Using `local: true` users can enforce to work only with local policy
modifications. i.e.
# Without `local`, no new modification is added when port already exists
$ sudo ansible -m seport -a 'ports=22 state=present setype=ssh_port_t proto=tcp' localhost
localhost | SUCCESS => {
    "changed": false,
    "ports": [
        "22"
    ],
    "proto": "tcp",
    "setype": "ssh_port_t",
    "state": "present"
}
$ sudo semanage port -l -C

# With `local`, a port is always added/changed in local modification list
$ sudo ansible -m seport -a 'ports=22 state=present setype=ssh_port_t proto=tcp local=true' localhost
localhost | CHANGED => {
    "changed": true,
    "ports": [
        "22"
    ],
    "proto": "tcp",
    "setype": "ssh_port_t",
    "state": "present"
}
$ sudo semanage port -l -C
SELinux Port Type              Proto    Port Number
ssh_port_t                     tcp      22

# With `local`, seport removes the port only from local modifications
$ sudo ansible -m seport -a 'ports=22 state=absent setype=ssh_port_t proto=tcp local=true' localhost
localhost | CHANGED => {
    "changed": true,
    "ports": [
        "22"
    ],
    "proto": "tcp",
    "setype": "ssh_port_t",
    "state": "absent"
}
$ sudo semanage port -l -C

# Even though the port is still defined in system policy, the module
# result is success as there's no port local modification
$ sudo ansible -m seport -a 'ports=22 state=absent setype=ssh_port_t proto=tcp local=true' localhost
localhost | SUCCESS => {
    "changed": false,
    "ports": [
        "22"
    ],
    "proto": "tcp",
    "setype": "ssh_port_t",
    "state": "absent"
}

# But it fails without `local` as it tries to remove port defined in
# system policy
$ sudo ansible -m seport -a 'ports=22 state=absent setype=ssh_port_t proto=tcp' localhost
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: ValueError: Port tcp/22 is defined in policy, cannot be deleted
localhost | FAILED! => {
    "changed": false,
    "msg": "ValueError: Port tcp/22 is defined in policy, cannot be deleted\n"
}
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
* Adjust booleans in system modules.
* Fix some IP addresses
Co-authored-by: Sandra McCann <samccann@redhat.com>
Co-authored-by: Sandra McCann <samccann@redhat.com>
* Move licenses to LICENSES/, run add-license.py, add LICENSES/MIT.txt.
* Replace 'Copyright:' with 'Copyright'
sed -i 's|Copyright:\(.*\)|Copyright\1|' $(rg -l 'Copyright:')
Co-authored-by: Maxwell G <gotmax@e.email>
* xfconf: add command output to results
* add changelog fragment
* add docs for return value cmd
* Update plugins/modules/system/xfconf.py
Co-authored-by: Felix Fontein <felix@fontein.de>
Co-authored-by: Felix Fontein <felix@fontein.de>
* Initial Rework of netstat and ss to include additional information.
State, foreign address, process.
* Fixed sanity tests. Python 2 compatible code. pylint errors resolved.
* Sanity tests. ss_parse fix minor error I created before.
* Rename variable for clarity
* Python2 rsplit takes no keyword argument. -> remove keyword argument
* Generic improvements for split_pid_name. Added changelog
* Sanity Test (no type hints for python2.7)
* add include_non_listening param. Add param to test. Add documentation. Only return state and foreign_address when include_non_listening
* Update changelogs/fragments/4953-listen-ports-facts-extend-output.yaml
Co-authored-by: Felix Fontein <felix@fontein.de>
* Add info to changelog fragment. Clarify documentation.
* The case where we have multiple entries in pids for udp eg: users:(("rpcbind",pid=733,fd=5),("systemd",pid=1,fd=30)) is not in the tests. So roll back to previous approach where this is covered. Fix wrong if condition for include_non_listening.
* Rewrite documentation and formatting.
* Last small documentation adjustments.
* Update parameters to match description.
* added test cases to check if include_non_listening is set to no by default. And test if ports and foreign_address exists if set to yes
* undo rename from address to local_address -> breaking change
* Replace choice with bool, as it is the correct fit here
* netstat distinguishes between tcp6 and tcp; output should always be tcp
* Minor adjustments in the docs (no -> false, is set to yes -> true)
Co-authored-by: Paul-Kehnel <paul.kehnel@ocean.ibm.com>
Co-authored-by: Felix Fontein <felix@fontein.de>
* gconftool2: deprecate state get
* added changelog fragment
* Update plugins/modules/system/gconftool2.py
* Update plugins/modules/system/gconftool2.py
* Fix keyring_info when using keyring library
This line used to always clobber the passphrase retrieved via the `keyring` library, making it useless on everything except gnome-keyring. After this change, it'll only use the alternate method if the default one didn't work.
* delete whitespace
* add changelog fragment
* Update changelogs/fragments/4964-fix-keyring-info.yml
Co-authored-by: Felix Fontein <felix@fontein.de>
Co-authored-by: Felix Fontein <felix@fontein.de>
* Use visudo to validate sudoers rules before use
* Replace use of subprocess.Popen with module.run_command
* Switch out apt for package
* Check file mode when verifying file to determine whether something needs to change
* Only install sudo package for debian and redhat environments (when testing)
* Attempt to install sudo on FreeBSD too
* Try just installing sudo for non-darwin machines
* Don't validate file ownership
* Attempt to install sudo on all platforms
* Revert "Attempt to install sudo on all platforms"
This reverts commit b9562a8916.
* Remove file permissions changes from this PR
* Add changelog fragment for 4794 sudoers validation
* Add option to control when sudoers validation is used
* Update changelog fragment
Co-authored-by: Felix Fontein <felix@fontein.de>
* Add version_added to validation property
Co-authored-by: Felix Fontein <felix@fontein.de>
* Also validate failed sudoers validation error message
Co-authored-by: Felix Fontein <felix@fontein.de>
* Make visudo not executable instead of trying to delete it
* Update edge case validation
* Write invalid sudoers file to alternative path to avoid breaking sudo
* Don't try to remove or otherwise modify visudo on Darwin
* Update plugins/modules/system/sudoers.py
Co-authored-by: Felix Fontein <felix@fontein.de>
* Remove trailing extra empty line to appease sanity checker
Co-authored-by: Felix Fontein <felix@fontein.de>
* cmd_runner: add __call__ method to invoke context
* change xfconf to use the callable form
* add changelog fragment
* Update changelogs/fragments/4791-cmd-runner-callable.yaml
Co-authored-by: Felix Fontein <felix@fontein.de>
Co-authored-by: Felix Fontein <felix@fontein.de>
* Only pass subcommands when they are specified as module arguments.
* When 'subcommands' is specified, 'link' must be given for every subcommand.
* Extend subcommand tests.
* alternatives: Fix bug with priority default
If neither the priority nor the subcommands were specified, the module decided to update the priority with the default value anyway. This resulted in bugs #4803 and #4804.
* Add changelog fragment.
* Distinguish None from 0.
* Address review comments.
* Update plugins/modules/system/alternatives.py
Co-authored-by: Pilou <pierre-louis@libregerbil.fr>
* Remove unrelated issues from changelog.
Co-authored-by: Felix Fontein <felix@fontein.de>
Co-authored-by: Pilou <pierre-louis@libregerbil.fr>
* Ensure sudoers config files are created with 0440 permissions to appease visudo validation
* Remove change not required by the bugfix
* Add changelog fragment for 4814 sudoers file permissions
* Update changelogs/fragments/4814-sudoers-file-permissions.yml
Co-authored-by: Felix Fontein <felix@fontein.de>
* Have less oct casting
Co-authored-by: Felix Fontein <felix@fontein.de>
Co-authored-by: Felix Fontein <felix@fontein.de>
* xfconf: changed implementation to use cmd_runner
* added module_utils/xfconf.py
* xfconf_info: using cmd_runner
* added module_utils to BOTMETA.yml
* added changelog fragment
* use cmd_runner_fmt instead of deprecated form
* Add slaves parameter for module alternatives.
* alternatives: Improve documentation about slaves parameter
* alternatives: Apply suggestions from code review
Co-authored-by: Felix Fontein <felix@fontein.de>
* alternatives: Add changelog for slaves parameter
* alternatives: Add integration tests
* alternatives: Improve tests
* alternatives: Update tests/integration/targets/alternatives/tasks/slaves.yml
Co-authored-by: Felix Fontein <felix@fontein.de>
* alternatives: Rework logic to support updating priority and subcommands
* alternatives: Use more inclusive naming
* alternatives: Fix linter warnings
* alternatives: Don't fail if link is absent
* alternatives: Update changelog fragment
* alternatives: Add tests for prio change and removing
* alternatives: Apply suggestions from code review
Co-authored-by: Felix Fontein <felix@fontein.de>
* alternatives: Add `state=auto` to reset mode to auto
* alternatives: Fix linter warnings
* alternatives: Fix documentation.
* alternatives: Combine multiple messages.
* alternatives: Set command env for all commands.
* alternatives: Do not update subcommands if parameter is omitted
* alternatives: Fix a bug with python 2.7 var scoping
* alternatives: Improve diff before generation
* alternatives: Fix linter warnings
* alternatives: Fix test names
* alternatives: Simplify subcommands handling and improve diffs
* aliases: Only test for subcommand changes if subcommands parameter is set.
* Update plugins/modules/system/alternatives.py
Co-authored-by: Felix Fontein <felix@fontein.de>
* Apply suggestions from code review
Co-authored-by: Felix Fontein <felix@fontein.de>
* Multiple modules using ModuleHelper
Replaced raising exception with calling method do_raise() in MH.
Removed the importing of the exception class.
* added changelog fragment
* Add RHEL 9.0 and FreeBSD 13.1 to CI.
* RHEL 9 has no pyOpenSSL apparently.
* Adjust URL for EPEL.
* Fix cargo install on FreeBSD 13.1.
* Add Ubuntu 22.04 and Fedora 36 to CI.
* Fix logic.
* filesystem: do not die if output line does not contain ':'
* Skip django_manage tests on RHEL 9 as well.
* homectl tests don't work with RHEL 9.0.
* Improve error handling, improve fatresize output handling.
* Skip Fedora 36.
* Skip filesystem vfat tests on Ubuntu 22.04.
There, resizing fails with a bug:
Bug: Assertion (disk != NULL) at ../../libparted/disk.c:1620 in function ped_disk_get_partition_by_sector() failed.
* 'trusty' is 14.04. Adding 22.04 to skip list.
* Skip jail tests for FreeBSD 13.1.
* Add config for postgres on Ubuntu 22.04.
* Make CentOS 6 happy.
* Adjust postgres version.
* Try installing EPEL a bit differently.
* Skip ufw and iso_extract tests on RHEL 9.
* Skip odbc tests on RHEL 9.
* Skip RHEL 9.0 for snap tests.
* Add changelog fragment for filesystem code changes.
* Add 'activate' parameter for alternatives
Allow alternatives to be installed without being set as the current
selection.
* add changelog fragment
* Apply suggestions from code review
Co-authored-by: Felix Fontein <felix@fontein.de>
* rename 'activate' -> 'selected'
* rework 'selected' parameter -> 'state'
* handle unsetting of currently selected alternative
* add integration tests for 'state' parameter
* fix linting issues
* fix for Python 2.7 compatibility
* Remove alternatives file.
Co-authored-by: Felix Fontein <felix@fontein.de>
* feat: sudoers module supports runas parameter with default of root
* fix: sudoers tests now pass
* chore: add changelog fragment for 4380
* fix: runas feature now a non-breaking change wh no def with no default
* fix: no trailing space in sudoers.py
* Update plugins/modules/system/sudoers.py
Co-authored-by: Felix Fontein <felix@fontein.de>
Co-authored-by: Felix Fontein <felix@fontein.de>
* dconf: Skip processes that disappeared while we inspected them
Fixes #4151
* Update changelogs/fragments/4151-dconf-catch-psutil-nosuchprocess.yaml
Co-authored-by: Felix Fontein <felix@fontein.de>
Co-authored-by: Felix Fontein <felix@fontein.de>
* Fix local port regex
This PR fixes the bug reported in #4091
* Update changelogs/fragments/4092-fix_local_ports_regex_listen_ports_facts.yaml
Co-authored-by: Felix Fontein <felix@fontein.de>
Co-authored-by: Felix Fontein <felix@fontein.de>
* bugfix: don't overwrite results in 'mismatched'
Whichever mismatched package is evaluated last is the value stored in the
'mismatched' key. Instead, it should have a subdict for each pkg that is mismatched
to keep in line with its documented usage.
* Update changelogs/fragments/4078-python_requirements_info.yaml
Co-authored-by: Felix Fontein <felix@fontein.de>
Co-authored-by: Felix Fontein <felix@fontein.de>
* initial development of homectl module
* botmeta
* fix some linting
* Update .github/BOTMETA.yml
Co-authored-by: Felix Fontein <felix@fontein.de>
* Update plugins/modules/system/homectl.py
Co-authored-by: Felix Fontein <felix@fontein.de>
* Update plugins/modules/system/homectl.py
Co-authored-by: Felix Fontein <felix@fontein.de>
* Update plugins/modules/system/homectl.py
Co-authored-by: Felix Fontein <felix@fontein.de>
* Update plugins/modules/system/homectl.py
Co-authored-by: Felix Fontein <felix@fontein.de>
* use array form of run_command
Co-authored-by: Felix Fontein <felix@fontein.de>
* Update plugins/modules/system/homectl.py
Co-authored-by: Felix Fontein <felix@fontein.de>
* added modifying user record and cleaned up based on comments
* added updating records/multiple changes regarding options, examples doc, return doc
* add integration tests and more overall improvements
* Update plugins/modules/system/homectl.py
Co-authored-by: Felix Fontein <felix@fontein.de>
* Update plugins/modules/system/homectl.py
Co-authored-by: Felix Fontein <felix@fontein.de>
* Update plugins/modules/system/homectl.py
Co-authored-by: Felix Fontein <felix@fontein.de>
* Update plugins/modules/system/homectl.py
Co-authored-by: Felix Fontein <felix@fontein.de>
* Update plugins/modules/system/homectl.py
Co-authored-by: Felix Fontein <felix@fontein.de>
* Update plugins/modules/system/homectl.py
Co-authored-by: Felix Fontein <felix@fontein.de>
* Update plugins/modules/system/homectl.py
Co-authored-by: Felix Fontein <felix@fontein.de>
* Update plugins/modules/system/homectl.py
Co-authored-by: Felix Fontein <felix@fontein.de>
* Update plugins/modules/system/homectl.py
Co-authored-by: Felix Fontein <felix@fontein.de>
* removed modify handle within present
* adding more options and better checking of user records when updating
* Apply suggestions from code review
Co-authored-by: Felix Fontein <felix@fontein.de>
* Update plugins/modules/system/homectl.py
Co-authored-by: Felix Fontein <felix@fontein.de>
* Add code review changes
- remove unsafe_shell with run_command.
- use dict.pop() in user_metadata dict.
- consistent quoting to single quotes.
- change logic to determine check mode better
- fix integration tests and added check_mode tests
* Fix handling of mount opts
When a user is created without mountopts homed will use nodev and nosuid
by default, however the user record metadata will not contain these
values. This commit takes extra care that correct value is being set to
true or false. So if a user gives mountopts with just nodev we need to
make sure the nosuid and noexec get set to false, etc. If mountopts are
same as currently in user record make sure nothing would be changed and
outputs correctly.
Also fixed some tests.
* change method modify_user to prepare_modify_user_command
* Code review fixes and add existing user pw checking
- Added methods to check existing user's password is correct by comparing
the hash stored in homed user record and the hash of given password
- Updated integration tests for above case
- Added aliases file so CI can run
* Apply suggestions from code review
Co-authored-by: Felix Fontein <felix@fontein.de>
Co-authored-by: Felix Fontein <felix@fontein.de>
* puppet: Add documentation and remove deprecation for show_diff
* Add changelog fragment
* Update changelogs/fragments/3980-puppet-show_diff.yml
Co-authored-by: Felix Fontein <felix@fontein.de>
* Update plugins/modules/system/puppet.py
Co-authored-by: Felix Fontein <felix@fontein.de>
* Update plugins/modules/system/puppet.py
Co-authored-by: Felix Fontein <felix@fontein.de>
* Fixing syntax error introduced in 29298da3
* More documentation for show_diff and fix some sanity errors
* Update changelogs/fragments/3980-puppet-show_diff.yml
Co-authored-by: Felix Fontein <felix@fontein.de>
* Update tests/sanity/ignore-2.10.txt
Co-authored-by: Felix Fontein <felix@fontein.de>
* Add validate-modules:parameter-invalid to ignores due to invalid and deprecated alias
* Keep use-argspec-type-path in ignores
* Update plugins/modules/system/puppet.py
Co-authored-by: Felix Fontein <felix@fontein.de>
Co-authored-by: Benoit Vaudel <benoit@catalyst.net.nz>
Co-authored-by: Felix Fontein <felix@fontein.de>