import missing logic from puppet manifests
The sshd role now implements the existing logic found within the legacy puppet manifest. This change will ensure our ssh configs are managed in the same way as before, with the same user interface, resulting in the same functional outcomes. A new molecule test has been added to ensure we're exercising all available code paths. This new test will run through our banner and motd configuration options. Change-Id: I68a12c0992455c5a9dc3362b8121151235f409a2 Signed-off-by: Kevin Carter <kecarter@redhat.com>
parent
2f6cc5cdff
commit
578962e83f
|
@ -28,3 +28,23 @@ tripleo_sshd_banner_enabled: false
|
|||
|
||||
# SSH configuration options
|
||||
tripleo_sshd_password_authentication: 'no'
|
||||
|
||||
tripleo_sshd_server_options:
|
||||
HostKey:
|
||||
- '/etc/ssh/ssh_host_rsa_key'
|
||||
- '/etc/ssh/ssh_host_ecdsa_key'
|
||||
- '/etc/ssh/ssh_host_ed25519_key'
|
||||
SyslogFacility: 'AUTHPRIV'
|
||||
AuthorizedKeysFile: '.ssh/authorized_keys'
|
||||
ChallengeResponseAuthentication: 'no'
|
||||
GSSAPIAuthentication: 'yes'
|
||||
GSSAPICleanupCredentials: 'no'
|
||||
UsePAM: 'yes'
|
||||
UseDNS: 'no'
|
||||
X11Forwarding: 'yes'
|
||||
AcceptEnv:
|
||||
- 'LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES'
|
||||
- 'LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT'
|
||||
- 'LC_IDENTIFICATION LC_ALL LANGUAGE'
|
||||
- 'XMODIFIERS'
|
||||
Subsystem: 'sftp /usr/libexec/openssh/sftp-server'
|
||||
|
|
|
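Review bot: The new `tripleo_sshd_server_options` mapping carries no comment saying how it is consumed, and the tasks and template hunks below suggest every key/value pair is written verbatim into /etc/ssh/sshd_config, so an operator reading this file cannot tell that a key set here overrides the distro setting while a key left out falls back to sshd's compiled-in default. Several of these defaults are security-relevant choices rather than hardening decisions — `X11Forwarding: 'yes'`, `GSSAPIAuthentication: 'yes'`, and no `PermitRootLogin` entry at all — and the commit description attributes them to the legacy puppet manifest; a comment above the mapping such as `# Mirrors the legacy puppet manifest. Each key/value is rendered verbatim into sshd_config; keys omitted here (e.g. PermitRootLogin) take sshd's built-in default.` would make that explicit. Quoting `'yes'`/`'no'` throughout is correct, since unquoted they would be parsed as YAML booleans and rendered as True/False. The defaults file continues above this hunk, so I cannot see whether `tripleo_sshd_password_authentication` is already documented there.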
@ -0,0 +1,37 @@
|
|||
# Molecule managed
|
||||
# Copyright 2019 Red Hat, Inc.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
|
||||
{% if item.registry is defined %}
|
||||
FROM {{ item.registry.url }}/{{ item.image }}
|
||||
{% else %}
|
||||
FROM {{ item.image }}
|
||||
{% endif %}
|
||||
|
||||
RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get install -y python sudo bash ca-certificates && apt-get clean; \
|
||||
elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python sudo python-devel python*-dnf bash {{ item.pkg_extras | default('') }} && dnf clean all; \
|
||||
elif [ $(command -v yum) ]; then yum makecache fast && yum install -y python sudo yum-plugin-ovl python-setuptools bash {{ item.pkg_extras | default('') }} && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \
|
||||
elif [ $(command -v zypper) ]; then zypper refresh && zypper install -y python sudo bash python-xml {{ item.pkg_extras | default('') }} && zypper clean -a; \
|
||||
elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates {{ item.pkg_extras | default('') }}; \
|
||||
elif [ $(command -v xbps-install) ]; then xbps-install -Syu && xbps-install -y python sudo bash ca-certificates {{ item.pkg_extras | default('') }} && xbps-remove -O; fi
|
||||
|
||||
{% for pkg in item.easy_install | default([]) %}
|
||||
# install pip for centos where there is no python-pip rpm in default repos
|
||||
RUN easy_install {{ pkg }}
|
||||
{% endfor %}
|
||||
|
||||
|
||||
CMD ["sh", "-c", "while true; do sleep 10000; done"]
|
|
@ -0,0 +1,68 @@
|
|||
---
|
||||
driver:
|
||||
name: docker
|
||||
|
||||
log: true
|
||||
|
||||
platforms:
|
||||
- name: centos7
|
||||
hostname: centos7
|
||||
image: centos:7
|
||||
dockerfile: Dockerfile
|
||||
pkg_extras: python-setuptools
|
||||
easy_install:
|
||||
- pip
|
||||
environment: &env
|
||||
http_proxy: "{{ lookup('env', 'http_proxy') }}"
|
||||
https_proxy: "{{ lookup('env', 'https_proxy') }}"
|
||||
command: /sbin/init
|
||||
tmpfs:
|
||||
- /run
|
||||
- /tmp
|
||||
capabilities:
|
||||
- ALL # CENT7 requires all due to the age of the software
|
||||
volumes:
|
||||
- /run/udev:/run/udev:ro
|
||||
- /sys/fs/cgroup:/sys/fs/cgroup:ro
|
||||
|
||||
- name: fedora28
|
||||
hostname: fedora28
|
||||
image: fedora:28
|
||||
dockerfile: Dockerfile
|
||||
pkg_extras: python*-setuptools
|
||||
environment:
|
||||
http_proxy: "{{ lookup('env', 'http_proxy') }}"
|
||||
https_proxy: "{{ lookup('env', 'https_proxy') }}"
|
||||
command: /sbin/init
|
||||
privileged: true
|
||||
tmpfs:
|
||||
- /run
|
||||
- /tmp
|
||||
capabilities:
|
||||
- SYS_ADMIN
|
||||
volumes:
|
||||
- /run/udev:/run/udev:ro
|
||||
- /sys/fs/cgroup:/sys/fs/cgroup:ro
|
||||
|
||||
provisioner:
|
||||
name: ansible
|
||||
log: true
|
||||
env:
|
||||
ANSIBLE_STDOUT_CALLBACK: yaml
|
||||
|
||||
scenario:
|
||||
test_sequence:
|
||||
- destroy
|
||||
- create
|
||||
- prepare
|
||||
- converge
|
||||
- verify
|
||||
- destroy
|
||||
|
||||
lint:
|
||||
enabled: false
|
||||
|
||||
verifier:
|
||||
name: testinfra
|
||||
lint:
|
||||
name: flake8
|
|
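Review bot: The anchor `environment: &env` on the centos7 platform is defined but never aliased — the fedora28 platform repeats the same two proxy keys verbatim instead of writing `environment: *env` — so either reference it or drop the `&env` to avoid a dangling anchor. Both platforms run with elevated privileges (`capabilities: - ALL` on centos7, `privileged: true` plus `SYS_ADMIN` on fedora28) and bind-mount `/run/udev` and `/sys/fs/cgroup`; the centos7 entry has an inline comment explaining why, but fedora28 has none, and a comment such as `# privileged + SYS_ADMIN: presumably required for /sbin/init as PID 1 — confirm` would document the intent for anyone tightening the CI sandbox later. `lint: enabled: false` switches off scenario linting, which is worth a one-line comment if it is deliberate rather than a leftover.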
@ -0,0 +1,23 @@
|
|||
---
|
||||
# Copyright 2019 Red Hat, Inc.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
|
||||
- name: Converge
|
||||
hosts: all
|
||||
roles:
|
||||
- name: tripleo-sshd
|
||||
tripleo_sshd_motd_enabled: true
|
||||
tripleo_sshd_banner_enabled: true
|
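Review bot: The role entry passes `tripleo_sshd_motd_enabled: true` and `tripleo_sshd_banner_enabled: true` as bare keys on the role item, whereas the other molecule playbook touched in this commit passes role variables under `vars:`; both forms are accepted, but they sit at different points in Ansible's variable precedence, so picking one form across scenarios keeps the tests predictable. Suggest `vars:` with the two keys nested under it, matching the sibling playbook. The play sets no `become`, so it relies on the container user already being root for writes to /etc/ssh/sshd_config and /etc/motd — fine for these images, but a short comment would save the next reader a guess.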
|
@ -19,8 +19,3 @@
|
|||
hosts: all
|
||||
roles:
|
||||
- name: tripleo-sshd
|
||||
vars:
|
||||
tripleo_sshd_install: true
|
||||
post_tasks:
|
||||
- name: End the playbook before the systemd handler runs to restart sshd
|
||||
meta: end_play
|
||||
|
|
|
@ -39,17 +39,36 @@
|
|||
notify:
|
||||
- Restart sshd
|
||||
|
||||
- name: force systemd to reread configs
|
||||
- name: Flush all handlers
|
||||
meta: flush_handlers
|
||||
|
||||
- name: Adjust ssh server configuration
|
||||
blockinfile:
|
||||
template:
|
||||
dest: /etc/ssh/sshd_config
|
||||
state: present
|
||||
marker: "# {mark} MANAGED BY TRIPLEO-ANSIBLE"
|
||||
insertafter: "EOF"
|
||||
src: sshd_config_block.j2
|
||||
validate: '/usr/sbin/sshd -T -f %s'
|
||||
notify:
|
||||
- Restart sshd
|
||||
|
||||
- name: PasswordAuthentication notice
|
||||
debug:
|
||||
msg: >-
|
||||
Notice - The option `tripleo_sshd_password_authentication` is set to
|
||||
"{{ tripleo_sshd_password_authentication }}" but `PermitRootLogin` is
|
||||
undefined. While this may be perfectly valid, the sshd_config options
|
||||
should be reviewed to ensure general user access is functional and
|
||||
meeting expectations.
|
||||
when:
|
||||
- (tripleo_sshd_password_authentication != 'no') and
|
||||
not (PermitRootLogin in tripleo_sshd_server_options)
|
||||
|
||||
- name: Adjust ssh server auth configuration
|
||||
lineinfile:
|
||||
path: /etc/ssh/sshd_config
|
||||
state: present
|
||||
regexp: '^#?PasswordAuthentication.*'
|
||||
line: 'PasswordAuthentication {{ tripleo_sshd_password_authentication }}'
|
||||
validate: '/usr/sbin/sshd -T -f %s'
|
||||
block: "{{ lookup('template', 'sshd_config_block.j2') }}"
|
||||
notify:
|
||||
- Restart sshd
|
||||
|
||||
|
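Review bot: In the `PasswordAuthentication notice` task the condition `not (PermitRootLogin in tripleo_sshd_server_options)` uses `PermitRootLogin` as a bare Jinja name — an (undefined) variable — rather than the string key, so it should read `not ('PermitRootLogin' in tripleo_sshd_server_options)`; as written the task fails on an undefined variable, or with a lenient undefined setting never matches, so the notice is not emitted correctly when password authentication is enabled. The `template:` task writing `src: sshd_config_block.j2` to `dest: /etc/ssh/sshd_config` appears to replace the whole file, unlike the `blockinfile` it supersedes, so any directive not present in `tripleo_sshd_server_options` (e.g. `PermitRootLogin`) disappears from the file and falls back to sshd's compiled-in default — worth a comment on the task, since that is a behaviour change operators will not expect. The `lineinfile` tasks here and in the following hunk (`-60,9 +79,36`) only run when their option is enabled, so setting `tripleo_sshd_banner_enabled` or `tripleo_sshd_motd_enabled` back to false leaves the previously written `Banner`/`PrintMotd` line in place; either add a `state: absent` counterpart or comment that the toggles are one-way. Keeping `validate: '/usr/sbin/sshd -T -f %s'` on every task that edits the file is the right guard and should not be dropped from any of them.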
@ -60,9 +79,36 @@
|
|||
when:
|
||||
- tripleo_sshd_banner_enabled | bool
|
||||
|
||||
- name: Adjust ssh server banner configuration
|
||||
lineinfile:
|
||||
path: /etc/ssh/sshd_config
|
||||
state: present
|
||||
regexp: '^#?Banner.*'
|
||||
line: 'Banner /etc/issue'
|
||||
validate: '/usr/sbin/sshd -T -f %s'
|
||||
when:
|
||||
- tripleo_sshd_banner_enabled | bool
|
||||
notify:
|
||||
- Restart sshd
|
||||
|
||||
- name: Configure the motd banner
|
||||
copy:
|
||||
content: "{{ tripleo_sshd_message_of_the_day }}"
|
||||
dest: /etc/motd
|
||||
when:
|
||||
- tripleo_sshd_motd_enabled | bool
|
||||
|
||||
- name: Adjust ssh server motd configuration
|
||||
lineinfile:
|
||||
path: /etc/ssh/sshd_config
|
||||
state: present
|
||||
regexp: '^#?PrintMotd.*'
|
||||
line: 'PrintMotd yes'
|
||||
validate: '/usr/sbin/sshd -T -f %s'
|
||||
when:
|
||||
- tripleo_sshd_motd_enabled | bool
|
||||
notify:
|
||||
- Restart sshd
|
||||
|
||||
- name: Flush all handlers
|
||||
meta: flush_handlers
|
||||
|
|
|
@ -1,9 +1,12 @@
|
|||
SyslogFacility AUTHPRIV
|
||||
AuthorizedKeysFile .ssh/authorized_keys
|
||||
ChallengeResponseAuthentication no
|
||||
GSSAPIAuthentication yes
|
||||
GSSAPICleanupCredentials no
|
||||
UsePAM yes
|
||||
UseDNS no
|
||||
X11Forwarding yes
|
||||
PasswordAuthentication {{ tripleo_sshd_password_authentication }}
|
||||
## {{ ansible_managed }}
|
||||
|
||||
{% for k, v in tripleo_sshd_server_options.items() %}
|
||||
{% if (v is iterable) and (v is not string) %}
|
||||
{% set vars = (v | unique) %}
|
||||
{% for var in vars %}
|
||||
{{ k }} {{ var }}
|
||||
{% endfor %}
|
||||
{% else %}
|
||||
{{ k }} {{ v }}
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
|
|
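Review bot: `{% set vars = (v | unique) %}` shadows the `vars` name that Ansible exposes inside templates, which is confusing and could mask a later use of it; a neutral name such as `{% set values = (v | unique) %}` with `{% for value in values %}` avoids that. Values are emitted with no filtering — `{{ k }} {{ v }}` — so a value containing a newline would yield an extra directive; the task's `sshd -T` validate catches malformed output but not a syntactically valid extra line, so a header comment stating that `tripleo_sshd_server_options` is trusted operator input (not end-user data) would record that assumption. The `(v is iterable) and (v is not string)` test also treats a mapping value as iterable and would render its keys only; if lists are the only intended multi-value form, say so in a comment or test with `v is sequence` instead. Moving the formerly static lines into `tripleo_sshd_server_options` and the lineinfile task keeps the template data-driven, which is an improvement.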