ACTUALLY corrects the behavior in #297 #303
Conversation
There was a problem hiding this comment.
I'd like to first just try changing:
- file: file_{{ stig_id }}-{{ cfgFile }}
to:
- file: {{ cfgFile }}
in each file, to see if that gives salt enough of a clue to de-dupe the service.running states.
If that doesn't work, then we can proceed with moving the service.running to a separate sls, but we'll still need to modify the stig sls's to include the restart_sshd sls, remove the onchanges from the service.running state, and use onchanges_in the file.replace states to point at the state service: service_sshd_restart.
The include directive should be within the jinja else block, so the service state does not run if the stig_id is skipped.
Lemme make a quick branch to try it out. |
Ok, so, they've updated saltstack so that using |
|
Any other methods want to test before accepting the PR? |
There was a problem hiding this comment.
The current implementation is still incomplete. It relies on someone invoking the .cat2 sls to include the service restart. If someone calls RHEL-07-040660 directly, no restart.
To address that, each of the RHEL-07-xxxxxx.sls files changed in this PR can implement the following pattern with include and onchanges_in:
{%- else %}
include:
- ash-linux.el7.STIGbyID.cat2.restart_sshd
file_{{ stig_id }}-{{ cfgFile }}:
file.replace:
- name: '{{ cfgFile }}'
- pattern: '^\s*{{ parmName }} .*$'
- repl: '{{ parmName }} {{ parmValu }}'
- append_if_not_found: True
- not_found_content: |-
# Inserted per STIG {{ stig_id }}
{{ parmName }} {{ parmValu }}
- onchanges_in:
- service: service_sshd_restart
{%- endif %}
Then:
- Remove
ash-linux.el7.STIGbyID.cat2.restart_sshdfromcat2/init.slsas it is no longer necessary - Delete the
onchangesdirective fromcat2/restart_sshd.sls, since each state sets the requisite withonchanges_in
|
Seems like that would still cause each state that has the |
|
I don't believe so, but it's a bit difficult to say for sure without studying the rendered highstate data structure. |
|
Running a test now to validate: just because things feel like you're circling over the same terrain doesn't actually mean you are (and, even if you are, that doing it on a ATV rather than a dirtbike won't produce different results). |
|
Ok. First run through seems to have not triggered the "too many restarts" error ...but then, because I'd branched off of master, meant that my skip-logic for the ( |
|
Looks good: Will push the mods, shortly. |
Previous fix for #297 turned out to not actually fix the "
restarted too many times too soon" behavior. This fix appears to better do so.