Commit Graph

1032 Commits

Author SHA1 Message Date
Dmitriy Rabotyagov 510a0778a7 Use valid value for CREATE_HOME
At the moment we pass a boolean value to CREATE_HOME instead of yes/no.
Leveraging a ternary allows us to always supply the expected values
regardless of the variable type in Ansible.

Closes-Bug: #1850200
Change-Id: I957dc9b98f1de23ea66ea0e225989e4f907a02cb
2024-03-28 10:52:07 +00:00
OpenStack Release Bot 9d7f0ad471 reno: Update master for unmaintained/xena
Update the xena release notes configuration to build from
unmaintained/xena.

Change-Id: I4d2aeb0613c5c975b2a62d3fb47c84b11865c1dc
2024-03-14 12:52:43 +00:00
Dmitriy Rabotyagov db284ddf93 Use replace module instead of lineinfile for disabling dynamic motd
The lineinfile module can manage only a single occurrence of a line in the file,
while pam.d/sshd contains multiple occurrences of pam_motd, which
results in not disabling it fully.

In order to properly comment out/uncomment all occurrences, the replace module
should be used instead.

Change-Id: I73babb2431d4fda5aa90d9a1e230c1796449c0fc
2024-01-29 16:26:16 +00:00
OpenStack Release Bot ced5df4956 Update master for stable/2023.2
Add file to the reno documentation build to show release notes for
stable/2023.2.

Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/2023.2.

Sem-Ver: feature
Change-Id: I4f820c0073b76009ddc224cf6419d8379e4bc1d7
2023-12-07 11:03:36 +00:00
Dmitriy Rabotyagov b31cd46c18 Disable dynamic motd message
Right now default cloud images of Ubuntu do contain dynamic MOTD
by default, which takes around an extra 0.4 sec for establishing a connection.

Disabling MOTD should improve responsiveness of hosts and speed up
ansible execution as well.

With that we're keeping static MOTD that has no impact on connection
speed.

Change-Id: Iaf25f6f444055cefd60dd2e3b4d5579f2a6fcdb1
2023-10-26 11:15:46 +00:00
Dmitriy Rabotyagov abfa76ba93 Disable GSSAPIAuthentication for SSH
This implements STIG V-204598 [1] and disables
GSSAPIAuthentication that is enabled by default on EL
systems.
This should also speed up deployments on such systems, as
enabled GSSAPIAuthentication requires some time while
initiating a connection.

[1] https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/2020-12-08/finding/V-204598

Change-Id: I2d92541ccfc27e91224fd481c3792993428a052e
2023-10-26 11:15:11 +00:00
Dmitriy Rabotyagov db5c6f2d66 Fix linters and metadata
With the update of ansible-lint to version >=6.0.0, a lot of new
linters were added that are enabled by default. In order to comply
with linter rules we're applying changes to the role.

With that we also update metadata to reflect the current state.

Change-Id: I1920cd05ac5b4d32ad12bce42d9161a568f288b6
2023-07-17 14:25:21 +02:00
Dmitriy Rabotyagov 2c7889852c Remove warn argument for command/shell
Since ansible-core 2.14 you can't use warn as module argument.

Instead, noqa should be used to instruct ansible-lint to
suppress alerts.

Change-Id: Ie448fa182db8c1c9f64744ea72f27f285aa64366
2023-06-30 15:05:50 +02:00
Dmitriy Rabotyagov 037e5493b6 Remove commandkey from chrony config
Since version 2.2 chrony has removed the commandkey option and
it's not a valid option for any currently supported distro.

Change-Id: I7c02cf6b7575a9ab753d85cdd6582f209f39be1b
2023-05-23 19:00:23 +02:00
Jonathan Rosser a07f0c5a9d Disable UsePriviledgeSeparation directive for sshd
This was deprecated a long time ago in openssh-server 7.4 and has
been generating warnings in the log file ever since.

Change-Id: Ic3f7afadcaa875e6ce871c0ce36b4b11f10a7044
2023-03-16 15:00:39 +00:00
Dmitriy Rabotyagov e77c311442 Update tox.ini to work with 4.0
With tox release of 4.0, some parameters were deprecated and are ignored now
which causes tox failures. One of the most spread issues we have is using
`whitelist_externals` instead of `allowlist_externals`


Change-Id: I7807b7d29f4504404253f5c42b624639c8b19c97
2022-12-27 17:53:11 +01:00
OpenStack Release Bot 4eeac146d1 Update master for stable/zed
Add file to the reno documentation build to show release notes for
stable/zed.

Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/zed.

Sem-Ver: feature
Change-Id: I664bf44a2202856a12e6484f63a0944535dc071e
2022-12-13 13:03:55 +00:00
Dmitriy Rabotyagov b709007104 Remove shebang from get_users
Shebang is not required for modern ansible versions. But in some cases
it might lead to incorrect behaviour by using incorrect interpreter.

Change-Id: I11763ed4563506b7d25585f8c633df08a123e731
2022-10-04 17:46:24 +02:00
Zuul 02edef4106 Merge "Clean out SSH options we managing" 2022-06-06 08:18:38 +00:00
Zuul 93ee8069c3 Merge "Updated from OpenStack Ansible Tests" 2022-06-03 21:11:27 +00:00
Dmitriy Rabotyagov 38909eae0e Switch sphinx language to en
With sphinx release of 5.0.0, they changed default for language variable
to 'en' from None. With that, the current None value is not valid and should
not be used.


Change-Id: I159a23ae2c147f75c0944a0a5e92f1a19ba20e2b
2022-05-30 16:01:18 +02:00
Dmitriy Rabotyagov aa1feb4527 Clean out SSH options we managing
With the current behaviour we duplicate SSH options and don't care if the same
thing is defined anywhere down the line.
With this change we change how options are defined - instead of the
template we use a list of mappings. With that
we can select and remove options that the playbook is supposed to manage.

With that we also keep playbook idempotency. As a side effect we can still
have options duplicated, but only if they have the exact same value.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-openstack_hosts/+/840353
Change-Id: I140606f7e724fbe2a4f0b03f6a0501da7bdd5964
Closes-Bug: #1958649
2022-05-20 07:53:05 +00:00
OpenStack Proposal Bot da6ffd7d65 Updated from OpenStack Ansible Tests
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-openstack_hosts/+/840353

Change-Id: Id5e2ba2e6d4b5970be4ae3115bfb090652b500bf
2022-05-03 16:17:12 +00:00
Jonathan Rosser 7b7e25b0a8 Cleanup setup.py config
Change-Id: Id743a4119b35789eb8522f9e95e7fc442a8e6011
2022-04-04 10:50:36 +01:00
Zuul abef57cf7c Merge "Add centos-9 support" 2022-02-03 22:14:03 +00:00
Zuul 7626153a08 Merge "Refactor use of include_vars" 2022-01-12 14:23:14 +00:00
Jonathan Rosser 6007645fd7 Refactor use of include_vars
Use a first_found lookup instead of a with_first_found loop so that
the 'paths' parameter can be used.

This ensures that only vars from the role are included, and not vars
from a parent calling role. This can happen when a parent role has
a higher priority vars file available for inclusion than the role
it calls.

Change-Id: I078590020a98f0b5759f3de524753e01bb9c5597
2022-01-12 08:52:34 +00:00
Jonathan Rosser 11ae75f92b Add centos-9 support
Change-Id: If86dd75bbf444eaacf9eb7a890f17fa7593a1099
2022-01-06 09:37:04 -05:00
Dmitriy Rabotyagov a82570f1a5 Use pipefail for shell module
It's not safe to run pipes without pipefail, but in some cases we
expect it to fail and work around this. In such cases we ignore the rule.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-tests/+/784751
Change-Id: I79a630ebe8ff54bc9f4600e1f3c0fda653cc4b71
2022-01-04 13:07:09 +00:00
OpenStack Proposal Bot a502ad3ed9 Updated from OpenStack Ansible Tests
Change-Id: Ib5442b1cd0b367e513fc93bb506d42579461f465
2021-12-17 16:50:16 +00:00
OpenStack Release Bot f80502a2fa Update master for stable/xena
Add file to the reno documentation build to show release notes for
stable/xena.

Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/xena.

Sem-Ver: feature
Change-Id: I4dffba103892d243d460e120ac5262f6752b2af1
2021-12-07 10:05:25 +00:00
Zuul 4ba0de970a Merge "Explicitly create clamav socket directory" 2021-11-03 12:57:39 +00:00
Dmitriy Rabotyagov 9d6a927d8c Explicitly create clamav socket directory
While most of our supported distributions do create LocalSocket on their
own, it's not always the case and shouldn't be trusted that much.

Change-Id: I56851f56aa85108a4898ef99c48ac77c898ccb69
Closes-Bug: #1944564
2021-10-20 15:27:21 +03:00
Ghanshyam Mann b75f5d30d5 Moving IRC network reference to OFTC
Change-Id: Ia22f21a3fb2e3c03af9a47b48c99f4024faaecb3
2021-07-08 18:26:27 -05:00
Jonathan Rosser 480dd9d866 Remove references to unsupported operating systems
All references to Gentoo, SUSE, Debian stretch and Centos-7 are removed.
Conditional tasks, ternary operators and variables are simplified where possible.
OS specific variables files are generalised where possible.
Change-Id: Id3136a5eed068e317aa1a7b33a1149629dc76d77
2021-06-11 14:14:20 +00:00
Dmitriy Rabotyagov 6f354a7a4b Switch hardening to integrated tests
We aim to decrease usage of the tests repo as much as we can, so we
are switching roles to the tests completed by integrated repo.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/792639
Change-Id: Ice89ada6e009d3aaaff5fa261c7b9cf23216f159
2021-05-21 17:28:39 +03:00
codejubilee 9b3ea39df4 Added pam_auth_password to nullok check
Change-Id: I692241ce21e8bd8912b8d1ff5a261ae10d7da1f2
2021-04-12 22:39:31 +00:00
Dmitriy Rabotyagov e4b55822cf Extend timeout for RPM verification
For systems with many packages deployed or heavily loaded environments,
rpm verification takes way more time than 5 minutes, ending up in
a corrupted database of the rpm packages. So we set the limit to 1 hour
and extend the amount of retries to wait for the result to match the async
timeout.

Change-Id: I30d29630214914bea99fc7fd66afa3218705d733
Closes-Bug: #1921292
2021-03-25 09:47:35 +02:00
OpenStack Proposal Bot 4cdc2de73c Updated from OpenStack Ansible Tests
Change-Id: I679b36fb98f24ffa178cd06da46b6149054be61a
2021-03-22 08:53:32 +00:00
Zuul c2b4675ac9 Merge "Use ansible_facts[] instead of fact variables" 2021-03-15 09:36:19 +00:00
OpenStack Proposal Bot d608ecd1d1 Updated from OpenStack Ansible Tests
Change-Id: I51564aa762b8f1c5bc9bc74ef3dda0c9281ebfac
2021-03-12 22:23:17 +00:00
Jonathan Rosser b9a9310d7c Use ansible_facts[] instead of fact variables
See https://github.com/ansible/ansible/issues/73654

Change-Id: I3dc2486a0666367d673b23403f2510c94c40eaf4
2021-03-10 16:54:58 +00:00
Zuul 087919c425 Merge "Make possible to avoid aide installation" 2021-02-12 10:33:08 +00:00
Jonathan Rosser b7b945b21e Exclude system directories (/sys, /proc, /dev) from the shosts file search
This halves the number of files examined by the find module on an ubuntu
focal system and nearly halves the runtime of the task on a ceph backed
VM.

Change-Id: I862351badc70fa091bebf55dd2910cccfa731ca2
2021-02-03 11:54:52 +00:00
Dmitriy Rabotyagov 180fc448eb Make possible to avoid aide installation
This patch adds variable `security_rhel7_enable_aide`. When it's False,
all AIDE related tasks would be omitted.

Change-Id: I64af348d9f49922ab51d8cd348d987df4263faa1
2021-02-02 14:12:10 +00:00
Jonathan Rosser c6703cd5e5 Fix linter errors
Work around the mutually incompatible W503 and W504.

Change-Id: I45d0ca8a911d9cf1af2df52a1cf911db817b13b3
2021-02-02 16:11:03 +02:00
OpenStack Proposal Bot 4e44a54b95 Updated from OpenStack Ansible Tests
Change-Id: I816a89649849d7773c4a35452fe4989092537fea
2020-09-24 16:59:52 +00:00
Dmitriy Rabotyagov 64ea421bba Ensure that motd is not displayed twice
motd is handled by default with pam_motd.so module. Setting Banner option
for sshd_config makes motd to be shown twice, which is excessive

Change-Id: I4e8bdbe8f482f61235b4b14a619e4ed91b01f2f4
2020-08-05 14:09:46 +03:00
Zuul 1890dc0520 Merge "Stop to use the __future__ module." 2020-07-27 12:04:52 +00:00
Marc Gariepy 17ccd9f06c Cleanup ansible_python_interpreter
ansible_python_interpreter is set to auto, it's not needed anywhere now.

Change-Id: I204db302995d779d390444f3f6a865ead750fed5
2020-06-17 11:14:01 -04:00
Andreas Jaeger 260b23b9b6 Use newer openstackdocstheme and reno versions
The sync from https://review.opendev.org/733244 updated to
openstackdocstheme 2.2.1 and reno 3.1.0 versions.

Set openstackdocs_pdf_link to link to PDF file. Note that
the link to the published document only works on docs.openstack.org
where the PDF file is placed in the top-level html directory. The
site-preview places the PDF in a pdf directory.

openstackdocstheme renames some variables, so follow the renames
before the next release removes them. A couple of variables are also
not needed anymore, remove them.

See also
http://lists.openstack.org/pipermail/openstack-discuss/2020-May/014971.html

Change-Id: Id2c810e9214981f381d5a9d4f1f2e40cb63a02af
2020-06-04 09:22:27 +02:00
OpenStack Proposal Bot 53bcfcf743 Updated from OpenStack Ansible Tests
Change-Id: Idf23e61424fc04fdd4f0804ced5742e25dc5f9b9
2020-06-04 09:21:15 +02:00
Andreas Jaeger 1fa67fd90d Enable syncing of docs
The docs job is failing in https://review.opendev.org/671840 and thus
nothing is synced in from openstack-ansible-tests. The failure is due to
the removal of entries from doc/requirements.txt. Add those
to test-requirements.txt instead.

Change-Id: I21bcbde8acc8d4fd83b28026bcec33f388e69912
2020-06-03 22:04:16 +02:00
Hervé Beraud b2b89afb08 Stop to use the __future__ module.
The __future__ module [1] was used in this context to ensure compatibility
between python 2 and python 3.

We previously dropped the support of python 2.7 [2] and now we only support
python 3 so we don't need to continue to use this module and the imports
listed below.

Imports commonly used and their related PEPs:
- `division` is related to PEP 238 [3]
- `print_function` is related to PEP 3105 [4]
- `unicode_literals` is related to PEP 3112 [5]
- `with_statement` is related to PEP 343 [6]
- `absolute_import` is related to PEP 328 [7]

[1] https://docs.python.org/3/library/__future__.html
[2] https://governance.openstack.org/tc/goals/selected/ussuri/drop-py27.html
[3] https://www.python.org/dev/peps/pep-0238
[4] https://www.python.org/dev/peps/pep-3105
[5] https://www.python.org/dev/peps/pep-3112
[6] https://www.python.org/dev/peps/pep-0343
[7] https://www.python.org/dev/peps/pep-0328

Change-Id: I1d485edac47a29c48e280f99bb2a3839739d7a7b
2020-06-02 19:32:55 +02:00
OpenStack Release Bot 28f397c063 Update master for stable/ussuri
Add file to the reno documentation build to show release notes for
stable/ussuri.

Use pbr instruction to increment the minor version number
automatically so that master versions are higher than the versions on
stable/ussuri.

Change-Id: I29c8a8f1df649c9e01213ff5937ea72a12b14e5d
Sem-Ver: feature
2020-06-01 13:06:36 +00:00