linux-system-roles / linux-system-roles.github.io
Linux System Roles website

Home Page: https://linux-system-roles.github.io/

License: Other

HTML 8.40% Ruby 0.97% JavaScript 0.57% SCSS 90.06%
ansible-galaxy ansible-roles hacktoberfest jekyll linux

linux-system-roles.github.io's People

Contributors

a-mere-peasant, dependabot[bot], i386x, jakuje, larskarlitski, liangwen12year, natoscott, nhosoi, pcahyna, rhwood, richm, rjeffman, sean-m-sullivan, spetrosi, t-woerner, tabowling, thom311, tyll


linux-system-roles.github.io's Issues

sshd system role configuration fails on FIPS enabled RHEL7 systems

We are attempting to use the SSH system role on RHEL7 systems which are in FIPS mode due to a security policy requirement. When trying to run this role through Ansible, the playbook fails at the SSH key generation task with the error message "ED25519 keys are not allowed in FIPS mode". This is because the ed25519 key type is not available, as noted here: https://access.redhat.com/solutions/3643252.

The playbook likely needs to either detect whether FIPS mode is enabled by getting the value of crypto.fips.enabled from sysctl, provide a user method to specify which key algorithms to generate, or provide a FIPS variable that the user can set to indicate that the system is in FIPS mode.
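The detection the issue asks for, as an added example that is not part of the sshd role or any other linux-system-roles code. It reads the kernel's FIPS flag from /proc/sys/crypto/fips_enabled (the file behind the crypto.fips_enabled sysctl) and drops ed25519 from the host key list when the flag is set. The function names, the parameterised flag path and the key directory argument are this example's own choices, not role variables.

```shell
#!/bin/sh
# Added example (not linux-system-roles code): choose sshd host key types
# depending on whether the kernel reports FIPS mode. The flag path is a
# parameter so the logic can be exercised against constructed files; on a
# real host pass /proc/sys/crypto/fips_enabled.

# fips_enabled FILE -> prints 1 if the flag file contains "1", otherwise 0.
# A missing or unreadable file is treated as "not in FIPS mode".
fips_enabled() {
    if [ -r "$1" ] && [ "$(tr -d '[:space:]' < "$1")" = "1" ]; then
        echo 1
    else
        echo 0
    fi
}

# sshd_hostkey_types FILE -> prints the key types to generate, one per line.
# ed25519 is left out under FIPS because ssh-keygen refuses it there
# ("ED25519 keys are not allowed in FIPS mode"); rsa and ecdsa remain.
sshd_hostkey_types() {
    if [ "$(fips_enabled "$1")" = "1" ]; then
        printf '%s\n' rsa ecdsa
    else
        printf '%s\n' rsa ecdsa ed25519
    fi
}

# generate_hostkeys FILE KEYDIR -> runs ssh-keygen once per selected type,
# skipping keys that already exist so the step is idempotent like a role task.
generate_hostkeys() {
    flag=$1
    keydir=$2
    for t in $(sshd_hostkey_types "$flag"); do
        key="$keydir/ssh_host_${t}_key"
        [ -e "$key" ] && continue
        ssh-keygen -q -t "$t" -N '' -f "$key"
    done
}

# Stand-alone demo: show which types this host would get. Generating keys
# is left to the caller, e.g. generate_hostkeys /proc/sys/crypto/fips_enabled /etc/ssh
sshd_hostkey_types /proc/sys/crypto/fips_enabled
```

In an Ansible task the same decision would be made once from the slurped flag file and the resulting list fed to the key generation loop; a user-supplied override of the type list (the second option in the issue) slots in before sshd_hostkey_types is consulted.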

Use ansible-test units for unit testing

This is urgent due to ansible-core dropping support for python 2.7. This causes our tox -e py27 unit test to fail:

ERROR: Could not find a version that satisfies the requirement ansible-core==2.12.* (from versions: 0.0.1a1, 2.11.0b1, 2.11.0b2, 2.11.0b3, 2.11.0b4, 2.11.0rc1, 2.11.0rc2, 2.11.0, 2.11.1rc1, 2.11.1, 2.11.2rc1, 2.11.2, 2.11.3rc1, 2.11.3, 2.11.4rc1, 2.11.4, 2.11.5rc1, 2.11.5, 2.11.6rc1, 2.11.6, 2.11.7rc1)

It isn't clear from the error, but because ansible-core requires python >= 3.8, we get this error.

Instead, we should use ansible-test units which is designed for this purpose. And - it covers python 2.6 and 2.7, as well as all supported python 3.x versions (when using --docker - note that if you dnf install podman-docker you can use podman instead of the "real" docker)

We already have support for ansible-test in tox-lsr: https://github.com/linux-system-roles/tox-lsr/blob/main/src/tox_lsr/config_files/tox-default.ini#L244 and https://github.com/linux-system-roles/tox-lsr/blob/main/src/tox_lsr/test_scripts/runansible-test.sh

However, it will take a good bit of effort to make our unit testing work with ansible-test.

  • get rid of py26 and py27 from all .github/workflows/tox.yml
    These do not work and cause unnecessary test failures

  • support for --docker is more important than without
    That is - tests must work with ansible-test units --docker and ansible-test sanity --docker. If they don't work without --docker, that is ok, at least for now.

  • change lsr_role2collection.py
    This must convert the unit tests into the format expected by ansible-test units and ansible-test sanity.
    The tests must be in $namespace/$name/tests/unit/plugins/modules/$rolename/test_*.py
    The tests must use the FQCN to load the python code from the module and module_utils. This will be quite problematic for the network role especially.
    Must convert test requirements into tests/unit/requirements.txt - See https://github.com/ansible-collections/ansible.posix/blob/main/tests/unit/requirements.txt for example. We can probably use pytest_extra_requirements.txt. I think kernel_settings will be quite problematic as it uses tuned as a requirement, which also has system requirements (bindep.txt?)

We may have to change the individual tests/unit/*.py files in each role in order to support this, or to make it easier to convert.

  • fix ansible-test sanity to make import and compile tests work
    If we convert roles to collections correctly, and get the requirements.txt correct, this may make the sanity import and compile tests work, so we don't have to ignore them

  • should still be able to use tox -e py38 or even pytest directly
    For role developers who just want to run tests directly on their local git clone without converting to collection format.

  • add an ansible-test-units test to tox-lsr
    So that developers can easily run this

  • in github CI - get rid of pyxx tests - add an ansible-test-units test
    add a github CI test which uses tox-lsr ansible-test-units

RFE: A system monitoring and alerting role

I would like to see a role added that would configure essential system monitoring and in case something bad happens then automatically alert the administrator. The areas to be monitored, the thresholds to raise alerts, and the methods of alerting should be configurable. Once configured, the administrator should not be required to manually monitor or read anything to see that a system is behaving as expected and in case of issues would receive a notification alert.

In practice at least the following could be considered as methods to alert:

  • D-Bus
  • email
  • HTTP POST (this would probably also cover chat)
  • SNMP
  • SMS
  • syslog

The following could be areas to monitor with configurable thresholds, e.g., by default 90% limit for the disk-full case:

  • CPU usage - e.g., detect CPU hogs on non-dedicated systems where no process should utilize CPU for a long time
  • memory usage - e.g., monitor how much memory and swap is used and how much there is swapping in/out activity
  • disk usage - e.g., monitor that no partition is getting full
  • network connectivity - e.g., monitor that gateway, DNS, NTP servers are pingable and no packet loss detected
  • application issues - e.g., generic cases like process segfaulting constantly or a service failing to start
  • security violations - e.g., high amount of failed SSH login attempts, SELinux AVCs, DDoS, or sudo failures
  • hardware failures - e.g., IO errors from storage or current hardware not matching a predefined configuration

The user could select one or more alerting methods, local syslog could be the default since it's probably easiest to set up correctly. The default set of what to monitor and the default thresholds could be determined after consulting people and organizations maintaining and supporting production systems.

Implementation-wise one potential candidate would be PCP/pmie at least for the CPU/memory/storage/network related areas. PCP/pmie uses the same PCP infra as the existing metrics role to detect anomalies, is fully configurable, allows calling external scripts on events, and is nowadays a standard component in most distributions. It should however be tested how PCP/pmie behaves in case an alert should be raised, e.g., when disk full.

Later on it could be considered whether adding optional remediation scripts would be helpful or possible.

Thanks.
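Two of the requested checks (disk usage against a 90% default and repeated failed SSH logins) with local syslog as the alert method, as an added example rather than anything from the metrics role or PCP/pmie. The df and auth log lines are constructed samples; thresholds are parameters; the sysmon tag and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of any linux-system-roles role: minimal disk-full
# and failed-SSH-login checks with syslog (logger) as the alert channel.
# Input is read from stdin so the functions work on live `df -P` / journal
# output as well as on the constructed samples below.

# alert PRIORITY MESSAGE -> log via syslog; fall back to stderr if logger
# is missing or cannot reach the log socket.
alert() {
    if command -v logger >/dev/null 2>&1; then
        logger -t sysmon -p "user.$1" -- "$2" 2>/dev/null && return 0
    fi
    printf 'sysmon[%s]: %s\n' "$1" "$2" >&2
}

# check_disk THRESHOLD < df -P output -> prints "mountpoint use%" for every
# filesystem whose use is at or above THRESHOLD percent (header skipped).
check_disk() {
    awk -v lim="$1" 'NR > 1 { sub(/%/, "", $5); if ($5 + 0 >= lim) print $6, $5 }'
}

# check_ssh_failures THRESHOLD < auth log -> prints "source count" for each
# source address with at least THRESHOLD sshd "Failed password" lines.
check_ssh_failures() {
    awk -v lim="$1" '/sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++
        }
        END { for (ip in n) if (n[ip] >= lim) print ip, n[ip] }'
}

# raise CHECK < finding lines -> one warning alert per line; prints the
# number of alerts raised so callers can see whether anything fired.
raise() {
    n=0
    while IFS= read -r line; do
        alert warning "$1: $line"
        n=$((n + 1))
    done
    echo "$n"
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_DF='Filesystem 1024-blocks Used Available Capacity Mounted on
/dev/vda1 41152736 38012300 3140436 93% /
/dev/vda2 20961280 4190000 16771280 20% /var
tmpfs 1994000 0 1994000 0% /dev/shm'

SAMPLE_AUTH='Mar  1 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  1 10:00:02 host sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Mar  1 10:00:03 host sshd[1203]: Accepted publickey for ops from 198.51.100.7 port 40122 ssh2
Mar  1 10:00:04 host sshd[1204]: Failed password for root from 203.0.113.5 port 51250 ssh2
Mar  1 10:00:05 host sshd[1205]: Failed password for root from 198.51.100.9 port 40200 ssh2'

# Stand-alone demo: the root filesystem at 93% trips the 90% default, and
# 203.0.113.5 trips a threshold of three failed logins.
printf '%s\n' "$SAMPLE_DF" | check_disk 90 | raise disk-usage
printf '%s\n' "$SAMPLE_AUTH" | check_ssh_failures 3 | raise ssh-failures
```

Each check is a filter that emits only findings, so adding a second alert method (email, HTTP POST) means adding another consumer of the same lines rather than touching the checks; in the pmie-based design sketched in the issue the checks would be pmie rules and raise would be the external script pmie calls.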

Restructuring the site

I suggest we restructure the site to have different contributing and how-to-install/use pages and remove the sections on the landing page. This would also be a good time to refresh and update the landing page.

sudoers role

Hi,
Is there any plan to add a role to manage the sudoers file?
I'm currently using https://github.com/ahuffman/ansible-sudoers, which works great, but is not distributed as a collection.

I can see that roles outside of the linux-system-roles GH org can be included, e.g. sshd.

Thanks,
Ben

collection fedora.linux_system_roles installation is missing roles folder

Hi,

Did you guys intentionally leave the roles folder empty in 1.9.2 ?

reproducer:

ansible-galaxy collection install fedora.linux_system_roles -f
ls  ~/.ansible/collections/ansible_collections/fedora/linux_system_roles/roles/

and it shows only

logging  private_logging_subrole_rsyslog

rollback to 1.8.4

ansible-galaxy collection install fedora.linux_system_roles:1.8.4 -f
ls  ~/.ansible/collections/ansible_collections/fedora/linux_system_roles/roles/

and it shows

certificate      ha_cluster       metrics      postfix                                private_metrics_subrole_grafana  selinux  timesync
cockpit          kdump            nbde_client  private_logging_subrole_rsyslog        private_metrics_subrole_mssql    ssh      tlog
crypto_policies  kernel_settings  nbde_server  private_metrics_subrole_bpftrace       private_metrics_subrole_pcp      sshd     vpn
firewall         logging          network      private_metrics_subrole_elasticsearch  private_metrics_subrole_redis    storage

Rob

dnf-automatic role

Hi,
I've started work on a dnf-automatic role to automate updates. I would like to get this under the linux-system-roles umbrella.
My current goal is to provide a role that is doing the same as cockpit does for automated updates, with more flexibility in configuration that makes sense in larger (my) deployments.
https://github.com/Klaas-/dnf_automatic/
it's based on the template, it should be in a working state, but I have not finished automated tests etc.

Is getting this role into linux-system-roles something you're interested in?

Greetings
Klaas

Dependencies

I believe having a * for dependencies is causing Ansible Automation Hub to pull in every version of community.general. This is over 100 versions and it's triggering this bug on Ansible Automation Platform 2.3 (Ansible Core <2.14): ansible/ansible#77911

Please consider setting a min required version instead of the wildcard if possible?

Edit: This may need to be applied elsewhere, not sure if this is the correct place for this issue... I just followed the link from Galaxy.

...

Dependencies
This collection requires the following collections for use

ansible.posix: *
community.general: *
containers.podman: *

New Subsystem for adding/removing mitigations for security issues

Hi,
I am currently thinking about how to properly implement mitigations in my environment because of the recent CVE for tcpsack. I noticed that while there are Ansible mitigation playbooks on the individual vulnerability pages, there is no central point for them and they only operate one way (i.e., they only set the mitigation and do not clean it up after updates have been installed).

So I was thinking it may be a good idea to have a central role (or many roles for individual CVEs) that do the work.

My initial idea is represented in this repository:
https://github.com/Klaas-/redhat-mitigations
with the first CVE implemented as add/remove depending on the kernel.

If Red Hat is interested in this idea and putting it under the linux-system-roles umbrella I would be willing to put some more work into it.

Side question: the current system roles seem to be licensed with different licenses -- would it be a good idea to use one license for all? :) Which one is the preferred license?

Greetings
Klaas
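The add/remove-depending-on-the-kernel behaviour the post describes, as an added example that is not taken from the redhat-mitigations repository or any system role. The fixed kernel version, the sysctl key and the drop-in path are placeholders to be replaced with the values from the vendor advisory for the CVE in question; the version comparison and reconcile logic are this example's own.

```shell
#!/bin/sh
# Added example (not from redhat-mitigations or linux-system-roles): keep a
# sysctl-based mitigation in place only while the running kernel is older
# than the first fixed version, and withdraw it once the kernel is updated.

FIXED_KERNEL="0.0.0-PLACEHOLDER"        # placeholder: first fixed kernel from the advisory
MITIGATION_KEY="placeholder.sysctl.key"   # placeholder: sysctl knob the advisory names
MITIGATION_VALUE="0"                      # placeholder: value the advisory prescribes
CONF=/etc/sysctl.d/90-cve-mitigation.conf # drop-in this script owns (placeholder name)

# version_lt A B -> true (exit 0) if A is older than B, comparing the
# numeric components of versions like 3.10.0-957.21.3.el7 left to right.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, /[^0-9]+/); nb = split(b, y, /[^0-9]+/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# mitigation_action KERNEL -> "apply" while KERNEL is still vulnerable,
# "remove" once it is at or past FIXED_KERNEL.
mitigation_action() {
    if version_lt "$1" "$FIXED_KERNEL"; then
        echo apply
    else
        echo remove
    fi
}

# reconcile KERNEL CONFFILE -> write or delete the sysctl drop-in so the
# host matches what its kernel requires; prints the action taken.
# After a change a real run would follow up with `sysctl --system`.
reconcile() {
    action=$(mitigation_action "$1")
    case $action in
        apply)  printf '%s = %s\n' "$MITIGATION_KEY" "$MITIGATION_VALUE" > "$2" ;;
        remove) rm -f "$2" ;;
    esac
    echo "$action"
}

# Stand-alone demo: only reports the decision for this host; it does not
# touch /etc, so it is safe to run as-is.
echo "$(uname -r): $(mitigation_action "$(uname -r)")"
```

Because reconcile computes the desired state from the kernel version every run, the same task that adds the mitigation also removes it after a kernel update, which is the one-way problem the post raises.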

ansible-galaxy install on core 2.14.0 stuck indefinitely

The command line

ansible-galaxy collection install fedora.linux_system_roles --force-with-deps -vvv

on ansible-core>=2.15 and ansible-core==2.14.14 (latest at the time of writing) works correctly.

Trying on an ansible-core 2.14.0 virtualenv, it gets stuck indefinitely (I interrupted after ~10 minutes):

(core-2.14) guido@fedora:~/Development/redhat/github-actions$ ansible-galaxy collection install fedora.linux_system_roles --force-with-deps -vvv
ansible-galaxy [core 2.14.0]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/guido/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/guido/Development/virtualenv/core-2.14/lib/python3.11/site-packages/ansible
  ansible collection location = /home/guido/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/guido/Development/virtualenv/core-2.14/bin/ansible-galaxy
  python version = 3.11.8 (main, Feb 28 2024, 00:00:00) [GCC 13.2.1 20231205 (Red Hat 13.2.1-6)] (/home/guido/Development/virtualenv/core-2.14/bin/python)
  jinja version = 3.1.3
  libyaml = True
Using /etc/ansible/ansible.cfg as config file
Starting galaxy collection install process
Found installed collection middleware_automation.redhat_csp_download:1.2.2 at '/home/guido/.ansible/collections/ansible_collections/middleware_automation/redhat_csp_download'
Found installed collection middleware_automation.janus:1.0.0 at '/home/guido/.ansible/collections/ansible_collections/middleware_automation/janus'
Found installed collection middleware_automation.jws:1.2.5 at '/home/guido/.ansible/collections/ansible_collections/middleware_automation/jws'
Found installed collection middleware_automation.jbcs:1.0.4 at '/home/guido/.ansible/collections/ansible_collections/middleware_automation/jbcs'
Found installed collection middleware_automation.infinispan:1.3.1 at '/home/guido/.ansible/collections/ansible_collections/middleware_automation/infinispan'
Found installed collection middleware_automation.keycloak:2.1.1 at '/home/guido/.ansible/collections/ansible_collections/middleware_automation/keycloak'
Found installed collection middleware_automation.wildfly:1.5.1 at '/home/guido/.ansible/collections/ansible_collections/middleware_automation/wildfly'
Found installed collection middleware_automation.amq:2.0.1 at '/home/guido/.ansible/collections/ansible_collections/middleware_automation/amq'
Found installed collection middleware_automation.common:1.2.0 at '/home/guido/.ansible/collections/ansible_collections/middleware_automation/common'
Found installed collection ansible.netcommon:5.1.1 at '/home/guido/.ansible/collections/ansible_collections/ansible/netcommon'
Found installed collection ansible.utils:2.10.3 at '/home/guido/.ansible/collections/ansible_collections/ansible/utils'
Found installed collection ansible.posix:1.5.4 at '/home/guido/.ansible/collections/ansible_collections/ansible/posix'
Found installed collection community.docker:3.4.8 at '/home/guido/.ansible/collections/ansible_collections/community/docker'
Found installed collection community.fqcn_migration:1.0.2 at '/home/guido/.ansible/collections/ansible_collections/community/fqcn_migration'
Found installed collection community.aws:7.1.0 at '/home/guido/.ansible/collections/ansible_collections/community/aws'
Found installed collection community.general:8.4.0 at '/home/guido/.ansible/collections/ansible_collections/community/general'
Found installed collection guidograzioli.kubevirt:0.1.0 at '/home/guido/.ansible/collections/ansible_collections/redhat/kubernetes.kubevirt'
Found installed collection redhat.eap:1.3.4 at '/home/guido/.ansible/collections/ansible_collections/redhat/eap'
Found installed collection redhat.jbcs:1.0.1 at '/home/guido/.ansible/collections/ansible_collections/redhat/jbcs'
Found installed collection redhat.sso:2.0.0 at '/home/guido/.ansible/collections/ansible_collections/redhat/sso'
Found installed collection redhat.runtimes_common:1.1.3 at '/home/guido/.ansible/collections/ansible_collections/redhat/runtimes_common'
Found installed collection redhat.data_grid:1.3.1 at '/home/guido/.ansible/collections/ansible_collections/redhat/data_grid'
Found installed collection redhat.rhbk:2.1.1 at '/home/guido/.ansible/collections/ansible_collections/redhat/rhbk'
Found installed collection redhat.jws:2.1.0 at '/home/guido/.ansible/collections/ansible_collections/redhat/jws'
Found installed collection redhat.amq_broker:2.0.1 at '/home/guido/.ansible/collections/ansible_collections/redhat/amq_broker'
Found installed collection amazon.aws:7.3.0 at '/home/guido/.ansible/collections/ansible_collections/amazon/aws'
Found installed collection azure.azcollection:1.16.0 at '/home/guido/.ansible/collections/ansible_collections/azure/azcollection'
Found installed collection containers.podman:1.12.0 at '/home/guido/.ansible/collections/ansible_collections/containers/podman'
Found installed collection kubernetes.core:2.4.0 at '/home/guido/.ansible/collections/ansible_collections/kubernetes/core'
Found installed collection guidograzioli.kubevirt:0.1.0 at '/home/guido/.ansible/collections/ansible_collections/kubernetes/kubevirt.old'
Found installed collection kubernetes.kubevirt:0.1.0 at '/home/guido/.ansible/collections/ansible_collections/kubernetes/kubevirt.old2'
Found installed collection kubernetes.kubevirt:0.1.0 at '/home/guido/.ansible/collections/ansible_collections/kubernetes/kubevirt.old3'
Found installed collection kubevirt.core:0.1.0 at '/home/guido/.ansible/collections/ansible_collections/kubernetes/kubevirt'
Found installed collection kubernetes.kubevirt:0.1.0 at '/home/guido/.ansible/collections/ansible_collections/guidograzioli/kubevirt'
Found installed collection kubevirt.core:1.1.0 at '/home/guido/.ansible/collections/ansible_collections/kubevirt/core'
Found installed collection skupper.network:1.2.1 at '/home/guido/.ansible/collections/ansible_collections/skupper/network'
Found installed collection infra.rhbk_datagrid_aws:1.0.0 at '/home/guido/.ansible/collections/ansible_collections/infra/rhbk_datagrid_aws'
Found installed collection fedora.linux_system_roles:1.75.3 at '/home/guido/.ansible/collections/ansible_collections/fedora/linux_system_roles'
Process install dependency map
Opened /home/guido/.ansible/galaxy_token
^C [ERROR]: User interrupted execution

I noticed the behaviour in our GitHub Actions CI, where we were installing ansible-core in a matrix with ==, and using ~=2.14 fixed it.
