From 7b6bd685698e48dee8f4ac563c804c00f3e3110f Mon Sep 17 00:00:00 2001 From: Sagi Shnaidman Date: Thu, 11 Jul 2019 13:21:59 +0300 Subject: [PATCH] Logindefs role in tripleo-ansible Change-Id: I61625792cd581b1ccd26cfc63c140151634d1318
---
doc/source/roles/role-login-defs.rst | 10 ++++ .../roles/login-defs/defaults/main.yml | 28 +++++++++ .../roles/login-defs/meta/main.yml | 44 ++++++++++++++ .../login-defs/molecule/default/Dockerfile | 37 ++++++++++++ .../login-defs/molecule/default/molecule.yml | 48 +++++++++++++++ .../login-defs/molecule/default/playbook.yml | 21 +++++++ .../login-defs/molecule/default/prepare.yml | 21 +++++++ .../login-defs/molecule/default/verify.yml | 45 ++++++++++++++ .../roles/login-defs/tasks/main.yml | 58 +++++++++++++++++++ zuul.d/molecule.yaml | 9 +++ 10 files changed, 321 insertions(+) create mode 100644 doc/source/roles/role-login-defs.rst create mode 100644 tripleo_ansible/roles/login-defs/defaults/main.yml create mode 100644 tripleo_ansible/roles/login-defs/meta/main.yml create mode 100644 tripleo_ansible/roles/login-defs/molecule/default/Dockerfile create mode 100644 tripleo_ansible/roles/login-defs/molecule/default/molecule.yml create mode 100644 tripleo_ansible/roles/login-defs/molecule/default/playbook.yml create mode 100644 tripleo_ansible/roles/login-defs/molecule/default/prepare.yml create mode 100644 tripleo_ansible/roles/login-defs/molecule/default/verify.yml create mode 100644 tripleo_ansible/roles/login-defs/tasks/main.yml
diff --git a/doc/source/roles/role-login-defs.rst b/doc/source/roles/role-login-defs.rst new file mode 100644
index 000000000..0ddbaa157
--- /dev/null
+++ b/doc/source/roles/role-login-defs.rst
@@ -0,0 +1,10 @@
+=================
+Role - login-defs
+=================
+
+Login-defs role installs default parameters for user account parameters. They
+are used by useradd, usermod, userdel, groupadd and other group utilities.
+Parameters are set in /etc/login.defs file.
+
+.. ansibleautoplugin::
+ :role: tripleo_ansible/roles/login-defs
diff --git a/tripleo_ansible/roles/login-defs/defaults/main.yml b/tripleo_ansible/roles/login-defs/defaults/main.yml new file mode 100644
index 000000000..a7b97bb18
--- /dev/null
+++ b/tripleo_ansible/roles/login-defs/defaults/main.yml
@@ -0,0 +1,28 @@
+---
+# Copyright 2019 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+tripleo_login_defs_debug: false
+
+# The maximum number of days a password may be used
+tripleo_login_defs_password_max_days: 60
+# The minimum number of days allowed between password changes
+tripleo_login_defs_password_min_days: 1
+# The minimal number of significant characters in the password
+tripleo_login_defs_password_min_len: 5
+# The number of days warning given before a password expires
+tripleo_login_defs_password_warn_age: 7
+# Delay in seconds before being allowed another attempt after a login failure
+tripleo_login_defs_fail_delay: 4
diff --git a/tripleo_ansible/roles/login-defs/meta/main.yml b/tripleo_ansible/roles/login-defs/meta/main.yml new file mode 100644
index 000000000..f3f15f74c
--- /dev/null
+++ b/tripleo_ansible/roles/login-defs/meta/main.yml
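Review bot: `tripleo_login_defs_debug: false` is declared in the defaults hunk but nothing in the role's tasks hunk reads it, so it is a dead variable; either drop it or give it a consumer. `tripleo_login_defs_password_min_len: 5` is also a weak floor, and on PAM-based distributions the PASS_MIN_LEN entry in login.defs is, to my knowledge, not what enforces password length (pam_pwquality/pam_cracklib do), so the variable deserves a comment such as `# NOTE: on PAM-based systems minimum length is enforced by pam_pwquality, not by this value` so operators do not assume it is effective. The other defaults are documented per key, which is good; the debug flag should get the same one-line comment if it stays.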
@@ -0,0 +1,44 @@
+---
+# Copyright 2019 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+galaxy_info:
+ author: OpenStack
+ description: TripleO OpenStack Role -- login-defs
+ company: Red Hat
+ license: Apache-2.0
+ min_ansible_version: 2.7
+ #
+ # Provide a list of supported platforms, and for each platform a list of versions.
+ # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+ # To view available platforms and versions (or releases), visit:
+ # https://galaxy.ansible.com/api/v1/platforms/
+ #
+ platforms:
+ - name: Fedora
+ versions:
+ - 28
+ - name: CentOS
+ versions:
+ - 7
+
+ galaxy_tags:
+ - tripleo
+
+
+# List your role dependencies here, one per line. Be sure to remove the '[]' above,
+# if you add dependencies to this list.
+dependencies: []
diff --git a/tripleo_ansible/roles/login-defs/molecule/default/Dockerfile b/tripleo_ansible/roles/login-defs/molecule/default/Dockerfile new file mode 100644
index 000000000..1b91a0e0b
--- /dev/null
+++ b/tripleo_ansible/roles/login-defs/molecule/default/Dockerfile
@@ -0,0 +1,37 @@
+# Molecule managed
+# Copyright 2019 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+{% if item.registry is defined %}
+FROM {{ item.registry.url }}/{{ item.image }}
+{% else %}
+FROM {{ item.image }}
+{% endif %}
+
+RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get install -y python sudo bash ca-certificates && apt-get clean; \
+ elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python sudo python-devel python*-dnf bash {{ item.pkg_extras | default('') }} && dnf clean all; \
+ elif [ $(command -v yum) ]; then yum makecache fast && yum install -y python sudo yum-plugin-ovl python-setuptools bash {{ item.pkg_extras | default('') }} && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \
+ elif [ $(command -v zypper) ]; then zypper refresh && zypper install -y python sudo bash python-xml {{ item.pkg_extras | default('') }} && zypper clean -a; \
+ elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates {{ item.pkg_extras | default('') }}; \
+ elif [ $(command -v xbps-install) ]; then xbps-install -Syu && xbps-install -y python sudo bash ca-certificates {{ item.pkg_extras | default('') }} && xbps-remove -O; fi
+
+{% for pkg in item.easy_install | default([]) %}
+# install pip for centos where there is no python-pip rpm in default repos
+RUN easy_install {{ pkg }}
+{% endfor %}
+
+
+CMD ["sh", "-c", "while true; do
sleep 10000; done"]
diff --git a/tripleo_ansible/roles/login-defs/molecule/default/molecule.yml b/tripleo_ansible/roles/login-defs/molecule/default/molecule.yml new file mode 100644
index 000000000..3a32890d4
--- /dev/null
+++ b/tripleo_ansible/roles/login-defs/molecule/default/molecule.yml
@@ -0,0 +1,48 @@
+---
+driver:
+ name: docker
+
+log: true
+
+platforms:
+ - name: centos7
+ hostname: centos7
+ image: centos:7
+ dockerfile: Dockerfile
+ pkg_extras: python-setuptools
+ easy_install:
+ - pip
+ environment: &env
+ http_proxy: "{{ lookup('env', 'http_proxy') }}"
+ https_proxy: "{{ lookup('env', 'https_proxy') }}"
+
+ - name: fedora28
+ hostname: fedora28
+ image: fedora:28
+ dockerfile: Dockerfile
+ pkg_extras: python*-setuptools
+ environment:
+ <<: *env
+
+provisioner:
+ name: ansible
+ log: true
+ env:
+ ANSIBLE_STDOUT_CALLBACK: yaml
+
+scenario:
+ test_sequence:
+ - destroy
+ - create
+ - prepare
+ - converge
+ - verify
+ - destroy
+
+lint:
+ enabled: false
+
+verifier:
+ name: testinfra
+ lint:
+ name: flake8
diff --git a/tripleo_ansible/roles/login-defs/molecule/default/playbook.yml b/tripleo_ansible/roles/login-defs/molecule/default/playbook.yml new file mode 100644
index 000000000..da511b2e3
--- /dev/null
+++ b/tripleo_ansible/roles/login-defs/molecule/default/playbook.yml
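Review bot: The scenario declares `verifier: name: testinfra` while the role's checks are written as an Ansible playbook (verify.yml in this same commit); the testinfra verifier looks for `tests/test_*.py`, so unless this project's molecule base configuration maps verify.yml onto the `verify` step (not visible here), the `verify` entry in `test_sequence` may execute nothing and a broken role would still pass CI. Confirm that verify.yml actually runs under this verifier, or move the assertions into a testinfra test. `lint: enabled: false` also switches off the scenario's yamllint/ansible-lint pass; if that is intentional, a one-line comment stating why (e.g. `# lint is run by a separate tox target`, if true) would stop reviewers re-asking.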
@@ -0,0 +1,21 @@
+---
+# Copyright 2019 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+- name: Converge
+ hosts: all
+ roles:
+ - role: "login-defs"
diff --git a/tripleo_ansible/roles/login-defs/molecule/default/prepare.yml b/tripleo_ansible/roles/login-defs/molecule/default/prepare.yml new file mode 100644
index 000000000..ef85c3128
--- /dev/null
+++ b/tripleo_ansible/roles/login-defs/molecule/default/prepare.yml
@@ -0,0 +1,21 @@
+---
+# Copyright 2019 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+- name: Prepare
+ hosts: all
+ roles:
+ - role: test_deps
diff --git a/tripleo_ansible/roles/login-defs/molecule/default/verify.yml b/tripleo_ansible/roles/login-defs/molecule/default/verify.yml new file mode 100644
index 000000000..24b82ef9f
--- /dev/null
+++ b/tripleo_ansible/roles/login-defs/molecule/default/verify.yml
@@ -0,0 +1,45 @@
+---
+# Copyright 2019 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- hosts: all
+ tasks:
+ - name: Check the file exits
+ stat:
+ path: /etc/login.defs
+ register: file
+
+ - name: Verify
+ assert:
+ that:
+ - file.stat.exists
+ - file.stat.gr_name == 'root'
+ - file.stat.pw_name == 'root'
+ - file.stat.mode == '0644'
+ fail_msg: "File login.defs doesn't exist or has wrong attributes!"
+
+ - name: Check the file contains all required values
+ command: grep "^{{ item.0 }} {{ item.1 }}$" /tmp/login.defs
+ loop:
+ - - PASS_MAX_DAYS
+ - "{{ tripleo_login_defs_password_max_days }}"
+ - - PASS_MIN_DAYS
+ - "{{ tripleo_login_defs_password_min_days }}"
+ - - PASS_MIN_LEN
+ - "{{ tripleo_login_defs_password_min_len }}"
+ - - PASS_WARN_AGE
+ - "{{ tripleo_login_defs_password_warn_age }}"
+ - - FAIL_DELAY
+ - "{{ tripleo_login_defs_fail_delay }}"
diff --git a/tripleo_ansible/roles/login-defs/tasks/main.yml b/tripleo_ansible/roles/login-defs/tasks/main.yml new file mode 100644
index 000000000..349dedbee
--- /dev/null
+++ b/tripleo_ansible/roles/login-defs/tasks/main.yml
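Review bot: The `Check the file contains all required values` task greps `/tmp/login.defs`, but the stat task above and the role's lineinfile task both operate on `/etc/login.defs`; as written the check either fails on a missing file or validates whatever stale copy happens to sit in /tmp, so it should read `command: grep "^{{ item.0 }} {{ item.1 }}$" /etc/login.defs`. This play does not include the role, so the `tripleo_login_defs_*` values it templates are not in scope from the role's defaults unless the provisioner inventory supplies them (not visible here); adding `vars_files: - ../../defaults/main.yml` at play level would make the check self-contained. Since grep only reads, the command task should carry `changed_when: false` so the verify run reports no spurious changes. The task name `Check the file exits` should read `exists`.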
@@ -0,0 +1,58 @@
+---
+# Copyright 2019 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+# "login-defs" will search for and load any operating system variable file
+
+# found within the "vars/" path. If no OS files are found the task will skip.
+- name: Gather variables for each operating system
+ include_vars: "{{ item }}"
+ with_first_found:
+ - skip: true
+ files:
+ - "{{ ansible_distribution | lower }}-{{ ansible_distribution_version | lower }}.yml"
+ - "{{ ansible_distribution | lower }}-{{ ansible_distribution_major_version | lower }}.yml"
+ - "{{ ansible_os_family | lower }}-{{ ansible_distribution_major_version | lower }}.yml"
+ - "{{ ansible_distribution | lower }}.yml"
+ - "{{ ansible_os_family | lower }}-{{ ansible_distribution_version.split('.')[0] }}.yml"
+ - "{{ ansible_os_family | lower }}.yml"
+ tags:
+ - always
+
+- name: Install shadow-utils
+ package:
+ name: shadow-utils
+ state: present
+
+- name: Change login defs file
+ lineinfile:
+ line: "{{ item.0 }} {{ item.1 }}"
+ regexp: "^[#]*{{ item.0 }}.*"
+ dest: /etc/login.defs
+ owner: root
+ group: root
+ mode: 0644
+ loop:
+ - - PASS_MAX_DAYS
+ - "{{ tripleo_login_defs_password_max_days }}"
+ - - PASS_MIN_DAYS
+ - "{{ tripleo_login_defs_password_min_days }}"
+ - - PASS_MIN_LEN
+ - "{{ tripleo_login_defs_password_min_len }}"
+ - - PASS_WARN_AGE
+ - "{{ tripleo_login_defs_password_warn_age }}"
+ - - FAIL_DELAY
+ - "{{ tripleo_login_defs_fail_delay }}"
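Review bot: The `Change login defs file` task rewrites PASS_MAX_DAYS/PASS_MIN_DAYS/PASS_WARN_AGE in /etc/login.defs, which only governs accounts created afterwards; existing users keep the aging fields already stored in /etc/shadow, so if this role is meant to harden an already-deployed node it needs a follow-up step (e.g. `chage` via the `command` module over the relevant accounts), and the role doc should state which of the two it provides. `mode: 0644` is parsed by the YAML loader as an octal integer, which Ansible does accept, but quoting it as `mode: "0644"` avoids the implicit-typing trap and matches the string the verify play compares against. The regexp `^[#]*{{ item.0 }}.*` will not match a stock entry commented with a space after the hash (`# PASS_MAX_DAYS …`), in which case the original stays in place and a new line is appended; if any supported distribution ships the keys that way, `^#*\s*{{ item.0 }}\b.*` covers both forms. The header comment on this task list is split by a blank line in the middle of a sentence; joining the two `#` lines would read cleanly.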
diff --git a/zuul.d/molecule.yaml b/zuul.d/molecule.yaml
index 64faa7e89..b5fd21f20 100644
--- a/zuul.d/molecule.yaml
+++ b/zuul.d/molecule.yaml
@@ -19,6 +19,7 @@
 - tripleo-ansible-centos-7-molecule-tripleo-podman
 - tripleo-ansible-centos-7-molecule-tripleo-persist
 - tripleo-ansible-centos-7-molecule-tripleo-ceph-run-ansible
+ - tripleo-ansible-centos-7-molecule-login-defs
 gate:
 jobs:
 - tripleo-ansible-centos-7-molecule-aide
@@ -38,6 +39,7 @@
 - tripleo-ansible-centos-7-molecule-tripleo-podman
 - tripleo-ansible-centos-7-molecule-tripleo-persist
 - tripleo-ansible-centos-7-molecule-tripleo-ceph-run-ansible
+ - tripleo-ansible-centos-7-molecule-login-defs
 name: tripleo-ansible-molecule-jobs
 - job:
 files:
@@ -164,3 +166,10 @@
 vars:
 tripleo_role_name: tripleo-ceph-run-ansible
 tripleo_job_ansible_args: '-v --skip-tags=run_uuid_ansible,run_ceph_ansible'
+- job:
+ files:
+ - ^tripleo_ansible/roles/login-defs/.*
+ name: tripleo-ansible-centos-7-molecule-login-defs
+ parent: tripleo-ansible-centos-7-base
+ vars:
+ tripleo_role_name: login-defs