From 6f80b749f52f0f122a2db1545c7e7a479efbd6f9 Mon Sep 17 00:00:00 2001
From: Alex Schultz
Date: Fri, 24 Jul 2020 12:49:48 -0600
Subject: [PATCH] Make tripleo_sshd more idempontent
This change updates the sshd configuration to occur once rather than using lineinfile after writing out the template. This should improve idempontency because we won't be munging a file we wrote out with a template. Additionally this change switches from using handlers to an explicit task instead.
Change-Id: Ib53c0dffca24c3aff206911dcada1d27b4351f1b
---
 .../roles/tripleo_sshd/handlers/main.yml | 23 ----
 .../roles/tripleo_sshd/tasks/main.yml | 101 ++++++++++--------
 2 files changed, 55 insertions(+), 69 deletions(-)
 delete mode 100644 tripleo_ansible/roles/tripleo_sshd/handlers/main.yml
diff --git a/tripleo_ansible/roles/tripleo_sshd/handlers/main.yml b/tripleo_ansible/roles/tripleo_sshd/handlers/main.yml
deleted file mode 100644
index ff9c1cbee..000000000
--- a/tripleo_ansible/roles/tripleo_sshd/handlers/main.yml
+++ /dev/null
@@ -1,23 +0,0 @@
----
-# Copyright 2019 Red Hat, Inc.
-# All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-- name: Restart sshd
- systemd:
- name: sshd
- state: restarted
- enabled: true
- become: true
- tags:
- - handler
diff --git a/tripleo_ansible/roles/tripleo_sshd/tasks/main.yml b/tripleo_ansible/roles/tripleo_sshd/tasks/main.yml
index d49820e8d..d05528d78 100644
--- a/tripleo_ansible/roles/tripleo_sshd/tasks/main.yml
+++ b/tripleo_ansible/roles/tripleo_sshd/tasks/main.yml
@@ -36,19 +36,18 @@
 package:
 name: "{{ tripleo_sshd_packages }}"
 state: "{{ tripleo_sshd_package_state }}"
- notify:
- - Restart sshd
+ register: _sshd_install_result
- - name: Flush all handlers
- meta: flush_handlers
-
- - name: Adjust ssh server configuration
- template:
- dest: /etc/ssh/sshd_config
- src: sshd_config_block.j2
- validate: '/usr/sbin/sshd -T -f %s'
- notify:
- - Restart sshd
+ # NOTE(mwhahaha): we need this here because in order to validate our generated
+ # config, we need to ensure the host keys exists which happens on initial
+ # startup
+ - name: Start sshd
+ systemd:
+ name: sshd
+ state: restarted
+ enabled: true
+ when:
+ - _sshd_install_result.changed
 - name: PasswordAuthentication notice
 debug:
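Review bot: The `Start sshd` task only fires when the package task reports a change, but the NOTE says its purpose is to have host keys present before the later `sshd -T -f` validation, and an image with the package pre-installed but never started has neither a package change nor host keys, so the validation would fail there; keying the condition on the host keys (a `stat` of the `/etc/ssh/ssh_host_*_key` files) or running the task unconditionally with `state: started` would make the validation reliable. `state: started` also matches the task name and avoids an unnecessary restart when the package was merely upgraded. The deleted handler carried `become: true` while this task does not; if the enclosing block, whose header is outside this hunk, does not set `become`, the systemd call fails without privileges. The same applies to the `Restart sshd` task in the last hunk.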
@@ -62,15 +61,25 @@
 - (tripleo_sshd_password_authentication != 'no') and not ('PermitRootLogin' in tripleo_sshd_server_options)
- - name: Adjust ssh server auth configuration
- lineinfile:
- path: /etc/ssh/sshd_config
- state: present
- regexp: '^#?PasswordAuthentication.*'
- line: 'PasswordAuthentication {{ tripleo_sshd_password_authentication }}'
- validate: '/usr/sbin/sshd -T -f %s'
- notify:
- - Restart sshd
+ - name: PasswordAuthentication duplication notice
+ debug:
+ msg: >-
+ WARNING - The PasswordAuthentication has been configured in
+ `tripleo_sshd_server_options` but the values are different.
+ The `tripleo_sshd_password_authentication` value will be used.
+ when:
+ - ('PasswordAuthentication' in tripleo_sshd_server_options and
+ tripleo_sshd_password_authentication != tripleo_sshd_server_options['PasswordAuthentication'])
+
+ - name: Motd duplication notice
+ debug:
+ msg: >-
+ WARNING - The Banner or PrintMotd has been configured in
+ `tripleo_sshd_server_options`. These options may be ignored and
+ configured using values from `tripleo_sshd_banner_enabled` and
+ `tripleo_sshd_motd_enabled`
+ when:
+ - ('Banner' in tripleo_sshd_server_options or 'PrintMotd' in tripleo_sshd_server_options)
 - name: Configure the banner text
 copy:
@@ -79,18 +88,6 @@
 when:
 - tripleo_sshd_banner_enabled | bool
- - name: Adjust ssh server banner configuration
- lineinfile:
- path: /etc/ssh/sshd_config
- state: present
- regexp: '^#?Banner.*'
- line: 'Banner /etc/issue'
- validate: '/usr/sbin/sshd -T -f %s'
- when:
- - tripleo_sshd_banner_enabled | bool
- notify:
- - Restart sshd
-
 - name: Configure the motd banner
 copy:
 content: "{{ tripleo_sshd_message_of_the_day }}"
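Review bot: The `Motd duplication notice` tells the operator the `Banner`/`PrintMotd` entries "may be ignored", but the `set_fact` in the last hunk overwrites them only when `tripleo_sshd_banner_enabled` or `tripleo_sshd_motd_enabled` is true and leaves a user-supplied value in place otherwise, so the message should say what actually happens, e.g. `These options are overridden when tripleo_sshd_banner_enabled / tripleo_sshd_motd_enabled is set.` The `PasswordAuthentication duplication notice` compares the two values raw; the surrounding condition treats `tripleo_sshd_password_authentication` as the string `'no'`, so an unquoted `no` under `tripleo_sshd_server_options` (parsed as a YAML boolean) would raise a spurious warning, which `| string` on both operands avoids. Both notices are plain `debug` output, so a user's hardening value being replaced by `tripleo_sshd_password_authentication` is visible only in the play log; that precedence rule belongs in the role documentation as well. The enclosing block starts outside this hunk.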
@@ -98,17 +95,29 @@
 when:
 - tripleo_sshd_motd_enabled | bool
- - name: Adjust ssh server motd configuration
- lineinfile:
- path: /etc/ssh/sshd_config
- state: present
- regexp: '^#?PrintMotd.*'
- line: 'PrintMotd yes'
- validate: '/usr/sbin/sshd -T -f %s'
- when:
- - tripleo_sshd_motd_enabled | bool
- notify:
- - Restart sshd
+ - name: Update sshd configuration options from vars
+ set_fact:
+ tripleo_sshd_server_options: |-
+ {% set _ = tripleo_sshd_server_options.__setitem__('PasswordAuthentication', tripleo_sshd_password_authentication) %}
+ {% if tripleo_sshd_banner_enabled %}
+ {% set _ = tripleo_sshd_server_options.__setitem__('Banner', '/etc/issue') %}
+ {% endif %}
+ {% if tripleo_sshd_motd_enabled %}
+ {% set _ = tripleo_sshd_server_options.__setitem__('PrintMotd', 'yes') %}
+ {% endif %}
+ {{ tripleo_sshd_server_options }}
-- name: Flush all handlers
- meta: flush_handlers
+ - name: Adjust ssh server configuration
+ template:
+ dest: /etc/ssh/sshd_config
+ src: sshd_config_block.j2
+ validate: '/usr/sbin/sshd -T -f %s'
+ register: _sshd_config_result
+
+ - name: Restart sshd
+ systemd:
+ name: sshd
+ state: restarted
+ enabled: true
+ when:
+ - _sshd_config_result.changed
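Review bot: The `Update sshd configuration options from vars` task mutates `tripleo_sshd_server_options` in place through Jinja `__setitem__` and then relies on Ansible converting the block scalar's rendered `{{ tripleo_sshd_server_options }}` back into a dict; the in-place mutation changes the original variable object (if that dict is shared, e.g. as a role default, one host's values can leak into another's — this depends on how the variable is defined) and the string round-trip depends on Ansible's container-looking-string conversion rather than on a real dict. Building the merged dict with `combine`, as sketched below, removes both the side effect and the round-trip while producing the same keys. Separately, the `Adjust ssh server configuration` template sets no `owner`, `group` or `mode`, so `/etc/ssh/sshd_config` keeps whatever permissions the existing file has (or the umask on a fresh file); `owner: root`, `group: root` and `mode: '0600'` would pin them, which matters for a file that now carries the whole policy. `Restart sshd` drops the `become: true` the removed handler had; if the enclosing block (header outside this hunk) does not set it, the restart fails without privileges.
```yaml
- name: Update sshd configuration options from vars
  set_fact:
    tripleo_sshd_server_options: >-
      {{ tripleo_sshd_server_options
         | combine({'PasswordAuthentication': tripleo_sshd_password_authentication})
         | combine({'Banner': '/etc/issue'} if tripleo_sshd_banner_enabled | bool else {})
         | combine({'PrintMotd': 'yes'} if tripleo_sshd_motd_enabled | bool else {}) }}
# … unchanged: Adjust ssh server configuration template task, Restart sshd task …
```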