The ability to disable SELinux from userspace based on the configuration
file is being deprecated in favor of the selinux=0 kernel boot
parameter. (Note that this affects only the "full" disable; switching
to/from permissive mode will work the same as before.)
Therefore, add an 'update_kernel_param' module parameter that will cause
it to set/unset the kernel command-line parameter using grubby when
enabling/disabling SELinux. (An explicit parameter was chosen for
backwards compatibility.)
More information:
https://lore.kernel.org/selinux/157836784986.560897.13893922675143903084.stgit@chester/https://fedoraproject.org/wiki/Changes/Remove_Support_For_SELinux_Runtime_Disable
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Add new firewalld_info module to ansible.posix collection
SUMMARY
Add new firewalld_info module to ansible.posix collection.
Gathering information about firewalld zone settings
fixes#98
ISSUE TYPE
Feature Pull Request
COMPONENT NAME
ansible.posix.firewalld_info
ADDITIONAL INFORMATION
None
Reviewed-by: Abhijeet Kasurde <None>
Reviewed-by: Hideki Saito <saito@fgrep.org>
synchronize: fix to honor become_user when become_method sudo
SUMMARY
When become_method is sudo, the synchronize module ignores become_user, always running as root. This means one cannot create files as a target user, when they need to get in via a third user and can only sudo via that one. In my case, I'm connecting via a special provisioning user that has sudo privs, but I need to create the files as the become_user. I'm using it to deposit skeleton files, and there should be no reason to run another task with chown; after all, the documentation already describes the desired behavior:
The user and permissions for the synchronize dest are those of the remote_user on the destination host or the become_user if become=yes is active.
This patch takes the running become_user (if it's not None) and adds it to the sudo command with the -u command line option, so the file gets created correctly. I have tested this and it works.
Other become_methods are ignored, but they already were anyways (the code already has a TODO to add other methods, which we don't attempt in this patch)
Fixes#186
ISSUE TYPE
Bugfix Pull Request
COMPONENT NAME
synchronize
ADDITIONAL INFORMATION
See reproduction in #186.
This appears to have been in place since ansible/ansible@811a906
Reviewed-by: Amin Vakil <info@aminvakil.com>
Reviewed-by: Sumit Jaiswal <sjaiswal@redhat.com>
Restructure integration tests for authorized_key module
SUMMARY
Split the large tasks/main.yml in integration tests to each function block and use import_tasks to import for them.
ISSUE TYPE
Feature Pull Request
COMPONENT NAME
tests/integration/targets/authorized_key/
ADDITIONAL INFORMATION
None
* Address the issue #28
* Modified behavior to set noauto option if boot is 'no' on Linux system
* Modified integration test to use filesize module instead of dd
Signed-off-by: Hideki Saito <saito@fgrep.org>
* firewalld: add zone target set
Fixes https://github.com/ansible/ansible/issues/49232
Signed-off-by: Adam Miller <admiller@redhat.com>
* fix sanity tests, add example of zone target setting
Signed-off-by: Adam Miller <admiller@redhat.com>
* test different zone/target combination as we're not hitting default settings
Signed-off-by: Adam Miller <admiller@redhat.com>
* fix enabled values for zone operations
Signed-off-by: Adam Miller <admiller@redhat.com>
* Apply suggestions from code review
Co-authored-by: Felix Fontein <felix@fontein.de>
Co-authored-by: Felix Fontein <felix@fontein.de>
the order of actions for setting, persisting and activation is changed,
to not persist an invalid sysctl value. This is only enforced when
sysct_set is True.
Previously check_mode would incorrectly return changed=False even when a
change would have taken place if ran without check_mode, with
integration tests that confirmed this incorrect behavior. Also the
module did not correctly populate the return values when run in
check_mode. Both of these issues are resolved in this PR.
Fixes https://github.com/ansible-collections/ansible.posix/issues/37
Signed-off-by: Adam Miller <admiller@redhat.com>
Previously the selinux module would only edit the state of found
configuration keys SELINUX and SELINUXTYPE in /etc/selinux/config but
would not add them with desired state if they were not found.
Fixes#23https://github.com/ansible-collections/ansible.posix/issues/23
Signed-off-by: Adam Miller <admiller@redhat.com>
This reverts part of ansible commit 72023d7462e78635264fd12bfdb23894b4163cba.
The immediate reason is that it breaks mounts where src is not a path.
Examples of such mounts are network-based filesystems such as nfs, cifs,
glusterfs, ceph, virtual filesystems such as tmpfs or overlayfs, and
also UUID-based mounts. It is too hard to come with an exhaustive list,
especially if we take non-Linux systems into account, so don't even try.
Additionally, it did not really fix the issue (ansible/ansible#59183) that
it intended to fix, because the mount could fail but leave a non-working
fstab entry for reasons other than non-existing src path.
Restore fstab and remove the mount point after a failed mount
Add a reminder that not only devices can be mounted
Fixes: ansible/ansible#65855Fixes: ansible/ansible#67588Fixes: ansible/ansible#67966
Signed-off-by: Alexander E. Patrakov <patrakov@gmail.com>
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Co-authored-by: Alexander E. Patrakov <patrakov@gmail.com>
* Bootstrap Collection
* Basic common bootstrapping of repo
* Correct Galaxy settings
* Attempt to get Shippable working
* correct directory
* patch is part of ansible.posix (not community.general
* tests/utils/shippable/ missing from ignore.txt
* shippable/units.sh from a/a:devel
* ignore.txt:patch
* CI: Only use group1 for integration
* Correct Repo URLs
Co-Authored-By: Sviatoslav Sydorenko <wk.cvs.github@sydorenko.org.ua>
* HACK: Install community.general
* run integration tests first
* Install community.general in correct location
* deleted too much
* Use Extended FQCN for community.general
* Use temp-2.10-devel
* Update tests/utils/shippable/sanity.sh
Co-Authored-By: Sviatoslav Sydorenko <wk.cvs.github@sydorenko.org.ua>
Co-authored-by: Sviatoslav Sydorenko <wk.cvs.github@sydorenko.org.ua>
