mirror of
https://github.com/ansible-collections/community.general.git
synced 2024-09-14 20:13:21 +02:00
Fixed check_mode status to be the same as normal execution (#40721)
* Fixed check_mode status to be the same as normal execution * Now when setting the status to `disabled` in check_mode it correctly returns the state changed and prints a warning like it does in normal model. Before it always returned changed even if everything was set correctly and a reboot was required. * Add changelog entry Co-authored by: Strahinja Kustudic <kustodian@gmail.com>
This commit is contained in:
parent
f2d4912f29
commit
0781a7f68c
3 changed files with 166 additions and 7 deletions
2
changelogs/fragments/selinux-check-mode.yaml
Normal file
2
changelogs/fragments/selinux-check-mode.yaml
Normal file
|
@ -0,0 +1,2 @@
|
||||||
|
bugfixes:
|
||||||
|
- selinux - correct check mode behavior to report same changes as normal mode (https://github.com/ansible/ansible/pull/40721)
|
|
@ -228,19 +228,20 @@ def main():
|
||||||
changed = True
|
changed = True
|
||||||
|
|
||||||
if state != runtime_state:
|
if state != runtime_state:
|
||||||
if module.check_mode:
|
|
||||||
module.exit_json(changed=True)
|
|
||||||
if runtime_enabled:
|
if runtime_enabled:
|
||||||
if state == 'disabled':
|
if state == 'disabled':
|
||||||
if runtime_state != 'permissive':
|
if runtime_state != 'permissive':
|
||||||
# Temporarily set state to permissive
|
# Temporarily set state to permissive
|
||||||
set_state(module, 'permissive')
|
if not module.check_mode:
|
||||||
|
set_state(module, 'permissive')
|
||||||
module.warn('SELinux state temporarily changed from \'%s\' to \'permissive\'. State change will take effect next reboot.' % (runtime_state))
|
module.warn('SELinux state temporarily changed from \'%s\' to \'permissive\'. State change will take effect next reboot.' % (runtime_state))
|
||||||
|
changed = True
|
||||||
else:
|
else:
|
||||||
module.warn('SELinux state change will take effect next reboot')
|
module.warn('SELinux state change will take effect next reboot')
|
||||||
reboot_required = True
|
reboot_required = True
|
||||||
else:
|
else:
|
||||||
set_state(module, state)
|
if not module.check_mode:
|
||||||
|
set_state(module, state)
|
||||||
msgs.append('SELinux state changed from \'%s\' to \'%s\'' % (runtime_state, state))
|
msgs.append('SELinux state changed from \'%s\' to \'%s\'' % (runtime_state, state))
|
||||||
|
|
||||||
# Only report changes if the file is changed.
|
# Only report changes if the file is changed.
|
||||||
|
@ -251,10 +252,9 @@ def main():
|
||||||
reboot_required = True
|
reboot_required = True
|
||||||
|
|
||||||
if state != config_state:
|
if state != config_state:
|
||||||
if module.check_mode:
|
if not module.check_mode:
|
||||||
module.exit_json(changed=True)
|
set_config_state(module, state, configfile)
|
||||||
msgs.append('Config SELinux state changed from \'%s\' to \'%s\'' % (config_state, state))
|
msgs.append('Config SELinux state changed from \'%s\' to \'%s\'' % (config_state, state))
|
||||||
set_config_state(module, state, configfile)
|
|
||||||
changed = True
|
changed = True
|
||||||
|
|
||||||
module.exit_json(changed=changed, msg=', '.join(msgs), configfile=configfile, policy=policy, state=state, reboot_required=reboot_required)
|
module.exit_json(changed=changed, msg=', '.join(msgs), configfile=configfile, policy=policy, state=state, reboot_required=reboot_required)
|
||||||
|
|
|
@ -205,3 +205,160 @@
|
||||||
- _state_test1.msg == 'Policy non-existing-selinux-policy does not exist in /etc/selinux/'
|
- _state_test1.msg == 'Policy non-existing-selinux-policy does not exist in /etc/selinux/'
|
||||||
- ansible_selinux.config_mode == 'enforcing'
|
- ansible_selinux.config_mode == 'enforcing'
|
||||||
- ansible_selinux.type == 'targeted'
|
- ansible_selinux.type == 'targeted'
|
||||||
|
|
||||||
|
|
||||||
|
# Fourth Test
|
||||||
|
# ##############################################################################
|
||||||
|
# Test if check mode returns correct changed values and
|
||||||
|
# doesn't make any changes
|
||||||
|
|
||||||
|
|
||||||
|
- name: TEST 4 | Set SELinux to enforcing
|
||||||
|
selinux:
|
||||||
|
state: enforcing
|
||||||
|
policy: targeted
|
||||||
|
register: _check_mode_test1
|
||||||
|
|
||||||
|
- debug:
|
||||||
|
var: _check_mode_test1
|
||||||
|
verbosity: 1
|
||||||
|
|
||||||
|
- name: TEST 4 | Set SELinux to enforcing in check mode
|
||||||
|
selinux:
|
||||||
|
state: enforcing
|
||||||
|
policy: targeted
|
||||||
|
register: _check_mode_test1
|
||||||
|
check_mode: yes
|
||||||
|
|
||||||
|
- name: TEST 4 | Re-gather facts
|
||||||
|
setup:
|
||||||
|
|
||||||
|
- debug:
|
||||||
|
var: ansible_selinux
|
||||||
|
verbosity: 1
|
||||||
|
tags: debug
|
||||||
|
|
||||||
|
- name: TEST 4 | Assert that check mode is idempotent
|
||||||
|
assert:
|
||||||
|
that:
|
||||||
|
- _check_mode_test1 is success
|
||||||
|
- not _check_mode_test1.reboot_required
|
||||||
|
- ansible_selinux.config_mode == 'enforcing'
|
||||||
|
- ansible_selinux.type == 'targeted'
|
||||||
|
|
||||||
|
- name: TEST 4 | Set SELinux to permissive in check mode
|
||||||
|
selinux:
|
||||||
|
state: permissive
|
||||||
|
policy: targeted
|
||||||
|
register: _check_mode_test2
|
||||||
|
check_mode: yes
|
||||||
|
|
||||||
|
- name: TEST 4 | Re-gather facts
|
||||||
|
setup:
|
||||||
|
|
||||||
|
- debug:
|
||||||
|
var: ansible_selinux
|
||||||
|
verbosity: 1
|
||||||
|
tags: debug
|
||||||
|
|
||||||
|
- name: TEST 4 | Assert that check mode doesn't set state permissive and returns changed
|
||||||
|
assert:
|
||||||
|
that:
|
||||||
|
- _check_mode_test2 is changed
|
||||||
|
- not _check_mode_test2.reboot_required
|
||||||
|
- ansible_selinux.config_mode == 'enforcing'
|
||||||
|
- ansible_selinux.type == 'targeted'
|
||||||
|
|
||||||
|
- name: TEST 4 | Disable SELinux in check mode
|
||||||
|
selinux:
|
||||||
|
state: disabled
|
||||||
|
register: _check_mode_test3
|
||||||
|
check_mode: yes
|
||||||
|
|
||||||
|
- name: TEST 4 | Re-gather facts
|
||||||
|
setup:
|
||||||
|
|
||||||
|
- debug:
|
||||||
|
var: ansible_selinux
|
||||||
|
verbosity: 1
|
||||||
|
tags: debug
|
||||||
|
|
||||||
|
- name: TEST 4 | Assert that check mode didn't change anything, status is changed, reboot_required is True, a warning was displayed
|
||||||
|
assert:
|
||||||
|
that:
|
||||||
|
- _check_mode_test3 is changed
|
||||||
|
- _check_mode_test3.reboot_required
|
||||||
|
- (_check_mode_test3.warnings | length ) >= 1
|
||||||
|
- ansible_selinux.config_mode == 'enforcing'
|
||||||
|
- ansible_selinux.type == 'targeted'
|
||||||
|
|
||||||
|
- name: TEST 4 | Set SELinux to permissive
|
||||||
|
selinux:
|
||||||
|
state: permissive
|
||||||
|
policy: targeted
|
||||||
|
register: _check_mode_test4
|
||||||
|
|
||||||
|
- debug:
|
||||||
|
var: _check_mode_test4
|
||||||
|
verbosity: 1
|
||||||
|
|
||||||
|
- name: TEST 4 | Disable SELinux in check mode
|
||||||
|
selinux:
|
||||||
|
state: disabled
|
||||||
|
register: _check_mode_test4
|
||||||
|
check_mode: yes
|
||||||
|
|
||||||
|
- name: TEST 4 | Re-gather facts
|
||||||
|
setup:
|
||||||
|
|
||||||
|
- debug:
|
||||||
|
var: ansible_selinux
|
||||||
|
verbosity: 1
|
||||||
|
tags: debug
|
||||||
|
|
||||||
|
- name: TEST 4 | Assert that check mode didn't change anything, status is changed, reboot_required is True, a warning was displayed
|
||||||
|
assert:
|
||||||
|
that:
|
||||||
|
- _check_mode_test4 is changed
|
||||||
|
- _check_mode_test4.reboot_required
|
||||||
|
- (_check_mode_test3.warnings | length ) >= 1
|
||||||
|
- ansible_selinux.config_mode == 'permissive'
|
||||||
|
- ansible_selinux.type == 'targeted'
|
||||||
|
|
||||||
|
- name: TEST 4 | Set SELinux to enforcing
|
||||||
|
selinux:
|
||||||
|
state: enforcing
|
||||||
|
policy: targeted
|
||||||
|
register: _check_mode_test5
|
||||||
|
|
||||||
|
- debug:
|
||||||
|
var: _check_mode_test5
|
||||||
|
verbosity: 1
|
||||||
|
|
||||||
|
- name: TEST 4 | Disable SELinux
|
||||||
|
selinux:
|
||||||
|
state: disabled
|
||||||
|
register: _check_mode_test5
|
||||||
|
|
||||||
|
- name: TEST 4 | Disable SELinux in check mode
|
||||||
|
selinux:
|
||||||
|
state: disabled
|
||||||
|
register: _check_mode_test5
|
||||||
|
check_mode: yes
|
||||||
|
|
||||||
|
- name: TEST 4 | Re-gather facts
|
||||||
|
setup:
|
||||||
|
|
||||||
|
- debug:
|
||||||
|
var: ansible_selinux
|
||||||
|
verbosity: 1
|
||||||
|
tags: debug
|
||||||
|
|
||||||
|
- name: TEST 4 | Assert that in check mode status was not changed, reboot_required is True, a warning was displayed, and SELinux is configured properly
|
||||||
|
assert:
|
||||||
|
that:
|
||||||
|
- _check_mode_test5 is success
|
||||||
|
- _check_mode_test5.reboot_required
|
||||||
|
- (_check_mode_test5.warnings | length ) >= 1
|
||||||
|
- ansible_selinux.config_mode == 'disabled'
|
||||||
|
- ansible_selinux.type == 'targeted'
|
||||||
|
|
Loading…
Reference in a new issue