Make hardening compatible with CentOS-8. Dependent patch [1] already
passes hardening and another one resolves issue with installing
non-existent packages. So we should merge this one without passing
CentOS 8 tests not to create a circular dependency.

[1] https://review.opendev.org/689629

Change-Id: I33160b9a6e8331d6db39824e420033c7ab06780b

The apparmor systemd unit file simply calls an old SysV init script
to load AppArmor profiles. The init script exits and systemd has no
idea if it's still running or not. This causes Ansible to start
the apparmor unit each time the playbook runs, which breaks the
idempotency checks.

This patch checks the apparmor_status output directly to see what the
status of AppArmor actually is. If the module is loaded, then we
should not try to start AppArmor with the unit file again.

This patch also includes the updates from the openstack-ansible-tests
repository that were included in
https://review.openstack.org/#/c/488489/ so that the gate can be
unblocked.

Partial-Bug: 1710675
Change-Id: If253714d0ca4b5a3d324255751e6f6615ca75dde

This patch adds the initial support for Fedora 25 in the security
role. A non-voting gate job is proposed in the following review:

https://review.openstack.org/#/c/467297/

Docs and general cleanup for Fedora/Debian support is coming soon.

Change-Id: Ia6c551d2f33255f7f71f7ba9bb328fc8f17f61e0

The python-ndg_httpsclient package is no longer needed. This patch
removes the package from bindep.txt.

Change-Id: I63e100c6b2875eeaf2178efb44efe471ffc9852d

OpenStack-CI facilitates the ability to view compressed
files on the log server if they have the suffix .txt.gz.
This patch ensures that all collected log files are renamed
to have a .txt suffix before compressing them.

The following changes are also made:
- The bindep file is also cleaned up a little to reduce
  unnecessary duplication.
- PYTHONUNBUFFERED is set to ensure that the console log
  from the CI jobs is in the exact order of execution.

Change-Id: I89f5734275dc2789f44b5bd9c0b45dc34c4a7a50

This change enables log collection within the gate so that further
analysis on gate tasks can be performed post build. This is very
useful when debugging problems and also for investigating the
consequences of patches once they've been tested.

Related-Bug: #1620849
Change-Id: I2bb923ebcd73114c1199b14f9b769435596091eb

This patch bumps the openstack-ansible-security role to use Ansible
2.1 and adds the python-apt package which is now required for
Ansible's check mode on Ubuntu.

Change-Id: I4899e426a7bb5623837704b49920847c1308af53

Some Linux distributions, such as CentOS 7 and Xenial, have trouble
validating SSL certificates when using get_url with servers
that use Server Name Indication (SNI).

This patch adds those packages to the list of required packages and
uses bindep to install them in developer test environments the same
way that the gate tests install them.

Change-Id: I54118554468278b33c569b4ce19fee5d33454572