- Remove centos6 platforms for integration tests on
the ansible devel branch from the azure-pipelines.
- Add delegate_to to each task of integration test for
synchronized module on devel branch
- Modify invalid parameter test to use key instead of name
for sysctl module
- Replace lookup plugin to slurp module in integration tests
for selinux module
- Add creating working directory task in integration tests
for acl module
Signed-off-by: Hideki Saito <saito@fgrep.org>
selinux: update kernel boot params when disabling/re-enabling SELinux
SUMMARY
The ability to disable SELinux from userspace based on the configuration
file is being deprecated in favor of the selinux=0 kernel boot
parameter. (Note that this affects only the "full" disable; switching
to/from permissive mode will work the same as before.)
Therefore, enhance the selinux module to try to set/unset the kernel
command-line parameter using grubby when enabling/disabling SELinux.
If the grubby package is not present on the system, the module will only
update the config file and report a warning. Note that even with the
runtime disable functionality removed, setting SELINUX=disabled in the
config file will lead to a system with no SELinux policy loaded, which
will behave in a very similar way as if SELinux was fully disabled, only
there could still be some minor performance impact, since the kernel
hooks will still be active.
More information:
https://lore.kernel.org/selinux/157836784986.560897.13893922675143903084.stgit@chester/https://fedoraproject.org/wiki/Changes/Remove_Support_For_SELinux_Runtime_Disable
ISSUE TYPE
Feature Pull Request
COMPONENT NAME
selinux module
Reviewed-by: Adam Miller <maxamillion@fedoraproject.org>
Reviewed-by: Ondrej Mosnáček <omosnacek@gmail.com>
Reviewed-by: Abhijeet Kasurde <None>
Reviewed-by: quidame <None>
Reviewed-by: Hideki Saito <saito@fgrep.org>
Reviewed-by: None <None>
The ability to disable SELinux from userspace based on the configuration
file is being deprecated in favor of the selinux=0 kernel boot
parameter. (Note that this affects only the "full" disable; switching
to/from permissive mode will work the same as before.)
Therefore, add an 'update_kernel_param' module parameter that will cause
it to set/unset the kernel command-line parameter using grubby when
enabling/disabling SELinux. (An explicit parameter was chosen for
backwards compatibility.)
More information:
https://lore.kernel.org/selinux/157836784986.560897.13893922675143903084.stgit@chester/https://fedoraproject.org/wiki/Changes/Remove_Support_For_SELinux_Runtime_Disable
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Fix requires firewalld version in comments for permanent parameter.
SUMMARY
Version of firewalled seems to be wrong. 3.0.9 version of that package does not exist.
The latest release of firewalled: https://github.com/firewalld/firewalld/releases
ISSUE TYPE
Docs Pull Request
COMPONENT NAME
ansible.posix.firewalld
Reviewed-by: Hideki Saito <saito@fgrep.org>
Reviewed-by: Andrew Klychkov <aaklychkov@mail.ru>
Reviewed-by: None <None>
Properly quote Synchronize
SUMMARY
The synchronize action plugin and module were a bit sloppy when it came to the command-line parameter quoting and that caused failure on some systems (for example, on Fedora 34).
This commit makes sure any arguments with potentially problematic characters are quoted before being used.
Fixes#242
ISSUE TYPE
Bugfix Pull Request
COMPONENT NAME
synchronize
Reviewed-by: Sergey <None>
Reviewed-by: Abhijeet Kasurde <None>
Reviewed-by: None <None>
The synchronize action plugin and module were a bit sloppy when it
came to the command-line parameter quoting and that caused failuer on
some systems (for example, on Fedora 34).
This commit makes sure any argumnts with potentially problematic
characters are quoted before being used.
Add new firewalld_info module to ansible.posix collection
SUMMARY
Add new firewalld_info module to ansible.posix collection.
Gathering information about firewalld zone settings
fixes#98
ISSUE TYPE
Feature Pull Request
COMPONENT NAME
ansible.posix.firewalld_info
ADDITIONAL INFORMATION
None
Reviewed-by: Abhijeet Kasurde <None>
Reviewed-by: Hideki Saito <saito@fgrep.org>
synchronize: fix to honor become_user when become_method sudo
SUMMARY
When become_method is sudo, the synchronize module ignores become_user, always running as root. This means one cannot create files as a target user, when they need to get in via a third user and can only sudo via that one. In my case, I'm connecting via a special provisioning user that has sudo privs, but I need to create the files as the become_user. I'm using it to deposit skeleton files, and there should be no reason to run another task with chown; after all, the documentation already describes the desired behavior:
The user and permissions for the synchronize dest are those of the remote_user on the destination host or the become_user if become=yes is active.
This patch takes the running become_user (if it's not None) and adds it to the sudo command with the -u command line option, so the file gets created correctly. I have tested this and it works.
Other become_methods are ignored, but they already were anyways (the code already has a TODO to add other methods, which we don't attempt in this patch)
Fixes#186
ISSUE TYPE
Bugfix Pull Request
COMPONENT NAME
synchronize
ADDITIONAL INFORMATION
See reproduction in #186.
This appears to have been in place since ansible/ansible@811a906
Reviewed-by: Amin Vakil <info@aminvakil.com>
Reviewed-by: Sumit Jaiswal <sjaiswal@redhat.com>
Restructure integration tests for authorized_key module
SUMMARY
Split the large tasks/main.yml in integration tests to each function block and use import_tasks to import for them.
ISSUE TYPE
Feature Pull Request
COMPONENT NAME
tests/integration/targets/authorized_key/
ADDITIONAL INFORMATION
None
