Ansible6

dockpack · Nov 25, 2022 · 5f87b7e · 5f87b7e
1 parent 6c53775
commit 5f87b7e
Show file tree

Hide file tree

Showing 10 changed files with 72 additions and 41 deletions.
diff --git a/.ansible-lint b/.ansible-lint
@@ -0,0 +1,4 @@
+---
+skip_list:
+  - experimental  # all rules tagged as experimental
+  - fqcn-builtins
diff --git a/.github/workflows/molecule.yml b/.github/workflows/molecule.yml
@@ -12,11 +12,11 @@ jobs:
     runs-on: ubuntu-20.04
     steps:
       - name: checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
         with:
           path: "${{ github.repository }}"
       - name: molecule
-        uses: robertdebock/molecule-action@2.6.8
+        uses: robertdebock/molecule-action@2.7.2
         with:
           command: lint
   test:
@@ -27,11 +27,11 @@ jobs:
       fail-fast: false
     steps:
       - name: checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
         with:
           path: "${{ github.repository }}"
       - name: molecule
-        uses: robertdebock/molecule-action@2.6.8
+        uses: robertdebock/molecule-action@2.7.2
         with:
           image: ${{ matrix.config.image }}
           tag: ${{ matrix.config.tag }}
diff --git a/.yamllint b/.yamllint
@@ -3,8 +3,8 @@ extends: default
 
 rules:
   truthy:
-    allowed-values: ['true', 'false', 'on']
-    check-keys: true
+    allowed-values: ['true', 'false']
+    check-keys: false
 
 ignore: |
   .tox/
diff --git a/handlers/main.yml b/handlers/main.yml
@@ -1,10 +1,10 @@
 ---
-- name: 'remove sysklogd'
+- name: 'Remove sysklogd'
   yum:
     name: sysklogd
     state: absent
 
-- name: 'restart rsyslog'
+- name: 'Restart rsyslog'
   service:
     name: rsyslog
     state: restarted

diff --git a/meta/main.yml b/meta/main.yml
@@ -3,16 +3,18 @@
 galaxy_info:
   author: Bas Meijer
   description: RSyslog
-  company: bbaassssiiee
-
+  company: dockpack
+  role_name: base_rsyslog
+  namespace: dockpack
   license: MIT
 
-  min_ansible_version: 2.8.0
+  min_ansible_version: '2.9.27'
 
   platforms:
     - name: EL
       versions:
-        - 7
+        - '7'
+        - '8'
   galaxy_tags:
     - system
     - hardening

diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml
@@ -1,4 +1,12 @@
 ---
-- hosts: all
-  roles:
-    - role: base_rsyslog
+- name: Converge
+  hosts: all
+  vars:
+    role_name: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}"
+
+  tasks:
+    - name: "Include {{ role_name }}"
+      ansible.builtin.include_role:
+        name: "{{ role_name }}"
+
+...
diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml
@@ -10,9 +10,20 @@ lint: |
   ansible-lint
 platforms:
   - name: base-rsyslog-centos7
-    image: milcom/centos7-systemd
-    privileged: true
+    image: centos:7.9.2009
+    command: /sbin/init
+    capabilities:
+      - CAP_NET_BIND_SERVICE
+    tmpfs:
+      - /run
+      - /tmp
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
 provisioner:
   name: ansible
+  config_options:
+    defaults:
+      stdout_callback: yaml
+      executable: /bin/bash
 verifier:
   name: ansible
diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml
@@ -21,7 +21,7 @@
       get_url:
         url: "{{ goss_url }}"
         dest: "{{ goss_dst }}"
-        sha256sum: "{{ goss_sha256sum }}"
+        checksum: "sha256:{{ goss_sha256sum }}"
         mode: 0755
       register: download_goss
       until: download_goss is succeeded

diff --git a/requirements.txt b/requirements.txt
@@ -1,10 +1,15 @@
 # these python extensions are for testing
 tox
-sh==1.12.14
-molecule
-molecule-docker
-yamllint
-ansible-lint
-docker==4.2.2
+pipx
+attrs>=19.2.0
+rich==12.5.1
+ansible==6.2.0
+ansible-lint==6.4.0
+molecule==4.0.1
+molecule-docker==2.0.0
+molecule-vagrant-1.0.0
+yamllint==1.28.0
+docker>=4.3.1
+ssh-audit
 anyconfig>=0.10.0 # not directly required, pinned by Snyk to avoid a vulnerability
-
+setuptools>=65.5.1 # not directly required, pinned by Snyk to avoid a vulnerability
diff --git a/tasks/main.yml b/tasks/main.yml
@@ -1,64 +1,64 @@
 ---
-- name: 'ensure log_host is defined'
+- name: 'Ensure log_host is defined'
   assert:
     that: "'{{ log_host }}' is defined"
   tags:
     - rsyslog
 
-- name: 'ensure package rsyslog is installed'
+- name: 'Ensure package rsyslog is installed'
   yum:
     name: rsyslog
     state: installed
-  notify: remove sysklogd
+  notify: Remove sysklogd
   tags:
     - rsyslog
 
-- name: 'copy /etc/rsyslog.conf file for normal host'
+- name: 'Copy /etc/rsyslog.conf file for normal host'
   template:
     src: etc-rsyslog.conf.j2
     dest: /etc/rsyslog.conf
     owner: root
     group: root
     mode: 0600
-  notify: restart rsyslog
+  notify: Restart rsyslog
   tags:
     - rsyslog
 
-- name: 'rewrite /etc/rsyslog.conf file for remote loghost'
+- name: 'Rewrite /etc/rsyslog.conf file for remote loghost'
   template:
     src: etc-rsyslog.loghost.conf.j2
     dest: /etc/rsyslog.conf
     owner: root
     group: root
     mode: 0600
   when: is_monitor|bool
-  notify: restart rsyslog
+  notify: Restart rsyslog
   tags:
     - rsyslog
 
-- name: 'copy /etc/sysconfig/rsyslog file'
+- name: 'Copy /etc/sysconfig/rsyslog file'
   template:
     src: etc-sysconfig-rsyslog.j2
     dest: /etc/sysconfig/rsyslog
     owner: root
     group: root
     mode: 0644
-  notify: restart rsyslog
+  notify: Restart rsyslog
   tags:
     - rsyslog
 
-- name: 'enable rsyslog'
+- name: 'Enable rsyslog'
   service:
     name: rsyslog
     enabled: true
-  notify: restart rsyslog
+  notify: Restart rsyslog
   tags:
     - rsyslog
 
-- name: 'restart rsyslog if needed'
+- name: 'Restart rsyslog if needed'
   meta: flush_handlers
 
-- name: 'ensure permissions on all logfiles are configured'
+- name: 'Ensure permissions on all logfiles are configured'
   file:
     path: /var/log
     mode: 'g-wx,o-rwx'
@@ -68,7 +68,7 @@
     - rsyslog
     - permissions
 
-- name: 'ensure permissions are correct on wtmp'
+- name: 'Ensure permissions are correct on wtmp'
   file:
     path: /var/log/wtmp
     mode: 0640
@@ -77,11 +77,12 @@
     - rsyslog
     - permissions
 
-- name: 'ensure permissions are correct on dmesg'
+- name: 'Ensure permissions are correct on dmesg'
   file:
     path: /var/log/dmesg
     mode: 0640
-  ignore_errors: true
+    state: touch
+  changed_when: false
   tags:
     - compliance
     - rsyslog