refactor: Use vars/RedHat_N.yml symlink for CentOS, Rocky, Alma wherever possible

We have a lot of requests to support Rocky and Alma in various system roles. The
first part of adding support is adding `vars/` files for these platforms. In
almost every case, for a given major version N, the vars file RedHat_N.yml can
be used for CentOS, Rocky, and Alma.  Rather than making a copy of the
RedHat_N.yml file, just use a symlink to reduce size and maintenance burden, and
standardize this across all system roles for consistency.

NOTE: There is no Alma or Rocky version 7 or less.

NOTE: OracleLinux is not a strict clone, so we are not going to do this for
OracleLinux at this time.  Support for OracleLinux will need to be done in
separate PRs. For more information, see
linux-system-roles/cockpit#130

**Question**: Why not just use `ansible_facts["os_family"] == "RedHat"`?

**Answer**:  This is what Ansible uses as the RedHat os_family:
https://github.com/ansible/ansible/blob/1e6ffc1d02559a26def6c9c3b07baf27032865a2/lib/ansible/module_utils/facts/system/distribution.py#L511
There are a lot of distributions in there. I know that Fedora is not a clone of
RHEL, but it is very closely related. Most of the others are not clones, and it
would generally not work to replace ansible_distribution in ['CentOS', 'Fedora',
'RedHat'] with ansible_facts['os_family'] == 'RedHat' (but it would probably
work in specific cases with specific distributions).  For example, OracleLinux
is in there, and we know that doesn't generally work.  The only ones we can be
pretty sure about are `RedHat`, `CentOS`, `Fedora`, `AlmaLinux`, and `Rocky`.

**Question**: Does my role really need this because it should already work on
RHEL clones?

**Answer**: Maybe not - but:

* it doesn't hurt anything
* it's there if we need it in the future
* the role will be inconsistent with the other system roles if we don't have this

**Question**: Why do I need the `tests/vars/rh_distros_vars.yml` file?  Doesn't
the test load the vars from the role?

**Answer**: No, the test does not load the vars from the role until the role is
included, and many tests use version and distribution before including the role.

**Question**: Do we need to change the code now to use the new variables?

**Answer**: No, not now, in subsequent PRs, hopefully by Alma and Rocky users.

Note that there may be more work to be done to the role to fully support Rocky
and Alma.  Many roles have conditionals like this:

```yaml
some_var: "{{ 'some value' if ansible_distribution in ['CentOS', 'RedHat'] else 'other value' }}"
another_var: "{{ 'some value' if ansible_distribution in ['CentOS', 'Fedora', 'RedHat'] else 'other value' }}"

...

- name: Do something
  when: ansible_distribution in ['CentOS', 'RedHat']
  ...
- name: Do something else
  when: ansible_distribution in ['CentOS', 'Fedora', 'RedHat']
  ...
```

Adding Rocky and AlmaLinux to these conditionals will have to be done
separately. In order to simplify the task, some new variables are being
introduced:

```yaml
__$rolename_rh_distros:
  - AlmaLinux
  - CentOS
  - RedHat
  - Rocky

__$rolename_rh_distros_fedora: "{{ __$rolename_rh_distros + ['Fedora'] }}"

__$rolename_is_rh_distro: "{{ ansible_distribution in __$rolename_rh_distros }}"
__$rolename_is_rh_distro_fedora: "{{ ansible_distribution in __$rolename_rh_distros_fedora }}"
```

Then the conditionals can be rewritten as:

```yaml
some_var: "{{ 'some value' if __$rolename_is_rh_distro else 'other value' }}"
another_var: "{{ 'some value' if __$rolename_is_rh_distro_fedora else 'other value' }}"

...

- name: Do something
  when: __$rolename_is_rh_distro | bool
  ...
- name: Do something else
  when: __$rolename_is_rh_distro_fedora | bool
  ...
```

For tests - tests that use such conditionals will need to use `vars_files` or
`include_vars` to load the variables that are defined in
`tests/vars/rh_distros_vars.yml`:

```yaml
vars_files:
  - vars/rh_distros_vars.yml
```

We don't currently have CI testing for Rocky or Alma, so someone wanting to run
tests on those platforms would need to change the test code to use these.

Signed-off-by: Rich Megginson <[email protected]>
richm committed Oct 25, 2024
1 parent e898442 commit 1b526b9
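
An added example (not part of the commit or of the linux-system-roles tooling): a review-time check of the `vars/` layout the commit message describes, where each AlmaLinux, CentOS and Rocky file is a relative symlink to the sibling `RedHat_N.yml`. The function names, the finding strings and the sample tree are constructed for illustration.

```python
import os
import re
import tempfile

# Clone vars files the commit message covers; Alma and Rocky start at major 8.
NAME_RE = re.compile(r"^(AlmaLinux|CentOS|Rocky)_(\d+)\.yml$")
NO_V7_OR_LESS = ("AlmaLinux", "Rocky")


def audit_vars_dir(vars_dir):
    """Return review findings for the clone vars files in vars_dir."""
    findings = []
    for name in sorted(os.listdir(vars_dir)):
        match = NAME_RE.match(name)
        if not match:
            continue
        distro, major = match.group(1), int(match.group(2))
        path = os.path.join(vars_dir, name)
        expected = f"RedHat_{major}.yml"
        if distro in NO_V7_OR_LESS and major <= 7:
            findings.append(f"{name}: no {distro} release {major}")
        if not os.path.islink(path):
            findings.append(f"{name}: regular file, not a symlink")
            continue
        target = os.readlink(path)
        if target != expected:
            # Also catches absolute paths and targets outside vars/.
            findings.append(f"{name}: links to {target}, expected {expected}")
        elif not os.path.isfile(path):
            findings.append(f"{name}: dangling link to {expected}")
    return findings


def build_sample(vars_dir):
    """Constructed sample tree (not the repository's real contents)."""
    for major in (8, 9):
        with open(os.path.join(vars_dir, f"RedHat_{major}.yml"), "w") as fh:
            fh.write("---\n__role_packages: []\n")
    links = {
        "AlmaLinux_8.yml": "RedHat_8.yml",     # as intended
        "CentOS_9.yml": "RedHat_9.yml",        # as intended
        "Rocky_10.yml": "RedHat_10.yml",       # target file missing
        "Rocky_7.yml": "RedHat_7.yml",         # release does not exist
        "AlmaLinux_9.yml": "/etc/redhat.yml",  # leaves the vars/ directory
    }
    for name, target in links.items():
        os.symlink(target, os.path.join(vars_dir, name))
    with open(os.path.join(vars_dir, "CentOS_8.yml"), "w") as fh:
        fh.write("---\n")                      # stale copy instead of a link


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print("\n".join(audit_vars_dir(tmp)))
```

A regular file is reported for review rather than treated as an error, since the commit message says the symlink applies in almost every case, not all.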
Showing 30 changed files with 93 additions and 76 deletions.
2 changes: 1 addition & 1 deletion .ansible-lint
Expand Up @@ -21,6 +21,6 @@ exclude_paths:
- .markdownlint.yaml
- examples/roles/
mock_roles:
- linux-system-roles.template
- linux-system-roles.aide
supported_ansible_also:
- "2.14.0"
2 changes: 1 addition & 1 deletion .github/workflows/tft.yml
Expand Up @@ -181,7 +181,7 @@ jobs:
api_key: ${{ secrets.TF_API_KEY_RH }}
update_pull_request_status: false
tmt_hardware: '{ "memory": ">= ${{ needs.prepare_vars.outputs.memory }} MB" }'
tmt_plan_filter: "tag:general,template"
tmt_plan_filter: "tag:general,aide"

- name: Set final commit status
uses: myrotvorets/set-commit-status-action@master
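Review bot: The step at the end of this hunk, `uses: myrotvorets/set-commit-status-action@master`, tracks a mutable branch in a workflow that also reads `secrets.TF_API_KEY_RH`. Pin the action to a full commit SHA, with the version in a trailing comment, so that a change upstream cannot alter what runs in this job.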
2 changes: 1 addition & 1 deletion .github/workflows/weekly_ci.yml
Expand Up @@ -4,7 +4,7 @@ name: Weekly CI trigger
on: # yamllint disable-line rule:truthy
workflow_dispatch:
schedule:
- cron: 0 0 * * 6
- cron: 0 11 * * 6
env:
BRANCH_NAME: weekly-ci
COMMIT_MESSAGE: "ci: This PR is to trigger periodic CI testing"
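Review bot: The schedule moves from `0 0 * * 6` to `0 11 * * 6` without any mention in the commit message, which only covers the vars symlinks and the rh_distros variables. Say why the weekly run shifts by eleven hours, either in the message or in a comment next to the `cron:` line, and note there that the expression is evaluated in UTC.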
27 changes: 12 additions & 15 deletions README.md
@@ -1,11 +1,8 @@
# Role Name

[![ansible-lint.yml](https://github.com/linux-system-roles/template/actions/workflows/ansible-lint.yml/badge.svg)](https://github.com/linux-system-roles/template/actions/workflows/ansible-lint.yml) [![ansible-test.yml](https://github.com/linux-system-roles/template/actions/workflows/ansible-test.yml/badge.svg)](https://github.com/linux-system-roles/template/actions/workflows/ansible-test.yml) [![markdownlint.yml](https://github.com/linux-system-roles/template/actions/workflows/markdownlint.yml/badge.svg)](https://github.com/linux-system-roles/template/actions/workflows/markdownlint.yml) [![shellcheck.yml](https://github.com/linux-system-roles/template/actions/workflows/shellcheck.yml/badge.svg)](https://github.com/linux-system-roles/template/actions/workflows/shellcheck.yml) [![tft.yml](https://github.com/linux-system-roles/template/actions/workflows/tft.yml/badge.svg)](https://github.com/linux-system-roles/template/actions/workflows/tft.yml) [![tft_citest_bad.yml](https://github.com/linux-system-roles/template/actions/workflows/tft_citest_bad.yml/badge.svg)](https://github.com/linux-system-roles/template/actions/workflows/tft_citest_bad.yml) [![woke.yml](https://github.com/linux-system-roles/template/actions/workflows/woke.yml/badge.svg)](https://github.com/linux-system-roles/template/actions/workflows/woke.yml)
[![ansible-lint.yml](https://github.com/linux-system-roles/aide/actions/workflows/ansible-lint.yml/badge.svg)](https://github.com/linux-system-roles/aide/actions/workflows/ansible-lint.yml) [![ansible-test.yml](https://github.com/linux-system-roles/aide/actions/workflows/ansible-test.yml/badge.svg)](https://github.com/linux-system-roles/aide/actions/workflows/ansible-test.yml) [![markdownlint.yml](https://github.com/linux-system-roles/aide/actions/workflows/markdownlint.yml/badge.svg)](https://github.com/linux-system-roles/aide/actions/workflows/markdownlint.yml) [![shellcheck.yml](https://github.com/linux-system-roles/aide/actions/workflows/shellcheck.yml/badge.svg)](https://github.com/linux-system-roles/aide/actions/workflows/shellcheck.yml) [![tft.yml](https://github.com/linux-system-roles/aide/actions/workflows/tft.yml/badge.svg)](https://github.com/linux-system-roles/aide/actions/workflows/tft.yml) [![tft_citest_bad.yml](https://github.com/linux-system-roles/aide/actions/workflows/tft_citest_bad.yml/badge.svg)](https://github.com/linux-system-roles/aide/actions/workflows/tft_citest_bad.yml) [![woke.yml](https://github.com/linux-system-roles/aide/actions/workflows/woke.yml/badge.svg)](https://github.com/linux-system-roles/aide/actions/workflows/woke.yml)

![template](https://github.com/linux-system-roles/template/workflows/tox/badge.svg)

A template for an ansible role that configures some GNU/Linux subsystem or
service. A brief description of the role goes here.
Ansible role for managing Advanced Intrusion Detection Environment (AIDE).

## Requirements

Expand Down Expand Up @@ -34,12 +31,12 @@ A description of all input variables (i.e. variables that are defined in
`defaults/main.yml`) for the role should go here as these form an API of the
role. Each variable should have its own section e.g.

### template_foo
### aide_foo

This variable is required. It is a string that lists the foo of the role.
There is no default value.

### template_bar
### aide_bar

This variable is optional. It is a boolean that tells the role to disable bar.
The default value is `true`.
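Review bot: `### aide_foo` and `### aide_bar` are the template's placeholder variables with the prefix swapped, so the README now documents "the foo of the role" and "disable bar" as if they were the aide role's input API. Replace these sections with the role's real variables, or mark them as placeholders until the role is implemented; the same applies to `aide_foo` and `aide_bar` in `defaults/main.yml` and `examples/simple.yml`.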
Expand All @@ -53,8 +50,8 @@ the lifetime.
Example of setting the variables:

```yaml
template_foo: "oof"
template_bar: false
aide_foo: "oof"
aide_bar: false
```
## Variables Exported by the Role
Expand All @@ -63,12 +60,12 @@ This section is optional. Some roles may export variables for playbooks to
use later. These are analogous to "return values" in Ansible modules. For
example, if a role performs some action that will require a system reboot, but
the user wants to defer the reboot, the role might set a variable like
`template_reboot_needed: true` that the playbook can use to reboot at a more
`aide_reboot_needed: true` that the playbook can use to reboot at a more
convenient time.

Example:

### template_reboot_needed
### aide_reboot_needed

Default `false` - if `true`, this means a reboot is needed to apply the changes
made by the role
Expand All @@ -79,13 +76,13 @@ Including an example of how to use your role (for instance, with variables
passed in as parameters) is always nice for users too:

```yaml
- name: Manage the template subsystem
- name: Manage the aide subsystem
hosts: all
vars:
template_foo: "foo foo!"
template_bar: false
aide_foo: "foo foo!"
aide_bar: false
roles:
- linux-system-roles.template
- linux-system-roles.aide
```

More examples can be provided in the [`examples/`](examples) directory. These
8 changes: 4 additions & 4 deletions contributing.md
@@ -1,4 +1,4 @@
# Contributing to the template Linux System Role
# Contributing to the aide Linux System Role

## Where to start

Expand All @@ -12,10 +12,10 @@ This has all of the common information that all role developers need:
* How to create git commits and submit pull requests

**Bugs and needed implementations** are listed on
[Github Issues](https://github.com/linux-system-roles/template/issues).
[Github Issues](https://github.com/linux-system-roles/aide/issues).
Issues labeled with
[**help wanted**](https://github.com/linux-system-roles/template/issues?q=is%3Aissue+is%3Aopen+label%3A%22help+wanted%22)
[**help wanted**](https://github.com/linux-system-roles/aide/issues?q=is%3Aissue+is%3Aopen+label%3A%22help+wanted%22)
are likely to be suitable for new contributors!

**Code** is managed on [Github](https://github.com/linux-system-roles/template), using
**Code** is managed on [Github](https://github.com/linux-system-roles/aide), using
[Pull Requests](https://help.github.com/en/github/collaborating-with-issues-and-pull-requests/about-pull-requests).
4 changes: 2 additions & 2 deletions defaults/main.yml
Expand Up @@ -4,5 +4,5 @@
# This file also serves as a documentation for such a variables.

# Examples of role input variables:
template_foo: foo
template_bar: true
aide_foo: foo
aide_bar: true
8 changes: 4 additions & 4 deletions examples/simple.yml
@@ -1,9 +1,9 @@
# SPDX-License-Identifier: MIT
---
- name: Example template role invocation
- name: Example aide role invocation
hosts: all
vars:
template_foo: example variable value
template_bar: false
aide_foo: example variable value
aide_bar: false
roles:
- linux-system-roles.template
- linux-system-roles.aide
4 changes: 2 additions & 2 deletions handlers/main.yml
@@ -1,7 +1,7 @@
# SPDX-License-Identifier: MIT
---
- name: Handler for template to restart services
- name: Handler for aide to restart services
service:
name: "{{ item }}"
state: restarted
loop: "{{ __template_services }}"
loop: "{{ __aide_services }}"
14 changes: 7 additions & 7 deletions tasks/main.yml
Expand Up @@ -6,22 +6,22 @@
# Examples of some tasks:
- name: Ensure required packages are installed
package:
name: "{{ __template_packages }}"
name: "{{ __aide_packages }}"
state: present
use: "{{ (__template_is_ostree | d(false)) |
use: "{{ (__aide_is_ostree | d(false)) |
ternary('ansible.posix.rhel_rpm_ostree', omit) }}"

- name: Ensure required services are enabled and started
service:
name: "{{ item }}"
state: started
enabled: true
loop: "{{ __template_services }}"
loop: "{{ __aide_services }}"

- name: Generate /etc/{{ __template_foo_config }}
- name: Generate /etc/{{ __aide_foo_config }}
template:
src: "{{ __template_foo_config }}.j2"
dest: /etc/{{ __template_foo_config }}
src: "{{ __aide_foo_config }}.j2"
dest: /etc/{{ __aide_foo_config }}
backup: true
mode: "0400"
notify: Handler for template to restart services
notify: Handler for aide to restart services
File renamed without changes.
File renamed without changes.
File renamed without changes.
4 changes: 2 additions & 2 deletions tests/setup-snapshot.yml
Expand Up @@ -4,11 +4,11 @@
tasks:
- name: Set platform/version specific variables
include_role:
name: linux-system-roles.template
name: linux-system-roles.aide
tasks_from: set_vars.yml
public: true

- name: Install test packages
package:
name: "{{ __template_packages }}"
name: "{{ __aide_packages }}"
state: present
4 changes: 2 additions & 2 deletions tests/tests_default.yml
Expand Up @@ -4,10 +4,10 @@
hosts: all
gather_facts: false # test that role works in this case
roles:
- linux-system-roles.template
- linux-system-roles.aide
tasks:
- name: Check header for ansible_managed, fingerprint
include_tasks: tasks/check_header.yml
vars:
__file: /etc/foo.conf
__fingerprint: system_role:template
__fingerprint: system_role:aide
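Review bot: `__fingerprint: system_role:aide` now expects the new string in the header of `/etc/foo.conf`, but the commit lists three files as renamed without changes and no template edit is visible in the diff. Confirm that the template rendered for `__aide_foo_config` emits `system_role:aide`; otherwise the header check in this test will fail.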
2 changes: 1 addition & 1 deletion tests/tests_include_vars_from_parent.yml
Expand Up @@ -44,7 +44,7 @@
import_role:
name: caller
vars:
roletoinclude: linux-system-roles.template
roletoinclude: linux-system-roles.aide

- name: Cleanup
file:
20 changes: 20 additions & 0 deletions tests/vars/rh_distros_vars.yml
@@ -0,0 +1,20 @@
# vars for handling conditionals for RedHat and clones
# DO NOT EDIT - file is auto-generated
# repo is https://github.com/linux-system-roles/.github
# file is playbooks/templates/tests/vars/rh_distros_vars.yml
---
# Ansible distribution identifiers that the role treats like RHEL
__aide_rh_distros:
- AlmaLinux
- CentOS
- RedHat
- Rocky

# Same as above but includes Fedora
__aide_rh_distros_fedora: "{{ __aide_rh_distros + ['Fedora'] }}"

# Use this in conditionals to check if distro is Red Hat or clone
__aide_is_rh_distro: "{{ ansible_distribution in __aide_rh_distros }}"

# Use this in conditionals to check if distro is Red Hat or clone, or Fedora
__aide_is_rh_distro_fedora: "{{ ansible_distribution in __aide_rh_distros_fedora }}"
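Review bot: `__aide_is_rh_distro` and `__aide_is_rh_distro_fedora` read `ansible_distribution`, and this file exists so tests can load it before the role is included, so nothing guarantees the fact is defined when they are evaluated; `tests/tests_default.yml` even sets `gather_facts: false`. Add a header comment stating that distribution facts must be gathered before these variables are used, next to the existing "DO NOT EDIT" lines.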
1 change: 1 addition & 0 deletions vars/AlmaLinux_10.yml
1 change: 1 addition & 0 deletions vars/AlmaLinux_8.yml
1 change: 1 addition & 0 deletions vars/AlmaLinux_9.yml
7 changes: 0 additions & 7 deletions vars/CentOS_10.yml

This file was deleted.

1 change: 1 addition & 0 deletions vars/CentOS_10.yml
7 changes: 0 additions & 7 deletions vars/CentOS_7.yml

This file was deleted.

1 change: 1 addition & 0 deletions vars/CentOS_7.yml
7 changes: 0 additions & 7 deletions vars/CentOS_8.yml

This file was deleted.

1 change: 1 addition & 0 deletions vars/CentOS_8.yml
7 changes: 0 additions & 7 deletions vars/CentOS_9.yml

This file was deleted.

1 change: 1 addition & 0 deletions vars/CentOS_9.yml
1 change: 1 addition & 0 deletions vars/Rocky_10.yml
1 change: 1 addition & 0 deletions vars/Rocky_8.yml
1 change: 1 addition & 0 deletions vars/Rocky_9.yml
30 changes: 24 additions & 6 deletions vars/main.yml
Expand Up @@ -5,17 +5,35 @@
# value in a platform/version specific file in vars/

# Examples of non-distribution specific (generic) internal variables:
__template_foo_config: foo.conf
__template_packages: []
__template_services: []
__aide_foo_config: foo.conf
__aide_packages: []
__aide_services: []
# ansible_facts required by the role
__template_required_facts:
__aide_required_facts:
- distribution
- distribution_major_version
- distribution_version
- os_family
# the subsets of ansible_facts that need to be gathered in case any of the
# facts in required_facts is missing; see the documentation of
# the 'gather_subset' parameter of the 'setup' module
__template_required_facts_subsets: "{{ ['!all', '!min'] +
__template_required_facts }}"
__aide_required_facts_subsets: "{{ ['!all', '!min'] +
__aide_required_facts }}"

# BEGIN - DO NOT EDIT THIS BLOCK - rh distros variables
# Ansible distribution identifiers that the role treats like RHEL
__aide_rh_distros:
- AlmaLinux
- CentOS
- RedHat
- Rocky

# Same as above but includes Fedora
__aide_rh_distros_fedora: "{{ __aide_rh_distros + ['Fedora'] }}"

# Use this in conditionals to check if distro is Red Hat or clone
__aide_is_rh_distro: "{{ ansible_distribution in __aide_rh_distros }}"

# Use this in conditionals to check if distro is Red Hat or clone, or Fedora
__aide_is_rh_distro_fedora: "{{ ansible_distribution in __aide_rh_distros_fedora }}"
# END - DO NOT EDIT THIS BLOCK - rh distros variables
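Review bot: The rh distros block at the end of this hunk tests `ansible_distribution`, the injected top-level fact variable, while `__aide_required_facts` just above is written in terms of `ansible_facts` keys. With fact injection turned off (`inject_facts_as_vars = false`) the top-level name is undefined, whereas `ansible_facts['distribution']` works in both settings; since the block is generated, the change belongs in the generator repository named in `tests/vars/rh_distros_vars.yml`. The block is also a second copy of the definitions in that test file, so both need to be regenerated together to avoid drift.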
