This allows the master playbook used for update to set
tripleo_redhat_enforce to false on a per role basis on Red Hat
environments.

The default in defaults/main.yml is now "true" so that it keeps its
behavior of being run by default if nothing is changed in the role
definition.

We then avoid running it on platforms other than Red Hat by adding an
explicit test in that tasks/main.yml file.

Overall the behavior is as follows:

| Red Hat Env | tripleo_enforced | Test run |
|-------------+----------------------+----------|
| True | Unset | Yes |
| True | Set to true in role | Yes |
| True | Set to false in role | No |
| False | Doesn't matter | No |
Change-Id: I6268a01d16f8288bf862003d19184fc93b88282a
Partial-Bug: #1912512
This change will enable or disable no_log and debug options whenever the
verbosity is set to an integer greater than 2. This will ensure operators and
deployers are best equipped to troubleshoot issues by dynamically providing
additional data in an expected way. To ensure we're able to differentiate
between output masking and security masking, two options were used to enable or
disable no_log across our roles and playbooks.
> All debug options, without security implications, will now react to the
`ansible_verbosity` built-in by default. Changes have been made to our
skeleton role to ensure this is enforced on all new roles created going
forward.
> An additional prefixed role option, `*_hide_sensitive_logs`, has been added to
allow operators to easily toggle sensitive output when required. The role
prefixed variables will respond to the global option `hide_sensitive_logs` as
defined in THT which will ensure a consistent user experience.
Depends-On: I84f3982811ade59bac5ebaf3a124f9bfa6fa22a4
Change-Id: Ia6658110326899107a0e277f0d2574c79a8a820b
Signed-off-by: Kevin Carter <kecarter@redhat.com>
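
The two kinds of masking described in the commit message above, sketched as an added example; this is not code from the change itself. The `example_` variable names, the commands and the password value are hypothetical, and only `ansible_verbosity` and `hide_sensitive_logs` come from the message.

```yaml
# Constructed playbook: every "example_" name is hypothetical.
- hosts: localhost
  gather_facts: false
  vars:
    # Output masking: debug switches on when verbosity is greater than 2 (-vvv).
    example_debug: "{{ (ansible_verbosity | int) > 2 }}"
    # Security masking: follows the global option and stays hidden unless
    # hide_sensitive_logs is explicitly set to false.
    example_hide_sensitive_logs: "{{ hide_sensitive_logs | default(true) }}"
    example_password: "constructed-not-a-real-secret"
  tasks:
    - name: Noisy task without security implications
      ansible.builtin.command: uname -a
      changed_when: false
      # Masked at normal verbosity only to keep the output short.
      no_log: "{{ not (example_debug | bool) }}"

    - name: Task that handles a credential
      ansible.builtin.command: "true"
      environment:
        EXAMPLE_PASSWORD: "{{ example_password }}"
      changed_when: false
      # Raising verbosity alone never reveals this task's arguments or result.
      no_log: "{{ example_hide_sensitive_logs | bool }}"

    - name: Extra troubleshooting data, shown only in debug mode
      ansible.builtin.debug:
        msg: "verbosity={{ ansible_verbosity }}"
      when: example_debug | bool
```

Running this with `-vvv` unmasks only the first task; the credential task stays masked until `-e hide_sensitive_logs=false` is passed as well.
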
OSP, the downstream version of tripleo, has to enforce some policies
for the RHEL version and subscribed channel.

This module hosts those requirements, so that we prevent updates to
the wrong RHEL release or subscription to the wrong channels.

Currently it only implements a basic check of the subscribed RHEL
version.

This check has some fail-safe logic to avoid crashing the update on
a temporary network issue when running subscription-manager.

We are avoiding the validation framework as this can be easily
disabled and we want this enforcement to be mandatory as this could
lead users to an unsupported combination of OSP/RHEL.

For upstream that change is transparent as the tasks are skipped if
the ansible_distribution is not Red Hat.

For Red Hat, there will be a mechanism in THT to avoid the check
altogether, for instance for CI purposes.

For this first check (RHEL/OSP version), downstream patches will add
the required values in vars/redhat.yml.

Change-Id: I2d1ac92ee6ee8407fb156a2718f94ad3e9220bbe