad8fff772667ab39 Mon Sep 17 00:00:00 2001 -From: Gris Ge -Date: Fri, 21 Jan 2022 18:24:54 +0800 -Subject: [PATCH 1/2] Fix problem when switch provider from initscript to nm - -Problem: - -After `tests_bridge_initscripts.yml` passed, the `tests_bridge_nm.yml` -will fail with NetworkManager 1.18. - -Root cause: - - 1. The `absent` and `down` action of initscript provider will not - remove the bridge interface which fail the assertion in - `tests_bridge_nm.yml`. - 2. In initscript mode, network role will create ifcfg file with - `NM_CONTROLLED=no` instructing NetworkManager to mark the bridge as - unmanaged. The follow up `down` and `absent` action of initscript - provider will not change the NetworkManager's understanding on - unmanaged state of this interface. - -Fixes: - 1. We cannot change existing behaviour of initscript on not deleting - interface in `down` and `absent` action. So we change the test - function `tests/playbooks/down_profile.yml` to delete the interface - manually via `ip link del ` command. - - 2. Use `NM.Client.reload_connections_async()` to reload the - configuration for nm provider on NetworkManager 1.18. - -Previous test infrastructure is running each test file in a brand new VM -or container which cause this problem not been found before. - -Dedicate test case `tests/tests_switch_provider.yml` included. 
- -Signed-off-by: Gris Ge ---- - library/network_connections.py | 10 +++ - module_utils/network_lsr/nm/provider.py | 28 ++++++++ - tests/ensure_provider_tests.py | 1 + - .../down_profile+delete_interface.yml | 7 ++ - tests/playbooks/tests_switch_provider.yml | 66 +++++++++++++++++++ - tests/tests_switch_provider.yml | 10 +++ - 7 files changed, 126 insertions(+) - create mode 100644 tests/playbooks/down_profile+delete_interface.yml - create mode 100644 tests/playbooks/tests_switch_provider.yml - create mode 100644 tests/tests_switch_provider.yml - -diff --git a/library/network_connections.py b/library/network_connections.py -index c810b4b..706b198 100644 ---- a/library/network_connections.py -+++ b/library/network_connections.py -@@ -2055,6 +2055,16 @@ class Cmd_nm(Cmd): - len(self.connections) * DEFAULT_ACTIVATION_TIMEOUT - ) - -+ # On NetworkManger 1.18, If user switch from initscripts provider where -+ # NM_CONTROLLED=no defined in ifcfg-ethX file, NetworkManager daemon will treat -+ # that interface as strictly unmanaged, even the follow up deletion of -+ # ifcfg-ethX file cannot change the NetworManager's unmanaged state of this -+ # interface. This will prevent any follow up "nm" provider action on this -+ # interface. To solve that, we instruct NetworkManager to reload the -+ # configuration. 
-+ if self._nm_provider.get_client_version().startswith("1.18."): -+ self._nm_provider.reload_configuration() -+ - def rollback_transaction(self, idx, action, error): - Cmd.rollback_transaction(self, idx, action, error) - self.on_failure() -diff --git a/module_utils/network_lsr/nm/provider.py b/module_utils/network_lsr/nm/provider.py -index 567c9d1..9d3d491 100644 ---- a/module_utils/network_lsr/nm/provider.py -+++ b/module_utils/network_lsr/nm/provider.py -@@ -60,3 +60,31 @@ class NetworkManagerProvider: - def get_connections(self): - nm_client = client.get_client() - return nm_client.get_connections() -+ -+ def get_client_version(self): -+ nm_client = client.get_client() -+ return nm_client.get_version() -+ -+ def reload_configuration(self): -+ timeout = 10 -+ nm_client = client.get_client() -+ main_loop = client.get_mainloop(timeout) -+ logging.debug("Reloading configuration with timeout %s", timeout) -+ nm_client.reload_connections_async( -+ main_loop.cancellable, _reload_config_callback, main_loop -+ ) -+ main_loop.run() -+ -+ -+def _reload_config_callback(nm_client, result, main_loop): -+ try: -+ success = nm_client.reload_connections_finish(result) -+ except client.GLib.Error as e: -+ logging.warn("Failed to reload configuration: %s", e) -+ main_loop.quit() -+ return -+ if success: -+ logging.debug("Reloading configuration finished") -+ else: -+ logging.warn("Failed to reload configuration, no error message") -+ main_loop.quit() -diff --git a/tests/ensure_provider_tests.py b/tests/ensure_provider_tests.py -index e989eed..02844e9 100755 ---- a/tests/ensure_provider_tests.py -+++ b/tests/ensure_provider_tests.py -@@ -132,6 +132,7 @@ NM_CONDITIONAL_TESTS = { - IGNORE = [ - # checked by tests_regression_nm.yml - "playbooks/tests_checkpoint_cleanup.yml", -+ "playbooks/tests_switch_provider.yml", - ] - - RUN_PLAYBOOK_WITH_INITSCRIPTS = """# SPDX-License-Identifier: BSD-3-Clause -diff --git a/tests/playbooks/down_profile+delete_interface.yml 
b/tests/playbooks/down_profile+delete_interface.yml -new file mode 100644 -index 0000000..1f5b5d3 ---- /dev/null -+++ b/tests/playbooks/down_profile+delete_interface.yml -@@ -0,0 +1,7 @@ -+# SPDX-License-Identifier: BSD-3-Clause -+--- -+- import_playbook: down_profile.yml -+- name: Delete the interface when the network provider is initscripts -+ hosts: all -+ tasks: -+ - include_tasks: tasks/delete_interface.yml -diff --git a/tests/playbooks/tests_switch_provider.yml b/tests/playbooks/tests_switch_provider.yml -new file mode 100644 -index 0000000..f2d165c ---- /dev/null -+++ b/tests/playbooks/tests_switch_provider.yml -@@ -0,0 +1,66 @@ -+# SPDX-License-Identifier: BSD-3-Clause -+# This file was generated by ensure_provider_tests.py -+--- -+# set network provider and gather facts -+- hosts: all -+ name: Switch initscripts provider to nm -+ vars: -+ interface: LSR-TST-br34 -+ tasks: -+ - name: set fact to use initscripts network_provider -+ set_fact: -+ network_provider: initscripts -+ tags: -+ - always -+ - name: "Create test bridge {{ interface }} via initscripts provider" -+ include_role: -+ name: linux-system-roles.network -+ vars: -+ network_connections: -+ - name: "{{ interface }}" -+ state: up -+ type: bridge -+ ip: -+ dhcp4: false -+ auto6: false -+ - include_tasks: tasks/assert_device_present.yml -+ - name: "Take the profile {{ interface }} down via initscripts provider" -+ include_role: -+ name: linux-system-roles.network -+ vars: -+ network_connections: -+ - name: "{{ interface }}" -+ persistent_state: absent -+ state: down -+ type: bridge -+ # The initscripts should not remove the interface for down/absent -+ - include_tasks: tasks/assert_device_present.yml -+ - name: set fact to use nm network_provider -+ set_fact: -+ network_provider: nm -+ tags: -+ - always -+ - name: "Create test bridge {{ interface }} via nm provider" -+ include_role: -+ name: linux-system-roles.network -+ vars: -+ network_connections: -+ - name: "{{ interface }}" -+ state: up -+ 
type: bridge -+ ip: -+ dhcp4: false -+ auto6: false -+ - include_tasks: tasks/assert_device_present.yml -+ - name: "Remove bridge {{ interface }} via nm provider" -+ include_role: -+ name: linux-system-roles.network -+ vars: -+ network_connections: -+ - name: "{{ interface }}" -+ state: down -+ type: bridge -+ # NetworkManager should not remove pre-exist interface for down/absent -+ - include_tasks: tasks/assert_device_present.yml -+ - include_tasks: tasks/delete_interface.yml -+ - include_tasks: tasks/assert_device_absent.yml -diff --git a/tests/tests_switch_provider.yml b/tests/tests_switch_provider.yml -new file mode 100644 -index 0000000..562fbf2 ---- /dev/null -+++ b/tests/tests_switch_provider.yml -@@ -0,0 +1,10 @@ -+# SPDX-License-Identifier: BSD-3-Clause -+--- -+- hosts: all -+ name: Run playbook 'playbooks/tests_switch_provider.yml' -+ -+- import_playbook: playbooks/tests_switch_provider.yml -+ when: -+ # The test requires or should run with NetworkManager, therefore it cannot -+ # run on RHEL/CentOS 6 -+ - ansible_distribution_major_version != '6' --- -2.34.1 - diff --git a/SOURCES/network-tier1-tags.diff b/SOURCES/network-tier1-tags.diff deleted file mode 100644 index f6e3d2a..0000000 --- a/SOURCES/network-tier1-tags.diff +++ /dev/null 
@@ -1,25 +0,0 @@ -From 4b1a8a87e7d297fd6669d653af7308dd9c1a513a Mon Sep 17 00:00:00 2001 -From: Rich Megginson -Date: Thu, 6 May 2021 13:52:38 -0600 -Subject: [PATCH] tag 802-1x test as expfail - properly - -The 802-1x test will fail on platforms where `hostapd` is not available, -so tag that test to make it skippable. ---- - tests/playbooks/tests_802_1x.yml | 2 ++ - 2 files changed, 12 insertions(+) - -diff --git a/tests/playbooks/tests_802_1x.yml b/tests/playbooks/tests_802_1x.yml -index 9cce1ae..4ceebb1 100644 ---- a/tests/playbooks/tests_802_1x.yml -+++ b/tests/playbooks/tests_802_1x.yml -@@ -3,6 +3,8 @@ - - hosts: all - vars: - interface: 802-1x-test -+ tags: -+ - tests::expfail - tasks: - - name: "INIT: 802.1x tests" - debug:
diff --git a/SPECS/rhel-system-roles.spec b/SPECS/rhel-system-roles.spec
index 6616138..72675dc 100644
--- a/SPECS/rhel-system-roles.spec
+++ b/SPECS/rhel-system-roles.spec
@@ -1,7 +1,16 @@
+# NOTE: Even though ansible-core is in 8.6, it is only available
+# at *runtime*, not at *buildtime* - so we can't have
+# ansible-core as a build_dep on RHEL8
+%if 0%{?fedora} || 0%{?rhel} >= 9
+%bcond_without ansible
+%global ansible_build_dep ansible-core >= 2.11.0
+%else
 %if 0%{?rhel} && ! 0%{?epel}
 %bcond_with ansible
 %else
 %bcond_without ansible
+%global ansible_build_dep ansible >= 2.9.10
+%endif
 %endif
 %bcond_with collection_artifact
@@ -21,11 +30,11 @@ Name: linux-system-roles
 %endif
 Url: https://github.com/linux-system-roles
 Summary: Set of interfaces for unified system management
-Version: 1.7.3
-Release: 4%{?dist}
+Version: 1.16.2
+Release: 1%{?dist}.3
 #Group: Development/Libraries
-License: GPLv3+ and MIT and BSD
+License: GPLv3+ and MIT and BSD and Python
 %global installbase %{_datadir}/linux-system-roles
 %global _pkglicensedir %{_licensedir}/%{name}
 %global rolealtprefix linux-system-roles. 
@@ -45,7 +54,6 @@ License: GPLv3+ and MIT and BSD
 %global collection_namespace fedora
 %global collection_name linux_system_roles
 %endif
-%global subrole_prefix "private_${role}_subrole_"
 %global collection_version %{version}
@@ -64,9 +72,19 @@ License: GPLv3+ and MIT and BSD
 %endif
 %endif
+# ansible-core is in rhel 8.6 and later - default to ansible-core, but allow
+# the use of ansible if present - we may revisit this if the automatic dependency
+# generator is added to ansible-core in RHEL
+# Fedora - the automatic generator will add this - no need to explicit declare
+# it in the spec file
+# EL7 - no dependency on ansible because there is no ansible in el7 - user is
+# responsible for knowing they have to install ansible
+%if 0%{?rhel} >= 8
+Requires: (ansible-core >= 2.11.0 or ansible >= 2.9.0)
+%endif
 %if %{with ansible}
-BuildRequires: ansible >= 2.9.10
+BuildRequires: %{ansible_build_dep}
 %endif
 %if %{without ansible} 
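Review bot: The runtime floor `Requires: (ansible-core >= 2.11.0 or ansible >= 2.9.0)` in the -64,9 hunk is lower than the build-time floor `%global ansible_build_dep ansible >= 2.9.10` introduced in the -1,7 hunk, so a RHEL 8 host with ansible 2.9.0–2.9.9 satisfies the package while the package was built and tested against 2.9.10 or later. If 2.9.10 is the real minimum, align the rich dependency to `Requires: (ansible-core >= 2.11.0 or ansible >= 2.9.10)`; if the looser runtime floor is intentional, a one-line comment next to it saying why would spare the next reader the question.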
@@ -109,79 +127,85 @@ BuildRequires: ansible >= 2.9.10 #%%defcommit 1 14314822b529520ac12964e0d2938c4bb18ab895 %global rolename1 postfix -%deftag 1 1.1.0 +%deftag 1 1.2.0 #%%defcommit 2 9fe6eb36772e83b53dcfb8ceb73608fd4f72eeda %global rolename2 selinux -%deftag 2 1.3.0 +%deftag 2 1.3.4 -#%%defcommit 3 8db8f9ed9088432bac7abf68f1b284475a3baa38 +#%%defcommit 3 cbe4bf262bffae3bf53e531662237741954c4182 %global rolename3 timesync -%deftag 3 1.6.0 +%deftag 3 1.6.6 #%%defcommit 4 02fc72b482e165472624b2f68eecd2ddce1d93b1 %global rolename4 kdump -%deftag 4 1.1.0 +%deftag 4 1.2.2 -#%%defcommit 5 b08a0b3748ee87aa3bdbcf1f0b7e41ef4971bbee +#%%defcommit 5 61423ed36fc6da6dbe8321912e896c59a2d8e2f6 %global rolename5 network -%deftag 5 1.4.0 +%deftag 5 1.7.1 -#%%defcommit 6 b3b456183edb7b8aa6ceff7ce667d8e22009ef6a +#%%defcommit 6 50d2b8ccc98a8f4cb9d1d550d21adc227181e9fa %global rolename6 storage -%deftag 6 1.6.1 +%deftag 6 1.7.0 -#%%defcommit 7 0673d842fb32c437501e2aada2e38921da98e115 +#%%defcommit 7 d57caa8ca506d8cbc7ca0f96f7cb62b7e965f163 %global rolename7 metrics -%deftag 7 1.3.1 +%deftag 7 1.5.1 #%%defcommit 8 2b9e53233ee3a68bdb532e62f289733e436a6106 %global rolename8 tlog -%deftag 8 1.2.0 +%deftag 8 1.2.6 #%%defcommit 9 9373303b98e09ef38df7afc8d06e5e55812096c7 %global rolename9 kernel_settings -%deftag 9 1.1.0 +%deftag 9 1.1.6 #%%defcommit 10 20dd3e5520ca06dcccaa9b3f1fb428d055e0c23f %global rolename10 logging -%deftag 10 1.5.1 +%deftag 10 1.8.1 #%%defcommit 11 c57d0b1f3384c525738fa26ba4bdca485e162567 %global rolename11 nbde_server -%deftag 11 1.1.0 +%deftag 11 1.1.2 #%%defcommit 12 bef2fad5e365712d1f40e53662490ba2550a253f %global rolename12 nbde_client -%deftag 12 1.1.0 +%deftag 12 1.2.2 #%%defcommit 13 310fc53db04e8d3134524afb7a89b0477a2ffb83 %global rolename13 certificate -%deftag 13 1.1.0 +%deftag 13 1.1.3 #%%defcommit 14 b2a9857ac661fa32e66666e444b73bfdb34cdf95 %global rolename14 crypto_policies -%deftag 14 1.2.0 +%deftag 14 1.2.3 %global forgeorg15 
https://github.com/willshersystems %global repo15 ansible-sshd %global rolename15 sshd -%defcommit 15 1c5c48835e01adc176febf945e1fd36b7d9af7fd -#%%deftag 15 v0.13.1 +%defcommit 15 214df35c0bee77b5d69f49c2da269251d451b28f +#%%deftag 15 v0.14.1 #%%defcommit 16 59b9fd7b25607d8bd33bdb082748955f2652846a %global rolename16 ssh -%deftag 16 1.1.0 +%deftag 16 1.1.4 #%%defcommit 17 f901239cb91878719c9e7461760ef8d4789d626d %global rolename17 ha_cluster -%deftag 17 1.3.0 +%deftag 17 1.4.1 #%%defcommit 18 5f6cb73e6753fbdbb219b7d3079f0378b2d3bdb3 %global rolename18 vpn -%deftag 18 1.2.0 +%deftag 18 1.3.2 + +%global rolename19 firewall +%deftag 19 1.1.0 -%global mainid 2dd50c8a16af647e4c7a768c481335e97735958a +%global rolename20 cockpit +%deftag 20 1.2.1 + +%global mainid 5e7bb389fc5e93184871b3907e75ba896874dc21 Source: %{url}/auto-maintenance/archive/%{mainid}/auto-maintenance-%{mainid}.tar.gz Source1: %{archiveurl1} Source2: %{archiveurl2} 
@@ -201,18 +225,27 @@ Source15: %{archiveurl15}
 Source16: %{archiveurl16}
 Source17: %{archiveurl17}
 Source18: %{archiveurl18}
+Source19: %{archiveurl19}
+Source20: %{archiveurl20}
+
+# Collection tarballs from Automation Hub
+# Not used on Fedora.
+Source801: ansible-posix-1.3.0.tar.gz
+
+# Collection tarballs from Galaxy
+# Not used on Fedora.
+Source901: community-general-4.6.0.tar.gz
 # Script to convert the collection README to Automation Hub.
 # Not used on Fedora.
 Source998: collection_readme.sh
-Patch51: network-tier1-tags.diff
-Patch52: network-disable-bondtests.diff
-# Patch53 and 54 to be deleted when network role is rebased.
-Patch53: network-switch-provider.diff
-Patch54: network-switch-provider-tests.diff
-# Patch131 to be deleted when certificate role is rebased.
-Patch131: certificate-cryptography.diff
+Patch51: network-disable-bondtests.diff
+
+Patch61: Bug-2098227-storage-role-cannot-set-mount_options-for-volumes.patch
+Patch62: Bug-2098226-storage-role-raid_level-striped-is-not-supported.patch
+
+Patch1501: ansible-sshd.patch
 BuildArch: noarch
@@ -230,15 +263,9 @@ BuildRequires: highlight
 # Requirements for galaxy_transform.py
 BuildRequires: python3
 %if 0%{?fedora} || 0%{?rhel} >= 8
-BuildRequires: python3dist(ruamel.yaml)
-
-Requires: python3-jmespath
-Requires: python3-netaddr
+BuildRequires: %{py3_dist ruamel.yaml}
 %else
 BuildRequires: python3-ruamel-yaml
-
-Requires: python-jmespath
-Requires: python-netaddr
 %endif
 Obsoletes: rhel-system-roles-techpreview < 1.0-3 
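Review bot: The -230,15 hunk drops `Requires: python3-jmespath` and `Requires: python3-netaddr` (and their EL7 counterparts) without a comment, and nothing later in this commit stands in for them: the %prep vendoring copies only modules from ansible.posix and community.general into role library directories, not filter plugins or Python libraries. If no role still uses filters backed by these libraries, a comment above the `%if 0%{?fedora} || 0%{?rhel} >= 8` line such as `# python3-jmespath/python3-netaddr are no longer required: no role uses the filters that need them` would record the intent; if some role does, the Requires lines should stay. The visible changelog entries do not mention the removal either.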
@@ -272,7 +299,19 @@ Collection artifact for %{name}. This package contains %{collection_namespace}-%
 %endif
 %prep
-%setup -q -a1 -a2 -a3 -a4 -a5 -a6 -a7 -a8 -a9 -a10 -a11 -a12 -a13 -a14 -a15 -a16 -a17 -a18 -n %{getarchivedir 0}
+%setup -q -a1 -a2 -a3 -a4 -a5 -a6 -a7 -a8 -a9 -a10 -a11 -a12 -a13 -a14 -a15 -a16 -a17 -a18 -a19 -a20 -n %{getarchivedir 0}
+
+for file in %_sourcedir/*.tar.gz; do
+ if [[ "$file" =~ %_sourcedir/([^-]+)-([^-]+)-(.+).tar.gz ]]; then
+ ns=${BASH_REMATCH[1]}
+ name=${BASH_REMATCH[2]}
+ ver=${BASH_REMATCH[3]}
+ mkdir -p .external/$ns/$name
+ pushd .external/$ns/$name > /dev/null
+ tar xfz "$file"
+ popd > /dev/null
+ fi
+done
 declare -A ROLESTODIR=(%{rolestodir})
 for rolename in %{rolenames}; do 
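Review bot: The new extraction loop globs every `%_sourcedir/*.tar.gz`, and the pattern `([^-]+)-([^-]+)-(.+).tar.gz` matches more than the two collection tarballs: `auto-maintenance-%{mainid}.tar.gz` splits into `auto`/`maintenance`, and the ansible-sshd archive for repo15 presumably into `ansible`/`sshd`, so those sources are unpacked a second time under `.external/` for nothing. `ver` is assigned and never used, and the dots in `.tar.gz` are unescaped. Iterating the explicit collection sources avoids all of this with one line: `for file in %{SOURCE801} %{SOURCE901}; do`.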
@@ -298,19 +337,76 @@ cd ../..
 cd %{rolename5}
 %patch51 -p1
-%patch52 -p1
-%patch53 -p1
-%patch54 -p1
 cd ..
-cd %{rolename13}
-%patch131 -p1
+cd %{rolename6}
+%patch61 -p1
+%patch62 -p1
 cd ..
 cd %{rolename15}
+%patch1501 -p1
 sed -r -i -e "s/ansible-sshd/linux-system-roles.sshd/" tests/*.yml examples/*.yml
 sed -r -i -e "s/ willshersystems.sshd/ linux-system-roles.sshd/" tests/*.yml examples/*.yml README.md
 sed -r -i -e "s/min_ansible_version: 2.8/min_ansible_version: 2.9/" meta/main.yml
 cd ..
+cd %{rolename7}
+# metrics roles dir is a symlink to the vendored dir.
+# rpm upgrade doesn't like the symlink. Replace the
+# symlink with the real dir
+rolesdir=$(pwd)/roles
+realrolesdir=$(realpath "$rolesdir")
+if [ "$rolesdir" != "$realrolesdir" ]; then
+ rm -rf roles
+ mv "$realrolesdir" .
+ rm -rf vendor
+fi
+cd ..
+
+%if 0%{?rhel}
+# Unpack tar.gz to retrieve to be vendored modules and place them in the roles library.
+# ansible.posix:
+# - library:
+# - Module selinux and seboolean for the selinux role
+# - Module mount for the storage role
+declare -A module_map=( ["selinux.py"]="selinux" ["seboolean.py"]="selinux" ["mount.py"]="storage" )
+for module in "${!module_map[@]}"; do
+ role="${module_map[${module}]}"
+ if [ ! -d $role/library ]; then
+ mkdir $role/library
+ fi
+ cp -pL .external/ansible/posix/plugins/modules/$module $role/library/$module
+ sed -i -e ':a;N;$!ba;s/description:\n\( *\)/description:\n\1- WARNING: Do not use this module directly! It is only for role internal use.\n\1/' -e "s/ansible_collections.ansible.posix.plugins.module_utils/ansible.module_utils.${role}_lsr/" $role/library/$module
+done
+
+# ansible.posix:
+# - module_utils:
+# - Module_util mount for the storage role
+module_map=( ["mount.py"]="storage" )
+for module in "${!module_map[@]}"; do
+ role="${module_map[${module}]}"
+ if [ ! 
-d $role/module_utils/${role}_lsr ]; then
+ mkdir -p $role/module_utils/${role}_lsr
+ fi
+ cp -pL .external/ansible/posix/plugins/module_utils/$module $role/module_utils/${role}_lsr/$module
+ sed -i -e ':a;N;$!ba;s/description:\n\( *\)/description:\n\1- WARNING: Do not use this module directly! It is only for role internal use.\n\1/' $role/library/$module
+done
+
+# community.general:
+# - library:
+# - Module seport, sefcontext and selogin for the selinux role rolename2
+# - Module ini_file for role tlog
+module_map=( ["seport.py"]="selinux" ["sefcontext.py"]="selinux" ["selogin.py"]="selinux" ["ini_file.py"]="tlog" )
+for module in "${!module_map[@]}"; do
+ role="${module_map[${module}]}"
+ if [ ! -d $role/library ]; then
+ mkdir $role/library
+ fi
+ cp -pL .external/community/general/plugins/modules/$module $role/library/$module
+ ls -alrtF $role/library/$module
+ sed -i -e ':a;N;$!ba;s/description:\n\( *\)/description:\n\1- WARNING: Do not use this module directly! It is only for role internal use.\n\1/' $role/library/$module
+done
+%endif
+
 # Replacing "linux-system-roles.rolename" with "rhel-system-roles.rolename" in each role
 %if "%{roleprefix}" != "linux-system-roles."
 for rolename in %{rolenames}; do 
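Review bot: In the second (module_utils) loop the trailing `sed -i` still targets `$role/library/$module` instead of the file the loop just copied to `$role/module_utils/${role}_lsr/$module`, so storage/library/mount.py gets the WARNING description inserted a second time (the first loop already did it) while the module_utils copy is left untouched; the last argument of that sed should read `$role/module_utils/${role}_lsr/$module` (assuming the module_utils file has a `description:` key to patch at all). The `ls -alrtF $role/library/$module` in the community.general loop looks like leftover debugging output. The three loops differ only in the source tree, so a small shell function taking the source directory and target subdirectory would remove the triplicated sed expression and make this kind of path slip harder to reintroduce.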
@@ -356,44 +452,35 @@ mkdir .collections
 %if 0%{?rhel}
 # Convert the upstream collection readme to the downstream one
 %{SOURCE998} lsr_role2collection/collection_readme.md
+./galaxy_transform.py "%{collection_namespace}" "%{collection_name}" "%{collection_version}" \
+ "Red Hat Enterprise Linux System Roles Ansible Collection" \
+ "https://linux-system-roles.github.io" \
+ "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/administration_and_configuration_tasks_using_system_roles_in_rhel" \
+ "https://access.redhat.com/articles/3050101" \
+ "https://bugzilla.redhat.com/enter_bug.cgi?product=Red%20Hat%20Enterprise%20Linux%208&component=rhel-system-roles" \
+ > galaxy.yml.tmp
+# we vendor-in all of the dependencies on rhel, so remove them
+rm -f lsr_role2collection/collection_requirements.txt
+# but leave bindep.txt
+%else
+./galaxy_transform.py "%{collection_namespace}" "%{collection_name}" "%{collection_version}" \
+ "Linux System Roles Ansible Collection" \
+ > galaxy.yml.tmp
 %endif
-./galaxy_transform.py "%{collection_namespace}" "%{collection_name}" "%{collection_version}" "Red Hat Enterprise Linux System Roles Ansible Collection" > galaxy.yml.tmp
 mv galaxy.yml.tmp galaxy.yml
+includes=""
 for role in %{rolenames}; do
- python3 lsr_role2collection.py --role "$role" --src-path "$role" \
- --src-owner %{name} --subrole-prefix %{subrole_prefix} --dest-path .collections \
- --readme lsr_role2collection/collection_readme.md \
- --namespace %{collection_namespace} --collection %{collection_name}
-done
-
-# copy requirements.txt and bindep.txt from auto-maintenance/lsr_role2collection
-if [ -f lsr_role2collection/collection_requirements.txt ]; then
- cp lsr_role2collection/collection_requirements.txt \
- .collections/ansible_collections/%{collection_namespace}/%{collection_name}/requirements.txt
-fi
-if [ -f lsr_role2collection/collection_bindep.txt ]; then
- cp lsr_role2collection/collection_bindep.txt \
- 
.collections/ansible_collections/%{collection_namespace}/%{collection_name}/bindep.txt
-fi
-
-rm -f .collections/ansible_collections/%{collection_namespace}/%{collection_name}/tests/sanity/ignore-2.9.txt
-# Merge .sanity-ansible-ignore-2.9-ROLENAME.txt into tests/sanity/ignore-2.9.txt
-mkdir -p .collections/ansible_collections/%{collection_namespace}/%{collection_name}/tests/sanity
-for role in %{rolenames}; do
- if [ -f .collections/ansible_collections/%{collection_namespace}/%{collection_name}/.sanity-ansible-ignore-2.9-"$role".txt ];
- then
- cat .collections/ansible_collections/%{collection_namespace}/%{collection_name}/.sanity-ansible-ignore-2.9-"$role".txt \
- >> .collections/ansible_collections/%{collection_namespace}/%{collection_name}/tests/sanity/ignore-2.9.txt
- rm -f .collections/ansible_collections/%{collection_namespace}/%{collection_name}/.sanity-ansible-ignore-*-"$role".txt
- fi
+ includes="$includes --include $role"
+%if 0%{?rhel}
+ # we vendor-in all of the dependencies on rhel, so remove them
+ rm -f "$role/meta/requirements.yml"
+%endif
 done
-# removing dot files/dirs
-rm -r .collections/ansible_collections/%{collection_namespace}/%{collection_name}/.[A-Za-z]*
-
-cp -p galaxy.yml lsr_role2collection/.ansible-lint \
- .collections/ansible_collections/%{collection_namespace}/%{collection_name}
+LANG=en_US.utf-8 LC_ALL=en_US.utf-8 python3 release_collection.py --galaxy-yml galaxy.yml \
+ --src-path $(pwd) --dest-path $(pwd)/.collections $includes --force --no-update \
+ --src-owner %{name} --skip-git --skip-check --debug
 # Remove table of contents from logging README.md
 # It is not needed for html and AH/Galaxy 
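Review bot: `--src-path $(pwd) --dest-path $(pwd)/.collections` leaves both command substitutions unquoted while the rest of the hunk quotes `"$role"` and every galaxy_transform.py argument; writing `--src-path "$(pwd)" --dest-path "$(pwd)/.collections"` keeps the style consistent and removes the one place where a build root containing whitespace would split an argument. `$includes` has to stay unquoted, since it is deliberately built as a word list in the loop above. A short comment on the release_collection.py line naming what `--skip-check` skips in this context would help, because the flag's effect is not visible from the spec.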
@@ -633,13 +720,238 @@ fi %endif %changelog -* Tue Feb 8 2022 Noriko Hosoi - 1.7.3-4 -- certificate - certificate: error traceback /tmp/certificate-tests-venv/bin/certreader2json - Resolves: rhbz#2051758 - -* Fri Jan 28 2022 Noriko Hosoi - 1.7.3-3 -- network - Fix problem when switch provider from initscript to nm - Resolves: rhbz#2038956 +* Fri Jun 17 2022 Rich Megginson - 1.16.2-1.3 +- storage role cannot set mount_options for volumes + Resolves: rhbz#2098227 +- storage role raid_level "striped" is not supported + Resolves: rhbz#2098226 + +* Wed Apr 20 2022 Rich Megginson - 1.16.2-1.2 +- sshd - FIPS mode detection in SSHD role is wrong + Resolves rhbz#2075536 (EL8) + +* Thu Apr 14 2022 Rich Megginson - 1.16.2-1.1 +- Tlog role - Enabling session recording configuration does not work due to RHEL9 SSSD files provider default + Resolves rhbz#2074653 (EL8) + +* Tue Mar 29 2022 Rich Megginson - 1.16.2-1 +- nbde_client - NBDE client system role does not support servers with static IP addresses + previous fix did not handle some cases + Resolves rhbz#1985022 (EL8) + Resolves rhbz#2031555 (EL9) + +* Fri Mar 18 2022 Rich Megginson - 1.16.1-1 +- network - pytest failed when running with nm providers in the rhel-8.5 beaker machine + Resolves rhbz#2064396 (EL8) + Resolves rhbz#2064401 (EL9) +- network - bond: fix typo in supporting the infiniband ports in active-backup modekernel_settings error configobj not found on RHEL 8.6 managed hosts + Resolves rhbz#2064388 (EL8) + Resolves rhbz#2064391 (EL9) +- network - consistently use ansible_managed in configuration files managed by role + Resolves rhbz#2057656 (EL8) + Resolves rhbz#2057657 (EL9) + +* Thu Mar 17 2022 Rich Megginson - 1.16.0-3 +- remove unneeded metrics patch due to rebase + +* Thu Mar 17 2022 Rich Megginson - 1.16.0-2 +- remove unneeded metrics patch due to rebase +- fix bogus date in changelog + +* Tue Mar 15 2022 Rich Megginson - 1.16.0-1 +- metrics - consistently use ansible_managed in configuration files 
managed by role + Resolves rhbz#2057645 (EL8) + Resolves rhbz#2057647 (EL9) +- postfix - consistently use ansible_managed in configuration files managed by role + Resolves rhbz#2057661 (EL8) + Resolves rhbz#2057662 (EL9) +- postfix - provide the ability to replace config and reset configuration back to default + Resolves rhbz#2044657 (EL8) + Resolves rhbz#2058780 (EL9) +- new tags required in galaxy.yml for Automation Hub + +* Thu Mar 3 2022 Rich Megginson - 1.15.1-1 +- kernel_settings error configobj not found on RHEL 8.6 managed hosts + Resolves rhbz#2058772 (EL8) + Resolves rhbz#2058756 (EL9) +- timesync: basic-smoke test failure in timesync/tests_ntp.yml + Resolves rhbz#2059293 (EL8) + Resolves rhbz#2058645 (EL9) + +* Tue Mar 1 2022 Noriko Hosoi - 1.15.0-2 +- metrics - follow symlinks for the mssql and elasticsearch configuration paths + Resolves rhbz#2058655 (EL8) + Resolves rhbz#2058777 (EL9) + +* Tue Feb 22 2022 Rich Megginson - 1.15.0-1 +- firewall - ensure target changes take effect immediately + Resolves rhbz#2057172 (EL8) + Resolves rhbz#2057164 (EL9) +- firewall - Firewall RHEL System Role should be able to set default zone + Resolves rhbz#2022458 (EL8) + Resolves rhbz#2022461 (EL9) +- network - tests_802_1x_nm, tests_802_1x_updated_nm fails because of missing hostapd in EPEL + Resolves rhbz#2053862 (EL8) + Resolves rhbz#2053861 (EL9) + +* Mon Feb 14 2022 Rich Megginson - 1.14.0-1 +- ha_cluster - set permissions for haclient group + Resolves rhbz#2049747 (EL8) + Resolves rhbz#2049754 (EL9) +- network - Add more bonding options to rhel-system-roles.network + Resolves rhbz#2008931 (EL8) + Resolves rhbz#2054435 (EL9) +- certificate - should consistently use ansible_managed in hook scripts + Resolves rhbz#2054364 (EL8) + Resolves rhbz#2054368 (EL9) +- tlog - consistently use ansible_managed in configuration files managed by role + Resolves rhbz#2054363 (EL8) + Resolves rhbz#2054367 (EL9) +- vpn - consistently use ansible_managed in configuration files 
managed by role + Resolves rhbz#2054365 (EL8) + Resolves rhbz#2054369 (EL9) + +* Tue Feb 8 2022 Rich Megginson - 1.13.1-1 +- vpn - template error while templating string: no filter named 'vpn_ipaddr' + Resolves rhbz#2052103 (EL8) + Resolves rhbz#2050341 (EL9) +- kdump - Unable to start service kdump: Job for kdump.service failed because the control process exited with error code. + Resolves rhbz#2052105 (EL8) + Resolves rhbz#2050419 (EL9) +- remove collection dependencies on rhel because we vendor them in + +* Tue Feb 1 2022 Rich Megginson - 1.13.0-1 +- storage - RFE: Add support for RAID volumes (lvm-only) + Resolves rhbz#2016514 (EL8) + Resolves rhbz#2016518 (EL9) +- storage - RFE: Add support for cached volumes (lvm-only) + Resolves rhbz#2016511 (EL8) + Resolves rhbz#2016517 (EL9) +- metrics - metrics role can't be re-run if the Grafana admin password has been changed + Resolves rhbz#1967321 (EL8) + Resolves rhbz#2041632 (EL9) +- nbde_client - NBDE client system role does not support servers with static IP addresses + Resolves rhbz#1985022 (EL8) + Resolves rhbz#2031555 (EL9) +- ha_cluster - [RFE] ha_cluster - Support for creating resource constraints (Location, Ordering, etc.) 
+ Resolves rhbz#2041635 (EL8) + Resolves rhbz#2041634 (EL9) +- firewall - ensure zone exists and can be used in subsequent operations + Resolves rhbz#2042541 (EL8) + Resolves rhbz#2024775 (EL9) +- network - RFE: Support Routing Tables in static routes in Network Role + Resolves rhbz#2031521 (EL8) + Resolves rhbz#2049798 (EL9) +- network - Failure to activate connection: nm-manager-error-quark: No suitable device found for this connection + Resolves rhbz#2034908 (EL8) + Resolves rhbz#2038957 (EL9) +- network - Set DNS search setting only for enabled IP protocols + Resolves rhbz#2041627 (EL8) + Resolves rhbz#2004899 (EL9) + +* Thu Jan 27 2022 Rich Megginson - 1.12.0-1 +- vpn - use custom vpn_ipaddr filter to make role work on RHEL 8.6 with ansible-core + this is covered by "make roles work with ansible-core on all platforms" BZ +- logging - Logging role "logging_purge_confs" option not properly working + Resolves rhbz#2040812 (EL8) + Resolves rhbz#2039106 (EL9) +- kernel_settings role should use ansible_managed in its configuration file + Resolves rhbz#2047504 (EL8) + Resolves rhbz#2047506 (EL9) + +* Thu Jan 20 2022 Fedora Release Engineering - 1.11.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + +* Tue Dec 14 2021 Rich Megginson - 1.11.0-2 +- RHEL8.6, 9 - add "Requires: ansible-core or ansible" + +* Thu Dec 2 2021 Rich Megginson - 1.11.0-1 +- timesync - fix ansible 2.12 issues, service_facts issues + Resolves rhbz#2012316 (EL8) + Resolves rhbz#2012298 (EL9) +- timesync - Failure related to missing ntp/ntpd package/service on RHEL-9 host + Resolves rhbz#2029463 (EL9) +- logging - add test case for immark quoting issue + Resolves rhbz#2021678 (EL8) + Resolves rhbz#2021676 (EL9) +- cockpit - use existing cert - cockpit_cert, cockpit_private_key + Resolves rhbz#2021661 (EL8) + Resolves rhbz#2021028 (EL9) +- storage - fix ansible 2.12 issues, service_facts issues; workaround lvm, udev issues in tests + Resolves rhbz#2012316 (EL8) + Resolves 
rhbz#2012298 (EL9) +- ssh - tests_all_options.yml: "assertion": "'StdinNull yes' in config.content | b64decode ", failure + Resolves rhbz#2029614 (EL8) + Resolves rhbz#2029427 (EL9) +- kdump - support reboot required and reboot ok + Resolves rhbz#2029605 (EL8) + Resolves rhbz#2029602 (EL9) +- metrics - sync with latest ansible-pcp + Resolves rhbz#2012316 (EL8) + Resolves rhbz#2012298 (EL9) +- sshd - should detect FIPS mode and handle tasks correctly in FIPS mode + Resolves rhbz#1979714 (EL8) + Resolves rhbz#2029634 (EL9) + +* Mon Nov 8 2021 Rich Megginson - 1.10.0-1 +- add cockpit role + Resolves rhbz#2021661 (EL8) + Resolves rhbz#2021028 (EL9) +- add firewall role + Resolves rhbz#1854988 (EL8) + Resolves rhbz#2021665 (EL9) +- firewall - add ability to add-source + Resolves rhbz#1932678 (EL8) + Resolves rhbz#2021667 (EL9) +- firewall - allow user defined zones + Resolves rhbz#1850768 (EL8) + Resolves rhbz#2021669 (EL9) +- firewall - allow specifying the zone + Resolves rhbz#1850753 (EL8) + Resolves rhbz#2021670 (EL9) +- updates for ansible 2.12 support + Resolves rhbz#2012316 (EL8) + Resolves rhbz#2012298 (EL9) +- update community.general to 4.0.1 + Resolves rhbz#2006081 (EL8) + Resolves rhbz#2006076 (EL9) +- network - Allow to specify PCI address to configure profiles + Resolves rhbz#1695634 (EL8) + Resolves rhbz#1999162 (EL9) +- network - support wifi Enhanced Open (OWE) + Resolves rhbz#1993379 (EL8) + Resolves rhbz#1993377 (EL9) +- network - support WPA3 Simultaneous Authentication of Equals(SAE) + Resolves rhbz#1993311 (EL8) + Resolves rhbz#1993304 (EL9) +- network - RFE: Support ignoring default gateway retrieved by DHCP/IPv6-RA + Resolves rhbz#1897565 (EL8) + Resolves rhbz#1978773 (EL9) +- network - Update network system role to reflect that network teaming is deprecated in RHEL 9 + Resolves rhbz#1897565 (EL8) + Resolves rhbz#1999770 (EL9) +- selinux - fails linit rules role-name and unnamed-task + Resolves rhbz#1974000 (EL8) + Resolves rhbz#2021675 (EL9) +- 
kernel_settings - ansible_managed | comment BZs: + Resolves rhbz#2006230 (EL9) + Resolves rhbz#2006231 (EL8) + Resolves rhbz#2006233 (EL7) +- logging - logging role missing quotes for immark module interval value + Resolves rhbz#2021678 (EL8) + Resolves rhbz#2021676 (EL9) +- logging - Add user and password + Resolves rhbz#2010327 (EL8) + Resolves rhbz#1990490 (EL9) +- logging - Performance improvement + Resolves rhbz#2005727 (EL8) + Resolves rhbz#2004303 (EL9) +- nbde_client - add regenerate-all to the dracut command + Resolves rhbz#2021682 (EL8) + Resolves rhbz#2021681 (EL9) +- certificate - Fix certificate permissions with "group" option + Resolves rhbz#2021683 (EL8) + Resolves rhbz#2021025 (EL9) * Tue Aug 31 2021 Rich Megginson - 1.7.3-2 - selinux - tag tests_selinux_disabled.yml with tests::avc