linux-system-roles / linux-system-roles.github.io
Linux System Roles website
Home Page: https://linux-system-roles.github.io/
License: Other
We are attempting to use the SSH system role on RHEL7 systems which are in FIPS mode due to a security policy requirement. When trying to run this role through Ansible, the playbook fails at the SSH key generation task with the error message "ED25519 keys are not allowed in FIPS mode". This is because the ed25519 key type is not available, as noted here: https://access.redhat.com/solutions/3643252.
The playbook likely needs to either detect whether FIPS mode is enabled by getting the value of crypto.fips.enabled from sysctl, provide a user method to specify which key algorithms to generate, or provide a FIPS variable that the user can set to indicate whether the system is in FIPS mode.
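As an added example (not code from the linux-system-roles project), the following playbook combines the three options the post proposes: it detects FIPS mode through the stock ansible_fips fact (read from /proc/sys/crypto/fips_enabled), lets the operator override the detection with a variable, and generates only the host key types allowed in the selected mode. The variable names and key type lists are assumptions for this example.

```yaml
# Added example, not part of the linux-system-roles ssh/sshd roles.
# Assumes the stock ansible_fips fact; variable names and key lists are
# constructed for this example.
- name: Generate SSH host keys that are valid for the host's crypto policy
  hosts: all
  become: true
  vars:
    # Key types to generate when the host is not in FIPS mode.
    ssh_host_key_types_default: [rsa, ecdsa, ed25519]
    # ED25519 is rejected by OpenSSH in FIPS mode on RHEL 7, so omit it.
    ssh_host_key_types_fips: [rsa, ecdsa]
    # Operators can force the decision (true/false) instead of relying
    # on detection; null means "detect".
    ssh_force_fips_mode: null
  tasks:
    - name: Determine FIPS mode (explicit variable wins over detected fact)
      ansible.builtin.set_fact:
        ssh_fips_mode: >-
          {{ ssh_force_fips_mode
             if ssh_force_fips_mode is not none
             else (ansible_facts['fips'] | default(false)) }}

    - name: Select the key types permitted in the current mode
      ansible.builtin.set_fact:
        ssh_host_key_types: >-
          {{ ssh_host_key_types_fips if ssh_fips_mode | bool
             else ssh_host_key_types_default }}

    - name: Generate any missing host keys (idempotent via creates)
      ansible.builtin.command:
        cmd: ssh-keygen -q -N '' -t {{ item }} -f /etc/ssh/ssh_host_{{ item }}_key
        creates: /etc/ssh/ssh_host_{{ item }}_key
      loop: "{{ ssh_host_key_types }}"

    - name: Report the decision for the run log
      ansible.builtin.debug:
        msg: "FIPS mode: {{ ssh_fips_mode }}, key types: {{ ssh_host_key_types | join(', ') }}"
```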
This is urgent due to ansible-core dropping support for python 2.7. This causes our tox -e py27 unit test to fail:
ERROR: Could not find a version that satisfies the requirement ansible-core==2.12.* (from versions: 0.0.1a1, 2.11.0b1, 2.11.0b2, 2.11.0b3, 2.11.0b4, 2.11.0rc1, 2.11.0rc2, 2.11.0, 2.11.1rc1, 2.11.1, 2.11.2rc1, 2.11.2, 2.11.3rc1, 2.11.3, 2.11.4rc1, 2.11.4, 2.11.5rc1, 2.11.5, 2.11.6rc1, 2.11.6, 2.11.7rc1)
It isn't clear from the error, but we get this error because ansible-core requires python >= 3.8.
Instead, we should use ansible-test units, which is designed for this purpose. And it covers python 2.6 and 2.7, as well as all supported python 3.x versions (when using --docker; note that if you dnf install podman-docker you can use podman instead of the "real" docker).
We already have support for ansible-test in tox-lsr: https://github.com/linux-system-roles/tox-lsr/blob/main/src/tox_lsr/config_files/tox-default.ini#L244 and https://github.com/linux-system-roles/tox-lsr/blob/main/src/tox_lsr/test_scripts/runansible-test.sh
However, it will take a good bit of effort to make our unit testing work with ansible-test.
get rid of py26 and py27 from all .github/workflows/tox.yml
These do not work and cause unnecessary test failures
support for --docker is more important than without
That is, tests must work with ansible-test units --docker and ansible-test sanity --docker. If they don't work without --docker, that is ok, at least for now.
change lsr_role2collection.py
This must convert the unit tests into the format expected by ansible-test units and ansible-test sanity.
The tests must be in $namespace/$name/tests/unit/plugins/modules/$rolename/test_*.py
The tests must use the FQCN to load the python code from the module and module_utils. This will be quite problematic for the network role especially.
Must convert test requirements into tests/unit/requirements.txt - See https://github.com/ansible-collections/ansible.posix/blob/main/tests/unit/requirements.txt for example. We can probably use pytest_extra_requirements.txt. I think kernel_settings will be quite problematic as it uses tuned as a requirement, which also has system requirements (bindep.txt?)
We may have to change the individual tests/unit/*.py files in each role in order to support this, or to make it easier to convert.
fix ansible-test sanity to make import and compile tests work
If we convert roles to collections correctly, and get the requirements.txt correct, this may make the sanity import and compile tests work, so we don't have to ignore them
should still be able to use tox -e py38 or even pytest directly
For role developers who just want to run tests directly on their local git clone without converting to collection format.
add an ansible-test-units test to tox-lsr
So that developers can easily run this
in github CI - get rid of pyxx tests - add an ansible-test-units test
add a github CI test which uses tox-lsr ansible-test-units
The website says that the roadmap includes a role for RHSM.
I want to point out that this role exists (I'm one of the main contributors).
https://github.com/openstack/ansible-role-redhat-subscription/
How would you like to proceed? Would you prefer a move or just update the doc somewhere?
I would like to see a role added that would configure essential system monitoring and in case something bad happens then automatically alert the administrator. The areas to be monitored, the thresholds to raise alerts, and the methods of alerting should be configurable. Once configured, the administrator should not be required to manually monitor or read anything to see that a system is behaving as expected and in case of issues would receive a notification alert.
In practice at least the following could be considered as methods to alert:
The following could be areas to monitor with configurable thresholds, e.g., by default 90% limit for the disk-full case:
The user could select one or more alerting methods, local syslog could be the default since it's probably easiest to set up correctly. The default set of what to monitor and the default thresholds could be determined after consulting people and organizations maintaining and supporting production systems.
Implementation-wise one potential candidate would be PCP/pmie at least for the CPU/memory/storage/network related areas. PCP/pmie uses the same PCP infra as the existing metrics role to detect anomalies, is fully configurable, allows calling external scripts on events, and is nowadays a standard component in most distributions. It should however be tested how PCP/pmie behaves in case an alert should be raised, e.g., when disk full.
Later on it could be considered whether adding optional remediation scripts would be helpful or possible.
Thanks.
I suggest we restructure the site to have different contributing and how-to-install/use pages and remove the sections on the landing page; this would also be a good time to refresh and update the landing page.
Hi,
Is there any plan to add a role to manage the sudoers file?
I'm currently using https://github.com/ahuffman/ansible-sudoers, which works great, but is not distributed as a collection.
I can see that roles outside of the linux-system-roles GH org can be included, e.g. sshd.
Thanks,
Ben
Hi,
Did you guys intentionally leave the roles folder empty in 1.9.2?
reproducer:
ansible-galaxy collection install fedora.linux_system_roles -f
ls ~/.ansible/collections/ansible_collections/fedora/linux_system_roles/roles/
and it shows only
logging private_logging_subrole_rsyslog
rollback to 1.8.4
ansible-galaxy collection install fedora.linux_system_roles:1.8.4 -f
ls ~/.ansible/collections/ansible_collections/fedora/linux_system_roles/roles/
and it shows
certificate ha_cluster metrics postfix private_metrics_subrole_grafana selinux timesync
cockpit kdump nbde_client private_logging_subrole_rsyslog private_metrics_subrole_mssql ssh tlog
crypto_policies kernel_settings nbde_server private_metrics_subrole_bpftrace private_metrics_subrole_pcp sshd vpn
firewall logging network private_metrics_subrole_elasticsearch private_metrics_subrole_redis storage
Rob
Hi,
I've started work on a dnf-automatic role to automate updates. I would like to get this under the linux-system-roles umbrella.
My current goal is to provide a role that does the same as cockpit does for automated updates, with more flexibility in configuration that makes sense in larger (my) deployments.
https://github.com/Klaas-/dnf_automatic/
It's based on the template; it should be in a working state, but I have not finished automated tests etc.
Is getting this role into linux-system-roles something you're interested in?
Greetings
Klaas
A good reference example might be https://cockpit-project.org/external/wiki/Contributing.html
current subsystems
future ideas
revise examples
I believe having a * for dependencies is causing Ansible Automation Hub to pull in every version of community.general. This is over 100 versions and it's triggering this bug on Ansible Automation Platform 2.3 (Ansible Core <2.14): ansible/ansible#77911
Please consider setting a min required version instead of the wildcard if possible?
Edit: This may need to be applied elsewhere, not sure if this is the correct place for this issue... I just followed the link from Galaxy.
...
Dependencies
This collection requires the following collections for use
Hi,
I am currently thinking about how to properly implement mitigations in my environment because of the recent CVE for tcpsack. I noticed that while there are ansible mitigation playbooks on the individual vulnerability pages, there is no central point for them and they only operate one way (i.e. they only set the mitigation and do not clean it up after updates have been installed).
So I was thinking it may be a good idea to have a central role (or many roles for individual CVEs) that do the work.
My initial idea is represented in this repository:
https://github.com/Klaas-/redhat-mitigations
with the first CVE implemented as add/remove depending on the kernel.
If Red Hat is interested in this idea and putting it under the linux-system-roles umbrella I would be willing to put some more work into it.
Side question: the current system roles seem to be licensed with different licenses -- would it be a good idea to use one license for all? :) Which one is the preferred license?
Greetings
Klaas
The command line
ansible-galaxy collection install fedora.linux_system_roles --force-with-deps -vvv
on ansible-core>=2.15 and ansible-core==2.14.14 (latest at the time of writing) works correctly.
Trying on an ansible-core 2.14.0 virtualenv, it gets stuck indefinitely (I interrupted after ~10 minutes):
(core-2.14) guido@fedora:~/Development/redhat/github-actions$ ansible-galaxy collection install fedora.linux_system_roles --force-with-deps -vvv
ansible-galaxy [core 2.14.0]
config file = /etc/ansible/ansible.cfg
configured module search path = ['/home/guido/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /home/guido/Development/virtualenv/core-2.14/lib/python3.11/site-packages/ansible
ansible collection location = /home/guido/.ansible/collections:/usr/share/ansible/collections
executable location = /home/guido/Development/virtualenv/core-2.14/bin/ansible-galaxy
python version = 3.11.8 (main, Feb 28 2024, 00:00:00) [GCC 13.2.1 20231205 (Red Hat 13.2.1-6)] (/home/guido/Development/virtualenv/core-2.14/bin/python)
jinja version = 3.1.3
libyaml = True
Using /etc/ansible/ansible.cfg as config file
Starting galaxy collection install process
Process install dependency map
Opened /home/guido/.ansible/galaxy_token
^C [ERROR]: User interrupted execution
I noticed the behaviour in our github actions CI, where we were installing ansible-core in a matrix with ==, and using ~=2.14 fixed it.