diff --git a/.gitignore b/.gitignore
index c60ecba..6d19139 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,13 +1,15 @@
-SOURCES/certificate-fedef6e.tar.gz
-SOURCES/kdump-0c2bb28.tar.gz
-SOURCES/kernel_settings-901a73a.tar.gz
-SOURCES/logging-fe3f658.tar.gz
-SOURCES/metrics-7f94b49.tar.gz
-SOURCES/nbde_client-6306def.tar.gz
-SOURCES/nbde_server-4b6cfca.tar.gz
-SOURCES/network-bf4501b.tar.gz
+SOURCES/ansible-sshd-e1de59b3c54e9d48a010eeca73755df339c7e628.tar.gz
+SOURCES/certificate-1.0.1.tar.gz
+SOURCES/crypto_policies-76b2d5b0460dba22c5d290c1af96e4fdb3434cb9.tar.gz
+SOURCES/kdump-77596fdd976c6160d6152c200a5432c609725a14.tar.gz
+SOURCES/kernel_settings-1.0.1.tar.gz
+SOURCES/logging-fe3f658e72b2883d2a1460d453105c7a53dd70e8.tar.gz
+SOURCES/metrics-7f94b49688902eb507e0ebeda1fbf08621bc3c6b.tar.gz
+SOURCES/nbde_client-1.0.1.tar.gz
+SOURCES/nbde_server-1.0.1.tar.gz
+SOURCES/network-bf4501bb8770d3ef761e1684011c905f99a9752f.tar.gz
 SOURCES/postfix-0.1.tar.gz
-SOURCES/selinux-6cd1ec8.tar.gz
-SOURCES/storage-81f30ab.tar.gz
-SOURCES/timesync-924650d.tar.gz
-SOURCES/tlog-cfa70b6.tar.gz
+SOURCES/selinux-1.1.1.tar.gz
+SOURCES/storage-1.2.2.tar.gz
+SOURCES/timesync-924650d0cd4117f73a7f0413ab745a8632bc5cec.tar.gz
+SOURCES/tlog-1.1.0.tar.gz
diff --git a/.rhel-system-roles.metadata b/.rhel-system-roles.metadata
index a34a76e..6e424d3 100644
--- a/.rhel-system-roles.metadata
+++ b/.rhel-system-roles.metadata
@@ -1,13 +1,15 @@
-5aa98ec9e109c5ebfae327718e5cad1d3c837e4f SOURCES/certificate-fedef6e.tar.gz
-36b200d1c6a8d1cb1ea87e3e9aa8c4f6bbd8155d SOURCES/kdump-0c2bb28.tar.gz
-263a6bbe7b25fbbc13c60b6b30861b63ec2648cd SOURCES/kernel_settings-901a73a.tar.gz
-9f365ee569d0d6e542983842ffd7c81c82e2c3ca SOURCES/logging-fe3f658.tar.gz
-3c25f49356e9325ba694d14ece036c8ea3aa16f6 SOURCES/metrics-7f94b49.tar.gz
-435fed277e03b6c409ebbfa421c15f97ba15e8c8 SOURCES/nbde_client-6306def.tar.gz
-e936390ddc7440e25190d6ff98cf5e5b3bf1fc3b SOURCES/nbde_server-4b6cfca.tar.gz
-d1e3e5cd724e7a61a9b3f4eb2bf669d6ed6f9cde SOURCES/network-bf4501b.tar.gz
+77e952b62e634c69e36115845b4f24ee3bfe76b7 SOURCES/ansible-sshd-e1de59b3c54e9d48a010eeca73755df339c7e628.tar.gz
+a24d2a8ae03d3f92f8564494fd8f464dec7e45ed SOURCES/certificate-1.0.1.tar.gz
+513057251590e81b629a69a4ed704b0976b1bc44 SOURCES/crypto_policies-76b2d5b0460dba22c5d290c1af96e4fdb3434cb9.tar.gz
+fa3d5daf6cf1ceeaa87f58c16e11153cf250e2fa SOURCES/kdump-77596fdd976c6160d6152c200a5432c609725a14.tar.gz
+61be37db19fe593f418e5b69798152f4c5e84cc7 SOURCES/kernel_settings-1.0.1.tar.gz
+9f365ee569d0d6e542983842ffd7c81c82e2c3ca SOURCES/logging-fe3f658e72b2883d2a1460d453105c7a53dd70e8.tar.gz
+3c25f49356e9325ba694d14ece036c8ea3aa16f6 SOURCES/metrics-7f94b49688902eb507e0ebeda1fbf08621bc3c6b.tar.gz
+2acad85c458a08a36ca2f2e6b6c12b9b63c42dae SOURCES/nbde_client-1.0.1.tar.gz
+c55d45d134042b00ece17f2a21bb945c571310b3 SOURCES/nbde_server-1.0.1.tar.gz
+d1e3e5cd724e7a61a9b3f4eb2bf669d6ed6f9cde SOURCES/network-bf4501bb8770d3ef761e1684011c905f99a9752f.tar.gz
 66c82331f4ac9598c506c3999965b4d07dbfe49d SOURCES/postfix-0.1.tar.gz
-246383bd6823533ed3a51a0501b75e38ba852908 SOURCES/selinux-6cd1ec8.tar.gz
-d1ba125b693ac5b8705e79d92b13f24c01c51a86 SOURCES/storage-81f30ab.tar.gz
-ffd2a706e4e3007684aa9874c8457ad5c8920050 SOURCES/timesync-924650d.tar.gz
-66538d3279cb5972f73a70960a4407d2abe56883 SOURCES/tlog-cfa70b6.tar.gz
+f2ad38bd93487962de511b1f4bc9dc6607a5ab36 SOURCES/selinux-1.1.1.tar.gz
+b2c6c16da768d379c72f6ed313440bd7fa20c469 SOURCES/storage-1.2.2.tar.gz +ffd2a706e4e3007684aa9874c8457ad5c8920050 SOURCES/timesync-924650d0cd4117f73a7f0413ab745a8632bc5cec.tar.gz +486d7b845348755e7f189afd95f32bbe97c74661 SOURCES/tlog-1.1.0.tar.gz diff --git a/SOURCES/kdump-tier1-tags.diff b/SOURCES/kdump-tier1-tags.diff index 22c0684..f80af83 100644 --- a/SOURCES/kdump-tier1-tags.diff +++ b/SOURCES/kdump-tier1-tags.diff @@ -45,13 +45,13 @@ index 0000000..2035dfc + with_items: "{{ restore_services }}" + tags: tests::cleanup diff --git a/tests/tests_default.yml b/tests/tests_default.yml -index 4c93830..9e7743a 100644 +index af0b2a0..6ce5241 100644 --- a/tests/tests_default.yml +++ b/tests/tests_default.yml -@@ -4,3 +4,13 @@ +@@ -3,3 +3,13 @@ roles: - - kdump + - linux-system-roles.kdump + + pre_tasks: + - name: Import tasks @@ -63,7 +63,7 @@ index 4c93830..9e7743a 100644 +# tags: tests::tier1::cleanup + import_tasks: restore_services_state.yml diff --git a/tests/tests_default_wrapper.yml b/tests/tests_default_wrapper.yml -index 2763fbd..95b3886 100644 +index eba31a0..857aab8 100644 --- a/tests/tests_default_wrapper.yml +++ b/tests/tests_default_wrapper.yml @@ -1,6 +1,9 @@ @@ -92,12 +92,12 @@ index 2763fbd..95b3886 100644 + - 'tests::slow' tasks: - name: Run ansible-playbook with tests_default.yml in check mode - command: ansible-playbook -vvv -i {{ tempinventory.path }} --check tests_default.yml + command: > diff --git a/tests/tests_ssh.yml b/tests/tests_ssh.yml -index 14a59d9..23bc7eb 100644 +index d12e884..6d3699c 100644 --- a/tests/tests_ssh.yml 
+++ b/tests/tests_ssh.yml -@@ -11,6 +11,13 @@ +@@ -10,6 +10,13 @@ # this is the address at which the ssh dump server can be reached # from the managed host. Dumps will be uploaded there. kdump_ssh_server_inside: "{{ kdump_ssh_source if kdump_ssh_source in hostvars[kdump_ssh_server_outside]['ansible_all_ipv4_addresses'] + hostvars[kdump_ssh_server_outside]['ansible_all_ipv6_addresses'] else hostvars[kdump_ssh_server_outside]['ansible_default_ipv4']['address'] }}" @@ -112,7 +112,7 @@ index 14a59d9..23bc7eb 100644 tasks: - name: gather facts from {{ kdump_ssh_server_outside }} diff --git a/tests/tests_ssh_wrapper.yml b/tests/tests_ssh_wrapper.yml -index 9a8ecfd..1a6db73 100644 +index 2203f3f..96a764e 100644 --- a/tests/tests_ssh_wrapper.yml +++ b/tests/tests_ssh_wrapper.yml @@ -1,6 +1,8 @@ @@ -139,4 +139,4 @@ index 9a8ecfd..1a6db73 100644 + - 'tests::multihost_localhost' tasks: - name: Run ansible-playbook with tests_ssh.yml in check mode - command: ansible-playbook -vvv -i {{ tempinventory.path }} --check tests_ssh.yml + command: | diff --git a/SOURCES/logging-0001-test-playbooks-enhancement.diff b/SOURCES/logging-0001-test-playbooks-enhancement.diff deleted file mode 100644 index 69bf819..0000000 --- a/SOURCES/logging-0001-test-playbooks-enhancement.diff +++ /dev/null 
@@ -1,136 +0,0 @@ -From 90952a1bb7ddbba45ed8cbd62e6a8e0edb6f6148 Mon Sep 17 00:00:00 2001 -From: Noriko Hosoi -Date: Tue, 25 Aug 2020 09:05:03 -0700 -Subject: [PATCH 1/7] Test playbooks enhancement - -In the code to check the log message is successfully logged or not -in the /var/log/messages file, adding "until: __result is success" -and waiting up to 5 seconds. ---- - tests/tests_basics_files.yml | 4 ++++ - tests/tests_basics_files2.yml | 4 ++++ - tests/tests_basics_files_forwards.yml | 4 ++++ - tests/tests_basics_files_log_dir.yml | 4 ++++ - tests/tests_basics_forwards_implicit_files.yml | 4 ++++ - tests/tests_combination.yml | 4 ++++ - tests/tests_combination2.yml | 4 ++++ - tests/tests_imuxsock_files.yml | 4 ++++ - 8 files changed, 32 insertions(+) - -diff --git a/tests/tests_basics_files.yml b/tests/tests_basics_files.yml -index 080890f..87950d8 100644 ---- a/tests/tests_basics_files.yml -+++ b/tests/tests_basics_files.yml -@@ -74,4 +74,8 @@ - - - name: Check the test log message in {{ __default_system_log }} - command: /bin/grep testMessage0000 {{ __default_system_log }} -+ register: __result -+ until: __result is success -+ retries: 5 -+ delay: 1 - changed_when: false -diff --git a/tests/tests_basics_files2.yml b/tests/tests_basics_files2.yml -index ae61be2..094b125 100644 ---- a/tests/tests_basics_files2.yml -+++ b/tests/tests_basics_files2.yml -@@ -99,4 +99,8 @@ - - - name: Check the test log message in {{ __default_system_log }} - command: /bin/grep testMessage0000 "{{ __default_system_log }}" -+ register: __result -+ until: __result is success -+ retries: 5 -+ delay: 1 - changed_when: false -diff --git a/tests/tests_basics_files_forwards.yml b/tests/tests_basics_files_forwards.yml -index f43b8eb..d08a207 100644 ---- a/tests/tests_basics_files_forwards.yml -+++ b/tests/tests_basics_files_forwards.yml -@@ -105,6 +105,10 @@ - - - name: Check the test log message in {{ __default_system_log }} - command: /bin/grep testMessage0000 '{{ __default_system_log }}' 
-+ register: __result -+ until: __result is success -+ retries: 5 -+ delay: 1 - changed_when: false - - - name: Check if the forwarding config exists -diff --git a/tests/tests_basics_files_log_dir.yml b/tests/tests_basics_files_log_dir.yml -index ca900b8..f5ca266 100644 ---- a/tests/tests_basics_files_log_dir.yml -+++ b/tests/tests_basics_files_log_dir.yml -@@ -78,6 +78,10 @@ - - - name: Check the files output config that the path is {{ logging_system_log_dir }}/messages - command: /bin/grep '\*.info;mail.none;authpriv.none;cron.none.*{{ logging_system_log_dir }}/messages' {{ __test_files_conf }} -+ register: __result -+ until: __result is success -+ retries: 5 -+ delay: 1 - changed_when: false - - - name: Check the test log message in {{ logging_system_log_dir }}/messages -diff --git a/tests/tests_basics_forwards_implicit_files.yml b/tests/tests_basics_forwards_implicit_files.yml -index 6744d53..1d23911 100644 ---- a/tests/tests_basics_forwards_implicit_files.yml -+++ b/tests/tests_basics_forwards_implicit_files.yml -@@ -92,6 +92,10 @@ - - - name: Check if the test message is in {{ __default_system_log }} - command: /bin/grep testMessage0000 '{{ __default_system_log }}' -+ register: __result -+ until: __result is success -+ retries: 5 -+ delay: 1 - changed_when: false - - - name: Get the forwarding config stat -diff --git a/tests/tests_combination.yml b/tests/tests_combination.yml -index 99d57dc..8aae855 100644 ---- a/tests/tests_combination.yml -+++ b/tests/tests_combination.yml -@@ -129,6 +129,10 @@ - - - name: Check the test log message in {{ __default_system_log }} - command: /bin/grep testMessage0000 '{{ __default_system_log }}' -+ register: __result -+ until: __result is success -+ retries: 5 -+ delay: 1 - changed_when: false - - - name: Generated a file to check severity_and_facility -diff --git a/tests/tests_combination2.yml b/tests/tests_combination2.yml -index 5d49a57..5fe43cb 100644 ---- a/tests/tests_combination2.yml -+++ b/tests/tests_combination2.yml 
-@@ -138,6 +138,10 @@ - - - name: Check the test log message in {{ __default_system_log }} - command: /bin/grep testMessage0000 '{{ __default_system_log }}' -+ register: __result -+ until: __result is success -+ retries: 5 -+ delay: 1 - changed_when: false - - - name: Check the forwarding config stat -diff --git a/tests/tests_imuxsock_files.yml b/tests/tests_imuxsock_files.yml -index 2d6840d..35db253 100644 ---- a/tests/tests_imuxsock_files.yml -+++ b/tests/tests_imuxsock_files.yml -@@ -76,4 +76,8 @@ - - - name: Check the test log message in {{ __default_system_log }} - command: /bin/grep testMessage0000 "{{ __default_system_log }}" -+ register: __result -+ until: __result is success -+ retries: 5 -+ delay: 1 - changed_when: false --- -2.26.2 - diff --git a/SOURCES/logging-0002-elasticsearch-output-template.diff b/SOURCES/logging-0002-elasticsearch-output-template.diff deleted file mode 100644 index 6bb8a3a..0000000 --- a/SOURCES/logging-0002-elasticsearch-output-template.diff +++ /dev/null 
@@ -1,81 +0,0 @@ -From e7f255a64a1ffe83b06e93c944c73b8079f1db3a Mon Sep 17 00:00:00 2001 -From: Noriko Hosoi -Date: Thu, 10 Sep 2020 17:15:32 -0700 -Subject: [PATCH 2/7] Fixing a logic bug in elasticsearch output template. - -When evaluated, the retryfailures value was denied by "not", which -should not have been. Removing the "not" and adding a test case to -tests_files_elasticsearch_use_local_cert.yml. - -(cherry picked from commit 108f06926f7bec929fdfc24ce2fbcfe195078ae2) ---- - roles/rsyslog/templates/output_elasticsearch.j2 | 2 +- - .../tests_files_elasticsearch_use_local_cert.yml | 16 +++++++++++++--- - 2 files changed, 14 insertions(+), 4 deletions(-) - -diff --git a/roles/rsyslog/templates/output_elasticsearch.j2 b/roles/rsyslog/templates/output_elasticsearch.j2 -index c3cd1df..c4db10f 100644 ---- a/roles/rsyslog/templates/output_elasticsearch.j2 -+++ b/roles/rsyslog/templates/output_elasticsearch.j2 -@@ -44,7 +44,7 @@ ruleset(name="{{ item.name }}") { - bulkid="{{ item.bulkid | d("id_template") }}" - dynbulkid="{{ item.dynbulkid | d('on') }}" - allowUnsignedCerts="{{ item.allowUnsignedCerts | d("off") }}" --{% if not item.retryfailures | d(true) %} -+{% if item.retryfailures | d(true) %} - {% if item.retryruleset | d() | length > 0 %} - retryfailures="on" - retryruleset="{{ item.retryruleset }}" -diff --git a/tests/tests_files_elasticsearch_use_local_cert.yml b/tests/tests_files_elasticsearch_use_local_cert.yml -index 2559ce7..8b1eaa4 100644 ---- a/tests/tests_files_elasticsearch_use_local_cert.yml -+++ b/tests/tests_files_elasticsearch_use_local_cert.yml -@@ -44,6 +44,7 @@ - __test_ca_cert: /tmp/es-ca.crt - __test_cert: /tmp/es-cert.pem - __test_key: /tmp/es-key.pem -+ __test_el: elasticsearch_output - - tasks: - - name: Generate fake key/certs files. 
-@@ -60,13 +61,13 @@ - - name: deploy config to send to elasticsearch - vars: - logging_outputs: -- - name: elasticsearch_output -+ - name: "{{ __test_el }}" - type: elasticsearch - server_host: logging-es - server_port: 9200 - index_prefix: project. - input_type: ovirt -- retryfailures: false -+ retryfailures: on - ca_cert_src: "{{ __test_ca_cert }}" - cert_src: "{{ __test_cert }}" - private_key_src: "{{ __test_key }}" -@@ -77,7 +78,7 @@ - logging_flows: - - name: flow_0 - inputs: [files_input] -- outputs: [elasticsearch_output, elasticsearch_output_ops] -+ outputs: "[{{ __test_el }}]" - include_role: - name: linux-system-roles.logging - -@@ -119,3 +120,12 @@ - - mycert: "{{ __test_cert }}" - - myprivkey: "{{ __test_key }}" - changed_when: false -+ -+ - name: Check retryfailures in {{ __test_outputfiles_conf }} -+ command: /bin/grep 'retryfailures="on"' {{ __test_outputfiles_conf }} -+ changed_when: false -+ -+ - name: Check retryruleset in {{ __test_outputfiles_conf }} -+ command: /bin/grep 'retryruleset="{{ __test_el }}"' {{ __test_outputfiles_conf }} -+ changed_when: false -+ --- -2.26.2 - diff --git a/SOURCES/logging-0003-README.diff b/SOURCES/logging-0003-README.diff deleted file mode 100644 index 8f7fcdd..0000000 --- a/SOURCES/logging-0003-README.diff +++ /dev/null 
@@ -1,55 +0,0 @@ -From 76b4418f937fd1dbaa1061fa5f83f11ea046dc40 Mon Sep 17 00:00:00 2001 -From: Noriko Hosoi -Date: Thu, 10 Sep 2020 16:35:43 -0700 -Subject: [PATCH 3/7] Adding "Port and SELinux" section to README. - -(cherry picked from commit 5f144bc74edbcd80a53a2fe84aa464f7ea9f44ef) ---- - README.md | 16 +++++++++++++--- - 1 file changed, 13 insertions(+), 3 deletions(-) - -diff --git a/README.md b/README.md -index 0eafde8..db29dc5 100644 ---- a/README.md -+++ b/README.md -@@ -19,6 +19,7 @@ - * [Standalone configuration](#standalone-configuration) - * [Client configuration](#client-configuration) - * [Server configuration](#server-configuration) -+ * [Port and SELinux](#port-and-selinux) - * [Providers](#providers) - * [Tests](#tests) - * [Implementation Details](#implementation-details) -@@ -111,10 +112,10 @@ This is a schematic logging configuration to show log messages from input_nameA - - `ovirt` type - `ovirt` input supports oVirt specific inputs.
- For the details, visit [oVirt Support](../../design_docs/rsyslog_ovirt_support.md). - --- `remote` type - `remote` input supports receiving logs from the remote logging system over the network. This input type makes rsyslog a server.
-+- `remote` type - `remote` input supports receiving logs from the remote logging system over the network.
- **available options** -- - `udp_ports`: List of UDP port numbers to listen. If set, the `remote` input listens on the UDP ports. No defaults. If both `udp_ports` and `tcp_ports` are set in a `remote` input item, `udp_ports` is used and `tcp_ports` is dropped. -- - `tcp_ports`: List of TCP port numbers to listen. If set, the `remote` input listens on the TCP ports. Default to `[514]`. If both `udp_ports` and `tcp_ports` are set in a `remote` input item, `udp_ports` is used and `tcp_ports` is dropped. If both `udp_ports` and `tcp_ports` are not set in a `remote` input item, `tcp_ports: [514]` is added to the item. -+ - `udp_ports`: List of UDP port numbers to listen. If set, the `remote` input listens on the UDP ports. No defaults. If both `udp_ports` and `tcp_ports` are set in a `remote` input item, `udp_ports` is used and `tcp_ports` is dropped. See also [Port and SELinux](#port-and-selinux). -+ - `tcp_ports`: List of TCP port numbers to listen. If set, the `remote` input listens on the TCP ports. Default to `[514]`. If both `udp_ports` and `tcp_ports` are set in a `remote` input item, `udp_ports` is used and `tcp_ports` is dropped. If both `udp_ports` and `tcp_ports` are not set in a `remote` input item, `tcp_ports: [514]` is added to the item. See also [Port and SELinux](#port-and-selinux). - - `tls`: Set to `true` to encrypt the connection using the default TLS implementation used by the provider. Default to `false`. - - `pki_authmode`: Specifying the default network driver authentication mode. `x509/name`, `x509/fingerprint`, `anon` is accepted. Default to `x509/name`. - - `permitted_clients`: List of hostnames, IP addresses, fingerprints(sha1), and wildcard DNS domains which will be allowed by the `logging` server to connect and send logs over TLS. Default to `['*.{{ logging_domain }}']` -@@ -591,6 +592,15 @@ The following playbook generates the same logging configuration files. 
- outputs: [remote_files_output0, remote_files_output1] - ``` - -+### Port and SELinux -+ -+SELinux is only configured to allow sending and receiving on the following ports by default: -+``` -+syslogd_port_t tcp 514, 20514 -+syslogd_port_t udp 514, 20514 -+``` -+If other ports need to be configured, you can use [linux-system-roles/selinux](https://github.com/linux-system-roles/selinux) to manage SELinux contexts. -+ - ## Providers - - [Rsyslog](roles/rsyslog) - This documentation contains rsyslog specific information. --- -2.26.2 - diff --git a/SOURCES/logging-0004-yamllint-errors.diff b/SOURCES/logging-0004-yamllint-errors.diff deleted file mode 100644 index 8adf0e1..0000000 --- a/SOURCES/logging-0004-yamllint-errors.diff +++ /dev/null @@ -1,31 +0,0 @@ -From 6ef1f1020abb074525724e9060ddada526ad0102 Mon Sep 17 00:00:00 2001 -From: Noriko Hosoi -Date: Tue, 29 Sep 2020 15:50:03 -0700 -Subject: [PATCH 4/7] Fixing yamllint errors. - -(cherry picked from commit b131f9e26b3fd74d759b237d7b3b26b6732371d2) ---- - tests/tests_files_elasticsearch_use_local_cert.yml | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - -diff --git a/tests/tests_files_elasticsearch_use_local_cert.yml b/tests/tests_files_elasticsearch_use_local_cert.yml -index 8b1eaa4..90b12af 100644 ---- a/tests/tests_files_elasticsearch_use_local_cert.yml -+++ b/tests/tests_files_elasticsearch_use_local_cert.yml -@@ -67,7 +67,7 @@ - server_port: 9200 - index_prefix: project. - input_type: ovirt -- retryfailures: on -+ retryfailures: true - ca_cert_src: "{{ __test_ca_cert }}" - cert_src: "{{ __test_cert }}" - private_key_src: "{{ __test_key }}" -@@ -128,4 +128,3 @@ - - name: Check retryruleset in {{ __test_outputfiles_conf }} - command: /bin/grep 'retryruleset="{{ __test_el }}"' {{ __test_outputfiles_conf }} - changed_when: false -- --- -2.26.2 - diff --git a/SOURCES/logging-0005-property-based-filters.diff b/SOURCES/logging-0005-property-based-filters.diff deleted file mode 100644 index 1158774..0000000 
--- a/SOURCES/logging-0005-property-based-filters.diff +++ /dev/null @@ -1,324 +0,0 @@ -From b72e8a48be07a1cebce8b2237d7344220678c2ec Mon Sep 17 00:00:00 2001 -From: Noriko Hosoi -Date: Fri, 16 Oct 2020 08:15:11 -0700 -Subject: [PATCH 5/7] Logging - support property-based filters in the files and - forwards outputs - -Adding property-based filter options to files, forwards and remote_files output. -A test case is added to tests_basics_files2.yml. - -In addition, fixing a bug caused by a left over file from the previous tests. - -Issue - https://github.com/linux-system-roles/logging/issues/179 - -(cherry picked from commit 6ac8f9ff680a4b0230446062f5927f5921829f80) ---- - README.md | 68 ++++++++++++------- - roles/rsyslog/templates/output_files.j2 | 4 +- - roles/rsyslog/templates/output_forwards.j2 | 4 +- - .../rsyslog/templates/output_remote_files.j2 | 4 +- - tests/tests_basics_files2.yml | 40 +++++++++-- - tests/tests_basics_forwards_cert.yml | 8 +++ - tests/tests_basics_forwards_cert_missing.yml | 4 ++ - tests/tests_server_conflict.yml | 8 +++ - 8 files changed, 108 insertions(+), 32 deletions(-) - -diff --git a/README.md b/README.md -index db29dc5..4352ee7 100644 ---- a/README.md -+++ b/README.md -@@ -180,11 +180,16 @@ This is a schematic logging configuration to show log messages from input_nameA - - - `files` type - `files` output supports storing logs in the local files usually in /var/log.
- **available options** -- - `facility`: Facility; default to `*`. -- - `severity`: Severity; default to `*`. -- - `exclude`: Exclude list; default to none. -+ - `facility`: Facility in selector; default to `*`. -+ - `severity`: Severity in selector; default to `*`. -+ - `exclude`: Exclude list used in selector; default to none. -+ - `property`: Property in property-based filter; no default -+ - `prop_op`: Operation in property-based filter; In case of not `!`, put the `prop_op` value in quotes; default to `contains` -+ - `prop_value`: Value in property-based filter; default to `error` - - `path`: Path to the output file. - -+ Selector options and property-based filter options are exclusive. If Property-based filter options are defined, selector options will be ignored. -+ - Unless the above options are given, these local file outputs are configured. - ``` - kern.* /dev/console -@@ -199,8 +204,12 @@ This is a schematic logging configuration to show log messages from input_nameA - - - `forwards` type - `forwards` output sends logs to the remote logging system over the network. This is for the client rsyslog.
- **available options** -- - `facility`: Facility; default to `*`. -- - `severity`: Severity; default to `*`. -+ - `facility`: Facility in selector; default to `*`. -+ - `severity`: Severity in selector; default to `*`. -+ - `exclude`: Exclude list used in selector; default to none. -+ - `property`: Property in property-based filter; no default -+ - `prop_op`: Operation in property-based filter; In case of not `!`, put the `prop_op` value in quotes; default to `contains` -+ - `prop_value`: Value in property-based filter; default to `error` - - `target`: Target host (fqdn). **Required**. - - `udp_port`: UDP port number. Default to `514`. - - `tcp_port`: TCP port number. Default to `514`. -@@ -208,11 +217,16 @@ This is a schematic logging configuration to show log messages from input_nameA - - `pki_authmode`: Specifying the default network driver authentication mode. `x509/name`, `x509/fingerprint`, `anon` is accepted. Default to `x509/name`. - - `permitted_server`: Hostname, IP address, fingerprint(sha1) or wildcard DNS domain of the server which this client will be allowed to connect and send logs over TLS. Default to `*.{{ logging_domain }}` - -+ Selector options and property-based filter options are exclusive. If Property-based filter options are defined, selector options will be ignored. -+ - - `remote_files` type - `remote_files` output stores logs to the local files per remote host and program name originated the logs.
- **available options** -- - `facility`: Facility; default to `*`. -- - `severity`: Severity; default to `*`. -- - `exclude`: Exclude list; default to none. -+ - `facility`: Facility in selector; default to `*`. -+ - `severity`: Severity in selector; default to `*`. -+ - `exclude`: Exclude list used in selector; default to none. -+ - `property`: Property in property-based filter; no default -+ - `prop_op`: Operation in property-based filter; In case of not `!`, put the `prop_op` value in quotes; default to `contains` -+ - `prop_value`: Value in property-based filter; default to `error` - - `async_writing`: If set to `true`, the files are written asynchronously. Allowed value is `true` or `false`. Default to `false`. - - `client_count`: Count of client logging system supported this rsyslog server. Default to `10`. - - `io_buffer_size`: Buffer size used to write output data. Default to `65536` bytes. -@@ -221,6 +235,8 @@ This is a schematic logging configuration to show log messages from input_nameA - `/path/to/output/dir/%HOSTNAME%/%PROGRAMNAME:::secpath-replace%.log` - - `remote_sub_path`: Relative path to logging_system_log_dir to store the filtered logs. - -+ Selector options and property-based filter options are exclusive. If Property-based filter options are defined, selector options will be ignored. -+ - if both `remote_log_path` and `remote_sub_path` are _not_ specified, the remote_file output configured with the following settings. - ``` - template( -@@ -446,32 +462,38 @@ The following playbook generates the same logging configuration files. - outputs: [files_output0, files_output1] - ``` - --5. Deploying `files input` reading logs from a local file and `elasticsearch output` to store the logs. Assuming the ca_cert, cert and key to connect to Elasticsearch are prepared. -+5. Deploying `files input` reading logs from local files and `files output` to write to the local files based on the property-based filters. 
- ```yaml - --- --- name: Deploying basic input and elasticsearch output -+- name: Deploying files input and configured files output - hosts: all - roles: - - linux-system-roles.logging - vars: - logging_inputs: -- - name: files_input -+ - name: files_input0 - type: files -- input_log_path: /var/log/containers/*.log -+ input_log_path: /var/log/containerA/*.log -+ - name: files_input1 -+ type: files -+ input_log_path: /var/log/containerB/*.log - logging_outputs: -- - name: elasticsearch_output -- type: elasticsearch -- server_host: your_target_host -- server_port: 9200 -- index_prefix: project. -- input_type: ovirt -- ca_cert_src: /local/path/to/ca_cert -- cert_src: /local/path/to/cert -- private_key_src: /local/path/to/key -+ - name: files_output0 -+ type: files -+ property: msg -+ prop_op: contains -+ prop_value: error -+ path: /var/log/errors.log -+ - name: files_output1 -+ type: files -+ property: msg -+ prop_op: "!contains" -+ prop_value: error -+ path: /var/log/others.log - logging_flows: - - name: flow0 -- inputs: [files_input] -- outputs: [elasticsearch_output] -+ inputs: [files_input0, files_input1] -+ outputs: [files_output0, files_output1] - ``` - - ### Client configuration -diff --git a/roles/rsyslog/templates/output_files.j2 b/roles/rsyslog/templates/output_files.j2 -index d994414..e15e4cd 100644 ---- a/roles/rsyslog/templates/output_files.j2 -+++ b/roles/rsyslog/templates/output_files.j2 -@@ -1,6 +1,8 @@ - {% if item.path is defined %} - ruleset(name="{{ item.name }}") { --{% if item.exclude | d([]) %} -+{% if item.property | d() %} -+ :{{ item.property }}, {{ item.prop_op | d('contains') }}, "{{ item.prop_value | d('error') }}" {{ item.path }} -+{% elif item.exclude | d([]) %} - {{ item.facility | d('*') }}.{{ item.severity | d('*') }};{{ item.exclude | join(';') }} {{ item.path }} - {% else %} - {{ item.facility | d('*') }}.{{ item.severity | d('*') }} {{ item.path }} -diff --git a/roles/rsyslog/templates/output_forwards.j2 
b/roles/rsyslog/templates/output_forwards.j2 -index 61254ee..35030b4 100644 ---- a/roles/rsyslog/templates/output_forwards.j2 -+++ b/roles/rsyslog/templates/output_forwards.j2 -@@ -9,7 +9,9 @@ - {% set __forwards_protocol = '' %} - {% endif %} - ruleset(name="{{ item.name }}") { --{% if item.exclude | d([]) %} -+{% if item.property | d() %} -+ :{{ item.property }}, {{ item.prop_op | d('contains') }}, "{{ item.prop_value | d('error') }}" action(name="{{ item.name }}" -+{% elif item.exclude | d([]) %} - {{ item.facility | d('*') }}.{{ item.severity | d('*') }};{{ item.exclude | join(';') }} action(name="{{ item.name }}" - {% else %} - {{ item.facility | d('*') }}.{{ item.severity | d('*') }} action(name="{{ item.name }}" -diff --git a/roles/rsyslog/templates/output_remote_files.j2 b/roles/rsyslog/templates/output_remote_files.j2 -index 3c9339f..aaf547e 100644 ---- a/roles/rsyslog/templates/output_remote_files.j2 -+++ b/roles/rsyslog/templates/output_remote_files.j2 -@@ -17,7 +17,9 @@ ruleset(name="{{ item.name }}" - queue.size="{{ logging_server_queue_size }}" - queue.workerThreads="{{ logging_server_threads }}") { - # Store remote logs in separate logfiles --{% if item.exclude | d([]) %} -+{% if item.property | d() %} -+ :{{ item.property }}, {{ item.prop_op | d('contains') }}, "{{ item.prop_value | d('error') }}" action(name="{{ item.name }}" type="omfile" DynaFile="{{ item.name }}_template" DynaFileCacheSize="{{ item.client_count | d(10) }}" ioBufferSize="{{ item.io_buffer_size | d('65536') }}" asyncWriting="{{ 'on' if item.async_writing | d(false) | bool else 'off' }}") -+{% elif item.exclude | d([]) %} - {{ item.facility | d('*') }}.{{ item.severity | d('*') }};{{ item.exclude | join(';') }} action(name="{{ item.name }}" type="omfile" DynaFile="{{ item.name }}_template" DynaFileCacheSize="{{ item.client_count | d(10) }}" ioBufferSize="{{ item.io_buffer_size | d('65536') }}" asyncWriting="{{ 'on' if item.async_writing | d(false) | bool else 'off' }}") - {% else 
%} - {{ item.facility | d('*') }}.{{ item.severity | d('*') }} action(name="{{ item.name }}" type="omfile" DynaFile="{{ item.name }}_template" DynaFileCacheSize="{{ item.client_count | d(10) }}" ioBufferSize="{{ item.io_buffer_size | d('65536') }}" asyncWriting="{{ 'on' if item.async_writing | d(false) | bool else 'off' }}") -diff --git a/tests/tests_basics_files2.yml b/tests/tests_basics_files2.yml -index 094b125..b1a0f62 100644 ---- a/tests/tests_basics_files2.yml -+++ b/tests/tests_basics_files2.yml -@@ -10,9 +10,9 @@ - # If logging role is executed, the file size is about 100 bytes. - # Thus, assert the size is less than 1000. - # 2. Check file count in /etc/rsyslog.d. --# If logging role is executed, 8 config files are generated. -+# If logging role is executed, 9 config files are generated. - # By setting logging_purge_confs, pre-existing config files are deleted. --# Thus, assert the the count is equal to 8. -+# Thus, assert the the count is equal to 9. - # 3. Check systemctl status of rsyslog as well as error or specific message in the output. - # 4. To verify the generated filename is correct, check the config file of files output exists. - # 4.1 Check the config file contains the expected filter and the output file as configured. 
-@@ -24,6 +24,8 @@ - vars: - __test_files_conf: /etc/rsyslog.d/30-output-files-files_output1.conf - __default_system_log: /var/log/messages -+ __prop_based_log0: /var/log/property_based_filter_in.log -+ __prop_based_log1: /var/log/property_based_filter_out.log - - tasks: - - name: deploy config to output into local files -@@ -49,15 +51,23 @@ - path: :omusrmsg:* - - name: files_output3 - type: files -- facility: local7 -- path: /var/log/boot.log -+ property: msg -+ prop_op: contains -+ prop_value: property_based_filter_test -+ path: "{{ __prop_based_log0 }}" -+ - name: files_output4 -+ type: files -+ property: msg -+ prop_op: "!contains" -+ prop_value: property_based_filter_test -+ path: "{{ __prop_based_log1 }}" - logging_inputs: - - name: basic_input - type: basics - logging_flows: - - name: flow_0 - inputs: [basic_input] -- outputs: [files_output0, files_output1, files_output2, files_output3] -+ outputs: [files_output0, files_output1, files_output2, files_output3, files_output4] - include_role: - name: linux-system-roles.logging - -@@ -74,7 +84,7 @@ - - - name: Check file counts in rsyslog.d - assert: -- that: rsyslog_d_file_count.matched == 8 -+ that: rsyslog_d_file_count.matched == 9 - - # Checking 'error' in stdout from systemctl status is for detecting the case in which rsyslog is running, - # but some functionality is disabled due to some error, e.g., error: 'tls.cacert' file couldn't be accessed. 
-@@ -104,3 +114,21 @@ - retries: 5 - delay: 1 - changed_when: false -+ -+ - name: Run logger to generate a test log message containing property_based_filter_test -+ command: /bin/logger -i -p local6.info -t testTag1 property_based_filter_test -+ changed_when: false -+ -+ - name: Check the test log message in {{ __prop_based_log0 }} -+ command: /bin/grep property_based_filter_test "{{ __prop_based_log0 }}" -+ register: __result -+ until: __result is success -+ retries: 5 -+ delay: 1 -+ changed_when: false -+ -+ - name: Check the test log message not in {{ __prop_based_log1 }} -+ command: /bin/grep property_based_filter_test "{{ __prop_based_log1 }}" -+ register: __result -+ changed_when: false -+ failed_when: "__result is not failed" -diff --git a/tests/tests_basics_forwards_cert.yml b/tests/tests_basics_forwards_cert.yml -index e27e016..48263ae 100644 ---- a/tests/tests_basics_forwards_cert.yml -+++ b/tests/tests_basics_forwards_cert.yml -@@ -139,3 +139,11 @@ - - /etc/pki/tls/certs/{{ __test_ca_cert_name }} - - /etc/pki/tls/certs/{{ __test_cert_name }} - - /etc/pki/tls/private/{{ __test_key_name }} -+ -+ - name: clean up test files -+ file: path="{{ item }}" state=absent -+ loop: -+ - "{{ __test_ca_cert }}" -+ - "{{ __test_cert }}" -+ - "{{ __test_key }}" -+ delegate_to: localhost -diff --git a/tests/tests_basics_forwards_cert_missing.yml b/tests/tests_basics_forwards_cert_missing.yml -index 3e82856..0ad0569 100644 ---- a/tests/tests_basics_forwards_cert_missing.yml -+++ b/tests/tests_basics_forwards_cert_missing.yml -@@ -63,6 +63,10 @@ - assert: - that: "'{{ ansible_failed_result.results.0.msg }}' is match('{{ __expected_error }}')" - -+ - name: clean up test files -+ file: path="{{ __test_key }}" state=absent -+ delegate_to: localhost -+ - - name: default run for cleanup - vars: - logging_inputs: -diff --git a/tests/tests_server_conflict.yml b/tests/tests_server_conflict.yml -index 36eeeb7..8c182f6 100644 ---- a/tests/tests_server_conflict.yml -+++ 
b/tests/tests_server_conflict.yml -@@ -76,3 +76,11 @@ - - assert: - that: item.msg is not defined or item.msg is defined and item.msg == __expected_error - loop: "{{ ansible_failed_result.results }}" -+ -+ - name: clean up test files -+ file: path="{{ item }}" state=absent -+ loop: -+ - "{{ __test_ca_cert }}" -+ - "{{ __test_cert }}" -+ - "{{ __test_key }}" -+ delegate_to: localhost --- -2.26.2 - diff --git a/SOURCES/logging-0006-property_op.diff b/SOURCES/logging-0006-property_op.diff deleted file mode 100644 index 1f1ed57..0000000 --- a/SOURCES/logging-0006-property_op.diff +++ /dev/null 
@@ -1,136 +0,0 @@ -From ca2baffbfc14fba077c7c70d849c02b9c69c9e1f Mon Sep 17 00:00:00 2001 -From: Noriko Hosoi -Date: Fri, 16 Oct 2020 11:08:00 -0700 -Subject: [PATCH 6/7] Replacing prop_op with property_op and prop_value with - property_value. - -(cherry picked from commit 1c951e6acef886548029151dbca9d002f20ef425) ---- - README.md | 20 +++++++++---------- - roles/rsyslog/templates/output_files.j2 | 2 +- - roles/rsyslog/templates/output_forwards.j2 | 2 +- - .../rsyslog/templates/output_remote_files.j2 | 2 +- - tests/tests_basics_files2.yml | 8 ++++---- - 5 files changed, 17 insertions(+), 17 deletions(-) - -diff --git a/README.md b/README.md -index 4352ee7..d94ec04 100644 ---- a/README.md -+++ b/README.md -@@ -184,8 +184,8 @@ This is a schematic logging configuration to show log messages from input_nameA - - `severity`: Severity in selector; default to `*`. - - `exclude`: Exclude list used in selector; default to none. - - `property`: Property in property-based filter; no default -- - `prop_op`: Operation in property-based filter; In case of not `!`, put the `prop_op` value in quotes; default to `contains` -- - `prop_value`: Value in property-based filter; default to `error` -+ - `property_op`: Operation in property-based filter; In case of not `!`, put the `property_op` value in quotes; default to `contains` -+ - `property_value`: Value in property-based filter; default to `error` - - `path`: Path to the output file. - - Selector options and property-based filter options are exclusive. If Property-based filter options are defined, selector options will be ignored. -@@ -208,8 +208,8 @@ This is a schematic logging configuration to show log messages from input_nameA - - `severity`: Severity in selector; default to `*`. - - `exclude`: Exclude list used in selector; default to none. 
- - `property`: Property in property-based filter; no default -- - `prop_op`: Operation in property-based filter; In case of not `!`, put the `prop_op` value in quotes; default to `contains` -- - `prop_value`: Value in property-based filter; default to `error` -+ - `property_op`: Operation in property-based filter; In case of not `!`, put the `property_op` value in quotes; default to `contains` -+ - `property_value`: Value in property-based filter; default to `error` - - `target`: Target host (fqdn). **Required**. - - `udp_port`: UDP port number. Default to `514`. - - `tcp_port`: TCP port number. Default to `514`. -@@ -225,8 +225,8 @@ This is a schematic logging configuration to show log messages from input_nameA - - `severity`: Severity in selector; default to `*`. - - `exclude`: Exclude list used in selector; default to none. - - `property`: Property in property-based filter; no default -- - `prop_op`: Operation in property-based filter; In case of not `!`, put the `prop_op` value in quotes; default to `contains` -- - `prop_value`: Value in property-based filter; default to `error` -+ - `property_op`: Operation in property-based filter; In case of not `!`, put the `property_op` value in quotes; default to `contains` -+ - `property_value`: Value in property-based filter; default to `error` - - `async_writing`: If set to `true`, the files are written asynchronously. Allowed value is `true` or `false`. Default to `false`. - - `client_count`: Count of client logging system supported this rsyslog server. Default to `10`. - - `io_buffer_size`: Buffer size used to write output data. Default to `65536` bytes. -@@ -481,14 +481,14 @@ The following playbook generates the same logging configuration files. 
- - name: files_output0 - type: files - property: msg -- prop_op: contains -- prop_value: error -+ property_op: contains -+ property_value: error - path: /var/log/errors.log - - name: files_output1 - type: files - property: msg -- prop_op: "!contains" -- prop_value: error -+ property_op: "!contains" -+ property_value: error - path: /var/log/others.log - logging_flows: - - name: flow0 -diff --git a/roles/rsyslog/templates/output_files.j2 b/roles/rsyslog/templates/output_files.j2 -index e15e4cd..40f5b90 100644 ---- a/roles/rsyslog/templates/output_files.j2 -+++ b/roles/rsyslog/templates/output_files.j2 -@@ -1,7 +1,7 @@ - {% if item.path is defined %} - ruleset(name="{{ item.name }}") { - {% if item.property | d() %} -- :{{ item.property }}, {{ item.prop_op | d('contains') }}, "{{ item.prop_value | d('error') }}" {{ item.path }} -+ :{{ item.property }}, {{ item.property_op | d('contains') }}, "{{ item.property_value | d('error') }}" {{ item.path }} - {% elif item.exclude | d([]) %} - {{ item.facility | d('*') }}.{{ item.severity | d('*') }};{{ item.exclude | join(';') }} {{ item.path }} - {% else %} -diff --git a/roles/rsyslog/templates/output_forwards.j2 b/roles/rsyslog/templates/output_forwards.j2 -index 35030b4..87d7a09 100644 ---- a/roles/rsyslog/templates/output_forwards.j2 -+++ b/roles/rsyslog/templates/output_forwards.j2 -@@ -10,7 +10,7 @@ - {% endif %} - ruleset(name="{{ item.name }}") { - {% if item.property | d() %} -- :{{ item.property }}, {{ item.prop_op | d('contains') }}, "{{ item.prop_value | d('error') }}" action(name="{{ item.name }}" -+ :{{ item.property }}, {{ item.property_op | d('contains') }}, "{{ item.property_value | d('error') }}" action(name="{{ item.name }}" - {% elif item.exclude | d([]) %} - {{ item.facility | d('*') }}.{{ item.severity | d('*') }};{{ item.exclude | join(';') }} action(name="{{ item.name }}" - {% else %} -diff --git a/roles/rsyslog/templates/output_remote_files.j2 b/roles/rsyslog/templates/output_remote_files.j2 -index 
aaf547e..84317f2 100644 ---- a/roles/rsyslog/templates/output_remote_files.j2 -+++ b/roles/rsyslog/templates/output_remote_files.j2 -@@ -18,7 +18,7 @@ ruleset(name="{{ item.name }}" - queue.workerThreads="{{ logging_server_threads }}") { - # Store remote logs in separate logfiles - {% if item.property | d() %} -- :{{ item.property }}, {{ item.prop_op | d('contains') }}, "{{ item.prop_value | d('error') }}" action(name="{{ item.name }}" type="omfile" DynaFile="{{ item.name }}_template" DynaFileCacheSize="{{ item.client_count | d(10) }}" ioBufferSize="{{ item.io_buffer_size | d('65536') }}" asyncWriting="{{ 'on' if item.async_writing | d(false) | bool else 'off' }}") -+ :{{ item.property }}, {{ item.property_op | d('contains') }}, "{{ item.property_value | d('error') }}" action(name="{{ item.name }}" type="omfile" DynaFile="{{ item.name }}_template" DynaFileCacheSize="{{ item.client_count | d(10) }}" ioBufferSize="{{ item.io_buffer_size | d('65536') }}" asyncWriting="{{ 'on' if item.async_writing | d(false) | bool else 'off' }}") - {% elif item.exclude | d([]) %} - {{ item.facility | d('*') }}.{{ item.severity | d('*') }};{{ item.exclude | join(';') }} action(name="{{ item.name }}" type="omfile" DynaFile="{{ item.name }}_template" DynaFileCacheSize="{{ item.client_count | d(10) }}" ioBufferSize="{{ item.io_buffer_size | d('65536') }}" asyncWriting="{{ 'on' if item.async_writing | d(false) | bool else 'off' }}") - {% else %} -diff --git a/tests/tests_basics_files2.yml b/tests/tests_basics_files2.yml -index b1a0f62..9f69ed5 100644 ---- a/tests/tests_basics_files2.yml -+++ b/tests/tests_basics_files2.yml -@@ -52,14 +52,14 @@ - - name: files_output3 - type: files - property: msg -- prop_op: contains -- prop_value: property_based_filter_test -+ property_op: contains -+ property_value: property_based_filter_test - path: "{{ __prop_based_log0 }}" - - name: files_output4 - type: files - property: msg -- prop_op: "!contains" -- prop_value: property_based_filter_test -+ 
property_op: "!contains" -+ property_value: property_based_filter_test - path: "{{ __prop_based_log1 }}" - logging_inputs: - - name: basic_input --- -2.26.2 - diff --git a/SOURCES/logging-0007-RHELPLAN-56807.diff b/SOURCES/logging-0007-RHELPLAN-56807.diff deleted file mode 100644 index e3db3f5..0000000 --- a/SOURCES/logging-0007-RHELPLAN-56807.diff +++ /dev/null 
@@ -1,114 +0,0 @@ -From 3967a2b0e7e61dfb6317296a4cf15d0fe91a1638 Mon Sep 17 00:00:00 2001 -From: Noriko Hosoi -Date: Thu, 15 Oct 2020 10:52:29 -0700 -Subject: [PATCH 7/7] RHELPLAN-56807 - Logging - elasticsearch - need to adjust - jinja2 boolean values to the rsyslog config values - -Resetting the values of the following params as rsyslog expects. - dynSearchIndex, bulkmode, dynbulkid, allowUnsignedCerts, usehttps - -Adding test cases to tests_ovirt_elasticsearch_params.yml - -(cherry picked from commit c98aabd864f6d07c11d6db991bf0af0aaee7f123) ---- - .../rsyslog/templates/output_elasticsearch.j2 | 13 ++++----- - tests/tests_ovirt_elasticsearch_params.yml | 29 +++++++++++++++++-- - 2 files changed, 33 insertions(+), 9 deletions(-) - -diff --git a/roles/rsyslog/templates/output_elasticsearch.j2 b/roles/rsyslog/templates/output_elasticsearch.j2 -index c4db10f..6c6255b 100644 ---- a/roles/rsyslog/templates/output_elasticsearch.j2 -+++ b/roles/rsyslog/templates/output_elasticsearch.j2 -@@ -37,25 +37,24 @@ ruleset(name="{{ item.name }}") { - serverport="{{ item.server_port | d(9200) | int }}" - template="{{ item.template | d("es_template") }}" - searchIndex="{{ item.searchIndex | d("index_template") }}" -- dynSearchIndex="{{ item.dynSearchIndex | d("on") }}" -+ dynSearchIndex="{{ item.dynSearchIndex | d(true) | ternary('on', 'off') }}" - searchType="{{ item.searchType | d("com.redhat.viaq.common") }}" -- bulkmode="{{ item.bulkmode | d("on") }}" -+ bulkmode="{{ item.bulkmode | d(true) | ternary('on', 'off') }}" - writeoperation="{{ item.writeoperation | d("create") }}" - bulkid="{{ item.bulkid | d("id_template") }}" -- dynbulkid="{{ item.dynbulkid | d('on') }}" -- allowUnsignedCerts="{{ item.allowUnsignedCerts | d("off") }}" -+ dynbulkid="{{ item.dynbulkid | d(true) | ternary('on', 'off') }}" -+ allowUnsignedCerts="{{ item.allowUnsignedCerts | d(false) | ternary('on', 'off') }}" - {% if item.retryfailures | d(true) %} --{% if item.retryruleset | d() | length > 0 %} - 
retryfailures="on" -+{% if item.retryruleset | d() | length > 0 %} - retryruleset="{{ item.retryruleset }}" - {% else %} -- retryfailures="on" - retryruleset="{{ item.name }}" - {% endif %} - {% else %} - retryfailures="off" - {% endif %} -- usehttps="{{ item.usehttps | default("on") }}" -+ usehttps="{{ item.usehttps | d(true) | ternary('on', 'off') }}" - {% if item.use_cert | default(true) %} - tls.cacert="{{ item.ca_cert | default('/etc/rsyslog.d/es-ca.crt') }}" - tls.mycert="{{ item.cert | default('/etc/rsyslog.d/es-cert.pem') }}" -diff --git a/tests/tests_ovirt_elasticsearch_params.yml b/tests/tests_ovirt_elasticsearch_params.yml -index 34d9e1d..4fefe59 100644 ---- a/tests/tests_ovirt_elasticsearch_params.yml -+++ b/tests/tests_ovirt_elasticsearch_params.yml -@@ -34,6 +34,8 @@ - __test_ovirt_engine_conf: /etc/rsyslog.d/90-input-ovirt-ovirt_engine_input.conf - __test_ovirt_vdsm_conf: /etc/rsyslog.d/90-input-ovirt-ovirt_vdsm_input.conf - __test_ovirt_bogus_conf: /etc/rsyslog.d/90-input-ovirt-ovirt_bogus_input.conf -+ __test_es_conf: /etc/rsyslog.d/31-output-elasticsearch-elasticsearch_output.conf -+ __test_es_ops_conf: /etc/rsyslog.d/31-output-elasticsearch-elasticsearch_output_ops.conf - __test_collectd_name: ovirt_collectd_input - __test_engine_name: ovirt_engine_input - __test_vdsm_name: ovirt_vdsm_input -@@ -56,7 +58,6 @@ - server_port: 9200 - index_prefix: project. 
- input_type: ovirt -- retryfailures: false - ca_cert: "/etc/rsyslog.d/es-ca.crt" - cert: "/etc/rsyslog.d/es-cert.pem" - private_key: "/etc/rsyslog.d/es-key.pem" -@@ -70,6 +71,11 @@ - ca_cert: "/etc/rsyslog.d/es-ca.crt" - cert: "/etc/rsyslog.d/es-cert.pem" - private_key: "/etc/rsyslog.d/es-key.pem" -+ dynSearchIndex: false -+ bulkmode: false -+ dynbulkid: false -+ allowUnsignedCerts: true -+ usehttps: false - logging_inputs: - - name: basic_input - type: basics -@@ -164,4 +170,23 @@ - - - name: Check index_prefix is "{{ __test_logs_index }}" in "{{ __test_ovirt_vdsm_conf }}" - command: /bin/grep 'set $.index_prefix = "{{ __test_logs_index }}"' {{ __test_ovirt_vdsm_conf }} -- changed_when: false -+ -+ - name: Check default config params in "{{ __test_es_conf }}" -+ command: /bin/grep {{ item }} {{ __test_es_conf }} -+ loop: -+ - "dynSearchIndex=.on." -+ - "bulkmode=.on." -+ - "dynbulkid=.on." -+ - "allowUnsignedCerts=.off." -+ - "usehttps=.on." -+ - "retryfailures=.on." -+ -+ - name: Check modified config params in "{{ __test_es_ops_conf }}" -+ command: /bin/grep {{ item }} {{ __test_es_ops_conf }} -+ loop: -+ - "dynSearchIndex=.off." -+ - "bulkmode=.off." -+ - "dynbulkid=.off." -+ - "allowUnsignedCerts=.on." -+ - "usehttps=.off." -+ - "retryfailures=.off." --- -2.26.2 - diff --git a/SOURCES/network-disable-bondtests.diff b/SOURCES/network-disable-bondtests.diff new file mode 100644 index 0000000..f16a980 --- /dev/null +++ b/SOURCES/network-disable-bondtests.diff 
@@ -0,0 +1,24 @@
+diff --git a/tests/playbooks/tests_bond.yml b/tests/playbooks/tests_bond.yml
+index d646a0b..8689d59 100644
+--- a/tests/playbooks/tests_bond.yml
++++ b/tests/playbooks/tests_bond.yml
+@@ -13,6 +13,8 @@
+ dhcp_interface1: test1
+ slave2_profile: bond0.1
+ dhcp_interface2: test2
++ tags:
++ - "tests::expfail"
+ tasks:
+ - name: "INIT Prepare setup"
+ debug:
+diff --git a/tests/tests_bond_initscripts.yml b/tests/tests_bond_initscripts.yml
+index 8fa74c5..6a231c4 100644
+--- a/tests/tests_bond_initscripts.yml
++++ b/tests/tests_bond_initscripts.yml
+@@ -9,5 +9,6 @@
+ network_provider: initscripts
+ tags:
+ - always
++ - "tests::expfail"
+
+ - import_playbook: playbooks/tests_bond.yml
diff --git a/SOURCES/network-pr298.diff b/SOURCES/network-pr298.diff
new file mode 100644
index 0000000..67f504b
--- /dev/null
+++ b/SOURCES/network-pr298.diff
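Review bot: The two `tests::expfail` tags added here (on the play in tests/playbooks/tests_bond.yml and next to `always` in tests/tests_bond_initscripts.yml) carry no explanation, and this patch file has no header, so nothing records why the bond tests are expected to fail or when the tag can be dropped. I would add a comment above each tag, for example `# bond tests are expected to fail here; remove once <tracking-issue placeholder> is resolved`. Without it an expected-failure tag tends to outlive the problem it was added for and can hide real regressions in the bond code path.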
@@ -0,0 +1,524 @@ +From 94ba2d701fa93bff69a7bfb1a033f27e53a17439 Mon Sep 17 00:00:00 2001 +From: Gris Ge +Date: Thu, 12 Nov 2020 21:42:01 +0800 +Subject: [PATCH] nm provider: Refactor the down action of network connection + +When deactivating a profile in libNM, we should: + + * Check `NM.ActionConnection` existence + * Check `NM.ActionConnection.props.state` not DEACTIVATED + * Use signal `state-changed` of `NM.ActionConnection`. + * Only invoke `NM.Client.deactivate_connection_async()` if not + in DEACTIVATING state. + * Ignore `NM.ManagerError.CONNECTIONNOTACTIVE` error. + +This patch also introduced a new class `NetworkManagerProvider` +in `module_utils/network_lsr/nm`: + + * Independent from Ansible but need to use absolute import due to + limitation of ansible 2.8. + * Provide sync function wrapping async calls of libNM. + * Use stable logging method of python. + * Only load this module when provider is nm. + +This patch also changed how logging is handling in +`Cmd_nm.run_action_down()` as initial step on isolate ansible log +mechanism from provider module. + +By moving provider codes to `module_utils` folder, we can eventually +simplify the bloated `library/network_connections.py`. 
+ +Signed-off-by: Gris Ge +--- + library/network_connections.py | 146 ++++++------------ + module_utils/network_lsr/nm/__init__.py | 9 ++ + .../network_lsr/nm/active_connection.py | 125 +++++++++++++++ + module_utils/network_lsr/nm/client.py | 86 +++++++++++ + module_utils/network_lsr/nm/error.py | 5 + + module_utils/network_lsr/nm/provider.py | 29 ++++ + 6 files changed, 300 insertions(+), 100 deletions(-) + create mode 100644 module_utils/network_lsr/nm/__init__.py + create mode 100644 module_utils/network_lsr/nm/active_connection.py + create mode 100644 module_utils/network_lsr/nm/client.py + create mode 100644 module_utils/network_lsr/nm/error.py + create mode 100644 module_utils/network_lsr/nm/provider.py + +diff --git a/library/network_connections.py b/library/network_connections.py +index e8ee347..e693ab7 100644 +--- a/library/network_connections.py ++++ b/library/network_connections.py +@@ -11,6 +11,7 @@ import socket + import subprocess + import time + import traceback ++import logging + + # pylint: disable=import-error, no-name-in-module + from ansible.module_utils.basic import AnsibleModule +@@ -66,6 +67,17 @@ class LogLevel: + INFO = "info" + DEBUG = "debug" + ++ _LOGGING_LEVEL_MAP = { ++ logging.DEBUG: DEBUG, ++ logging.INFO: INFO, ++ logging.WARN: WARN, ++ logging.ERROR: ERROR, ++ } ++ ++ @staticmethod ++ def from_logging_level(logging_level): ++ return LogLevel._LOGGING_LEVEL_MAP.get(logging_level, LogLevel.ERROR) ++ + @staticmethod + def fmt(level): + return "<%-6s" % (str(level) + ">") +@@ -1386,61 +1398,6 @@ class NMUtil: + if failure_reason: + raise MyError("connection not activated: %s" % (failure_reason)) + +- def active_connection_deactivate(self, ac, timeout=10, wait_time=None): +- def deactivate_cb(client, result, cb_args): +- success = False +- try: +- success = client.deactivate_connection_finish(result) +- except Exception as e: +- if Util.error_is_cancelled(e): +- return +- cb_args["error"] = str(e) +- cb_args["success"] = success +- 
Util.GMainLoop().quit() +- +- cancellable = Util.create_cancellable() +- cb_args = {} +- self.nmclient.deactivate_connection_async( +- ac, cancellable, deactivate_cb, cb_args +- ) +- if not Util.GMainLoop_run(timeout): +- cancellable.cancel() +- raise MyError("failure to deactivate connection: %s" % (timeout)) +- if not cb_args.get("success", False): +- raise MyError( +- "failure to deactivate connection: %s" +- % (cb_args.get("error", "unknown error")) +- ) +- +- self.active_connection_deactivate_wait(ac, wait_time) +- return True +- +- def active_connection_deactivate_wait(self, ac, wait_time): +- +- if not wait_time: +- return +- +- NM = Util.NM() +- +- def check_deactivated(ac): +- return ac.get_state() >= NM.ActiveConnectionState.DEACTIVATED +- +- if not check_deactivated(ac): +- +- def check_deactivated_cb(): +- if check_deactivated(ac): +- Util.GMainLoop().quit() +- +- ac_id = ac.connect( +- "notify::state", lambda source, pspec: check_deactivated_cb() +- ) +- +- try: +- if not Util.GMainLoop_run(wait_time): +- raise MyError("connection not fully deactivated after timeout") +- finally: +- ac.handler_disconnect(ac_id) +- + def reapply(self, device, connection=None): + version_id = 0 + flags = 0 +@@ -1628,6 +1585,21 @@ class RunEnvironmentAnsible(RunEnvironment): + ############################################################################### + + ++class NmLogHandler(logging.Handler): ++ def __init__(self, log_func, idx): ++ self._log = log_func ++ self._idx = idx ++ super(NmLogHandler, self).__init__() ++ ++ def filter(self, record): ++ return True ++ ++ def emit(self, record): ++ self._log( ++ self._idx, LogLevel.from_logging_level(record.levelno), record.getMessage() ++ ) ++ ++ + class Cmd(object): + def __init__( + self, +@@ -1953,6 +1925,14 @@ class Cmd_nm(Cmd): + self._nmutil = None + self.validate_one_type = ArgValidator_ListConnections.VALIDATE_ONE_MODE_NM + self._checkpoint = None ++ # pylint: disable=import-error, no-name-in-module ++ from 
ansible.module_utils.network_lsr.nm import ( # noqa: E501 ++ NetworkManagerProvider, ++ ) ++ ++ # pylint: enable=import-error, no-name-in-module ++ ++ self._nm_provider = NetworkManagerProvider() + + @property + def nmutil(self): +@@ -2264,51 +2244,17 @@ class Cmd_nm(Cmd): + + def run_action_down(self, idx): + connection = self.connections[idx] +- +- cons = self.nmutil.connection_list(name=connection["name"]) +- changed = False +- if cons: +- seen = set() +- while True: +- ac = Util.first( +- self.nmutil.active_connection_list( +- connections=cons, black_list=seen +- ) +- ) +- if ac is None: +- break +- seen.add(ac) +- self.log_info( +- idx, "down connection %s: %s" % (connection["name"], ac.get_path()) +- ) +- changed = True +- self.connections_data_set_changed(idx) +- if self.check_mode == CheckMode.REAL_RUN: +- try: +- self.nmutil.active_connection_deactivate(ac) +- except MyError as e: +- self.log_error(idx, "down connection failed: %s" % (e)) +- +- wait_time = connection["wait"] +- if wait_time is None: +- wait_time = 10 +- +- try: +- self.nmutil.active_connection_deactivate_wait(ac, wait_time) +- except MyError as e: +- self.log_error( +- idx, "down connection failed while waiting: %s" % (e) +- ) +- +- cons = self.nmutil.connection_list(name=connection["name"]) +- if not changed: +- message = "down connection %s failed: connection not found" % ( +- connection["name"] +- ) +- if connection[PERSISTENT_STATE] == ABSENT_STATE: +- self.log_info(idx, message) +- else: +- self.log_error(idx, message) ++ logger = logging.getLogger() ++ log_handler = NmLogHandler(self.log, idx) ++ logger.addHandler(log_handler) ++ timeout = connection["wait"] ++ if self._nm_provider.deactivate_connection( ++ connection["name"], ++ 10 if timeout is None else timeout, ++ self.check_mode != CheckMode.REAL_RUN, ++ ): ++ self.connections_data_set_changed(idx) ++ logger.removeHandler(log_handler) + + + ############################################################################### +diff 
--git a/module_utils/network_lsr/nm/__init__.py b/module_utils/network_lsr/nm/__init__.py +new file mode 100644 +index 0000000..ce115f8 +--- /dev/null ++++ b/module_utils/network_lsr/nm/__init__.py +@@ -0,0 +1,9 @@ ++# Relative import is not support by ansible 2.8 yet ++# pylint: disable=import-error, no-name-in-module ++from ansible.module_utils.network_lsr.nm.provider import ( # noqa:E501 ++ NetworkManagerProvider, ++) ++ ++# pylint: enable=import-error, no-name-in-module ++ ++NetworkManagerProvider +diff --git a/module_utils/network_lsr/nm/active_connection.py b/module_utils/network_lsr/nm/active_connection.py +new file mode 100644 +index 0000000..451fa61 +--- /dev/null ++++ b/module_utils/network_lsr/nm/active_connection.py +@@ -0,0 +1,125 @@ ++# SPDX-License-Identifier: BSD-3-Clause ++ ++# Handle NM.ActiveConnection ++ ++import logging ++ ++# Relative import is not support by ansible 2.8 yet ++# pylint: disable=import-error, no-name-in-module ++from ansible.module_utils.network_lsr.nm.client import GLib # noqa:E501 ++from ansible.module_utils.network_lsr.nm.client import NM # noqa:E501 ++from ansible.module_utils.network_lsr.nm.client import get_mainloop # noqa:E501 ++from ansible.module_utils.network_lsr.nm.client import get_client # noqa:E501 ++from ansible.module_utils.network_lsr.nm.error import LsrNetworkNmError # noqa:E501 ++ ++# pylint: enable=import-error, no-name-in-module ++ ++ ++NM_AC_STATE_CHANGED_SIGNAL = "state-changed" ++ ++ ++def deactivate_active_connection(nm_ac, timeout, check_mode): ++ if not nm_ac or nm_ac.props.state == NM.ActiveConnectionState.DEACTIVATED: ++ logging.info("Connection is not active, no need to deactivate") ++ return False ++ if not check_mode: ++ main_loop = get_mainloop(timeout) ++ logging.debug( ++ "Deactivating {id} with timeout {timeout}".format( ++ id=nm_ac.get_id(), timeout=timeout ++ ) ++ ) ++ user_data = main_loop ++ handler_id = nm_ac.connect( ++ NM_AC_STATE_CHANGED_SIGNAL, _nm_ac_state_change_callback, user_data 
++ ) ++ logging.debug( ++ "Registered {signal} on NM.ActiveConnection {id}".format( ++ signal=NM_AC_STATE_CHANGED_SIGNAL, id=nm_ac.get_id() ++ ) ++ ) ++ if nm_ac.props.state != NM.ActiveConnectionState.DEACTIVATING: ++ nm_client = get_client() ++ user_data = (main_loop, nm_ac, nm_ac.get_id(), handler_id) ++ nm_client.deactivate_connection_async( ++ nm_ac, ++ main_loop.cancellable, ++ _nm_ac_deactivate_call_back, ++ user_data, ++ ) ++ logging.debug("Deactivating NM.ActiveConnection {0}".format(nm_ac.get_id())) ++ main_loop.run() ++ return True ++ ++ ++def _nm_ac_state_change_callback(nm_ac, state, reason, user_data): ++ main_loop = user_data ++ if main_loop.is_cancelled: ++ return ++ logging.debug( ++ "Got NM.ActiveConnection state change: {id}: {state} {reason}".format( ++ id=nm_ac.get_id(), state=state, reason=reason ++ ) ++ ) ++ if nm_ac.props.state == NM.ActiveConnectionState.DEACTIVATED: ++ logging.debug("NM.ActiveConnection {0} is deactivated".format(nm_ac.get_id())) ++ main_loop.quit() ++ ++ ++def _nm_ac_deactivate_call_back(nm_client, result, user_data): ++ main_loop, nm_ac, nm_ac_id, handler_id = user_data ++ logging.debug("NM.ActiveConnection deactivating callback") ++ if main_loop.is_cancelled: ++ if nm_ac: ++ nm_ac.handler_disconnect(handler_id) ++ return ++ ++ try: ++ success = nm_client.deactivate_connection_finish(result) ++ except GLib.Error as e: ++ if e.matches(NM.ManagerError.quark(), NM.ManagerError.CONNECTIONNOTACTIVE): ++ logging.info( ++ "Connection is not active on {0}, no need to deactivate".format( ++ nm_ac_id ++ ) ++ ) ++ if nm_ac: ++ nm_ac.handler_disconnect(handler_id) ++ main_loop.quit() ++ return ++ else: ++ _deactivate_fail( ++ main_loop, ++ handler_id, ++ nm_ac, ++ "Failed to deactivate connection {id}, error={error}".format( ++ id=nm_ac_id, error=e ++ ), ++ ) ++ return ++ except Exception as e: ++ _deactivate_fail( ++ main_loop, ++ handler_id, ++ nm_ac, ++ "Failed to deactivate connection {id}, error={error}".format( ++ id=nm_ac_id, 
error=e ++ ), ++ ) ++ return ++ ++ if not success: ++ _deactivate_fail( ++ main_loop, ++ handler_id, ++ nm_ac, ++ "Failed to deactivate connection {0}, error='None " ++ "returned from deactivate_connection_finish()'".format(nm_ac_id), ++ ) ++ ++ ++def _deactivate_fail(main_loop, handler_id, nm_ac, msg): ++ if nm_ac: ++ nm_ac.handler_disconnect(handler_id) ++ logging.error(msg) ++ main_loop.fail(LsrNetworkNmError(msg)) +diff --git a/module_utils/network_lsr/nm/client.py b/module_utils/network_lsr/nm/client.py +new file mode 100644 +index 0000000..a3c4f98 +--- /dev/null ++++ b/module_utils/network_lsr/nm/client.py +@@ -0,0 +1,86 @@ ++# SPDX-License-Identifier: BSD-3-Clause ++ ++import logging ++ ++# Relative import is not support by ansible 2.8 yet ++# pylint: disable=import-error, no-name-in-module ++from ansible.module_utils.network_lsr.nm.error import LsrNetworkNmError # noqa:E501 ++ ++import gi ++ ++gi.require_version("NM", "1.0") ++ ++# It is required to state the NM version before importing it ++# But this break the flake8 rule: https://www.flake8rules.com/rules/E402.html ++# Use NOQA: E402 to suppress it. 
++from gi.repository import NM # NOQA: E402 ++from gi.repository import GLib # NOQA: E402 ++from gi.repository import Gio # NOQA: E402 ++ ++# pylint: enable=import-error, no-name-in-module ++ ++NM ++GLib ++Gio ++ ++ ++def get_client(): ++ return NM.Client.new() ++ ++ ++class _NmMainLoop(object): ++ def __init__(self, timeout): ++ self._mainloop = GLib.MainLoop() ++ self._cancellable = Gio.Cancellable.new() ++ self._timeout = timeout ++ self._timeout_id = None ++ ++ def run(self): ++ logging.debug("NM mainloop running") ++ user_data = None ++ self._timeout_id = GLib.timeout_add( ++ int(self._timeout * 1000), ++ self._timeout_call_back, ++ user_data, ++ ) ++ logging.debug("Added timeout checker") ++ self._mainloop.run() ++ ++ def _timeout_call_back(self, _user_data): ++ logging.error("Timeout") ++ self.fail(LsrNetworkNmError("Timeout")) ++ ++ @property ++ def cancellable(self): ++ return self._cancellable ++ ++ @property ++ def is_cancelled(self): ++ if self._cancellable: ++ return self._cancellable.is_cancelled() ++ return True ++ ++ def _clean_up(self): ++ logging.debug("NM mainloop cleaning up") ++ if self._timeout_id: ++ logging.debug("Removing timeout checker") ++ GLib.source_remove(self._timeout_id) ++ self._timeout_id = None ++ if self._cancellable: ++ logging.debug("Canceling all pending tasks") ++ self._cancellable.cancel() ++ self._cancellable = None ++ self._mainloop = None ++ ++ def quit(self): ++ logging.debug("NM mainloop quiting") ++ self._mainloop.quit() ++ self._clean_up() ++ ++ def fail(self, exception): ++ self.quit() ++ raise exception ++ ++ ++def get_mainloop(timeout): ++ return _NmMainLoop(timeout) +diff --git a/module_utils/network_lsr/nm/error.py b/module_utils/network_lsr/nm/error.py +new file mode 100644 +index 0000000..42014ec +--- /dev/null ++++ b/module_utils/network_lsr/nm/error.py +@@ -0,0 +1,5 @@ ++# SPDX-License-Identifier: BSD-3-Clause ++ ++ ++class LsrNetworkNmError(Exception): ++ pass +diff --git 
a/module_utils/network_lsr/nm/provider.py b/module_utils/network_lsr/nm/provider.py +new file mode 100644 +index 0000000..cb703a4 +--- /dev/null ++++ b/module_utils/network_lsr/nm/provider.py +@@ -0,0 +1,29 @@ ++# SPDX-License-Identifier: BSD-3-Clause ++ ++import logging ++ ++# Relative import is not support by ansible 2.8 yet ++# pylint: disable=import-error, no-name-in-module ++from ansible.module_utils.network_lsr.nm.active_connection import ( # noqa:E501 ++ deactivate_active_connection, ++) ++from ansible.module_utils.network_lsr.nm.client import get_client # noqa:E501 ++ ++# pylint: enable=import-error, no-name-in-module ++ ++ ++class NetworkManagerProvider: ++ def deactivate_connection(self, connection_name, timeout, check_mode): ++ """ ++ Return True if changed. ++ """ ++ nm_client = get_client() ++ changed = False ++ for nm_ac in nm_client.get_active_connections(): ++ nm_profile = nm_ac.get_connection() ++ if nm_profile and nm_profile.get_id() == connection_name: ++ changed |= deactivate_active_connection(nm_ac, timeout, check_mode) ++ if not changed: ++ logging.info("No active connection for {0}".format(connection_name)) ++ ++ return changed +-- +2.25.4 + diff --git a/SOURCES/rhel-system-roles-kdump-pr22.diff b/SOURCES/rhel-system-roles-kdump-pr22.diff index d7d2796..342eddc 100644 --- a/SOURCES/rhel-system-roles-kdump-pr22.diff +++ b/SOURCES/rhel-system-roles-kdump-pr22.diff @@ -44,10 +44,10 @@ index bf24210..504ff34 100644 path {{ kdump_path }} {% if kdump_core_collector %} diff --git a/tests/tests_ssh.yml b/tests/tests_ssh.yml -index 679148e..14a59d9 100644 +index 1da99df..d12e884 100644 --- a/tests/tests_ssh.yml +++ b/tests/tests_ssh.yml -@@ -6,6 +6,11 @@ +@@ -5,6 +5,11 @@ # known and ansible is supposed to be configured to be able to # connect to it (via inventory). kdump_ssh_server_outside: localhost 
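Review bot: In `Cmd_nm.run_action_down` the `NmLogHandler` is attached to the root logger and removed only on the normal path, so any exception raised between `logger.addHandler(log_handler)` and `logger.removeHandler(log_handler)` leaves it installed and later log records would be reported under a stale `idx`; wrap the call as `try:` … `finally: logger.removeHandler(log_handler)`. The root logger's level is not changed either, so with the default level the `logging.info`/`logging.debug` messages from the new module presumably never reach the handler. Separately, `_NmMainLoop.fail()` raises from inside GLib callbacks (`_timeout_call_back`, `_nm_ac_deactivate_call_back`); as far as I know PyGObject prints such exceptions instead of propagating them to the caller of `run()`, in which case `deactivate_active_connection` still returns `True` after a timeout or a failed deactivation. Storing the exception in `fail()` and re-raising it after `self._mainloop.run()` returns would make the failure visible to `run_action_down`.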
diff --git a/SOURCES/rhel-system-roles-network-prefix.diff b/SOURCES/rhel-system-roles-network-prefix.diff deleted file mode 100644 index f729eee..0000000 --- a/SOURCES/rhel-system-roles-network-prefix.diff +++ /dev/null 
@@ -1,148 +0,0 @@ -diff --git a/examples/bond_simple.yml b/examples/bond_simple.yml -index 4ca9811..f6f5897 100644 ---- a/examples/bond_simple.yml -+++ b/examples/bond_simple.yml -@@ -32,5 +32,5 @@ - interface_name: eth2 - master: bond0 - roles: -- - linux-system-roles.network -+ - rhel-system-roles.network - ... -diff --git a/examples/bond_with_vlan.yml b/examples/bond_with_vlan.yml -index 2e6be23..3b7a6dc 100644 ---- a/examples/bond_with_vlan.yml -+++ b/examples/bond_with_vlan.yml -@@ -35,4 +35,4 @@ - - "192.0.2.{{ network_iphost }}/24" - - roles: -- - linux-system-roles.network -+ - rhel-system-roles.network -diff --git a/examples/bridge_with_vlan.yml b/examples/bridge_with_vlan.yml -index 037ff8e..83c586d 100644 ---- a/examples/bridge_with_vlan.yml -+++ b/examples/bridge_with_vlan.yml -@@ -33,4 +33,4 @@ - - "192.0.2.{{ network_iphost }}/24" - - roles: -- - linux-system-roles.network -+ - rhel-system-roles.network -diff --git a/examples/eth_simple_auto.yml b/examples/eth_simple_auto.yml -index 0ba168a..e4c4a54 100644 ---- a/examples/eth_simple_auto.yml -+++ b/examples/eth_simple_auto.yml -@@ -15,4 +15,4 @@ - mtu: 1450 - - roles: -- - linux-system-roles.network -+ - rhel-system-roles.network -diff --git a/examples/eth_with_802_1x.yml b/examples/eth_with_802_1x.yml -index 92a93a9..7731b7d 100644 ---- a/examples/eth_with_802_1x.yml -+++ b/examples/eth_with_802_1x.yml -@@ -27,4 +27,4 @@ - - client.pem - - cacert.pem - roles: -- - linux-system-roles.network -+ - rhel-system-roles.network -diff --git a/examples/eth_with_vlan.yml b/examples/eth_with_vlan.yml -index 69da673..e0c2f11 100644 ---- a/examples/eth_with_vlan.yml -+++ b/examples/eth_with_vlan.yml -@@ -26,4 +26,4 @@ - - "192.0.2.{{ network_iphost }}/24" - - roles: -- - linux-system-roles.network -+ - rhel-system-roles.network -diff --git a/examples/ethtool_features.yml b/examples/ethtool_features.yml -index c580f89..0881316 100644 ---- a/examples/ethtool_features.yml -+++ b/examples/ethtool_features.yml -@@ 
-3,7 +3,7 @@ - - hosts: all - tasks: - - include_role: -- name: linux-system-roles.network -+ name: rhel-system-roles.network - vars: - network_connections: - - name: "{{ network_interface_name1 }}" -diff --git a/examples/ethtool_features_default.yml b/examples/ethtool_features_default.yml -index 78965e6..3cdd731 100644 ---- a/examples/ethtool_features_default.yml -+++ b/examples/ethtool_features_default.yml -@@ -3,7 +3,7 @@ - - hosts: all - tasks: - - include_role: -- name: linux-system-roles.network -+ name: rhel-system-roles.network - vars: - network_connections: - - name: "{{ network_interface_name1 }}" -diff --git a/examples/infiniband.yml b/examples/infiniband.yml -index 22603d9..9e7e267 100644 ---- a/examples/infiniband.yml -+++ b/examples/infiniband.yml -@@ -23,4 +23,4 @@ - - 198.51.100.133/30 - - roles: -- - linux-system-roles.network -+ - rhel-system-roles.network -diff --git a/examples/macvlan.yml b/examples/macvlan.yml -index 90cd09d..0064ad4 100644 ---- a/examples/macvlan.yml -+++ b/examples/macvlan.yml -@@ -26,4 +26,4 @@ - - 192.168.1.1/24 - - roles: -- - linux-system-roles.network -+ - rhel-system-roles.network -diff --git a/examples/remove+down_profile.yml b/examples/remove+down_profile.yml -index da2b1b8..f2d93e8 100644 ---- a/examples/remove+down_profile.yml -+++ b/examples/remove+down_profile.yml -@@ -8,5 +8,5 @@ - persistent_state: absent - state: down - roles: -- - linux-system-roles.network -+ - rhel-system-roles.network - ... 
-diff --git a/examples/wireless_wpa_psk.yml b/examples/wireless_wpa_psk.yml -index eeec22f..60b0d83 100644 ---- a/examples/wireless_wpa_psk.yml -+++ b/examples/wireless_wpa_psk.yml -@@ -12,4 +12,4 @@ - # see https://docs.ansible.com/ansible/latest/user_guide/vault.html - password: "p@55w0rD" - roles: -- - linux-system-roles.network -+ - rhel-system-roles.network -diff --git a/tests/playbooks/down_profile.yml b/tests/playbooks/down_profile.yml -index 5087240..65e542d 100644 ---- a/tests/playbooks/down_profile.yml -+++ b/tests/playbooks/down_profile.yml -@@ -7,4 +7,4 @@ - - name: "{{ profile }}" - state: down - roles: -- - linux-system-roles.network -+ - rhel-system-roles.network -diff --git a/tests/playbooks/remove_profile.yml b/tests/playbooks/remove_profile.yml -index a50e848..b6e6796 100644 ---- a/tests/playbooks/remove_profile.yml -+++ b/tests/playbooks/remove_profile.yml -@@ -7,4 +7,4 @@ - - name: "{{ profile }}" - persistent_state: absent - roles: -- - linux-system-roles.network -+ - rhel-system-roles.network diff --git a/SOURCES/rhel-system-roles-postfix-prefix.diff b/SOURCES/rhel-system-roles-postfix-prefix.diff deleted file mode 100644 index 65ab2a1..0000000 --- a/SOURCES/rhel-system-roles-postfix-prefix.diff +++ /dev/null 
@@ -1,40 +0,0 @@ -diff --git a/README.md b/README.md -index 5950215..a59d72f 100644 ---- a/README.md -+++ b/README.md -@@ -25,7 +25,7 @@ Install and enable postfix. Configure "relay_domains=$mydestination" and - relay_domains: "$mydestination" - relay_host: "example.com" - roles: -- - postfix -+ - linux-system-roles.postfix - ``` - - Install and enable postfix. Do not run 'postfix check' before restarting -@@ -37,7 +37,7 @@ postfix: - vars: - postfix_check: false - roles: -- - postfix -+ - linux-system-roles.postfix - ``` - - Install and enable postfix. Do single backup of main.cf (older backup will be -@@ -51,7 +51,7 @@ rewritten) and configure "relay_host=example.com": - relay_host: "example.com" - postfix_backup: true - roles: -- - postfix -+ - linux-system-roles.postfix - ``` - - Install and enable postfix. Do timestamped backup of main.cf and -@@ -66,7 +66,7 @@ set to true postfix_backup is ignored): - relay_host: "example.com" - postfix_backup_multiple: true - roles: -- - postfix -+ - linux-system-roles.postfix - ``` - - diff --git a/SOURCES/rhel-system-roles-selinux-prefix.diff b/SOURCES/rhel-system-roles-selinux-prefix.diff deleted file mode 100644 index 7e80daa..0000000 --- a/SOURCES/rhel-system-roles-selinux-prefix.diff +++ /dev/null 
@@ -1,32 +0,0 @@ -diff --git a/README.md b/README.md -index a0385b0..6efc62d 100644 ---- a/README.md -+++ b/README.md -@@ -42,7 +42,7 @@ This role can be configured using variab - vars: - [ see below ] - roles: -- - role: linux-system-roles.selinux -+ - role: rhel-system-roles.selinux - become: true - ``` - -diff --git a/selinux-playbook.yml b/selinux-playbook.yml -index 78d3953..b2348d5 100644 ---- a/selinux-playbook.yml -+++ b/selinux-playbook.yml -@@ -31,7 +31,7 @@ - - name: execute the role and catch errors - block: - - include_role: -- name: linux-system-roles.selinux -+ name: rhel-system-roles.selinux - rescue: - # Fail if failed for a different reason than selinux_reboot_required. - - name: handle errors -@@ -52,4 +52,4 @@ - - - name: reapply the role - include_role: -- name: linux-system-roles.selinux -+ name: rhel-system-roles.selinux diff --git a/SOURCES/rhel-system-roles-storage-prefix.diff b/SOURCES/rhel-system-roles-storage-prefix.diff deleted file mode 100644 index 7855b38..0000000 --- a/SOURCES/rhel-system-roles-storage-prefix.diff +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/README.md b/README.md -index c2debc9..d9e40b3 100644 ---- a/README.md -+++ b/README.md -@@ -154,7 +154,7 @@ Example Playbook - - hosts: all - - roles: -- - name: linux-system-roles.storage -+ - name: rhel-system-roles.storage - storage_pools: - - name: app - disks: diff --git a/SOURCES/rhel-system-roles-timesync-prefix.diff b/SOURCES/rhel-system-roles-timesync-prefix.diff deleted file mode 100644 index 6fe1889..0000000 --- a/SOURCES/rhel-system-roles-timesync-prefix.diff +++ /dev/null 
@@ -1,46 +0,0 @@ -diff -up timesync-1.0.0/README.md.orig timesync-1.0.0/README.md ---- timesync-1.0.0/README.md.orig 2018-08-21 11:46:41.000000000 +0200 -+++ timesync-1.0.0/README.md 2018-11-06 22:29:14.586770442 +0100 -@@ -82,7 +82,7 @@ Install and configure ntp to synchronize - - hostname: baz.example.com - iburst: yes - roles: -- - linux-system-roles.timesync -+ - rhel-system-roles.timesync - ``` - - Install and configure linuxptp to synchronize the system clock with a -@@ -95,7 +95,7 @@ grandmaster in PTP domain number 0, whic - - number: 0 - interfaces: [ eth0 ] - roles: -- - linux-system-roles.timesync -+ - rhel-system-roles.timesync - ``` - - Install and configure chrony and linuxptp to synchronize the system clock with -@@ -122,5 +122,5 @@ synchronization: - transport: UDPv4 - delay: 0.000010 - roles: -- - linux-system-roles.timesync -+ - rhel-system-roles.timesync - ``` -diff -up timesync-85b90feedee2a5b3148fd3f72b229b44ec597682/examples/multiple-ntp-servers.yml.orig timesync-85b90feedee2a5b3148fd3f72b229b44ec597682/examples/multiple-ntp-servers.yml ---- timesync-85b90feedee2a5b3148fd3f72b229b44ec597682/examples/multiple-ntp-servers.yml.orig 2019-06-03 18:03:18.081868584 +0200 -+++ timesync-85b90feedee2a5b3148fd3f72b229b44ec597682/examples/multiple-ntp-servers.yml 2019-06-03 18:03:26.718704991 +0200 -@@ -11,4 +11,4 @@ - - hostname: 3.pool.ntp.org - iburst: yes - roles: -- - linux-system-roles.timesync -+ - rhel-system-roles.timesync -diff -up timesync-85b90feedee2a5b3148fd3f72b229b44ec597682/examples/single-pool.yml.orig timesync-85b90feedee2a5b3148fd3f72b229b44ec597682/examples/single-pool.yml ---- timesync-85b90feedee2a5b3148fd3f72b229b44ec597682/examples/single-pool.yml.orig 2019-06-03 16:36:40.000000000 +0200 -+++ timesync-85b90feedee2a5b3148fd3f72b229b44ec597682/examples/single-pool.yml 2019-06-03 18:03:36.721515519 +0200 -@@ -6,4 +6,4 @@ - pool: yes - iburst: yes - roles: -- - linux-system-roles.timesync -+ - rhel-system-roles.timesync 
diff --git a/SOURCES/selinux-tier1-tags.diff b/SOURCES/selinux-tier1-tags.diff index d0c785c..c2c4abd 100644 --- a/SOURCES/selinux-tier1-tags.diff +++ b/SOURCES/selinux-tier1-tags.diff @@ -16,10 +16,18 @@ index f294101..7571066 100644 command: /usr/sbin/semanage boolean -l -n -C register: selinux_role_boolean diff --git a/tests/tests_all_purge.yml b/tests/tests_all_purge.yml -index 03dfe05..c686837 100644 +index 03dfe05..6775847 100644 --- a/tests/tests_all_purge.yml +++ b/tests/tests_all_purge.yml -@@ -14,7 +14,9 @@ +@@ -8,13 +8,17 @@ + fcontext -a -t user_home_dir_t /tmp/test_dir + login -a -s staff_u sar-user + ++ tags: ++ - 'tests::avc' + tasks: + - name: Install SELinux tool semanage on Fedora + package: name: - policycoreutils-python-utils state: present @@ -47,8 +55,7 @@ diff --git a/tests/tests_boolean.yml b/tests/tests_boolean.yml index 47eafc0..2aa0025 100644 --- a/tests/tests_boolean.yml +++ b/tests/tests_boolean.yml -@@ -1,5 +1,6 @@ - +@@ -1,4 +1,5 @@ - name: Check if selinux role sets SELinux booleans + tags: tests::expfail hosts: all @@ -80,10 +87,9 @@ diff --git a/tests/tests_login.yml b/tests/tests_login.yml index efa826d..c7ce462 100644 --- a/tests/tests_login.yml +++ b/tests/tests_login.yml -@@ -18,7 +18,7 @@ +@@ -18,6 +18,6 @@ - { login: 'sar-user', seuser: 'staff_u', serange: 's0-s0:c0.c1023', state: 'present' } - - - include: set_selinux_variables.yml + - import_tasks: set_selinux_variables.yml - name: save state after initial changes and before other changes @@ -103,10 +109,18 @@ index 446f79d..7bb112e 100644 set_fact: port_after: "{{ selinux_role_port.stdout }}" diff --git a/tests/tests_selinux_disabled.yml b/tests/tests_selinux_disabled.yml -index afd23e4..706882f 100644 +index afd23e4..883dc6d 100644 --- a/tests/tests_selinux_disabled.yml 
+++ b/tests/tests_selinux_disabled.yml -@@ -18,7 +18,9 @@ +@@ -12,13 +12,17 @@ + fcontext -a -t user_home_dir_t /tmp/test_dir + login -a -s staff_u sar-user + ++ tags: ++ - 'tests::avc' + tasks: + - name: Install SELinux tool semanage on Fedora + package: name: - policycoreutils-python-utils state: present @@ -157,6 +171,6 @@ index afd23e4..706882f 100644 + state: absent + + - import_role: -+ name: selinux ++ name: linux-system-roles.selinux + vars: + selinux_all_purge: true diff --git a/SOURCES/sshd-example.diff b/SOURCES/sshd-example.diff new file mode 100644 index 0000000..48243e3 --- /dev/null +++ b/SOURCES/sshd-example.diff @@ -0,0 +1,43 @@ +diff --git a/README.md b/README.md +index 676ad72..dc06d85 100644 +--- a/README.md ++++ b/README.md +@@ -190,7 +190,7 @@ defaults. This is useful if the role is used in deployment stage to make sure + the service is able to start on the first attempt. To disable this check, set + this to empty list. + +-* `sshd_hostkey_owner`, `sshd_hostkey_group`, `sshd_hostkey_group` ++* `sshd_hostkey_owner`, `sshd_hostkey_group`, `sshd_hostkey_mode` + + Use these variables to set the ownership and permissions for the host keys from + the above list. +@@ -273,6 +273,8 @@ for example: + X11Forwarding: yes + ``` + ++More example playbooks can be found in [`examples/`](examples/) directory. ++ + Template Generation + ------------------- + +diff --git a/examples/example-root-login.yml b/examples/example-root-login.yml +new file mode 100644 +index 0000000..156e629 +--- /dev/null ++++ b/examples/example-root-login.yml +@@ -0,0 +1,15 @@ ++--- ++- hosts: all ++ tasks: ++ - name: Configure sshd to prevent root and password login except from particular subnet ++ include_role: ++ name: ansible-sshd ++ vars: ++ sshd: ++ # root login and password login is enabled only from a particular subnet ++ PermitRootLogin: no ++ PasswordAuthentication: no ++ Match: ++ - Condition: "Address 192.0.2.0/24" ++ PermitRootLogin: yes ++ PasswordAuthentication: yes 
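Review bot: The `Match` entry in the new `examples/example-root-login.yml` sets both `PermitRootLogin: yes` and `PasswordAuthentication: yes` for `Address 192.0.2.0/24`, so the source address is the only thing standing between any host in that subnet and password logins as root. For an example that readers will copy, the exception would be safer as `PermitRootLogin: prohibit-password` inside the `Match` entry, which keeps the password exception for ordinary accounts while root stays key-only. The inline comment could also state that the subnet is a documentation range, e.g. `# 192.0.2.0/24 is a placeholder; replace it with your management subnet`. The unquoted `no`/`yes` values are read as YAML 1.1 booleans, so the example is correct only if the role renders booleans back to `yes`/`no`; quoting them (`'no'`, `'yes'`) would remove that dependency.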
diff --git a/SOURCES/storage-safemode-luks.diff b/SOURCES/storage-safemode-luks.diff
deleted file mode 100644
index fd78028..0000000
--- a/SOURCES/storage-safemode-luks.diff
+++ /dev/null
@@ -1,602 +0,0 @@ -diff --git a/library/blivet.py b/library/blivet.py -index cb48e71..e1903f3 100644 ---- a/library/blivet.py -+++ b/library/blivet.py -@@ -167,11 +167,16 @@ class BlivetBase(object): - raise NotImplementedError() - - def _manage_one_encryption(self, device): -+ global safe_mode - ret = device - # Make sure to handle adjusting both existing stacks and future stacks. - if device == device.raw_device and self._spec_dict['encryption']: - # add luks - luks_name = "luks-%s" % device._name -+ if safe_mode and (device.original_format.type is not None or -+ device.original_format.name != get_format(None).name): -+ raise BlivetAnsibleError("cannot remove existing formatting on device '%s' in safe mode due to adding encryption" % -+ device._name) - if not device.format.exists: - fmt = device.format - else: -@@ -196,6 +201,10 @@ class BlivetBase(object): - ret = luks_device - elif device != device.raw_device and not self._spec_dict['encryption']: - # remove luks -+ if safe_mode and (device.original_format.type is not None or -+ device.original_format.name != get_format(None).name): -+ raise BlivetAnsibleError("cannot remove existing formatting on device '%s' in safe mode due to encryption removal" % -+ device._name) - if not device.format.exists: - fmt = device.format - else: -@@ -823,17 +832,21 @@ class BlivetPool(BlivetBase): - - def manage(self): - """ Schedule actions to configure this pool according to the yaml input. 
""" -+ global safe_mode - # look up the device - self._look_up_disks() - self._look_up_device() - - # schedule destroy if appropriate, including member type change -- if not self.ultimately_present or self._member_management_is_destructive(): -- if not self.ultimately_present: -- self._manage_volumes() -+ if not self.ultimately_present: -+ self._manage_volumes() - self._destroy() -- if not self.ultimately_present: -- return -+ return -+ elif self._member_management_is_destructive(): -+ if safe_mode: -+ raise BlivetAnsibleError("cannot remove and recreate existing pool '%s' in safe mode" % self._pool['name']) -+ else: -+ self._destroy() - - # schedule create if appropriate - self._create() -diff --git a/tests/create-test-file.yml b/tests/create-test-file.yml -new file mode 100644 -index 0000000..d1091e2 ---- /dev/null -+++ b/tests/create-test-file.yml -@@ -0,0 +1,13 @@ -+# Create a file to be checked that it still exists and no data loss has occured. -+# To use: -+# - set testfile to a path under the mountpoint being tested -+# - include this file (create-test-file.yml) before executing the -+# operation to be tested -+# - execute the operation that could potentially result in a loss of -+# data in the filesystem where testfile is located -+# - include verify-data-preservation.yml -+ -+- name: create a file -+ file: -+ path: "{{ testfile }}" -+ state: touch -diff --git a/tests/tests_luks.yml b/tests/tests_luks.yml -index f93efe5..f733714 100644 ---- a/tests/tests_luks.yml -+++ b/tests/tests_luks.yml -@@ -2,8 +2,8 @@ - - hosts: all - become: true - vars: -- storage_safe_mode: false - mount_location: '/opt/test1' -+ testfile: "{{ mount_location }}/quux" - volume_size: '5g' - - tasks: -@@ -64,10 +64,47 @@ - - - include_tasks: verify-role-results.yml - -+ - import_tasks: create-test-file.yml -+ -+ - name: Test for correct handling of safe_mode -+ block: -+ - name: Remove the encryption layer -+ include_role: -+ name: storage -+ vars: -+ storage_volumes: -+ - name: foo 
-+ type: disk -+ disks: "{{ unused_disks }}" -+ mount_point: "{{ mount_location }}" -+ encryption: false -+ encryption_password: 'yabbadabbadoo' -+ - name: unreachable task -+ fail: -+ msg: UNREACH -+ rescue: -+ - name: Check that we failed in the role -+ assert: -+ that: -+ - ansible_failed_result.msg != 'UNREACH' -+ msg: "Role has not failed when it should have" -+ -+ - name: Verify the output of the safe_mode test -+ assert: -+ that: "blivet_output.failed and -+ blivet_output.msg -+ |regex_search('cannot remove existing -+ formatting.*in safe mode due to encryption removal') -+ and not blivet_output.changed" -+ msg: "Unexpected behavior w/ existing filesystem in safe mode" -+ -+ - import_tasks: verify-data-preservation.yml -+ - - name: Remove the encryption layer - include_role: - name: storage - vars: -+ storage_safe_mode: false - storage_volumes: - - name: foo - type: disk -@@ -78,10 +115,47 @@ - - - include_tasks: verify-role-results.yml - -+ - import_tasks: create-test-file.yml -+ -+ - name: Test for correct handling of safe_mode -+ block: -+ - name: Add encryption to the volume -+ include_role: -+ name: storage -+ vars: -+ storage_volumes: -+ - name: foo -+ type: disk -+ disks: "{{ unused_disks }}" -+ mount_point: "{{ mount_location }}" -+ encryption: true -+ encryption_password: 'yabbadabbadoo' -+ - name: unreachable task -+ fail: -+ msg: UNREACH -+ rescue: -+ - name: Check that we failed in the role -+ assert: -+ that: -+ - ansible_failed_result.msg != 'UNREACH' -+ msg: "Role has not failed when it should have" -+ -+ - name: Verify the output of the safe_mode test -+ assert: -+ that: "blivet_output.failed and -+ blivet_output.msg -+ |regex_search('cannot remove existing -+ formatting.*in safe mode due to adding encryption') -+ and not blivet_output.changed" -+ msg: "Unexpected behavior w/ existing filesystem in safe mode" -+ -+ - import_tasks: verify-data-preservation.yml -+ - - name: Add encryption to the volume - include_role: - name: storage - vars: -+ 
storage_safe_mode: false - storage_volumes: - - name: foo - type: disk -@@ -102,6 +176,7 @@ - include_role: - name: storage - vars: -+ storage_safe_mode: false - storage_pools: - - name: foo - type: partition -@@ -135,6 +210,7 @@ - include_role: - name: storage - vars: -+ storage_safe_mode: false - storage_pools: - - name: foo - type: partition -@@ -149,10 +225,51 @@ - - - include_tasks: verify-role-results.yml - -+ - import_tasks: create-test-file.yml -+ -+ - name: Test for correct handling of safe_mode -+ block: -+ - name: Remove the encryption layer -+ include_role: -+ name: storage -+ vars: -+ storage_pools: -+ - name: foo -+ type: partition -+ disks: "{{ unused_disks }}" -+ volumes: -+ - name: test1 -+ type: partition -+ mount_point: "{{ mount_location }}" -+ size: 4g -+ encryption: false -+ encryption_password: 'yabbadabbadoo' -+ - name: unreachable task -+ fail: -+ msg: UNREACH -+ rescue: -+ - name: Check that we failed in the role -+ assert: -+ that: -+ - ansible_failed_result.msg != 'UNREACH' -+ msg: "Role has not failed when it should have" -+ -+ - name: Verify the output of the safe_mode test -+ assert: -+ that: "blivet_output.failed and -+ blivet_output.msg -+ |regex_search('cannot remove existing -+ formatting.*in safe mode due to encryption removal') -+ and not blivet_output.changed" -+ msg: "Unexpected behavior w/ existing filesystem in safe mode" -+ -+ - import_tasks: verify-data-preservation.yml -+ - - name: Remove the encryption layer - include_role: - name: storage - vars: -+ storage_safe_mode: false - storage_pools: - - name: foo - type: partition -@@ -167,6 +284,48 @@ - - - include_tasks: verify-role-results.yml - -+ - import_tasks: create-test-file.yml -+ -+ - name: Test for correct handling of safe_mode -+ block: -+ - name: Add encryption to the volume -+ include_role: -+ name: storage -+ vars: -+ storage_pools: -+ - name: foo -+ type: partition -+ disks: "{{ unused_disks }}" -+ volumes: -+ - name: test1 -+ type: partition -+ mount_point: "{{ 
mount_location }}" -+ size: 4g -+ encryption: true -+ encryption_password: 'yabbadabbadoo' -+ -+ - name: unreachable task -+ fail: -+ msg: UNREACH -+ -+ rescue: -+ - name: Check that we failed in the role -+ assert: -+ that: -+ - ansible_failed_result.msg != 'UNREACH' -+ msg: "Role has not failed when it should have" -+ -+ - name: Verify the output of the safe_mode test -+ assert: -+ that: "blivet_output.failed and -+ blivet_output.msg -+ |regex_search('cannot remove existing -+ formatting.*in safe mode due to adding encryption') -+ and not blivet_output.changed" -+ msg: "Unexpected behavior w/ existing volume in safe mode" -+ -+ - import_tasks: verify-data-preservation.yml -+ - - name: Test key file handling - block: - - name: Create a key file -@@ -186,6 +345,7 @@ - include_role: - name: storage - vars: -+ storage_safe_mode: false - storage_pools: - - name: foo - type: partition -@@ -216,6 +376,7 @@ - include_role: - name: storage - vars: -+ storage_safe_mode: false - storage_pools: - - name: foo - type: lvm -@@ -248,6 +409,7 @@ - include_role: - name: storage - vars: -+ storage_safe_mode: false - storage_pools: - - name: foo - type: lvm -@@ -264,10 +426,52 @@ - - - include_tasks: verify-role-results.yml - -+ - import_tasks: create-test-file.yml -+ -+ - name: Test for correct handling of safe_mode -+ block: -+ - name: Remove the encryption layer -+ include_role: -+ name: storage -+ vars: -+ storage_pools: -+ - name: foo -+ type: lvm -+ disks: "{{ unused_disks }}" -+ volumes: -+ - name: test1 -+ mount_point: "{{ mount_location }}" -+ size: 4g -+ encryption: false -+ encryption_password: 'yabbadabbadoo' -+ -+ - name: unreachable task -+ fail: -+ msg: UNREACH -+ -+ rescue: -+ - name: Check that we failed in the role -+ assert: -+ that: -+ - ansible_failed_result.msg != 'UNREACH' -+ msg: "Role has not failed when it should have" -+ -+ - name: Verify the output of the safe_mode test -+ assert: -+ that: "blivet_output.failed and -+ blivet_output.msg -+ 
|regex_search('cannot remove existing -+ formatting.*in safe mode due to encryption removal') -+ and not blivet_output.changed" -+ msg: "Unexpected behavior w/ existing volume in safe mode" -+ -+ - import_tasks: verify-data-preservation.yml -+ - - name: Remove the encryption layer - include_role: - name: storage - vars: -+ storage_safe_mode: false - storage_pools: - - name: foo - type: lvm -@@ -281,10 +485,52 @@ - - - include_tasks: verify-role-results.yml - -+ - import_tasks: create-test-file.yml -+ -+ - name: Test for correct handling of safe_mode -+ block: -+ - name: Add encryption to the volume -+ include_role: -+ name: storage -+ vars: -+ storage_pools: -+ - name: foo -+ type: lvm -+ disks: "{{ unused_disks }}" -+ volumes: -+ - name: test1 -+ mount_point: "{{ mount_location }}" -+ size: 4g -+ encryption: true -+ encryption_password: 'yabbadabbadoo' -+ -+ - name: unreachable task -+ fail: -+ msg: UNREACH -+ -+ rescue: -+ - name: Check that we failed in the role -+ assert: -+ that: -+ - ansible_failed_result.msg != 'UNREACH' -+ msg: "Role has not failed when it should have" -+ -+ - name: Verify the output of the safe_mode test -+ assert: -+ that: "blivet_output.failed and -+ blivet_output.msg -+ |regex_search('cannot remove existing -+ formatting.*in safe mode due to adding encryption') -+ and not blivet_output.changed" -+ msg: "Unexpected behavior w/ existing volume in safe mode" -+ -+ - import_tasks: verify-data-preservation.yml -+ - - name: Add encryption to the volume - include_role: - name: storage - vars: -+ storage_safe_mode: false - storage_pools: - - name: foo - type: lvm -diff --git a/tests/tests_luks_pool.yml b/tests/tests_luks_pool.yml -index b20b806..f44916f 100644 ---- a/tests/tests_luks_pool.yml -+++ b/tests/tests_luks_pool.yml -@@ -2,9 +2,10 @@ - - hosts: all - become: true - vars: -- storage_safe_mode: false - mount_location: '/opt/test1' - mount_location_2: '/opt/test2' -+ testfile: "{{ mount_location }}/quux" -+ testfile_location_2: "{{ 
mount_location_2 }}/quux" - volume_size: '5g' - - tasks: -@@ -92,10 +93,50 @@ - state: absent - changed_when: false - -+ - import_tasks: create-test-file.yml -+ -+ - name: Test for correct handling of safe_mode -+ block: -+ - name: Remove the encryption layer -+ include_role: -+ name: storage -+ vars: -+ storage_pools: -+ - name: foo -+ type: lvm -+ disks: "{{ unused_disks }}" -+ encryption: false -+ encryption_password: 'yabbadabbadoo' -+ volumes: -+ - name: test1 -+ mount_point: "{{ mount_location }}" -+ size: 4g -+ - name: unreachable task -+ fail: -+ msg: UNREACH -+ rescue: -+ - name: Check that we failed in the role -+ assert: -+ that: -+ - ansible_failed_result.msg != 'UNREACH' -+ msg: "Role has not failed when it should have" -+ -+ - name: Verify the output of the safe_mode test -+ assert: -+ that: "blivet_output.failed and -+ blivet_output.msg -+ |regex_search('cannot remove and recreate existing -+ pool.*in safe mode') -+ and not blivet_output.changed" -+ msg: "Unexpected behavior w/ existing pool in safe mode" -+ -+ - import_tasks: verify-data-preservation.yml -+ - - name: Remove the encryption layer - include_role: - name: storage - vars: -+ storage_safe_mode: false - storage_pools: - - name: foo - type: lvm -@@ -109,10 +150,53 @@ - - - include_tasks: verify-role-results.yml - -- - name: Add encryption to the volume -+ - import_tasks: create-test-file.yml -+ -+ - name: Test for correct handling of safe_mode -+ block: -+ - name: Add encryption to the pool -+ include_role: -+ name: storage -+ vars: -+ storage_pools: -+ - name: foo -+ type: lvm -+ disks: "{{ unused_disks }}" -+ encryption: true -+ encryption_password: 'yabbadabbadoo' -+ encryption_luks_version: luks1 -+ encryption_key_size: 512 -+ encryption_cipher: 'serpent-xts-plain64' -+ volumes: -+ - name: test1 -+ mount_point: "{{ mount_location }}" -+ size: 4g -+ - name: unreachable task -+ fail: -+ msg: UNREACH -+ rescue: -+ - name: Check that we failed in the role -+ assert: -+ that: -+ - 
ansible_failed_result.msg != 'UNREACH' -+ msg: "Role has not failed when it should have" -+ -+ - name: Verify the output of the safe_mode test -+ assert: -+ that: "blivet_output.failed and -+ blivet_output.msg -+ |regex_search('cannot remove and recreate existing -+ pool.*in safe mode') -+ and not blivet_output.changed" -+ msg: "Unexpected behavior w/ existing pool in safe mode" -+ -+ - import_tasks: verify-data-preservation.yml -+ -+ - name: Add encryption to the pool - include_role: - name: storage - vars: -+ storage_safe_mode: false - storage_pools: - - name: foo - type: lvm -@@ -129,6 +213,8 @@ - - - include_tasks: verify-role-results.yml - -+ - import_tasks: create-test-file.yml -+ - - name: Change the mountpoint, leaving encryption in place - include_role: - name: storage -@@ -144,6 +230,10 @@ - mount_point: "{{ mount_location_2 }}" - size: 4g - -+ - import_tasks: verify-data-preservation.yml -+ vars: -+ testfile: "{{ testfile_location_2 }}" -+ - - include_tasks: verify-role-results.yml - - - name: Clean up -diff --git a/tests/verify-data-preservation.yml b/tests/verify-data-preservation.yml -new file mode 100644 -index 0000000..eed790f ---- /dev/null -+++ b/tests/verify-data-preservation.yml -@@ -0,0 +1,19 @@ -+# Verify that a file still exists and no data loss has occured. -+# To use: -+# - set testfile to a path under the mountpoint being tested -+# - include create-test-file.yml before executing the operation to be -+# tested -+# - execute the operation that could potentially result in a loss of -+# data in the filesystem where testfile is located -+# - include this file (verify-data-preservation.yml) -+ -+- name: stat the file -+ stat: -+ path: "{{ testfile }}" -+ register: stat_r -+ -+- name: assert file presence -+ assert: -+ that: -+ stat_r.stat.isreg is defined and stat_r.stat.isreg -+ msg: "data lost!" diff --git a/SPECS/rhel-system-roles.spec b/SPECS/rhel-system-roles.spec index 8eca7b3..078e4a1 100644 --- a/SPECS/rhel-system-roles.spec 
+++ b/SPECS/rhel-system-roles.spec @@ -3,9 +3,10 @@ Name: rhel-system-roles %else Name: linux-system-roles %endif +Url: https://github.com/linux-system-roles/ Summary: Set of interfaces for unified system management Version: 1.0 -Release: 21%{?dist} +Release: 23%{?dist} #Group: Development/Libraries License: GPLv3+ and MIT and BSD @@ -18,15 +19,23 @@ License: GPLv3+ and MIT and BSD # (%%id and %%shortid) can be then used in the same way in both cases. # This way the rest of the spec file des not need to know whether we are # dealing with a tag or a commit. -%define defcommit() %{expand:%%global id%{1} %{2} -%%global shortid%{1} %%(c=%%{id%{1}}; echo ${c:0:7}) +%global archiveext tar.gz +%define getarchivedir() %(p=%{basename:%{S:%{1}}}; echo ${p%%.%{archiveext}}) + +%define defcommit() %{expand:%%global ref%{1} %{2} +%%global shortcommit%{1} %%(c=%%{ref%{1}}; echo ${c:0:7}) +%%global extractdir%{1} %%{expand: %%getarchivedir %{1}} +%%{!?repo%{1}:%%global repo%{1} %%{rolename%{1}}} +%%global archiveurl%{1} %%{?forgeorg%{1}}%%{!?forgeorg%{1}:%%{url}}%%{repo%{1}}/archive/%%{ref%{1}}/%%{repo%{1}}-%%{ref%{1}}.tar.gz } -%define deftag() %{expand:%%global id%{1} %{2} -%%global shortid%{1} %{2} +%define deftag() %{expand:%%global ref%{1} %{2} +%%global extractdir%{1} %%{expand: %%getarchivedir %{1}} +%%{!?repo%{1}:%%global repo%{1} %%{rolename%{1}}} +%%global archiveurl%{1} %%{?forgeorg%{1}}%%{!?forgeorg%{1}:%%{url}}%%{repo%{1}}/archive/%%{ref%{1}}/%%{repo%{1}}-%%{ref%{1}}.tar.gz } -%defcommit 0 0c2bb286bbc1b73d728226924e0010c0fa1ce30a +%defcommit 0 77596fdd976c6160d6152c200a5432c609725a14 %global rolename0 kdump #%%deftag 0 1.0.0 @@ -34,9 +43,9 @@ License: GPLv3+ and MIT and BSD %global rolename1 postfix %deftag 1 0.1 -%defcommit 2 6cd1ec8fdebdb92a789b14e5a44fe77f0a3d8ecd +#%%defcommit 2 6cd1ec8fdebdb92a789b14e5a44fe77f0a3d8ecd %global rolename2 selinux -#%%deftag 2 1.0.0 +%deftag 2 1.1.1 %defcommit 3 924650d0cd4117f73a7f0413ab745a8632bc5cec %global rolename3 timesync 
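Review bot: Replacing `%defcommit 2` with `%deftag 2 1.1.1` in the `@@ -34,9 +43,9 @@` hunk makes `%{archiveurl2}` resolve through a git tag, which upstream can move, whereas the commit hash it replaces could not change; the hunk starting at `@@ -46,63 +55,64 @@` does the same for storage, tlog, kernel_settings, nbde_server, nbde_client and certificate. The commented-out `#%%defcommit 2 6cd1ec8fdebdb92a789b14e5a44fe77f0a3d8ecd` left beside it is the previous pin and not necessarily the commit that tag 1.1.1 points to, so it reads as a pin it does not provide. I would either record the tagged commit in a comment next to each `%deftag`, e.g. `# tag 1.1.1 = <commit-of-tag-1.1.1>`, or drop the stale lines. With tags in use, tarball integrity presumably rests only on the checksum recorded for each source when it is imported, which is worth stating in the comment block above the macros.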
@@ -46,63 +55,64 @@ License: GPLv3+ and MIT and BSD %global rolename5 network #%%deftag 5 1.0.0 -%defcommit 6 81f30ab336f4ecc61b4a30ffcb080e17fd35de2e +#%%defcommit 6 81f30ab336f4ecc61b4a30ffcb080e17fd35de2e %global rolename6 storage -#%%deftag 6 1.0.2 +%deftag 6 1.2.2 %defcommit 7 7f94b49688902eb507e0ebeda1fbf08621bc3c6b %global rolename7 metrics #%%deftag 7 0.1.0 -%defcommit 8 cfa70b6b5910b3198aba2679f8fc36aad45ca45a +#%%defcommit 8 cfa70b6b5910b3198aba2679f8fc36aad45ca45a %global rolename8 tlog -#%%deftag 8 0.2.0 +%deftag 8 1.1.0 -%defcommit 9 901a73a4285469ef50a6cc37135ae55ce9d2e41b +#%%defcommit 9 901a73a4285469ef50a6cc37135ae55ce9d2e41b %global rolename9 kernel_settings -#%%deftag 9 0.2.0 +%deftag 9 1.0.1 %defcommit 10 fe3f658e72b2883d2a1460d453105c7a53dd70e8 %global rolename10 logging #%%deftag 10 0.2.0 -%defcommit 11 4b6cfca4dd24e53a4bc4e07635601d7c104346c1 +#%%defcommit 11 4b6cfca4dd24e53a4bc4e07635601d7c104346c1 %global rolename11 nbde_server -#%%deftag 11 0.1.0 +%deftag 11 1.0.1 -%defcommit 12 6306defad146d8274b04f438a04e17e44672f1a6 +#%%defcommit 12 6306defad146d8274b04f438a04e17e44672f1a6 %global rolename12 nbde_client -#%%deftag 12 0.1.0 +%deftag 12 1.0.1 -%defcommit 13 fedef6e7844bb623bb54695a602137e332f5509f +#%%defcommit 13 fedef6e7844bb623bb54695a602137e332f5509f %global rolename13 certificate -#%%deftag 13 0.1.0 - -Source: https://github.com/linux-system-roles/%{rolename0}/archive/%{id0}.tar.gz#/%{rolename0}-%{shortid0}.tar.gz -Source1: https://github.com/linux-system-roles/%{rolename1}/archive/%{id1}.tar.gz#/%{rolename1}-%{shortid1}.tar.gz -Source2: https://github.com/linux-system-roles/%{rolename2}/archive/%{id2}.tar.gz#/%{rolename2}-%{shortid2}.tar.gz -Source3: https://github.com/linux-system-roles/%{rolename3}/archive/%{id3}.tar.gz#/%{rolename3}-%{shortid3}.tar.gz -Source5: https://github.com/linux-system-roles/%{rolename5}/archive/%{id5}.tar.gz#/%{rolename5}-%{shortid5}.tar.gz -Source6: 
https://github.com/linux-system-roles/%{rolename6}/archive/%{id6}.tar.gz#/%{rolename6}-%{shortid6}.tar.gz -Source7: https://github.com/linux-system-roles/%{rolename7}/archive/%{id7}.tar.gz#/%{rolename7}-%{shortid7}.tar.gz -Source8: https://github.com/linux-system-roles/%{rolename8}/archive/%{id8}.tar.gz#/%{rolename8}-%{shortid8}.tar.gz -Source9: https://github.com/linux-system-roles/%{rolename9}/archive/%{id9}.tar.gz#/%{rolename9}-%{shortid9}.tar.gz -Source10: https://github.com/linux-system-roles/%{rolename10}/archive/%{id10}.tar.gz#/%{rolename10}-%{shortid10}.tar.gz -Source11: https://github.com/linux-system-roles/%{rolename11}/archive/%{id11}.tar.gz#/%{rolename11}-%{shortid11}.tar.gz -Source12: https://github.com/linux-system-roles/%{rolename12}/archive/%{id12}.tar.gz#/%{rolename12}-%{shortid12}.tar.gz -Source13: https://github.com/linux-system-roles/%{rolename13}/archive/%{id13}.tar.gz#/%{rolename13}-%{shortid13}.tar.gz +%deftag 13 1.0.1 + +%defcommit 14 76b2d5b0460dba22c5d290c1af96e4fdb3434cb9 +%global rolename14 crypto_policies + +%global forgeorg15 https://github.com/willshersystems/ +%global repo15 ansible-sshd +%global rolename15 sshd +%defcommit 15 e1de59b3c54e9d48a010eeca73755df339c7e628 + +Source: %{archiveurl0} +Source1: %{archiveurl1} +Source2: %{archiveurl2} +Source3: %{archiveurl3} +Source5: %{archiveurl5} +Source6: %{archiveurl6} +Source7: %{archiveurl7} +Source8: %{archiveurl8} +Source9: %{archiveurl9} +Source10: %{archiveurl10} +Source11: %{archiveurl11} +Source12: %{archiveurl12} +Source13: %{archiveurl13} +Source14: %{archiveurl14} +Source15: %{archiveurl15} Source999: md2html.sh -%if "%{roleprefix}" != "linux-system-roles." 
-Patch1: rhel-system-roles-%{rolename1}-prefix.diff -Patch2: rhel-system-roles-%{rolename2}-prefix.diff -Patch3: rhel-system-roles-%{rolename3}-prefix.diff -Patch5: rhel-system-roles-%{rolename5}-prefix.diff -Patch6: rhel-system-roles-%{rolename6}-prefix.diff -# for some roles, the prefix change can be scripted - see below -%endif - Patch11: rhel-system-roles-postfix-pr5.diff Patch12: postfix-meta-el8.diff Patch101: rhel-system-roles-kdump-pr22.diff @@ -116,19 +126,11 @@ Patch31: timesync-tier1-tags.diff Patch52: network-permissions.diff Patch53: network-tier1-tags.diff +Patch54: network-pr298.diff +Patch55: network-disable-bondtests.diff -Patch61: storage-safemode-luks.diff - -Patch1001: logging-0001-test-playbooks-enhancement.diff -Patch1002: logging-0002-elasticsearch-output-template.diff -Patch1003: logging-0003-README.diff -Patch1004: logging-0004-yamllint-errors.diff -Patch1005: logging-0005-property-based-filters.diff -Patch1006: logging-0006-property_op.diff -Patch1007: logging-0007-RHELPLAN-56807.diff +Patch151: sshd-example.diff - -Url: https://github.com/linux-system-roles/ BuildArch: noarch BuildRequires: asciidoc 
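Review bot: Role 15 is the only source fetched from outside the project's own forge (`%global forgeorg15 https://github.com/willshersystems/`), and the spec has no comment explaining that or saying how updates to it are reviewed. Pinning it with `%defcommit 15 e1de59b3c54e9d48a010eeca73755df339c7e628` is the right form for an external repository, and a comment should protect that from a later conversion to `%deftag`: `# sshd is maintained outside linux-system-roles; keep it pinned to a full commit id`. The comment should also note that `forgeorg15` and `repo15` must stay above the `%defcommit 15` line. The macro reads them with `%{?forgeorg15}` and `%{!?repo15:…}` when it is invoked, so defining them afterwards would silently fall back to `%{url}` and `%{rolename15}`.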
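Review bot: `Patch1001` through `Patch1007` (the logging patches) are removed here, and their `%patch` calls under `cd %{rolename10}` are removed in `%prep`. Role 10 nevertheless stays at `%defcommit 10 fe3f658e72b2883d2a1460d453105c7a53dd70e8`, so the packaged logging role appears to lose those changes rather than gain them through a rebase. The changelog hunk also drops the 1.0-21 entry that referenced rhbz#1889893, rhbz#1878857 and rhbz#1889492. If this is intentional, for instance because the diff is taken against a different branch, the new changelog entry should say so. Otherwise the seven `Patch100N:` lines and their `%patch100N -p1` calls need to be kept.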
@@ -154,100 +156,98 @@ of Fedora, Red Hat Enterprise Linux & CentOS. %endif %prep -%setup -qc -a1 -a2 -a3 -a5 -a6 -a7 -a8 -a9 -a10 -a11 -a12 -a13 -cd %{rolename0}-%{id0} +%setup -qc -a1 -a2 -a3 -a5 -a6 -a7 -a8 -a9 -a10 -a11 -a12 -a13 -a14 -a15 +for rolename_id in %{extractdir0} %{extractdir1} %{extractdir2} \ + %{extractdir3} %{extractdir5} %{extractdir6} \ + %{extractdir7} %{extractdir8} %{extractdir9} \ + %{extractdir10} %{extractdir11} %{extractdir12} \ + %{extractdir13} %{extractdir14}; do + # assumes rolename has no dash in it + # note that we have to use double %% + # in order for a single % to be passed to bash + rolename=${rolename_id%%-*} + mv ${rolename_id} ${rolename} +done +# how to do this inside the loop for all the roles? +mv %{extractdir15} %{rolename15} + +cd %{rolename0} %patch101 -p1 %patch102 -p1 %patch103 -p1 cd .. -cd %{rolename1}-%{id1} -%if "%{roleprefix}" != "linux-system-roles." -%patch1 -p1 -%endif +cd %{rolename1} %patch11 -p1 %patch12 -p1 cd .. -cd %{rolename2}-%{id2} -%if "%{roleprefix}" != "linux-system-roles." -%patch2 -p1 -%endif +cd %{rolename2} %patch21 -p1 cd .. -cd %{rolename3}-%{id3} -%if "%{roleprefix}" != "linux-system-roles." -%patch3 -p1 -%endif +cd %{rolename3} %patch31 -p1 cd .. -cd %{rolename5}-%{id5} -%if "%{roleprefix}" != "linux-system-roles." -%patch5 -p1 -%endif +cd %{rolename5} %patch52 -p1 %patch53 -p1 +%patch54 -p1 +%patch55 -p1 cd .. -cd %{rolename6}-%{id6} -%if "%{roleprefix}" != "linux-system-roles." -%patch6 -p1 -%endif -%patch61 -p1 +cd %{rolename6} +#%%patch61 -p1 cd .. -cd %{rolename10}-%{id10} -%patch1001 -p1 -%patch1002 -p1 -%patch1003 -p1 -%patch1004 -p1 -%patch1005 -p1 -%patch1006 -p1 -%patch1007 -p1 +cd %{rolename15} +%patch151 -p1 +sed -r -i -e "s/ansible-sshd/linux-system-roles.sshd/" tests/*.yml examples/*.yml README.md cd .. # for some roles, the prefix change can be scripted - see below %if "%{roleprefix}" != "linux-system-roles." 
-for rolename_id in %{rolename7}-%{id7} %{rolename8}-%{id8} %{rolename9}-%{id9} \ - %{rolename10}-%{id10} %{rolename11}-%{id11} %{rolename12}-%{id12} \ - %{rolename13}-%{id13}; do - # assumes rolename has no dash in it - # note that we have to use double %% - # in order for a single % to be passed to bash - rolename=${rolename_id%%-*} - find $rolename_id -type f -exec \ +for rolename in %{rolename1} %{rolename2} \ + %{rolename3} %{rolename5} %{rolename6} \ + %{rolename7} %{rolename8} %{rolename9} \ + %{rolename10} %{rolename11} %{rolename12} \ + %{rolename13} %{rolename14} %{rolename15}; do + find $rolename -type f -exec \ sed "s/linux-system-roles[.]${rolename}\\>/%{roleprefix}${rolename}/g" -i {} \; done %endif %build sh %{SOURCE999} \ -%{rolename0}-%{id0}/README.md \ -%{rolename1}-%{id1}/README.md \ -%{rolename2}-%{id2}/README.md \ -%{rolename3}-%{id3}/README.md \ -%{rolename5}-%{id5}/README.md \ -%{rolename6}-%{id6}/README.md \ -%{rolename7}-%{id7}/README.md \ -%{rolename8}-%{id8}/README.md \ -%{rolename9}-%{id9}/README.md \ -%{rolename10}-%{id10}/README.md \ -%{rolename11}-%{id11}/README.md \ -%{rolename12}-%{id12}/README.md \ -%{rolename13}-%{id13}/README.md +%{rolename0}/README.md \ +%{rolename1}/README.md \ +%{rolename2}/README.md \ +%{rolename3}/README.md \ +%{rolename5}/README.md \ +%{rolename6}/README.md \ +%{rolename7}/README.md \ +%{rolename8}/README.md \ +%{rolename9}/README.md \ +%{rolename10}/README.md \ +%{rolename11}/README.md \ +%{rolename12}/README.md \ +%{rolename13}/README.md \ +%{rolename14}/README.md \ +%{rolename15}/README.md %install mkdir -p $RPM_BUILD_ROOT%{_datadir}/ansible/roles -cp -pR %{rolename0}-%{id0} $RPM_BUILD_ROOT%{_datadir}/ansible/roles/%{roleprefix}%{rolename0} -cp -pR %{rolename1}-%{id1} $RPM_BUILD_ROOT%{_datadir}/ansible/roles/%{roleprefix}%{rolename1} -cp -pR %{rolename2}-%{id2} $RPM_BUILD_ROOT%{_datadir}/ansible/roles/%{roleprefix}%{rolename2} -cp -pR %{rolename3}-%{id3} 
$RPM_BUILD_ROOT%{_datadir}/ansible/roles/%{roleprefix}%{rolename3} -cp -pR %{rolename5}-%{id5} $RPM_BUILD_ROOT%{_datadir}/ansible/roles/%{roleprefix}%{rolename5} -cp -pR %{rolename6}-%{id6} $RPM_BUILD_ROOT%{_datadir}/ansible/roles/%{roleprefix}%{rolename6} -cp -pR %{rolename7}-%{id7} $RPM_BUILD_ROOT%{_datadir}/ansible/roles/%{roleprefix}%{rolename7} -cp -pR %{rolename8}-%{id8} $RPM_BUILD_ROOT%{_datadir}/ansible/roles/%{roleprefix}%{rolename8} -cp -pR %{rolename9}-%{id9} $RPM_BUILD_ROOT%{_datadir}/ansible/roles/%{roleprefix}%{rolename9} -cp -pR %{rolename10}-%{id10} $RPM_BUILD_ROOT%{_datadir}/ansible/roles/%{roleprefix}%{rolename10} -cp -pR %{rolename11}-%{id11} $RPM_BUILD_ROOT%{_datadir}/ansible/roles/%{roleprefix}%{rolename11} -cp -pR %{rolename12}-%{id12} $RPM_BUILD_ROOT%{_datadir}/ansible/roles/%{roleprefix}%{rolename12} -cp -pR %{rolename13}-%{id13} $RPM_BUILD_ROOT%{_datadir}/ansible/roles/%{roleprefix}%{rolename13} +cp -pR %{rolename0} $RPM_BUILD_ROOT%{_datadir}/ansible/roles/%{roleprefix}%{rolename0} +cp -pR %{rolename1} $RPM_BUILD_ROOT%{_datadir}/ansible/roles/%{roleprefix}%{rolename1} +cp -pR %{rolename2} $RPM_BUILD_ROOT%{_datadir}/ansible/roles/%{roleprefix}%{rolename2} +cp -pR %{rolename3} $RPM_BUILD_ROOT%{_datadir}/ansible/roles/%{roleprefix}%{rolename3} +cp -pR %{rolename5} $RPM_BUILD_ROOT%{_datadir}/ansible/roles/%{roleprefix}%{rolename5} +cp -pR %{rolename6} $RPM_BUILD_ROOT%{_datadir}/ansible/roles/%{roleprefix}%{rolename6} +cp -pR %{rolename7} $RPM_BUILD_ROOT%{_datadir}/ansible/roles/%{roleprefix}%{rolename7} +cp -pR %{rolename8} $RPM_BUILD_ROOT%{_datadir}/ansible/roles/%{roleprefix}%{rolename8} +cp -pR %{rolename9} $RPM_BUILD_ROOT%{_datadir}/ansible/roles/%{roleprefix}%{rolename9} +cp -pR %{rolename10} $RPM_BUILD_ROOT%{_datadir}/ansible/roles/%{roleprefix}%{rolename10} +cp -pR %{rolename11} $RPM_BUILD_ROOT%{_datadir}/ansible/roles/%{roleprefix}%{rolename11} +cp -pR %{rolename12} $RPM_BUILD_ROOT%{_datadir}/ansible/roles/%{roleprefix}%{rolename12} +cp 
-pR %{rolename13} $RPM_BUILD_ROOT%{_datadir}/ansible/roles/%{roleprefix}%{rolename13} +cp -pR %{rolename14} $RPM_BUILD_ROOT%{_datadir}/ansible/roles/%{roleprefix}%{rolename14} +cp -pR %{rolename15} $RPM_BUILD_ROOT%{_datadir}/ansible/roles/%{roleprefix}%{rolename15} %if 0%{?rolealtprefix:1} ln -s %{roleprefix}%{rolename0} $RPM_BUILD_ROOT%{_datadir}/ansible/roles/%{rolealtprefix}%{rolename0} @@ -263,6 +263,8 @@ ln -s %{roleprefix}%{rolename10} $RPM_BUILD_ROOT%{_datadir}/ansible/roles/% ln -s %{roleprefix}%{rolename11} $RPM_BUILD_ROOT%{_datadir}/ansible/roles/%{rolealtprefix}%{rolename11} ln -s %{roleprefix}%{rolename12} $RPM_BUILD_ROOT%{_datadir}/ansible/roles/%{rolealtprefix}%{rolename12} ln -s %{roleprefix}%{rolename13} $RPM_BUILD_ROOT%{_datadir}/ansible/roles/%{rolealtprefix}%{rolename13} +ln -s %{roleprefix}%{rolename14} $RPM_BUILD_ROOT%{_datadir}/ansible/roles/%{rolealtprefix}%{rolename14} +ln -s %{roleprefix}%{rolename15} $RPM_BUILD_ROOT%{_datadir}/ansible/roles/%{rolealtprefix}%{rolename15} %endif mkdir -p $RPM_BUILD_ROOT%{_pkgdocdir}/kdump @@ -278,6 +280,8 @@ mkdir -p $RPM_BUILD_ROOT%{_pkgdocdir}/logging mkdir -p $RPM_BUILD_ROOT%{_pkgdocdir}/nbde_server mkdir -p $RPM_BUILD_ROOT%{_pkgdocdir}/nbde_client mkdir -p $RPM_BUILD_ROOT%{_pkgdocdir}/certificate +mkdir -p $RPM_BUILD_ROOT%{_pkgdocdir}/crypto_policies +mkdir -p $RPM_BUILD_ROOT%{_pkgdocdir}/sshd cp -p $RPM_BUILD_ROOT%{_datadir}/ansible/roles/%{roleprefix}kdump/README.md \ $RPM_BUILD_ROOT%{_datadir}/ansible/roles/%{roleprefix}kdump/README.html \ 
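Review bot: The sshd rename in `%prep`, `sed -r -i -e "s/ansible-sshd/linux-system-roles.sshd/" tests/*.yml examples/*.yml README.md`, has no `g` flag, so only the first match on each line is rewritten. The prefix loop that follows matches only `linux-system-roles[.]${rolename}\>`, so any `ansible-sshd` left behind would ship unchanged in the installed tests, examples and README; whether the current sources contain such a line is not visible here. I would use `s/ansible-sshd/linux-system-roles.sshd/g`. The `mv ${rolename_id} ${rolename}` in the loop above should also quote both expansions: `mv "${rolename_id}" "${rolename}"`.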
@@ -342,6 +346,11 @@ mv $RPM_BUILD_ROOT%{_datadir}/ansible/roles/%{roleprefix}network/examples/wirele mv $RPM_BUILD_ROOT%{_datadir}/ansible/roles/%{roleprefix}network/examples/remove+down_profile.yml \ $RPM_BUILD_ROOT%{_pkgdocdir}/network/example-remove+down_profile-playbook.yml +# referenced in the configuring-openssh-servers-using-the-sshd-system-role documentation module +# must be updated if changing the file path +mv $RPM_BUILD_ROOT%{_datadir}/ansible/roles/%{roleprefix}sshd/examples/example-root-login.yml \ + $RPM_BUILD_ROOT%{_pkgdocdir}/sshd/example-root-login-playbook.yml + cp -p $RPM_BUILD_ROOT%{_datadir}/ansible/roles/%{roleprefix}storage/README.md \ $RPM_BUILD_ROOT%{_datadir}/ansible/roles/%{roleprefix}storage/README.html \ $RPM_BUILD_ROOT%{_datadir}/ansible/roles/%{roleprefix}storage/LICENSE \ @@ -394,6 +403,16 @@ cp -p $RPM_BUILD_ROOT%{_datadir}/ansible/roles/%{roleprefix}certificate/README.m $RPM_BUILD_ROOT%{_datadir}/ansible/roles/%{roleprefix}certificate/LICENSE \ $RPM_BUILD_ROOT%{_pkgdocdir}/certificate +cp -p $RPM_BUILD_ROOT%{_datadir}/ansible/roles/%{roleprefix}crypto_policies/README.md \ + $RPM_BUILD_ROOT%{_datadir}/ansible/roles/%{roleprefix}crypto_policies/README.html \ + $RPM_BUILD_ROOT%{_datadir}/ansible/roles/%{roleprefix}crypto_policies/LICENSE \ + $RPM_BUILD_ROOT%{_pkgdocdir}/crypto_policies + +cp -p $RPM_BUILD_ROOT%{_datadir}/ansible/roles/%{roleprefix}sshd/README.md \ + $RPM_BUILD_ROOT%{_datadir}/ansible/roles/%{roleprefix}sshd/README.html \ + $RPM_BUILD_ROOT%{_datadir}/ansible/roles/%{roleprefix}sshd/LICENSE \ + $RPM_BUILD_ROOT%{_pkgdocdir}/sshd + %files %dir %{_datadir}/ansible %dir %{_datadir}/ansible/roles 
@@ -411,6 +430,8 @@ cp -p $RPM_BUILD_ROOT%{_datadir}/ansible/roles/%{roleprefix}certificate/README.m %{_datadir}/ansible/roles/%{rolealtprefix}nbde_server %{_datadir}/ansible/roles/%{rolealtprefix}nbde_client %{_datadir}/ansible/roles/%{rolealtprefix}certificate +%{_datadir}/ansible/roles/%{rolealtprefix}crypto_policies +%{_datadir}/ansible/roles/%{rolealtprefix}sshd %endif %{_datadir}/ansible/roles/%{roleprefix}kdump %{_datadir}/ansible/roles/%{roleprefix}postfix @@ -425,6 +446,8 @@ cp -p $RPM_BUILD_ROOT%{_datadir}/ansible/roles/%{roleprefix}certificate/README.m %{_datadir}/ansible/roles/%{roleprefix}nbde_server %{_datadir}/ansible/roles/%{roleprefix}nbde_client %{_datadir}/ansible/roles/%{roleprefix}certificate +%{_datadir}/ansible/roles/%{roleprefix}crypto_policies +%{_datadir}/ansible/roles/%{roleprefix}sshd %doc %{_pkgdocdir}/*/example-*-playbook.yml %doc %{_pkgdocdir}/network/example-inventory %doc %{_pkgdocdir}/*/README.md @@ -442,6 +465,8 @@ cp -p $RPM_BUILD_ROOT%{_datadir}/ansible/roles/%{roleprefix}certificate/README.m %doc %{_datadir}/ansible/roles/%{roleprefix}nbde_server/README.md %doc %{_datadir}/ansible/roles/%{roleprefix}nbde_client/README.md %doc %{_datadir}/ansible/roles/%{roleprefix}certificate/README.md +%doc %{_datadir}/ansible/roles/%{roleprefix}crypto_policies/README.md +%doc %{_datadir}/ansible/roles/%{roleprefix}sshd/README.md %doc %{_datadir}/ansible/roles/%{roleprefix}kdump/README.html %doc %{_datadir}/ansible/roles/%{roleprefix}postfix/README.html %doc %{_datadir}/ansible/roles/%{roleprefix}selinux/README.html 
@@ -455,6 +480,8 @@ cp -p $RPM_BUILD_ROOT%{_datadir}/ansible/roles/%{roleprefix}certificate/README.m %doc %{_datadir}/ansible/roles/%{roleprefix}nbde_server/README.html %doc %{_datadir}/ansible/roles/%{roleprefix}nbde_client/README.html %doc %{_datadir}/ansible/roles/%{roleprefix}certificate/README.html +%doc %{_datadir}/ansible/roles/%{roleprefix}crypto_policies/README.html +%doc %{_datadir}/ansible/roles/%{roleprefix}sshd/README.html %license %{_pkgdocdir}/*/COPYING 
@@ -474,19 +501,33 @@ cp -p $RPM_BUILD_ROOT%{_datadir}/ansible/roles/%{roleprefix}certificate/README.m %license %{_datadir}/ansible/roles/%{roleprefix}nbde_server/LICENSE %license %{_datadir}/ansible/roles/%{roleprefix}nbde_client/LICENSE %license %{_datadir}/ansible/roles/%{roleprefix}certificate/LICENSE +%license %{_datadir}/ansible/roles/%{roleprefix}crypto_policies/LICENSE +%license %{_datadir}/ansible/roles/%{roleprefix}sshd/LICENSE %changelog -* Tue Nov 24 2020 Noriko Hosoi - 1.0-21 -- logging: Support oVirt input + elasticsearch output. - Resolves: rhbz#1889893 -- logging: Fixing a logic bug in elasticsearch output template. - Resolves: rhbz#1878857 -- logging: Support property-based filters in the files and forwards outputs. - Resolves: rhbz#1889492 - -* Tue Sep 22 2020 Pavel Cahyna - 1.0-20 -- storage: backport upstream PR #168 to prevent toggling encryption in safe mode, - as it is a destructive operation. Resolves rhbz#1881524 +* Fri Jan 8 2021 Pavel Cahyna - 1.0-23 +- Add {crypto_policies,sshd}/README.md to docfiles, thanks jjelen +- Fix role name in selinux patch +- Add sshd role example and README fix +- Fix role name in sshd role tests and docs +- Backport network role PR #298 to fix problems often triggered by the CI + "error: down connection failed while waiting", Resolves rhbz#1817242 +- Disable bond test in downstream CI, it started to break DNS in RHEL 8.4. + Related rhbz#1915017 + +* Thu Jan 7 2021 Pavel Cahyna - 1.0-22 +- Rebase kdump, certificate, storage, selinux, nbde_client/server, + kernel_settings in preparation for collections + Includes upstream PR #168 for storage to prevent toggling encryption + in safe mode, as it is a destructive operation. 
Resolves rhbz#1881524 +- Introduce & use simpler macros for Sources management, + similar to %%forgemeta + https://docs.fedoraproject.org/en-US/packaging-guidelines/SourceURL/ +- Use a script to perform prefix transformation for all roles to reduce + the number of patches +- Rebase tlog to add exclude_{users,groups} support, Resolves rhbz#1895472 +- Add crypto_policies role, Resolves rhbz#1893699 +- Add sshd role, Resolves rhbz#1893696 * Mon Aug 24 2020 Pavel Cahyna - 1.0-19 - Rebase network role to latest upstream, resolves rhbz#1800627