Fix security role gate

This patch includes three manual backports to fix the stable/ocata gate jobs. It disables ClamAV auto updates, temporarily disables installation of ClamAV in the gate, and cleans up the func_rhel7 job from tox.ini. Combined backport of: I44c2e089ff6175b3004ef7f6713622ac615bf6db Ifbfc56ed5fe92887cf5beb6b2703fdc3e1c8bb05 I39cfcc102bc98895823b4de9df930e6f273aaf15 Change-Id: Ieb0a1bb0acd1172600e23555babf66d6bb940a29
2017-05-16 14:14:28 -05:00 · 2017-05-16 14:14:28 -05:00 · 3a2486f51b
parent c58c839f9c
commit 3a2486f51b
5 changed files with 9 additions and 15 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -548,6 +548,8 @@ security_rhel7_enable_linux_security_module: yes             # RHEL-07-020210 /
 security_rhel7_disable_autofs: yes                           # RHEL-07-020161
 # Enable virus scanning with clamav
 security_enable_virus_scanner: no                            # RHEL-07-030810
+# Run the virus scanner update during the deployment (if scanner is deployed)
+security_run_virus_scanner_update: yes
 # Disable ctrl-alt-delete key sequence on the console.
 security_rhel7_disable_ctrl_alt_delete: yes                  # RHEL-07-020220
 # Install and enable firewalld for iptables management.
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -31,7 +31,7 @@
    tags:
      - always

-  - name: Check to see if we're booting with EFI/UEFI
+  - name: Check to see if we are booting with EFI or UEFI
    set_fact:
      booted_with_efi: "{{ ansible_mounts | selectattr('mount', 'equalto', '/boot/efi') | list | length > 0 }}"
    tags:
--- a/tasks/rhel7stig/misc.yml
+++ b/tasks/rhel7stig/misc.yml
@ -188,6 +188,7 @@
  when:
    - clamav_install_check.stat.exists
    - security_enable_virus_scanner | bool
+    - security_run_virus_scanner_update | bool
  async: 300
  poll: 5
  tags:
--- a/tests/test.yml
+++ b/tests/test.yml
@ -86,7 +86,11 @@
    security_unattended_upgrades_enabled: "{{ (ansible_os_family | lower == 'debian') | ternary(true, false) }}"
    security_unattended_upgrades_notifications: "{{ (ansible_os_family | lower == 'debian') | ternary(true, false) }}"
    security_rhel7_automatic_package_updates: "{{ (ansible_os_family | lower == 'debian') | ternary(true, false) }}"
-    security_enable_virus_scanner: yes
+    # NOTE(mhayden): clamav is only available if EPEL is installed. There needs
+    # to be some work done to figure out how to install EPEL for use with
+    # this role without causing disruptions on the system.
+    security_enable_virus_scanner: no
+    security_run_virus_scanner_update: no
    security_search_for_invalid_owner: yes
    security_search_for_invalid_group_owner: yes
    security_enable_firewalld: yes
--- a/tox.ini
+++ b/tox.ini
@ -114,19 +114,6 @@ commands =
    {[testenv:tests_clone]commands}
    bash -c "{toxinidir}/tests/common/test-ansible-functional.sh"

-# NOTE(mhayden): This should be removed once upstream gating is using the
-#                func_rhel6 test below.
-[testenv:func_rhel7]
-deps =
-    {[testenv:ansible]deps}
-setenv =
-    {[testenv]setenv}
-    # NOTE(mhayden): Disabling chrony since it causes conflicts in CI.
-    ANSIBLE_PARAMETERS=-e stig_version=rhel6 --skip-tags V-38462,V-38660 -e security_enable_chrony=no
-commands =
-    {[testenv:tests_clone]commands}
-    bash -c "{toxinidir}/tests/common/test-ansible-functional.sh"
-
 [testenv:func_rhel6]
 deps =
    {[testenv:ansible]deps}