diff --git a/.ansible-lint b/.ansible-lint
index 9c9323e8df825eddaf10a9188e0fd26583c5dde0..f18a6472898d714ef85310cdbe01e39500977528 100644
--- a/.ansible-lint
+++ b/.ansible-lint
@@ -6,7 +6,7 @@
# and not relative to the CWD of execution. CLI arguments passed to the --exclude
# option will be parsed relative to the CWD of execution.
exclude_paths:
- - .cache/ # implicit unless exclude_paths is defined in config
+ - .cache/ # implicit unless exclude_paths is defined in config
- .git/
- .githooks/
- backups/
@@ -15,24 +15,19 @@ exclude_paths:
# verbosity: 1
# Mock modules or roles in order to pass ansible-playbook --syntax-check
-#mock_modules:
-# - zuul_return
-# # note the foo.bar is invalid as being neither a module or a collection
-# - fake_namespace.fake_collection.fake_module
-# - fake_namespace.fake_collection.fake_module.fake_submodule
-#mock_roles:
-# - mocked_role
-# - author.role_name # old standalone galaxy role
-# - fake_namespace.fake_collection.fake_role # role within a collection
+# mock_modules:
+# - zuul_return
+# # note the foo.bar is invalid as being neither a module or a collection
+# - fake_namespace.fake_collection.fake_module
+# - fake_namespace.fake_collection.fake_module.fake_submodule
+# mock_roles:
+# - mocked_role
+# - author.role_name # old standalone galaxy role
+# - fake_namespace.fake_collection.fake_role # role within a collection
# Enable checking of loop variable prefixes in roles
loop_var_prefix: "{role}_"
-# Enforce variable names to follow pattern below, in addition to Ansible own
-# requirements, like avoiding python identifiers. To disable add `var-naming`
-# to skip_list.
-var_naming_pattern: "^[a-z_][a-z0-9_]*$"
-
use_default_rules: true
# Load custom rules from this specific folder
# rulesdir:
@@ -46,9 +41,9 @@ skip_list:
# Any rule that has the 'opt-in' tag will not be loaded unless its 'id' is
# mentioned in the enable_list:
enable_list:
- - empty-string-compare # opt-in
- - no-log-password # opt-in
- - no-same-owner # opt-in
+ - empty-string-compare # opt-in
+ - no-log-password # opt-in
+ - no-same-owner # opt-in
# add yaml here if you want to avoid ignoring yaml checks when yamllint
# library is missing. Normally its absence just skips using that rule.
- yaml
@@ -60,19 +55,19 @@ enable_list:
warn_list:
- skip_this_tag
- git-latest
- - experimental # experimental is included in the implicit list
+ - experimental # experimental is included in the implicit list
# - role-name
# Offline mode disables installation of requirements.yml
offline: false
# Define required Ansible's variables to satisfy syntax check
-#extra_vars:
-# foo: bar
-# multiline_string_variable: |
-# line1
-# line2
-# complex_variable: ":{;\t$()"
+# extra_vars:
+# foo: bar
+# multiline_string_variable: |
+# line1
+# line2
+# complex_variable: ":{;\t$()"
# Uncomment to enforce action validation with tasks, usually is not
# needed as Ansible syntax check also covers it.
diff --git a/.config/molecule/config.yml b/.config/molecule/config.yml
new file mode 100644
index 0000000000000000000000000000000000000000..ece7ff6dd671a6a55ec8f7e9e498c0310e52d4cc
--- /dev/null
+++ b/.config/molecule/config.yml
@@ -0,0 +1,2 @@
+---
+prerun: false
diff --git a/.githooks/pre-commit b/.githooks/pre-commit
index 02df4d59f0a37ead68a96a3e70d7428dad7f4270..b5975f0886faa4d654c04415bdcdb5dbf875747b 100755
--- a/.githooks/pre-commit
+++ b/.githooks/pre-commit
@@ -24,12 +24,12 @@ exec 1>&2
# Cross platform projects tend to avoid non-ASCII filenames; prevent
# them from being added to the repository. We exploit the fact that the
# printable range starts at the space character and ends with tilde.
-if [ "${allownonascii}" != "true" ] &&
+if [ "$allownonascii" != "true" ] &&
# Note that the use of brackets around a tr range is ok here, (it's
# even required, for portability to Solaris 10's /usr/bin/tr), since
# the square bracket bytes happen to fall in the designated range.
- test "$( git diff --cached --name-only --diff-filter=A -z "${against}" |
- LC_ALL=C tr -d '[ -~]\0' | wc -c )" != 0
+ test $(git diff --cached --name-only --diff-filter=A -z $against |
+ LC_ALL=C tr -d '[ -~]\0' | wc -c) != 0
then
cat <<\EOF
Error: Attempt to add a non-ASCII file name.
@@ -69,16 +69,12 @@ YAML_FILES=$(git diff --cached --name-only --diff-filter=ACM | grep ".yml$")
if [[ ${YAML_FILES} != "" ]]; then
for file in ${YAML_FILES}; do
yamllint "${file}"
- if ! yamllint "${file}"; then
+ if [[ ${?} -ne 0 ]]; then
exit 1
fi
done
fi && echo "SUCCESS: Yamllint stage."
-### ANSIBLE-LINT stage
-ansible-lint "site.yml" || exit 1
-echo "SUCCESS: Ansible-lint stage."
-
### VAULT detection stage
VAULT_FILES=$(git diff --cached --name-only --diff-filter=ACM | grep ".vault$")
if [[ ${VAULT_FILES} != "" ]]; then
@@ -92,15 +88,14 @@ fi
if [[ ${STAGED_FILES} != "" ]]; then
for file in ${STAGED_FILES}; do
grep -e "\$ANSIBLE_VAULT;[[:digit:]]\.[[:digit:]];AES256" "${file}"
- if grep -e "\$ANSIBLE_VAULT;[[:digit:]]\.[[:digit:]];AES256" "${file}"; then
- echo "ERROR: Ansible-Vault in String found in file '${file}'." && exit 1
- fi
+ [[ ${?} -eq 0 ]] && echo "ERROR: Ansible-Vault in String found in file '${file}'." && exit 1
done
fi
echo "SUCCESS: Vault detection stage."
### URL detection stage
-if "${GREP_CMD}" "${GREP_EXCLUDES}" -e "http[s]*.*git.*SLUB" -e "http[s]*.*git.*slub" -e "git@" "${REPOPATH}"; then
+${GREP_CMD} ${GREP_EXCLUDES} -e "http[s]*.*git.*SLUB" -e "http[s]*.*git.*slub" -e "git@" "${REPOPATH}"
+if [[ ${?} -eq 0 ]]; then
echo "ERROR: found internal URLs."
exit 1;
fi
@@ -109,28 +104,21 @@ echo "SUCCESS: URL detection stage."
### IP address detection stage
# This is pretty basic regex matching, but it's a start.
IP_REGEX='[^a-zA-ZäöÜÄÖÜß/\\\-][0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}'
-if "${GREP_CMD}" "${GREP_EXCLUDES}" -e "${IP_REGEX}" "${REPOPATH}" | grep -v "127.0.0"; then
+${GREP_CMD} ${GREP_EXCLUDES} -e "${IP_REGEX}" "${REPOPATH}" | grep -v "127.0.0"
+if [[ ${?} -eq 0 ]]; then
echo "ERROR: found IP address."
exit 1;
fi
echo "SUCCESS: IP address detection stage."
### SSH-Key detection stage
-if "${GREP_CMD}" "${GREP_EXCLUDES}" -e "ssh-[dr]sa " "${REPOPATH}"; then
+${GREP_CMD} ${GREP_EXCLUDES} -e "ssh-[dr]sa " "${REPOPATH}"
+if [[ ${?} -eq 0 ]]; then
echo "ERROR: found SSH key."
exit 1;
fi
echo "SUCCESS: SSH Key detection stage."
-### SHELLSCRIPT CHECK stage
-SH_FILES=$(git diff --cached --name-only --diff-filter=ACM | grep ".sh$")
-if [[ ${SH_FILES} != "" ]]; then
- for file in ${SH_FILES}; do
- shellcheck "${file}"
- done
-fi
-echo "SUCCESS: SHELLSCRIPT CHECK stage."
-
diff --git a/.gitignore b/.gitignore
index 2e89c4b81eaaa3b67df49afe0c002b587226261a..ed783329d62a4c1e481a467fe674eb420a2b81dd 100644
--- a/.gitignore
+++ b/.gitignore
@@ -51,6 +51,8 @@ Thumbs.db
*.retry
*.vault
+inventory.*
+inv.*
# Vim #
#######
@@ -72,3 +74,15 @@ tags
.vagrant/
*.box
+
+# Temporary/Build/Backup #
+##########################
+
+backups/
+build/
+
+# CONFIDENTIAL #
+################
+
+ssh_host_*
+
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
new file mode 100644
index 0000000000000000000000000000000000000000..6cc3d222f54fb7bd1e32f58f9d8ee9fcee4e0170
--- /dev/null
+++ b/.gitlab-ci.yml
@@ -0,0 +1,45 @@
+---
+# A pipeline is composed of independent jobs that run scripts, grouped into stages.
+# Stages run in sequential order, but jobs within stages run in parallel.
+#
+# For more information, see: https://docs.gitlab.com/ee/ci/yaml/index.html#stages
+
+stages: # List of stages for jobs, and their order of execution
+ - test
+
+default:
+ before_script:
+ - source /opt/molecule/bin/activate
+ - ansible --version
+ - molecule --version
+
+test-job:
+ stage: test
+ tags:
+ - "shell"
+ script:
+ # make sure that Ansible Vaults are present and can be decrypted
+ - echo "${VAULT_LZA_BOOTSTRAP_RHEL_SERVER}" > ../lza_bootstrap_rhel_server.pass
+ - export ANSIBLE_VAULT_IDENTITY_LIST="../lza_bootstrap_rhel_server.pass"
+ - rm -rf ../ansible_vaults/
+ - git clone https://gitlab+deploy-token-25:${VAULT_ACCESS_TOKEN}@git.slub-dresden.de/slub-referat-2-3/ansible_vaults.git ../ansible_vaults/; \
+
+ # run Molecule tests against DEFAULT scenario (virtualbox_centos7)
+ - export SCENARIO="virtualbox_centos7"
+ - molecule syntax --scenario-name "${SCENARIO}"
+ - molecule lint --scenario-name "${SCENARIO}"
+ - molecule create --scenario-name "${SCENARIO}"
+ - molecule converge --scenario-name "${SCENARIO}"
+ - molecule idempotence --scenario-name "${SCENARIO}"
+ # - molecule verify --scenario-name "${SCENARIO}"
+ - molecule destroy --scenario-name "${SCENARIO}"
+
+ # run Molecule tests against Rocky Linux 8 scenario (virtualbox_rocky8)
+ - export SCENARIO="virtualbox_rocky8"
+ - molecule syntax --scenario-name "${SCENARIO}"
+ - molecule lint --scenario-name "${SCENARIO}"
+ - molecule create --scenario-name "${SCENARIO}"
+ - molecule converge --scenario-name "${SCENARIO}"
+ - molecule idempotence --scenario-name "${SCENARIO}"
+ # - molecule verify --scenario-name "${SCENARIO}"
+ - molecule destroy --scenario-name "${SCENARIO}"
diff --git a/.yamllint b/.yamllint
index 7c0f15cf782b192e2b80d4eadb9dcbf92b4553bf..88276760562cb58bb9bc47fa890e8a3df1125b9b 100644
--- a/.yamllint
+++ b/.yamllint
@@ -1,7 +1,5 @@
---
-# based on documentation available at
-# https://yamllint.readthedocs.io/en/stable/rules.html
-
+# Based on ansible-lint config
extends: default
rules:
@@ -11,13 +9,25 @@ rules:
brackets:
max-spaces-inside: 1
level: error
- comments:
- min-spaces-from-content: 4
+ colons:
+ max-spaces-after: -1
+ level: error
+ commas:
+ max-spaces-after: -1
+ level: error
+ comments: disable
comments-indentation: disable
- document-end: disable
- document-start:
- level: warning
- octal-values:
- forbid-explicit-octal: false
+ document-start: disable
+ empty-lines:
+ max: 3
+ level: error
+ hyphens:
+ level: error
+ indentation: disable
+ key-duplicates: enable
line-length: disable
- truthy: enable
+ new-line-at-end-of-file: disable
+ new-lines:
+ type: unix
+ trailing-spaces: disable
+ truthy: disable
diff --git a/defaults/main.yml b/defaults/main.yml
index 9dc5e4b28331aac57fcc73f904c1fa1a9e27703a..c5ffe80e4a49ef7edf2a54d86cc4e72c4c3810ce 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,6 +1,6 @@
---
# defaults file for ansible_lza_bootstrap_rhel_server
-tsm_default_version_short: "v8110"
-tsm_default_version_long: "8.1.10"
-tsm_default_checksum: "sha1:8ed715ad4c934a9891b2357d4877f3095a2c5ac2"
+tsm_default_version_short: "v8115"
+tsm_default_version_long: "8.1.15"
+tsm_default_checksum: "sha256:e24735f2f2f88bedc93371eae507c14dccb8e7be2676794b53ad94674338d8a1"
diff --git a/meta/main.yml b/meta/main.yml
index 2107fd33011716dab8002a0df8a3dbdfcd373ddd..a601195ec03e0b363586c0122f6ddb4efec25832 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -1,29 +1,32 @@
---
galaxy_info:
- author: Jörg Sachse
- description: role to initialise empty VMs that should become RHEL servers before switching to a non-root user for further management.
+ author: Jörg Sachse (<Joerg.Sachse@slub-dresden.de>)
company: SLUB Dresden
- # If the issue tracker for your role is not on github, uncomment the next line and provide a value issue_tracker_url: http://example.com/issue/tracker Some suggested licenses: - BSD
- # (default) - MIT - GPLv2 - GPLv3 - Apache - CC-BY
- license: GPLv3
- min_ansible_version: 2.5
- # If this a Container Enabled role, provide the minimum Ansible Container version. min_ansible_container_version: Optionally specify the branch Galaxy will use when accessing the GitHub repo
- #for this role. During role install, if no tags are available, Galaxy will use this branch. During import Galaxy will access files on this branch. If Travis integration is configured, only
- #notifications for this branch will be accepted. Otherwise, in all cases, the repo's default branch (usually master) will be used. github_branch:
- #
- # Provide a list of supported platforms, and for each platform a list of versions. If you don't wish to enumerate all versions for a particular platform, use 'all'. To view available
+ description: This role can be used to initialise empty VMs that should become RHEL servers before switching to a non-root user for further management.
+ galaxy_tags: []
+ # List tags for your role here, one per line. A tag is a keyword that describes and categorizes the role. Users find roles by searching for tags. Be sure to remove the '[]' above, if you
+ # add tags to this list.
+ #
+ # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+ # Maximum 20 tags per role.
+ # issue_tracker_url: "https://example.com/"
+ # If the issue tracker for your role is not on github, uncomment the next line and provide a value issue_tracker_url: http://example.com/issue/tracker
+ license: public domain
+ # Some suggested licenses: - BSD
+ # (default) - MIT - GPLv2 - GPLv3 - Apache - CC-BY
+ min_ansible_version: "2.5"
+ # If this a Container Enabled role, provide the minimum Ansible Container version. min_ansible_container_version: Optionally specify the branch Galaxy will use when accessing the GitHub repo
+ # for this role. During role install, if no tags are available, Galaxy will use this branch. During import Galaxy will access files on this branch. If Travis integration is configured, only
+ # notifications for this branch will be accepted. Otherwise, in all cases, the repo's default branch (usually master) will be used. github_branch:
+ namespace: "slub"
+ # Provide a list of supported platforms, and for each platform a list of versions. If you don't wish to enumerate all versions for a particular platform, use 'all'. To view available
# platforms and versions (or releases), visit: https://galaxy.ansible.com/api/v1/platforms/
#
# platforms: - name: Fedora
# versions: - all - 25 - name: SomePlatform versions: - all - 1.0 - 7 - 99.99
platforms:
- - name: RedHat
+ - name: EL
versions:
- - 7
- galaxy_tags: []
- # List tags for your role here, one per line. A tag is a keyword that describes and categorizes the role. Users find roles by searching for tags. Be sure to remove the '[]' above, if you
- # add tags to this list.
- #
- # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
- # Maximum 20 tags per role.
+ - "7"
+ - "8"
dependencies: []
diff --git a/molecule/default b/molecule/default
new file mode 120000
index 0000000000000000000000000000000000000000..0a8acd21180777d88330a691df946bff9f05e547
--- /dev/null
+++ b/molecule/default
@@ -0,0 +1 @@
+virtualbox_centos7
\ No newline at end of file
diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml
deleted file mode 100644
index 33d132bf5321b1c8a3cf8ef4301314fe7e781b0f..0000000000000000000000000000000000000000
--- a/molecule/default/molecule.yml
+++ /dev/null
@@ -1,31 +0,0 @@
----
-dependency:
- name: galaxy
-driver:
- name: vagrant
- provider:
- name: virtualbox
-lint: |
- set -e
- yamllint .
- ansible-lint -x formatting
- flake8 --ignore=E501
-platforms:
- - name: molecule-bootstrap-redhat
- box: centos/7
- memory: 512
- cpus: 1
-provisioner:
- name: ansible
- log: true
- config_options:
- defaults:
- # https://stackoverflow.com/questions/57435811/ansible-molecule-pass-multiple-vault-ids
- vault_identity_list: "@$HOME/.ansible/roles/molecule_prepare.pass, @$HOME/.ansible/roles/lza_install_common.pass, @$HOME/.ansible/roles/lza_server_hardening.pass, @$HOME/.ansible/roles/lza_bootstrap_rhel_server.pass, @$HOME/.ansible/roles/slub_osquery.pass"
- vvv: false
-verifier:
- name: testinfra
- env:
- PYTHONWARNINGS: "ignore:.*U.*mode is deprecated:DeprecationWarning"
- options:
- v: 1
diff --git a/molecule/default/playbook.yml b/molecule/default/playbook.yml
deleted file mode 100644
index 85cef84d470036f0ad7760d3753ea8aec79939d4..0000000000000000000000000000000000000000
--- a/molecule/default/playbook.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-- name: Converge
- hosts: all
- roles:
- - role: ansible_lza_bootstrap_rhel_server
diff --git a/molecule/default/prepare.yml b/molecule/default/prepare.yml
deleted file mode 100644
index 4b18d485a2590659e6c48bd711a566aa569553ad..0000000000000000000000000000000000000000
--- a/molecule/default/prepare.yml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-- name: Prepare
- hosts: all
- gather_facts: false
- tasks:
- - name: Install python for Ansible
- raw: test -e /usr/bin/python || (apt -y update && apt install -y python-minimal)
- become: true
- changed_when: false
diff --git a/molecule/default/tests/test_default.py b/molecule/default/tests/test_default.py
deleted file mode 100644
index eedd64a1d3d5c5f97f055b53c500cee079b02711..0000000000000000000000000000000000000000
--- a/molecule/default/tests/test_default.py
+++ /dev/null
@@ -1,14 +0,0 @@
-import os
-
-import testinfra.utils.ansible_runner
-
-testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
- os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all')
-
-
-def test_hosts_file(host):
- f = host.file('/etc/hosts')
-
- assert f.exists
- assert f.user == 'root'
- assert f.group == 'root'
diff --git a/molecule/default/INSTALL.rst b/molecule/resources/playbooks/INSTALL.rst
similarity index 84%
rename from molecule/default/INSTALL.rst
rename to molecule/resources/playbooks/INSTALL.rst
index 4f44b6745beb4e4a1ca19e93e42ccc8e98919d41..0c4bf5c7eb43b1b428b1824a62f8fb8a213f3600 100644
--- a/molecule/default/INSTALL.rst
+++ b/molecule/resources/playbooks/INSTALL.rst
@@ -1,6 +1,6 @@
-*******
+*********************************
Vagrant driver installation guide
-*******
+*********************************
Requirements
============
@@ -20,4 +20,4 @@ widely recommended `'--user' flag`_ when invoking ``pip``.
.. code-block:: bash
- $ pip install 'molecule[vagrant]'
+ $ pip install 'molecule_vagrant'
diff --git a/molecule/resources/playbooks/README.md b/molecule/resources/playbooks/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..0c91883011699e3b0ec08bad9bcc19d201ef6331
--- /dev/null
+++ b/molecule/resources/playbooks/README.md
@@ -0,0 +1,3 @@
+This drectory contains shared playbooks and a shared Dockerfile.
+
+Visit https://molecule.readthedocs.io/en/latest/examples.html#sharing-across-scenarios for details on sharing playbooks, tests etc. across multiple scenarios.
diff --git a/molecule/resources/playbooks/converge.yml b/molecule/resources/playbooks/converge.yml
new file mode 100644
index 0000000000000000000000000000000000000000..ae3065159999c38e32455dc5c0d007859a3ba9ed
--- /dev/null
+++ b/molecule/resources/playbooks/converge.yml
@@ -0,0 +1,17 @@
+---
+- name: Converge
+ hosts: all
+ pre_tasks:
+ - name: update apt cache
+ ansible.builtin.apt:
+ update_cache: true
+ upgrade: dist
+ become: true
+ when: ansible_os_family == "Debian"
+ - name: update yum cache
+ ansible.builtin.yum:
+ update_cache: true
+ become: true
+ when: ansible_os_family == "RedHat"
+ roles:
+ - {role: "ansible_lza_bootstrap_rhel_server", become: true}
diff --git a/molecule/resources/playbooks/prepare.yml b/molecule/resources/playbooks/prepare.yml
new file mode 100644
index 0000000000000000000000000000000000000000..4288e3ef6a35d6e72d7de35e90d42b2a0ebc8f4f
--- /dev/null
+++ b/molecule/resources/playbooks/prepare.yml
@@ -0,0 +1,45 @@
+---
+- name: Prepare
+ hosts: "*"
+ tasks:
+ - name: add SLUB Debian Repository
+ block:
+ - name: install GPG
+ ansible.builtin.apt:
+ name: "gnupg"
+ state: latest
+ update_cache: true
+ become: true
+ - name: add GPG key for SLUB Debian repository
+ ansible.builtin.apt_key:
+ url: "https://sdvdebianrepo.slub-dresden.de/deb-repository/pub.gpg.key"
+ state: present
+ become: true
+ - name: add repo URL to sources.list
+ ansible.builtin.apt_repository:
+ repo: "deb https://sdvdebianrepo.slub-dresden.de/deb-repository bullseye main"
+ state: present
+ update_cache: true
+ mode: "0644"
+ become: true
+ when: ansible_os_family == "Debian"
+ - name: Increase disk size of created VM. The Rocky Linux 8 Vagrant image is too small to fit the IBMSP client on it, so we have to make room before running any tests.
+ block:
+ - name: install growpart
+ ansible.builtin.yum:
+ name: "cloud-utils-growpart"
+ become: true
+ - name: resize partition
+ ansible.builtin.command: "growpart /dev/sda 1"
+ register: growpart
+ changed_when: '"CHANGED:" in growpart.stdout'
+ failed_when:
+ - 'not "it cannot be grown" in growpart.stdout'
+ - 'not growpart.rc == 0'
+ become: true
+ - name: resize XFS filesystem
+ ansible.builtin.command: "xfs_growfs -d /"
+ register: growfs
+ changed_when: '"data blocks changed from" in growfs.stdout'
+ become: true
+ when: ansible_os_family == "RedHat"
diff --git a/molecule/resources/playbooks/verify.yml b/molecule/resources/playbooks/verify.yml
new file mode 100644
index 0000000000000000000000000000000000000000..e707420ab5c87edfa59c7805ce4534ff1b387177
--- /dev/null
+++ b/molecule/resources/playbooks/verify.yml
@@ -0,0 +1,10 @@
+---
+# This is an example playbook to execute Ansible tests.
+
+- name: Verify
+ hosts: all
+ gather_facts: false
+ tasks:
+ - name: Example assertion
+ ansible.builtin.assert:
+ that: true
diff --git a/molecule/virtualbox_centos7/molecule.yml b/molecule/virtualbox_centos7/molecule.yml
new file mode 100644
index 0000000000000000000000000000000000000000..bea3b5d87a9d5fa0af5c20713c675b9c573ceeda
--- /dev/null
+++ b/molecule/virtualbox_centos7/molecule.yml
@@ -0,0 +1,41 @@
+---
+dependency:
+ name: galaxy
+ enabled: false
+driver:
+ name: vagrant
+lint: |
+ set -e
+ yamllint .
+ ansible-lint -x no-loop-var-prefix,command-instead-of-module,package-latest
+platforms:
+ # Check out the documentation at
+ # https://github.com/ansible-community/molecule-vagrant#documentation
+ # for more platform parameters.
+ - name: vm-runner
+ box: centos/7
+ memory: 1024
+ # List of raw Vagrant `config` options.
+ # provider_raw_config_args:
+ # - "customize [ 'modifyvm', :id, '--natdnshostresolver1', 'on' ]"
+ # Dictionary of `config` options.
+ config_options:
+ ssh.keep_alive: yes
+ ssh.remote_user: "'lza'"
+provisioner:
+ name: ansible
+ log: true
+ config_options:
+ defaults:
+ # https://stackoverflow.com/questions/57435811/ansible-molecule-pass-multiple-vault-ids
+ # vault_identity_list: "@$HOME/.ansible/roles/lza_install_common.pass, @$HOME/.ansible/roles/passfile_1.pass"
+ vault_identity_list: "../lza_bootstrap_rhel_server.pass"
+ vvv: false
+ playbooks:
+ # create: ../resources/playbooks/create.yml
+ # destroy: ../resources/playbooks/destroy.yml
+ converge: ../resources/playbooks/converge.yml
+ # prepare: ../resources/playbooks/prepare.yml
+ verify: ../resources/playbooks/verify.yml
+verifier:
+ name: ansible
diff --git a/molecule/virtualbox_rocky8/molecule.yml b/molecule/virtualbox_rocky8/molecule.yml
new file mode 100644
index 0000000000000000000000000000000000000000..78e22c55f70c9832688340ad09315306306e4211
--- /dev/null
+++ b/molecule/virtualbox_rocky8/molecule.yml
@@ -0,0 +1,42 @@
+---
+dependency:
+ name: galaxy
+ enabled: false
+driver:
+ name: vagrant
+lint: |
+ set -e
+ yamllint .
+ ansible-lint -x no-loop-var-prefix,command-instead-of-module,package-latest
+platforms:
+ # Check out the documentation at
+ # https://github.com/ansible-community/molecule-vagrant#documentation
+ # for more platform parameters.
+ - name: mol-lza-bootstrap-rocky8
+ box: rockylinux/8
+ memory: 1024
+ # List of raw Vagrant `config` options.
+ # provider_raw_config_args:
+ # - "customize [ 'modifyvm', :id, '--natdnshostresolver1', 'on' ]"
+ # Dictionary of `config` options.
+ config_options:
+ ssh.keep_alive: yes
+ ssh.remote_user: "'lza'"
+ disksize.size: '10GB'
+provisioner:
+ name: ansible
+ log: true
+ config_options:
+ defaults:
+ # https://stackoverflow.com/questions/57435811/ansible-molecule-pass-multiple-vault-ids
+ # vault_identity_list: "@$HOME/.ansible/roles/lza_install_common.pass, @$HOME/.ansible/roles/passfile_1.pass"
+ vault_identity_list: "../lza_bootstrap_rhel_server.pass"
+ vvv: false
+ playbooks:
+ # create: ../resources/playbooks/create.yml
+ # destroy: ../resources/playbooks/destroy.yml
+ converge: ../resources/playbooks/converge.yml
+ prepare: ../resources/playbooks/prepare.yml
+ verify: ../resources/playbooks/verify.yml
+verifier:
+ name: ansible
diff --git a/requirements.yml b/requirements.yml
deleted file mode 100644
index 629afa7cdabb7ba183d46541ba7ae16c4b759afc..0000000000000000000000000000000000000000
--- a/requirements.yml
+++ /dev/null
@@ -1,10 +0,0 @@
----
-# https://docs.ansible.com/ansible/latest/galaxy/user_guide.html#installing-multiple-roles-from-a-file
-- src: git+https://git.slub-dresden.de/digital-preservation/ansible_lza_install_common.git
- scm: git
-- src: git+https://git.slub-dresden.de/digital-preservation/ansible_lza_server_hardening.git
- scm: git
-- src: git+https://git.slub-dresden.de/digital-preservation/ansible_slub_osquery.git
- scm: git
-#- src: git+
-# scm: git
diff --git a/tasks/configure_repos.yml b/tasks/configure_repos.yml
index b9bc45205f841e830f78fd52be82043add82420b..45bc439e851e1987a1f4b885870c20104c8b5b17 100644
--- a/tasks/configure_repos.yml
+++ b/tasks/configure_repos.yml
@@ -2,24 +2,37 @@
# Systems have to be subscribed with RedHat in order to be able to use software
# repositories, install software and receive updates/support.
- name: subscribe system with RedHat
- redhat_subscription:
+ community.general.redhat_subscription:
state: present
username: "{{ vault_rhel_username }}"
password: "{{ vault_rhel_password }}"
auto_attach: true
+ # We cannot test this in Molecule, because subscribing requires a valid
+ # license, which we don't have.
+ tags: [molecule-notest]
- name: activate RHEL repos
- rhsm_repository:
+ community.general.rhsm_repository:
name: "{{ item }}"
state: enabled
loop:
- "rhel-7-server-optional-rpms"
- "rhel-7-server-rh-common-rpms"
- "rhel-7-server-extras-rpms"
+ # We cannot test this in Molecule because this can only be done on systems
+ # with a valid subscription (see previous task).
+ tags: [molecule-notest]
+
+- name: install additional GPG keys
+ ansible.builtin.rpm_key:
+ key: "{{ item }}"
+ loop:
+ # EPEL
+ - "https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-{{ ansible_distribution_major_version }}"
# Additional software is made available through the EPEL (Extra Packages for
# Enterprise Linux) repository, which is managed by the Fedora Special Interest
# Group of the same name.
- name: activate EPEL repos
- yum:
- name: "https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm"
+ ansible.builtin.yum:
+ name: "https://dl.fedoraproject.org/pub/epel/epel-release-latest-{{ ansible_distribution_major_version }}.noarch.rpm"
state: installed
diff --git a/tasks/configure_ssh_client.yml b/tasks/configure_ssh_client.yml
index 65921a23ff0ab87c252593c7602f0ab6283cbff6..8aff3f3a844671fa64ad6704166d6da1a5bc5ff5 100644
--- a/tasks/configure_ssh_client.yml
+++ b/tasks/configure_ssh_client.yml
@@ -1,6 +1,6 @@
---
- name: add SSH key
- authorized_key:
+ ansible.builtin.authorized_key:
comment: "{{ item.ssh_comment | default(omit) }}"
key: "{{ item.ssh_key }}"
user: "{{ item.name }}"
diff --git a/tasks/configure_users.yml b/tasks/configure_users.yml
index 8207a2178045a59f7f8c63caab7b1b35d921fa56..9b681227f2ff653af1d4b8dfbec003f37bc695fb 100644
--- a/tasks/configure_users.yml
+++ b/tasks/configure_users.yml
@@ -1,11 +1,11 @@
---
- name: create groups
- group:
- name: sudo
+ ansible.builtin.group:
+ name: "sudo"
system: true
- name: create users
- user:
+ ansible.builtin.user:
name: "{{ item.name }}"
uid: "{{ item.uid | default(omit) }}"
comment: "{{ item.comment | default(omit) }}"
@@ -14,9 +14,10 @@
groups: "sudo"
shell: "{{ item.shell | default('/bin/bash') }}"
loop: "{{ vault_users }}"
+ no_log: true
- name: grant sudo
- blockinfile:
+ ansible.builtin.blockinfile:
path: "/etc/sudoers.d/group_sudo"
create: true
owner: "root"
diff --git a/tasks/install_tsm_client.yml b/tasks/install_tsm_client.yml
index 27b2e031096f13f630ab4bfa5067903ab102b518..5255c502488e2c2bd77a204e302c2d31b4eb48bf 100644
--- a/tasks/install_tsm_client.yml
+++ b/tasks/install_tsm_client.yml
@@ -1,47 +1,103 @@
---
-- name: download IBM TSM Client setup checksum file
- get_url:
+- name: Download IBM TSM Client setup checksum file.
+ ansible.builtin.get_url:
url: "https://public.dhe.ibm.com/storage/tivoli-storage-management/maintenance/client/v8r1/Linux/LinuxX86/BA/{{ tsm_version_short | default(tsm_default_version_short) }}/{{ tsm_version_long | default(tsm_default_version_long) }}.0-TIV-TSMBAC-LinuxX86.tar.sha256sum.txt"
dest: "/tmp/"
+ mode: "0644"
delegate_to: 127.0.0.1
-- name: extract IBM TSM Client setup archive checksum from file
- set_fact:
+- name: >
+ Extract IBM TSM Client setup archive checksum from file. We want to use
+ this info later to verify the integrity of our download.
+ ansible.builtin.set_fact:
tsm_checksum: "{{ lookup('file', '/tmp/'+ tsm_version_long | default(tsm_default_version_long) +'.0-TIV-TSMBAC-LinuxX86.tar.sha256sum.txt').split(' ')[0] | lower }}"
-- name: download IBM TSM Client setup files
- get_url:
+
+
+- name: >
+ Check if IBM TSM Client setup file has already been downloaded. If it has,
+ we can skip the next step, which might otherwise take very long.
+ ansible.builtin.stat:
+ path: "/tmp/{{ tsm_version_long | default(tsm_default_version_long) }}.0-TIV-TSMBAC-LinuxX86.tar"
+ checksum_algorithm: "sha256"
+ register: ibmsp_tar
+
+- name: >
+ Download IBM TSM Client setup file. (Be patient, IBM doesn't want to give
+ us appropriate download speeds. This will take about 6 minutes.)
+ ansible.builtin.get_url:
url: "https://public.dhe.ibm.com/storage/tivoli-storage-management/maintenance/client/v8r1/Linux/LinuxX86/BA/{{ tsm_version_short | default(tsm_default_version_short) }}/{{ tsm_version_long | default(tsm_default_version_long) }}.0-TIV-TSMBAC-LinuxX86.tar"
dest: "/tmp/"
+ mode: "0644"
checksum: "sha256:{{ tsm_checksum | default(omit) }}"
+ when: (( not ibmsp_tar.stat.exists ) or
+ ( not ibmsp_tar.stat.checksum == tsm_checksum ))
+
+
- name: create temporary extraction dir
- file:
- path: "/tmp/tsm/"
+ ansible.builtin.file:
+ path: "/tmp/tsm/{{ tsm_version_short | default(tsm_default_version_short) }}/"
state: directory
+ mode: "0755"
- name: extract IBM TSM Client setup files
- unarchive:
+ ansible.builtin.unarchive:
src: "/tmp/{{ tsm_version_long | default(tsm_default_version_long) }}.0-TIV-TSMBAC-LinuxX86.tar"
- dest: "/tmp/tsm/"
- copy: false
+ dest: "/tmp/tsm/{{ tsm_version_short | default(tsm_default_version_short) }}/"
+ remote_src: true
+ owner: "root"
+ group: "root"
+
+- name: >
+ Install GPG keys for IBMSP and GSKit. They can't be grabbed online, so we
+ have to use the files that come with the tar archive.
+ ansible.builtin.rpm_key:
+ key: "/tmp/tsm/{{ tsm_version_short | default(tsm_default_version_short) }}/{{ item }}"
+ loop:
+ - "GSKit.pub2.pgp"
+ - "RPM-GPG-KEY-ibmpkg"
-# https://www.ibm.com/support/knowledgecenter/SSEQVQ_8.1.12/client/t_inst_linuxx86client.html
+
+
+- name: >
+ Find all extracted RPM packages, so we don't have to hardcode their names.
+ That's cool, because some of them contain version numbers that we don't
+ want to constantly keep updated. Also, passing a list to
+ ansible.builtin.yum later on is much faster than looping through the
+ packages individually, and it saves us from dependency hell.
+ ansible.builtin.find:
+ path: "/tmp/tsm/{{ tsm_version_short | default(tsm_default_version_short) }}/"
+ pattern: "*.rpm"
+ register: rpm_packages
+ failed_when: rpm_packages.matched == 0
+
+# NOTE:
+# - We need to install 'lsof' along with those, because it's a requirement
+# for 'TIVsm-WebUI', but doesn't seem to get resolved correctly. The
+# workaround is to install it separately first to satisfy the dependency.
+# Only then we use the second loop iteration to install the rest of the
+# packages.
+# - We remove the 'TIVsm-JBB.x86_64.rpm' package from the list of install
+# candidates, because we don't need it and it requires 'TIVsm-filepath',
+# which we would have to compile on our own. So that's a big NOPE!
+# OFFICIAL IBM INSTALL DOCUMENTATION:
+# - https://www.ibm.com/support/knowledgecenter/SSEQVQ_8.1.15/client/t_inst_linuxx86client.html
+# - https://www.ibm.com/docs/en/spectrum-protect/8.1.15?topic=clients-installing-linux-x86-64-client
+# LIST CREATION MAGIC STOLEN FROM:
+# - https://stackoverflow.com/a/62197473
+# - https://stackoverflow.com/a/60721624
- name: install IBM TSM Client
- yum:
- name: [
- '/tmp/tsm/gskcrypt64-8.0.55.21.linux.x86_64.rpm',
- '/tmp/tsm/gskssl64-8.0.55.21.linux.x86_64.rpm',
- '/tmp/tsm/TIVsm-API64.x86_64.rpm',
- '/tmp/tsm/TIVsm-APIcit.x86_64.rpm',
- '/tmp/tsm/TIVsm-BA.x86_64.rpm',
- '/tmp/tsm/TIVsm-BAcit.x86_64.rpm',
- '/tmp/tsm/TIVsm-BAhdw.x86_64.rpm'
- ]
- become: true
+ ansible.builtin.yum:
+ name: "{{ item }}"
+ loop:
+ - "lsof"
+ - "{{ rpm_packages.files | json_query('[*].path') | reject('match', '.*TIVsm-JBB.x86_64.rpm') | list | flatten }}"
+
+
- name: make sure IBM Spectrum Protect backup service is active and running
- systemd:
+ ansible.builtin.systemd:
name: "dsmcad.service"
enabled: true
become: true
diff --git a/tasks/main.yml b/tasks/main.yml
index 0fce7cea555fe6e0a7dd2ed449c7b929862b80e1..c4b64bb01a8b959bb0bae86abf75305bf4168275 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,24 +1,24 @@
---
# tasks file for ansible_lza_bootstrap_rhel_server
- name: include Ansible Vaults
- include_vars: "{{ role_path }}/../ansible_vaults/{{ role_name }}/{{ item }}"
+ ansible.builtin.include_vars: "{{ role_path }}/../ansible_vaults/{{ role_name }}/{{ item }}"
loop:
- "redhat.vault"
- "users.vault"
tags: [always]
- name: create users
- import_tasks: configure_users.yml
+ ansible.builtin.import_tasks: configure_users.yml
tags: [users]
- name: prepare SSH access
- import_tasks: configure_ssh_client.yml
+ ansible.builtin.import_tasks: configure_ssh_client.yml
tags: [ssh]
- name: activate software repositories
- import_tasks: configure_repos.yml
+ ansible.builtin.import_tasks: configure_repos.yml
tags: [repos]
- name: install IBM Spectrum Protect Backup Client (formerly IBM TSM Client)
- import_tasks: install_tsm_client.yml
+ ansible.builtin.import_tasks: install_tsm_client.yml
tags: [tsm, ibmsp, backup]
diff --git a/vars/main.yml b/vars/main.yml
index 3d0825fb0dcbe4b0f6dd4285b216aaefc9faf086..2abcf30b97b3447a00c76980ad9e066b88871606 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -1,5 +1,5 @@
---
# vars file for ansible_lza_bootstrap_rhel_server
-tsm_version_short: "v8112"
-tsm_version_long: "8.1.12"
+tsm_version_short: "v8115"
+tsm_version_long: "8.1.15"