
Conversation

@jan-cerny jan-cerny commented Jul 15, 2025

Description:

This PR changes some Ansible Tasks to work in check mode. The objective is to prevent premature terminations of Ansible Playbooks for our profiles.

The most frequent change is that some Ansible tasks that use the command or shell module will also run in check mode. This isn't done for all tasks using these modules, but only for some of them that are read-only and that check some status or read some files, usually with the grep command.

For more details, please read commit messages of each commit.

Rationale:

Resolves: https://issues.redhat.com/browse/OPENSCAP-5480

Review Hints:

Run the contest test that will be introduced by PR RHSecurityCompliance/contest#424.

@jan-cerny jan-cerny added the Ansible Ansible remediation update. label Jul 15, 2025
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Used by openshift-ci bot. label Jul 15, 2025
openshift-ci bot commented Jul 15, 2025

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@jan-cerny jan-cerny added this to the 0.1.78 milestone Jul 15, 2025
@Mab879 Mab879 self-assigned this Jul 15, 2025
@openshift-merge-robot openshift-merge-robot added the needs-rebase Used by openshift-ci bot. label Jul 16, 2025
jan-cerny added 14 commits July 16, 2025 09:09
Prevents failure if the file "pam_file_path" doesn't exist.
Notice that "pam_file_path" is a variable that sometimes has
a different value than the "pam_file" constant, therefore we can't
reuse the already existing ansible.builtin.stat task above.

If authselect isn't enabled, the playbook would terminate here.
In normal mode it makes sense because subsequent tasks depend on
authselect and use the authselect command. But, in check mode,
it isn't possible to enable authselect, so we need to skip this check.

Tasks using the shell or command module normally don't run in check mode.
Setting the check_mode attribute to false on a task using the shell or command module
will cause this task to be executed also in check mode.
This can't be done on all these tasks but only on tasks that don't
perform any change to the system and just read a value or
the status of something (for example grep commands).

Check that the file modified in the tasks exists before starting
the tasks to prevent "no such file" errors.

Prevent executing tasks depending on the authselect profile
if the authselect profile hasn't been created.

Prevent playbook termination in check mode if aide hasn't been
installed.

Prevent failures in check mode caused by attempts to modify nonexistent
files. Make sure AIDE is installed before trying to modify AIDE
configuration files.

Prevent failures in check mode caused by attempts to modify nonexistent
files. Make sure fapolicyd is installed before trying to modify fapolicyd
configuration files.

The task fails in check mode because /etc/cron.daily/logrotate
doesn't exist. This failure can happen only in check mode because in the
normal run the file is created in the task right before.

This prevents errors in check mode. In normal mode it doesn't
have an effect because the file is created by the previous task above.

If the file doesn't exist it fails with "No such file or directory: b'gpg'".

Prevents termination in check mode if the service doesn't run
because a playbook in check mode doesn't start services, it only
checks.
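The patterns described in the PR description (running read-only command tasks in check mode) and in the commit messages above (stat guards before editing files, tolerating a stopped service in check mode) are collected in the following play. This is an added example, not code from the ComplianceAsCode/content repository or from this PR: the paths, the value of pam_file_path, the grepped pattern, the AIDE and auditd tasks and the task names are assumptions chosen only to illustrate the technique.

```yaml
# Added example, not code from the ComplianceAsCode/content PR.
# Assumptions: every path, the pam_file_path value, the pattern grepped for
# and the package/service names are illustrative. Intended to be run as
#   ansible-playbook -i inventory check_mode_safe.yml --check
# and then again without --check.
- name: Check-mode-safe remediation tasks (illustrative play)
  hosts: all
  become: true
  vars:
    pam_file_path: /etc/pam.d/system-auth   # assumed; may differ from a pam_file constant

  tasks:
    # 1. Guard a file-modifying task with stat, because in check mode the
    #    task that would have created the file does not actually run.
    - name: Check whether the PAM file exists
      ansible.builtin.stat:
        path: "{{ pam_file_path }}"
      register: pam_file_stat

    # 2. A read-only command may run in check mode: check_mode: false forces
    #    execution, changed_when: false keeps it from being reported as a
    #    change, and failed_when accepts grep's exit status 1 (no match)
    #    while still failing on 2 (a real error such as an unreadable file).
    - name: Check whether pam_faillock.so is already referenced
      ansible.builtin.command: "grep -q pam_faillock.so {{ pam_file_path }}"
      register: faillock_check
      check_mode: false
      changed_when: false
      failed_when: faillock_check.rc not in [0, 1]
      when: pam_file_stat.stat.exists

    - name: Add pam_faillock.so if it is missing
      ansible.builtin.lineinfile:
        path: "{{ pam_file_path }}"
        line: "auth        required      pam_faillock.so preauth silent"
        insertafter: '^auth\s+required\s+pam_env\.so'
      # Jinja "and" short-circuits, so faillock_check.rc is only read when
      # the grep task actually ran (i.e. the file existed).
      when: pam_file_stat.stat.exists and faillock_check.rc == 1

    # 3. Installing a package creates its config file in a normal run but
    #    not in check mode, so stat the file after the install task and skip
    #    the edit when it is absent instead of letting lineinfile fail.
    - name: Ensure AIDE is installed
      ansible.builtin.package:
        name: aide
        state: present

    - name: Check whether the AIDE configuration exists
      ansible.builtin.stat:
        path: /etc/aide.conf
      register: aide_conf

    - name: Set the AIDE database directory
      ansible.builtin.lineinfile:
        path: /etc/aide.conf
        regexp: '^\s*DBDIR\s*='
        line: "DBDIR=/var/lib/aide"
      when: aide_conf.stat.exists

    # 4. A check-mode run does not start services, so a follow-up command
    #    that needs the service running must tolerate failure in check mode.
    #    ansible_check_mode is a built-in Ansible magic variable.
    - name: Ensure auditd is running
      ansible.builtin.service:
        name: auditd
        state: started
        enabled: true

    - name: List the loaded audit rules
      ansible.builtin.command: auditctl -l
      register: audit_rules
      check_mode: false
      changed_when: false
      failed_when: audit_rules.rc != 0 and not ansible_check_mode
```

The important caveat, which the PR description also states, is that `check_mode: false` must go only on tasks that cannot change the system: it disables the check-mode protection for that one task, so a `command` that writes anything would run for real during `--check`. Pairing it with `changed_when: false` keeps the play's summary honest, and an explicit `failed_when` is needed because `grep` returns 1 for "no match", which Ansible would otherwise treat as a failure.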
@jan-cerny jan-cerny force-pushed the ansible_check_mode branch from d7caaae to 1f9312a Compare July 16, 2025 07:11
@openshift-merge-robot openshift-merge-robot removed the needs-rebase Used by openshift-ci bot. label Jul 16, 2025
@jan-cerny jan-cerny marked this pull request as ready for review July 16, 2025 09:14
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Used by openshift-ci bot. label Jul 16, 2025
@Mab879 Mab879 merged commit d382f7b into ComplianceAsCode:master Jul 17, 2025
126 of 129 checks passed