The apparmor systemd unit file simply calls an old SysV init script
to load AppArmor profiles. The init script exits and systemd has no
idea if it's still running or not. This causes Ansible to start
the apparmor unit each time the playbook runs, which breaks the
idempotency checks.
This patch checks the apparmor_status output directly to see what the
status of AppArmor actually is. If the module is loaded, then we
should not try to start AppArmor with the unit file again.
This patch also includes the updates from the openstack-ansible-tests
repository that were included in
https://review.openstack.org/#/c/488489/ so that the gate can be
unblocked.
Partial-Bug: 1710675
Change-Id: If253714d0ca4b5a3d324255751e6f6615ca75dde
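The check described in the commit message above, as an added shell example that is not part of the original commit or the role's own tasks: it decides from the apparmor_status text, rather than from systemd's view of the unit, whether a start is needed. The function names, the wrapper and the sample outputs are constructed for illustration, and the exact status wording is an assumption.

```shell
#!/bin/sh
# Added example, not the role's own task. Decide whether the apparmor unit
# needs starting by reading apparmor_status output instead of asking systemd.

# Reads status text on stdin; prints "skip" when the kernel module is reported
# as loaded, "start" when it is reported as not loaded, "unknown" otherwise.
apparmor_action() {
    status_text=$(cat)
    # Anchor on the whole phrase: a bare grep for "loaded" would also match
    # "apparmor module is not loaded." and the "N profiles are loaded." line.
    if printf '%s\n' "$status_text" | grep -q '^apparmor module is loaded\.'; then
        echo skip
    elif printf '%s\n' "$status_text" | grep -q '^apparmor module is not loaded\.'; then
        echo start
    else
        echo unknown
    fi
}

# Constructed sample outputs; the wording is assumed, not captured from a host.
SAMPLE_LOADED='apparmor module is loaded.
12 profiles are loaded.
12 profiles are in enforce mode.
0 profiles are in complain mode.'
SAMPLE_NOT_LOADED='apparmor module is not loaded.'

# Hypothetical wrapper: only touches the unit when the module is not loaded,
# so a second run against a healthy host reports no change.
ensure_apparmor() {
    case "$(apparmor_status 2>&1 | apparmor_action)" in
        skip)  echo "unchanged" ;;
        start) systemctl start apparmor && echo "changed" ;;
        *)     echo "apparmor_status gave no usable answer" >&2; return 2 ;;
    esac
}
```

The "unknown" branch keeps a missing binary or a permissions error from being treated as either state, so the wrapper fails loudly instead of starting the unit on every run.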
This syncs most of the common files with the openstack-tests repository.
This effectively removes the Ubuntu 14.04 support from the Vagrantfile
as well as the RHEL6 STIG V-38496 workaround for it. This also removes
the now unused tests/vagrant.yml file and uses the tests/test.yml like
the upstream OpenStack CI does.
However, it doesn't sync the bindep.txt file since it doesn't quite
match what we have in the openstack-ansible-tests repository so the
shared one needs to be fixed first.
Finally, it adds a new doc/.gitignore file to exclude the generated
documentation file. This is necessary in order for the shared .gitignore
one to be used in the root of the repository.
Change-Id: Ia34979af9029ffb03fb525679356e6d9f3a039a6
This patch adds the initial support for Fedora 25 in the security
role. A non-voting gate job is proposed in the following review:
https://review.openstack.org/#/c/467297/
Docs and general cleanup for Fedora/Debian support is coming soon.
Change-Id: Ia6c551d2f33255f7f71f7ba9bb328fc8f17f61e0
The run_tests.sh script fails when it is run multiple times on CentOS.
The `bindep` run returns an empty list of packages and then `yum`
exits with an error since no packages were provided to install.
This patch checks the length of the `bindep` output and skips the `yum`
installation when the package list is empty.
The patch also cleans up some of the old cruft left over from previous
scripts and avoids repetition.
Change-Id: Ibe4d0fd9d608dc725c354723143e60c89cd99b4b
Some Linux distributions, such as CentOS 7 and Xenial, have trouble
validating SSL certificates when using get_url with servers
that use Server Name Indication (SNI).
This patch adds those packages to the list of required packages and
uses bindep to install them in developer test environments the same
way that the gate tests install them.
Change-Id: I54118554468278b33c569b4ce19fee5d33454572
Ansible 2.x requires the python-apt package for check mode to work
properly. This patch ensures that the package is installed for the
gate as well as individual testers.
Change-Id: I0848e8f4e8bdbacf5bf8a2dda0615c0faba736d4
This patch adds detailed instructions for developers who are working on
the security role. The patch also adds CentOS/RHEL 7 support to the
run_tests.sh script.
Change-Id: I0ab79f1e4abdb3deeca9b48da3b9e4f42be37980
Paramiko version 2.0 has been released. It now uses the Python library
cryptography. Installing this requires additional system packages. This
commit adds in the appropriate packages required by cryptography based
on its documentation [1].
An alternative approach would have been to constrain the version of
Paramiko; however, the project describes the 1.x versions as relying on
insecure dependencies [2].
[1] https://cryptography.io/en/latest/installation/
[2] http://www.paramiko.org/installing.html
Change-Id: I33a6f9ab1aecf28e82ea756e41c482820758157f
This patch adds a framework for testing the role with check mode as well as a
fully functional test that secures a system. The two new tests will be
enabled by default when the check mode improvements are merged and some common
playbook failures are removed.
Closes-bug: 1521229
Change-Id: Iaffb982c4c9776bcc4b219e257d83591d58d0cee
This patch adds the bits needed to implement automated syntax/lint
role testing. It also moves the role into the base repository so
that the role becomes fully compatible with ansible-galaxy to
improve the role's consumability.
Change-Id: Ia79cd5dedbbe50dfdf46688830a989ff0897832a