From 4e585d7c1b5ee18fe6fab3fd61ef7448fccdc594 Mon Sep 17 00:00:00 2001 From: Slavek Kabrda Date: Thu, 22 Apr 2021 11:53:20 +0200 Subject: [PATCH 01/12] Improvements for APT keys management * By default, get keys from keys.datadoghq.com, not Ubuntu keyserver * Always add the DATADOG_APT_KEY_CURRENT.public key (contains key used to sign current repodata) * Add 'signed-by' option to all sources list lines * On Debian >= 9 and Ubuntu >= 16, only add keys to /usr/share/keyrings/datadog-archive-keyring.gpg * On older systems, also add the same keyring to /etc/apt/trusted.gpg.d --- README.md | 25 ++--------------- defaults/main.yml | 23 ++++++++++----- tasks/_apt-key-import.yml | 59 +++++++++++++++++++++++++++++++++++++++ tasks/pkg-debian.yml | 54 +++++++++++++++-------------------- 4 files changed, 100 insertions(+), 61 deletions(-) create mode 100644 tasks/_apt-key-import.yml diff --git a/README.md b/README.md index 4878c177..179ef0b8 100644 --- a/README.md +++ b/README.md @@ -47,9 +47,9 @@ To deploy the Datadog Agent on hosts, add the Datadog role and your API key to y | `datadog_disable_default_checks` | Set to `true` to remove all default checks. | | `datadog_config` | Settings for the main Agent configuration file:
- `/etc/datadog-agent/datadog.yaml` for Agent v6 and v7,
- `/etc/dd-agent/datadog.conf` for Agent v5 (under the `[Main]` section). | | `datadog_config_ex` | (Optional) Extra INI sections to go in `/etc/dd-agent/datadog.conf` (Agent v5 only). | -| `datadog_apt_repo` | Override the default Datadog `apt` repository. | +| `datadog_apt_repo` | Override the default Datadog `apt` repository. Make sure to use the `signed-by` option if repodata is signed using Datadog's signing keys: `deb [signed-by=/usr/share/keyrings/datadog-archive-keyring.gpg] https://yourrepo`. | | `datadog_apt_cache_valid_time` | Override the default apt cache expiration time (defaults to 1 hour). | -| `datadog_apt_key_url_new` | Override the default URL to Datadog `apt` key (key ID `382E94DE`; the deprecated `datadog_apt_key_url` variable refers to an expired key that's been removed from the role). | +| `datadog_apt_key_url_new` | Override the location from which to obtain Datadog `apt` key (key ID `382E94DE`; the deprecated `datadog_apt_key_url` variable refers to an expired key that's been removed from the role). The URL is expected to be a GPG keyring containing keys `382E94DE` and `F14F620E`. | | `datadog_yum_repo` | Override the default Datadog `yum` repository. | | `datadog_yum_repo_gpgcheck` | Override the default `repo_gpgcheck` value (`yes`) - use `no` to turn off repodata GPG signature verification. Note that repodata signature verification is always turned off for Agent 5. | | `datadog_yum_gpgcheck` | Override the default `gpgcheck` value (`yes`) - use `no` to turn off package GPG signature verification. | 
@@ -64,7 +64,6 @@ To deploy the Datadog Agent on hosts, add the Datadog role and your API key to y | `datadog_zypper_gpgkey_e09422b3` | Override the default URL to the Datadog `zypper` key used to verify Agent v6.14+ packages (key ID `E09422B3`). | | `datadog_zypper_gpgkey_e09422b3_sha256sum` | Override the default checksum of the `datadog_zypper_gpgkey_e09422b3` key. | | `datadog_agent_allow_downgrade` | Set to `yes` to allow Agent downgrades on apt-based platforms (use with caution, see `defaults/main.yml` for details). **Note**: On Centos this only works with Ansible 2.4+. | -| `use_apt_backup_keyserver` | Set to `true` to use the backup keyserver instead of the default one. | | `datadog_enabled` | Set to `false` to prevent `datadog-agent` service from starting (defaults to `true`). | | `datadog_additional_groups` | Either a list, or a string containing a comma-separated list of additional groups for the `datadog_user` (Linux only). | | `datadog_windows_ddagentuser_name` | The name of Windows user to create/use, in the format `\` (Windows only). | 
@@ -485,26 +484,6 @@ Alternatively, if your playbook **only runs on Windows hosts**, use the followin ## Troubleshooting -### Debian stretch - -On Debian Stretch, the `apt_key` module used by the role requires an additional system dependency to work correctly. The dependency (`dirmngr`) is not provided by the module. Add the following configuration to your playbooks to make use of the present role: - -```yml ---- -- hosts: all - pre_tasks: - - name: Debian Stretch requires the dirmngr package to use apt_key - become: yes - apt: - name: dirmngr - state: present - - roles: - - { role: datadog.datadog, become: yes } - vars: - datadog_api_key: "" -``` - ### CentOS 6/7 with Python 3 interpreter The `yum` Python module, which is used in this role to install the Agent on CentOS-based hosts, is only available on Python 2. When a Python 3 interpreter is detected on a target host, the `dnf` package manager and the `dnf` Python module are used instead. diff --git a/defaults/main.yml b/defaults/main.yml index 3c65a9de..8c51082f 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -59,12 +59,8 @@ datadog_agent_flavor: "datadog-agent" # Use the datadog_apt_repo variable to override the repository used. datadog_apt_repo: "" - datadog_apt_cache_valid_time: 3600 datadog_apt_key_retries: 5 -use_apt_backup_keyserver: false -datadog_apt_keyserver: hkp://keyserver.ubuntu.com:80 -datadog_apt_backup_keyserver: hkp://pool.sks-keyservers.net:80 # Default yum repo and keys 
@@ -157,10 +153,23 @@ win_install_args: " " # The following variables are for internal use only, do not modify them. # +datadog_apt_trusted_d_keyring: "/etc/apt/trusted.gpg.d/datadog-archive-keyring.gpg" +datadog_apt_usr_share_keyring: "/usr/share/keyrings/datadog-archive-keyring.gpg" +datadog_apt_key_current_name: "DATADOG_APT_KEY_CURRENT" +# NOTE: we don't use URLs starting with https://keys.datadoghq.com/, as Python +# on older Debian/Ubuntu doesn't support SNI and get_url would fail on them +datadog_apt_default_keys: + - key: "{{ datadog_apt_key_current_name }}" + value: https://s3.amazonaws.com/public-signing-keys/DATADOG_APT_KEY_CURRENT.public + - key: A2923DFF56EDA6E76E55E492D3A80E30382E94DE + value: https://s3.amazonaws.com/public-signing-keys/DATADOG_APT_KEY_382E94DE.public + - key: D75CEA17048B9ACBF186794B32637D44F14F620E + value: https://s3.amazonaws.com/public-signing-keys/DATADOG_APT_KEY_F14F620E.public + # The default apt repository for each major Agent version is specified in the following variables. -datadog_agent5_apt_repo: "deb https://apt.datadoghq.com/ stable main" -datadog_agent6_apt_repo: "deb https://apt.datadoghq.com/ stable 6" -datadog_agent7_apt_repo: "deb https://apt.datadoghq.com/ stable 7" +datadog_agent5_apt_repo: "deb [signed-by={{ datadog_apt_usr_share_keyring }}] https://apt.datadoghq.com/ stable main" +datadog_agent6_apt_repo: "deb [signed-by={{ datadog_apt_usr_share_keyring }}] https://apt.datadoghq.com/ stable 6" +datadog_agent7_apt_repo: "deb [signed-by={{ datadog_apt_usr_share_keyring }}] https://apt.datadoghq.com/ stable 7" # The default yum repository for each major Agent version is specified in the following variables. datadog_agent5_yum_repo: "https://yum.datadoghq.com/rpm/{{ ansible_facts.architecture }}" diff --git a/tasks/_apt-key-import.yml b/tasks/_apt-key-import.yml new file mode 100644 index 00000000..e3783d53 --- /dev/null +++ b/tasks/_apt-key-import.yml 
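Review bot: The three `value:` URLs in `datadog_apt_default_keys` become the root of trust for every `signed-by` repository line added below, yet nothing in the hunk records what is expected at `DATADOG_APT_KEY_CURRENT.public` — its entry carries the placeholder name instead of a fingerprint, so a host trusts whatever that URL serves, anchored only on the TLS connection to s3.amazonaws.com. That assumption deserves a comment next to the list, e.g. `# Root of trust for the signed-by keyrings below: the two fingerprinted entries are narrowed on import, the CURRENT entry is imported as served.` The `NOTE:` comment explains why the URLs avoid keys.datadoghq.com, while the patch description says keys are obtained from keys.datadoghq.com; if the S3 bucket mirrors the same files, the comment should say so, since the apparent contradiction will confuse anyone auditing where keys come from. The placement under "internal use only, do not modify" also sits awkwardly with the README telling users to reference `datadog_apt_usr_share_keyring`'s path in their own `datadog_apt_repo` lines.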
@@ -0,0 +1,59 @@ +# We allow users to specify a file from which to import keys, so we expect +# that to be a binary keyring; at the same time, we have ascii armored +# individual keys at keys.datadoghq.com that we import. The below procedure +# can be called for a URL pointing to a keyring or an ascii armored file +# and extract and import a specific key from it (we specialcase the +# DATADOG_APT_KEY_CURRENT value, which we always expect to be ascii +# armored individual key). + +- set_fact: + key_fingerprint: "{{ item.key }}" + keyring_url: "{{ item.value }}" + +- name: "Find out whether key {{ key_fingerprint }} is already imported" + ansible.builtin.shell: "gpg --no-default-keyring --keyring {{ datadog_apt_usr_share_keyring }} --list-keys --with-fingerprint --with-colons | grep {{ key_fingerprint }}" + register: key_exists_result + failed_when: false # we expect the command to fail when the key is not found; we never want this task to fail + when: key_fingerprint != datadog_apt_key_current_name # we always want to import the CURRENT key + +- set_fact: + key_needs_import: "{{ 'false' if key_exists_result.rc == 0 else 'true' }}" + when: key_fingerprint != datadog_apt_key_current_name + +- set_fact: + key_needs_import: "true" + when: key_fingerprint == datadog_apt_key_current_name + +- name: "Create temporary directory for key manipulation" + ansible.builtin.tempfile: + state: directory + suffix: build + register: tempdir + when: key_needs_import + +- name: "Download {{ keyring_url }} to import key {{ key_fingerprint }}" + get_url: + url: "{{ keyring_url }}" + dest: "{{ tempdir.path }}/{{ key_fingerprint }}" + force: yes + when: key_needs_import + +# gpg --dearmor called on a binary keyring does nothing +- name: "Ensure downloaded file for {{ key_fingerprint }} is a binary keyring" + ansible.builtin.shell: "cat {{ tempdir.path }}/{{ key_fingerprint }} | gpg --dearmor > {{ tempdir.path }}/binary.gpg" + when: key_needs_import + +- name: "Extract the required key from 
the binary keyring (when not {{ datadog_apt_key_current_name }})" + ansible.builtin.shell: "gpg --no-default-keyring --keyring {{ tempdir.path }}/binary.gpg --export {{ key_fingerprint }} > {{ tempdir.path}}/single.gpg" + when: key_fingerprint != datadog_apt_key_current_name and key_needs_import + +- name: "Extract the required key from the binary keyring (when {{ datadog_apt_key_current_name }})" + ansible.builtin.copy: + src: "{{ tempdir.path }}/binary.gpg" + dest: "{{ tempdir.path }}/single.gpg" + remote_src: yes + when: key_fingerprint == datadog_apt_key_current_name and key_needs_import + +- name: "Import key {{ key_fingerprint }} to {{ datadog_apt_usr_share_keyring }} keyring" + ansible.builtin.shell: "cat {{ tempdir.path }}/single.gpg | gpg -q --no-default-keyring --keyring {{ datadog_apt_usr_share_keyring }} --import --batch" + when: key_needs_import diff --git a/tasks/pkg-debian.yml b/tasks/pkg-debian.yml index 7f7c6c98..ced8f250 100644 --- a/tasks/pkg-debian.yml +++ b/tasks/pkg-debian.yml 
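Review bot: The `DATADOG_APT_KEY_CURRENT` branch imports the downloaded file verbatim (the `copy` of `binary.gpg` to `single.gpg` followed by `--import`) with no fingerprint check, whereas every other key is narrowed by `--export {{ key_fingerprint }}`; so whatever `keyring_url` serves ends up in the keyring that `signed-by` trusts, on the strength of the `get_url` TLS connection alone. The header comment should state that assumption explicitly, e.g. `# The CURRENT key is imported as downloaded; its trust rests on the TLS channel to keyring_url, not on a pinned fingerprint.` For the fingerprinted keys, `gpg --export` of a fingerprint absent from the downloaded file writes an empty `single.gpg` and, as far as I recall, still exits 0, so a wrong `datadog_apt_key_url_new` would make the "Import key" task succeed while importing nothing; a `failed_when` on an empty export (or a `stat`-based size check) would surface that. The downloaded material and `tempdir` are also never cleaned up, which is worth a follow-up.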
@@ -6,42 +6,34 @@ state: present when: not ansible_check_mode -- name: Install apt-key from keyserver (Expires 2022) - apt_key: - id: A2923DFF56EDA6E76E55E492D3A80E30382E94DE - keyserver: "{{ datadog_apt_backup_keyserver if use_apt_backup_keyserver else datadog_apt_keyserver }}" - state: present - # keyserver.ubuntu.com is a pool of server, we should retry if one of them is down - register: result - until: not result.failed is defined or not result.failed - retries: "{{ datadog_apt_key_retries }}" - when: datadog_apt_key_url_new is not defined - -- name: Install Datadog apt-key from url (Expires 2022) - apt_key: - id: A2923DFF56EDA6E76E55E492D3A80E30382E94DE - url: "{{ datadog_apt_key_url_new }}" - state: present - when: datadog_apt_key_url_new is defined +- name: "Ensure {{ datadog_apt_usr_share_keyring }} exists" + ansible.builtin.file: + path: "{{ datadog_apt_usr_share_keyring }}" + owner: root + group: root + mode: "0644" + state: touch -- name: Install apt-key from keyserver (Expires 2032) - apt_key: - id: D75CEA17048B9ACBF186794B32637D44F14F620E - keyserver: "{{ datadog_apt_backup_keyserver if use_apt_backup_keyserver else datadog_apt_keyserver }}" - state: present - # keyserver.ubuntu.com is a pool of server, we should retry if one of them is down - register: result_2032 - until: not result_2032.failed is defined or not result_2032.failed - retries: "{{ datadog_apt_key_retries }}" +- name: Install apt keys from default URLs + include_tasks: _apt-key-import.yml + with_dict: + "{{ datadog_apt_default_keys|items2dict }}" when: datadog_apt_key_url_new is not defined -- name: Install Datadog apt-key from url (Expires 2032) - apt_key: - id: D75CEA17048B9ACBF186794B32637D44F14F620E - url: "{{ datadog_apt_key_url_new }}" - state: present +- name: Install apt keys from custom URL + include_tasks: _apt-key-import.yml + with_dict: + A2923DFF56EDA6E76E55E492D3A80E30382E94DE: "{{ datadog_apt_key_url_new }}" + D75CEA17048B9ACBF186794B32637D44F14F620E: "{{ 
datadog_apt_key_url_new }}" when: datadog_apt_key_url_new is defined +- name: "Ensure {{ datadog_apt_trusted_d_keyring }} exists with same contents as {{ datadog_apt_usr_share_keyring }} for older distro versions" + copy: + src: "{{ datadog_apt_usr_share_keyring }}" + dest: "{{ datadog_apt_trusted_d_keyring }}" + remote_src: yes + when: (ansible_distribution == 'Debian' and ansible_lsb.major_release|int < 9) or (ansible_distribution == 'Ubuntu' and ansible_lsb.major_release|int < 16) + - name: Ensure Datadog non-https repositories are deprecated apt_repository: repo: "{{ item }}" From 5b1a871a493fa5150786d4932b344cf7648562e7 Mon Sep 17 00:00:00 2001 From: Slavek Kabrda Date: Thu, 22 Apr 2021 12:14:57 +0200 Subject: [PATCH 02/12] Fix ansible lint --- tasks/_apt-key-import.yml | 11 +++++++---- tasks/pkg-debian.yml | 1 + 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/tasks/_apt-key-import.yml b/tasks/_apt-key-import.yml index e3783d53..0f7770ec 100644 --- a/tasks/_apt-key-import.yml +++ b/tasks/_apt-key-import.yml @@ -6,7 +6,8 @@ # DATADOG_APT_KEY_CURRENT value, which we always expect to be ascii # armored individual key). -- set_fact: +- name: "Set local variables for processed key {{ item.key }}" + set_fact: key_fingerprint: "{{ item.key }}" keyring_url: "{{ item.value }}" 
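Review bot: The `when:` on the "Ensure … trusted_d_keyring exists" task reads `ansible_lsb.major_release`, but `ansible_lsb` is only populated when `lsb_release` (or /etc/lsb-release) is present; on minimal Debian images it is an empty mapping, so this expression raises an undefined-attribute error instead of evaluating to false. Use the distribution facts that are always set: `when: ((ansible_distribution == 'Debian' and ansible_distribution_major_version|int < 9) or (ansible_distribution == 'Ubuntu' and ansible_distribution_major_version|int < 16))`; patch 04's `@@ -33,7 +34,7 @@` hunk re-touches the same expression and needs the same change. Separately, the "Install apt keys from custom URL" branch imports only the two fixed fingerprints from `datadog_apt_key_url_new` and never `DATADOG_APT_KEY_CURRENT`, which the patch description says contains the key signing current repository metadata; if that key is not one of the two, hosts using the override will fail `signed-by` verification, and patch 06's `@@ -17,15 +17,17 @@` hunk keeps this shape. The final `apt_repository` task continues outside the hunk.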
@@ -16,11 +17,13 @@ failed_when: false # we expect the command to fail when the key is not found; we never want this task to fail when: key_fingerprint != datadog_apt_key_current_name # we always want to import the CURRENT key -- set_fact: +- name: "Set local helper variable for determining key import (when not {{ datadog_apt_key_current_name }})" + set_fact: key_needs_import: "{{ 'false' if key_exists_result.rc == 0 else 'true' }}" when: key_fingerprint != datadog_apt_key_current_name -- set_fact: +- name: "Set local helper variable for determining key import (when {{ datadog_apt_key_current_name }})" + set_fact: key_needs_import: "true" when: key_fingerprint == datadog_apt_key_current_name @@ -44,7 +47,7 @@ when: key_needs_import - name: "Extract the required key from the binary keyring (when not {{ datadog_apt_key_current_name }})" - ansible.builtin.shell: "gpg --no-default-keyring --keyring {{ tempdir.path }}/binary.gpg --export {{ key_fingerprint }} > {{ tempdir.path}}/single.gpg" + ansible.builtin.shell: "gpg --no-default-keyring --keyring {{ tempdir.path }}/binary.gpg --export {{ key_fingerprint }} > {{ tempdir.path }}/single.gpg" when: key_fingerprint != datadog_apt_key_current_name and key_needs_import - name: "Extract the required key from the binary keyring (when {{ datadog_apt_key_current_name }})" diff --git a/tasks/pkg-debian.yml b/tasks/pkg-debian.yml index ced8f250..186c9350 100644 --- a/tasks/pkg-debian.yml +++ b/tasks/pkg-debian.yml @@ -31,6 +31,7 @@ copy: src: "{{ datadog_apt_usr_share_keyring }}" dest: "{{ datadog_apt_trusted_d_keyring }}" + mode: "0644" remote_src: yes when: (ansible_distribution == 'Debian' and ansible_lsb.major_release|int < 9) or (ansible_distribution == 'Ubuntu' and ansible_lsb.major_release|int < 16) From e67cef7ef7aca3fda9a0fcf22d986aa6a8b74b11 Mon Sep 17 00:00:00 2001 
From: Slavek Kabrda Date: Thu, 22 Apr 2021 13:07:02 +0200 Subject: [PATCH 03/12] Minor fix + debug for tempfile variable --- tasks/_apt-key-import.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/tasks/_apt-key-import.yml b/tasks/_apt-key-import.yml index 0f7770ec..23399c4f 100644 --- a/tasks/_apt-key-import.yml +++ b/tasks/_apt-key-import.yml @@ -30,10 +30,14 @@ - name: "Create temporary directory for key manipulation" ansible.builtin.tempfile: state: directory - suffix: build + suffix: keys register: tempdir when: key_needs_import +- name: "Debug tempdir" + ansible.builtin.debug: + var: tempdir + - name: "Download {{ keyring_url }} to import key {{ key_fingerprint }}" get_url: url: "{{ keyring_url }}" From fe6a626ce3c8f87954a31100fb45a1ef49fcb9ea Mon Sep 17 00:00:00 2001 From: Slavek Kabrda Date: Thu, 22 Apr 2021 13:13:55 +0200 Subject: [PATCH 04/12] Remove debug, add ansible_check_mode conditionals --- tasks/_apt-key-import.yml | 4 ---- tasks/pkg-debian.yml | 7 ++++--- 2 files changed, 4 insertions(+), 7 deletions(-) diff --git a/tasks/_apt-key-import.yml b/tasks/_apt-key-import.yml index 23399c4f..d2f7a400 100644 --- a/tasks/_apt-key-import.yml +++ b/tasks/_apt-key-import.yml @@ -34,10 +34,6 @@ register: tempdir when: key_needs_import -- name: "Debug tempdir" - ansible.builtin.debug: - var: tempdir - - name: "Download {{ keyring_url }} to import key {{ key_fingerprint }}" get_url: url: "{{ keyring_url }}" diff --git a/tasks/pkg-debian.yml b/tasks/pkg-debian.yml index 186c9350..1bbb47f8 100644 --- a/tasks/pkg-debian.yml +++ b/tasks/pkg-debian.yml 
@@ -13,19 +13,20 @@ group: root mode: "0644" state: touch + when: not ansible_check_mode - name: Install apt keys from default URLs include_tasks: _apt-key-import.yml with_dict: "{{ datadog_apt_default_keys|items2dict }}" - when: datadog_apt_key_url_new is not defined + when: datadog_apt_key_url_new is not defined and not ansible_check_mode - name: Install apt keys from custom URL include_tasks: _apt-key-import.yml with_dict: A2923DFF56EDA6E76E55E492D3A80E30382E94DE: "{{ datadog_apt_key_url_new }}" D75CEA17048B9ACBF186794B32637D44F14F620E: "{{ datadog_apt_key_url_new }}" - when: datadog_apt_key_url_new is defined + when: datadog_apt_key_url_new is defined and not ansible_check_mode - name: "Ensure {{ datadog_apt_trusted_d_keyring }} exists with same contents as {{ datadog_apt_usr_share_keyring }} for older distro versions" copy: @@ -33,7 +34,7 @@ dest: "{{ datadog_apt_trusted_d_keyring }}" mode: "0644" remote_src: yes - when: (ansible_distribution == 'Debian' and ansible_lsb.major_release|int < 9) or (ansible_distribution == 'Ubuntu' and ansible_lsb.major_release|int < 16) + when: ((ansible_distribution == 'Debian' and ansible_lsb.major_release|int < 9) or (ansible_distribution == 'Ubuntu' and ansible_lsb.major_release|int < 16)) and not ansible_check_mode - name: Ensure Datadog non-https repositories are deprecated apt_repository: From 8e28ba1c2366fb6a8dc65afcb0fdb2009727617e Mon Sep 17 00:00:00 2001 From: Slavek Kabrda Date: Thu, 22 Apr 2021 13:24:47 +0200 Subject: [PATCH 05/12] Remove the ansible.builtin. prefix incompatible with older ansible versions --- tasks/_apt-key-import.yml | 12 ++++++------ tasks/pkg-debian.yml | 2 +- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/tasks/_apt-key-import.yml b/tasks/_apt-key-import.yml index d2f7a400..15a18ac4 100644 --- a/tasks/_apt-key-import.yml +++ b/tasks/_apt-key-import.yml 
@@ -12,7 +12,7 @@ keyring_url: "{{ item.value }}" - name: "Find out whether key {{ key_fingerprint }} is already imported" - ansible.builtin.shell: "gpg --no-default-keyring --keyring {{ datadog_apt_usr_share_keyring }} --list-keys --with-fingerprint --with-colons | grep {{ key_fingerprint }}" + shell: "gpg --no-default-keyring --keyring {{ datadog_apt_usr_share_keyring }} --list-keys --with-fingerprint --with-colons | grep {{ key_fingerprint }}" register: key_exists_result failed_when: false # we expect the command to fail when the key is not found; we never want this task to fail when: key_fingerprint != datadog_apt_key_current_name # we always want to import the CURRENT key @@ -28,7 +28,7 @@ when: key_fingerprint == datadog_apt_key_current_name - name: "Create temporary directory for key manipulation" - ansible.builtin.tempfile: + tempfile: state: directory suffix: keys register: tempdir 
@@ -43,20 +43,20 @@ # gpg --dearmor called on a binary keyring does nothing - name: "Ensure downloaded file for {{ key_fingerprint }} is a binary keyring" - ansible.builtin.shell: "cat {{ tempdir.path }}/{{ key_fingerprint }} | gpg --dearmor > {{ tempdir.path }}/binary.gpg" + shell: "cat {{ tempdir.path }}/{{ key_fingerprint }} | gpg --dearmor > {{ tempdir.path }}/binary.gpg" when: key_needs_import - name: "Extract the required key from the binary keyring (when not {{ datadog_apt_key_current_name }})" - ansible.builtin.shell: "gpg --no-default-keyring --keyring {{ tempdir.path }}/binary.gpg --export {{ key_fingerprint }} > {{ tempdir.path }}/single.gpg" + shell: "gpg --no-default-keyring --keyring {{ tempdir.path }}/binary.gpg --export {{ key_fingerprint }} > {{ tempdir.path }}/single.gpg" when: key_fingerprint != datadog_apt_key_current_name and key_needs_import - name: "Extract the required key from the binary keyring (when {{ datadog_apt_key_current_name }})" - ansible.builtin.copy: + copy: src: "{{ tempdir.path }}/binary.gpg" dest: "{{ tempdir.path }}/single.gpg" remote_src: yes when: key_fingerprint == datadog_apt_key_current_name and key_needs_import - name: "Import key {{ key_fingerprint }} to {{ datadog_apt_usr_share_keyring }} keyring" - ansible.builtin.shell: "cat {{ tempdir.path }}/single.gpg | gpg -q --no-default-keyring --keyring {{ datadog_apt_usr_share_keyring }} --import --batch" + shell: "cat {{ tempdir.path }}/single.gpg | gpg -q --no-default-keyring --keyring {{ datadog_apt_usr_share_keyring }} --import --batch" when: key_needs_import diff --git a/tasks/pkg-debian.yml b/tasks/pkg-debian.yml index 1bbb47f8..8a76bdd2 100644 --- a/tasks/pkg-debian.yml +++ b/tasks/pkg-debian.yml @@ -7,7 +7,7 @@ when: not ansible_check_mode - name: "Ensure {{ datadog_apt_usr_share_keyring }} exists" - ansible.builtin.file: + file: path: "{{ datadog_apt_usr_share_keyring }}" owner: root group: root From 4f173da47476668733a9ee5984916ce4879e192f Mon Sep 17 00:00:00 2001 
From: Slavek Kabrda Date: Thu, 22 Apr 2021 13:38:51 +0200 Subject: [PATCH 06/12] Get rid of items2dict usage, doesn't work on Ansible 2.6 --- tasks/.pkg-debian.yml.swp | Bin 0 -> 20480 bytes tasks/pkg-debian.yml | 12 +++++++----- 2 files changed, 7 insertions(+), 5 deletions(-) create mode 100644 tasks/.pkg-debian.yml.swp 
diff --git a/tasks/.pkg-debian.yml.swp b/tasks/.pkg-debian.yml.swp new file mode 100644 index 0000000000000000000000000000000000000000..e13a53f0cd49ace8b7c33b1822941a8f9314074b GIT binary patch literal 20480 zcmeI2Uu+!39mf{}h47~#1T~4OMw3Iqw$S~teLmaQhT{0nV2OVT3PlZcncJPa+uYvn zv9oK(I8H&Lm72B!@#h7U7sLbqgg}spKjH;Jd7wN*2m}R*01^U3tF{unzysfz-MxRl zbDT7&RWm1jWbfYW%>2Ido8Qdd{7RXdX0Ig^sbLMDi!|*g`dznuxMfOP_>HDqPy8?k^mCQT8hZlmbct zrGQdEDWDWk3Md6mD+T<<8tu2R_{_-aEz#dIy8fOOUC%~;f7bQ=ny%||*L8HM{wM{M z0!jg;fKosypcGIFCOWns&(rn)VnF=l}8h|99&&?LBZ5ybKP3 zgP;cXf)uz6eDh;X`wYAbUI)*E2f+it0tJu*>%kirYT94GA+QhZ1v#)5yc6}|U*~Ju z7vLpu5G()&o;Xj_9tSq~HJAozuo;{W-d~F{U=iE`_JGU5X7J^?n)Vi$0U59koC!WS z2mJ+q27dxOK@n^M8^Py4(zIjX5wHaIgI|H`z#;7PCpOo4O3H~8V@D0mt?41Nc$1iu6qfn)d~<|FV7I0BNyatu2#nJ!Z# z@}!j`k+vM}Q`=73)MwleQzi(RuQDf3qQnZFR+!`KVN!)Y$2@Mi4zV~fS=n-!xvKgb zmV=_5^$#{1X!yFv8ZOySZ01z_D!GDWh6r^`GU&KI{*jp;x>03DO|QEq8`20qK?5}~ z-Jtj)PZk)LcVUo^%ZA4|`YmsX%JU?#xY)8OZgOcUA&ZnPG)?PxFm5gGoe^-~t)mc) zp5d17dJB2j9X>EPElUiMqQe7^kwTb|LPV=!S)o?YNcyfwR$&_I3Kd>Kf$iIc1g_WY zvB&D}9E_E1Nx5{<=i{ps=|M|PIU3Zj=1H3QMjAGyxf^%}<0;#M2bghQjoxX${1zP- zZT2vIm+W2B^stxh3dp_+tBDv<&U|58IDlqLkj^$+R;GjzDYg$i3O=iHc@W1a_brQP89QAl!x<{+Mo}Hwp%Q;vkrd2L84|bEX=hpF*CokGu4`!CF$_Y#C zu?oayUMmdrl~M}CJ>z6uirazLXfq#vS?y!LFyr_=lO6g`oLqQYt3%Tw>=3Kmr%xnu z%T@Zx47E8EF=zR}&pMWGQQNwMwKpZFTx-zF!aIDI$a;hxgpB9OKznQx@p@cu^Roe2 zEZ3u0Zh5h>9>vDGi_KepRW~i+w#{I6(xE!BxJ}4w`K+F*u?2$I7tgnF?Wxnft`{#o z`z?68SR0yU;#l5XK1A>&+m@mw0JSq{jvHYN6xR+W4sL|8U(A+p2FotYQ9EGK>@(@DlTO6QYv&g522QFCSC3qWKu53{p;FY3LHOJ zU0uVup>T(@!bpoHANv~_TI1b~*!{p)Gr4Rwl+nb#t#kPi8u}jg3Cz?@9TUn!x@^;* zWo_MCp@4fjuR^}A;)dI3+vp@BH*SwLecFnGqI3_!v9BWW`b;P%T^00dorsmrwM~Zg zPK=pLqMavCEMLnAKHVnOn7B)boXyJxf-HLA*}B8#o6;l+?&e8hd~CWnH9VflPVAVR zn%*%pJdqop%`ZPXQ`BVrC(*#v$mGaqVPI=T#$Ie%g;hM>ABepy z*}dzUnswLrfFC5k^aCb*~7Gv2X2n+FWN@1<7Pm6Yu{|;XVGZK)nCs6;po1^_$|J`X~jI z0!jg;fKosypcGIFC;%(bJ@^D?`pQGfBk~Sp2C&MT`Tx$F>5=lWigb_f0rMJ&OaK4? literal 0 HcmV?d00001 
diff --git a/tasks/pkg-debian.yml b/tasks/pkg-debian.yml index 8a76bdd2..0e3a8750 100644 --- a/tasks/pkg-debian.yml +++ b/tasks/pkg-debian.yml @@ -17,15 +17,17 @@ - name: Install apt keys from default URLs include_tasks: _apt-key-import.yml - with_dict: - "{{ datadog_apt_default_keys|items2dict }}" + with_items: + "{{ datadog_apt_default_keys }}" when: datadog_apt_key_url_new is not defined and not ansible_check_mode - name: Install apt keys from custom URL include_tasks: _apt-key-import.yml - with_dict: - A2923DFF56EDA6E76E55E492D3A80E30382E94DE: "{{ datadog_apt_key_url_new }}" - D75CEA17048B9ACBF186794B32637D44F14F620E: "{{ datadog_apt_key_url_new }}" + with_items: + - key: A2923DFF56EDA6E76E55E492D3A80E30382E94DE + value: "{{ datadog_apt_key_url_new }}" + - key: D75CEA17048B9ACBF186794B32637D44F14F620E + value: "{{ datadog_apt_key_url_new }}" when: datadog_apt_key_url_new is defined and not ansible_check_mode - name: "Ensure {{ datadog_apt_trusted_d_keyring }} exists with same contents as {{ datadog_apt_usr_share_keyring }} for older distro versions" From f9c70d475545e1a54e44847622601931b444e26c Mon Sep 17 00:00:00 2001 From: Slavek Kabrda Date: Thu, 22 Apr 2021 13:49:08 +0200 Subject: [PATCH 07/12] Fix up more ansible lint issues after latest changes --- tasks/.pkg-debian.yml.swp | Bin 20480 -> 0 bytes tasks/_apt-key-import.yml | 11 ++++++++--- 2 files changed, 8 insertions(+), 3 deletions(-) delete mode 100644 tasks/.pkg-debian.yml.swp 
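Review bot: The custom-URL loop now hard-codes the two fingerprints that `datadog_apt_default_keys` in defaults/main.yml also lists, so any future key change has to be made in two places; a comment on the `with_items` such as `# keep in sync with datadog_apt_default_keys in defaults/main.yml` (or deriving the list from that variable) would make the coupling visible. The same commit also adds the binary `tasks/.pkg-debian.yml.swp`, an editor swap file that patch 07 deletes again; it should be dropped from this commit rather than committed and reverted.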
diff --git a/tasks/.pkg-debian.yml.swp b/tasks/.pkg-debian.yml.swp deleted file mode 100644 index e13a53f0cd49ace8b7c33b1822941a8f9314074b..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 20480 zcmeI2Uu+!39mf{}h47~#1T~4OMw3Iqw$S~teLmaQhT{0nV2OVT3PlZcncJPa+uYvn zv9oK(I8H&Lm72B!@#h7U7sLbqgg}spKjH;Jd7wN*2m}R*01^U3tF{unzysfz-MxRl zbDT7&RWm1jWbfYW%>2Ido8Qdd{7RXdX0Ig^sbLMDi!|*g`dznuxMfOP_>HDqPy8?k^mCQT8hZlmbct zrGQdEDWDWk3Md6mD+T<<8tu2R_{_-aEz#dIy8fOOUC%~;f7bQ=ny%||*L8HM{wM{M z0!jg;fKosypcGIFCOWns&(rn)VnF=l}8h|99&&?LBZ5ybKP3 zgP;cXf)uz6eDh;X`wYAbUI)*E2f+it0tJu*>%kirYT94GA+QhZ1v#)5yc6}|U*~Ju z7vLpu5G()&o;Xj_9tSq~HJAozuo;{W-d~F{U=iE`_JGU5X7J^?n)Vi$0U59koC!WS z2mJ+q27dxOK@n^M8^Py4(zIjX5wHaIgI|H`z#;7PCpOo4O3H~8V@D0mt?41Nc$1iu6qfn)d~<|FV7I0BNyatu2#nJ!Z# z@}!j`k+vM}Q`=73)MwleQzi(RuQDf3qQnZFR+!`KVN!)Y$2@Mi4zV~fS=n-!xvKgb zmV=_5^$#{1X!yFv8ZOySZ01z_D!GDWh6r^`GU&KI{*jp;x>03DO|QEq8`20qK?5}~ z-Jtj)PZk)LcVUo^%ZA4|`YmsX%JU?#xY)8OZgOcUA&ZnPG)?PxFm5gGoe^-~t)mc) zp5d17dJB2j9X>EPElUiMqQe7^kwTb|LPV=!S)o?YNcyfwR$&_I3Kd>Kf$iIc1g_WY zvB&D}9E_E1Nx5{<=i{ps=|M|PIU3Zj=1H3QMjAGyxf^%}<0;#M2bghQjoxX${1zP- zZT2vIm+W2B^stxh3dp_+tBDv<&U|58IDlqLkj^$+R;GjzDYg$i3O=iHc@W1a_brQP89QAl!x<{+Mo}Hwp%Q;vkrd2L84|bEX=hpF*CokGu4`!CF$_Y#C zu?oayUMmdrl~M}CJ>z6uirazLXfq#vS?y!LFyr_=lO6g`oLqQYt3%Tw>=3Kmr%xnu z%T@Zx47E8EF=zR}&pMWGQQNwMwKpZFTx-zF!aIDI$a;hxgpB9OKznQx@p@cu^Roe2 zEZ3u0Zh5h>9>vDGi_KepRW~i+w#{I6(xE!BxJ}4w`K+F*u?2$I7tgnF?Wxnft`{#o z`z?68SR0yU;#l5XK1A>&+m@mw0JSq{jvHYN6xR+W4sL|8U(A+p2FotYQ9EGK>@(@DlTO6QYv&g522QFCSC3qWKu53{p;FY3LHOJ zU0uVup>T(@!bpoHANv~_TI1b~*!{p)Gr4Rwl+nb#t#kPi8u}jg3Cz?@9TUn!x@^;* zWo_MCp@4fjuR^}A;)dI3+vp@BH*SwLecFnGqI3_!v9BWW`b;P%T^00dorsmrwM~Zg zPK=pLqMavCEMLnAKHVnOn7B)boXyJxf-HLA*}B8#o6;l+?&e8hd~CWnH9VflPVAVR zn%*%pJdqop%`ZPXQ`BVrC(*#v$mGaqVPI=T#$Ie%g;hM>ABepy z*}dzUnswLrfFC5k^aCb*~7Gv2X2n+FWN@1<7Pm6Yu{|;XVGZK)nCs6;po1^_$|J`X~jI z0!jg;fKosypcGIFC;%(bJ@^D?`pQGfBk~Sp2C&MT`Tx$F>5=lWigb_f0rMJ&OaK4? 
diff --git a/tasks/_apt-key-import.yml b/tasks/_apt-key-import.yml index 15a18ac4..51fd7070 100644 --- a/tasks/_apt-key-import.yml +++ b/tasks/_apt-key-import.yml @@ -6,13 +6,17 @@ # DATADOG_APT_KEY_CURRENT value, which we always expect to be ascii # armored individual key). +# NOTE: we use 'noqa risky-shell-pipe' throughout this file, because Debian's +# default shell is /bin/sh which doesn't have a pipefail option and the +# presence of a different shell isn't guaranteed. + - name: "Set local variables for processed key {{ item.key }}" set_fact: key_fingerprint: "{{ item.key }}" keyring_url: "{{ item.value }}" - name: "Find out whether key {{ key_fingerprint }} is already imported" - shell: "gpg --no-default-keyring --keyring {{ datadog_apt_usr_share_keyring }} --list-keys --with-fingerprint --with-colons | grep {{ key_fingerprint }}" + shell: "gpg --no-default-keyring --keyring {{ datadog_apt_usr_share_keyring }} --list-keys --with-fingerprint --with-colons | grep {{ key_fingerprint }}" # noqa risky-shell-pipe register: key_exists_result failed_when: false # we expect the command to fail when the key is not found; we never want this task to fail when: key_fingerprint != datadog_apt_key_current_name # we always want to import the CURRENT key @@ -43,7 +47,7 @@ # gpg --dearmor called on a binary keyring does nothing - name: "Ensure downloaded file for {{ key_fingerprint }} is a binary keyring" - shell: "cat {{ tempdir.path }}/{{ key_fingerprint }} | gpg --dearmor > {{ tempdir.path }}/binary.gpg" + shell: "cat {{ tempdir.path }}/{{ key_fingerprint }} | gpg --dearmor > {{ tempdir.path }}/binary.gpg" # noqa risky-shell-pipe when: key_needs_import - name: "Extract the required key from the binary keyring (when not {{ datadog_apt_key_current_name }})" 
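Review bot: The `noqa risky-shell-pipe` suppressions paper over a real failure mode: without pipefail, a failing `cat` (for instance when the download left no file) still lets `gpg --dearmor` exit 0, producing an empty `binary.gpg` and a silently empty import. The pipes are unnecessary because gpg accepts the input file directly, e.g. `shell: "gpg --dearmor -o {{ tempdir.path }}/binary.gpg {{ tempdir.path }}/{{ key_fingerprint }}"` and, in the `@@ -54,9 +58,10 @@` hunk on the next line, `shell: "gpg -q --no-default-keyring --keyring {{ datadog_apt_usr_share_keyring }} --import --batch {{ tempdir.path }}/single.gpg"`. The presence check can likewise drop `grep`: `gpg --no-default-keyring --keyring {{ datadog_apt_usr_share_keyring }} --list-keys {{ key_fingerprint }}` should exit non-zero when the key is absent, which the existing `failed_when: false` plus `rc` test already handles. That removes the need for the new NOTE comment altogether.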
@@ -54,9 +58,10 @@ copy: src: "{{ tempdir.path }}/binary.gpg" dest: "{{ tempdir.path }}/single.gpg" + mode: "0600" remote_src: yes when: key_fingerprint == datadog_apt_key_current_name and key_needs_import - name: "Import key {{ key_fingerprint }} to {{ datadog_apt_usr_share_keyring }} keyring" - shell: "cat {{ tempdir.path }}/single.gpg | gpg -q --no-default-keyring --keyring {{ datadog_apt_usr_share_keyring }} --import --batch" + shell: "cat {{ tempdir.path }}/single.gpg | gpg -q --no-default-keyring --keyring {{ datadog_apt_usr_share_keyring }} --import --batch" # noqa risky-shell-pipe when: key_needs_import From 106893a8a384016422238fbaefba51bf0bb29b42 Mon Sep 17 00:00:00 2001 From: Slavek Kabrda Date: Fri, 23 Apr 2021 10:25:20 +0200 Subject: [PATCH 08/12] repodata => repository metadata --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 179ef0b8..a776724b 100644 --- a/README.md +++ b/README.md @@ -47,7 +47,7 @@ To deploy the Datadog Agent on hosts, add the Datadog role and your API key to y | `datadog_disable_default_checks` | Set to `true` to remove all default checks. | | `datadog_config` | Settings for the main Agent configuration file:
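Review bot: The temporary directory registered as `tempdir` (created by the `tempfile` task earlier in the file, outside this hunk) is never removed, so the downloaded key material, `binary.gpg` and `single.gpg` remain on every host after the import; the new `mode: "0600"` limits who can read `single.gpg` but does not address the leftover. The "Import key" task appears to be the last one in the file, so a cleanup task belongs right after it, guarded by the same `key_needs_import` condition so it is not attempted when no directory was created.

```yaml
# … unchanged: import task above …
- name: "Remove temporary directory used for key {{ key_fingerprint }}"
  file:
    path: "{{ tempdir.path }}"
    state: absent
  when: key_needs_import
```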
- `/etc/datadog-agent/datadog.yaml` for Agent v6 and v7,
- `/etc/dd-agent/datadog.conf` for Agent v5 (under the `[Main]` section). | | `datadog_config_ex` | (Optional) Extra INI sections to go in `/etc/dd-agent/datadog.conf` (Agent v5 only). | -| `datadog_apt_repo` | Override the default Datadog `apt` repository. Make sure to use the `signed-by` option if repodata is signed using Datadog's signing keys: `deb [signed-by=/usr/share/keyrings/datadog-archive-keyring.gpg] https://yourrepo`. | +| `datadog_apt_repo` | Override the default Datadog `apt` repository. Make sure to use the `signed-by` option if repository metadata is signed using Datadog's signing keys: `deb [signed-by=/usr/share/keyrings/datadog-archive-keyring.gpg] https://yourrepo`. | | `datadog_apt_cache_valid_time` | Override the default apt cache expiration time (defaults to 1 hour). | | `datadog_apt_key_url_new` | Override the location from which to obtain Datadog `apt` key (key ID `382E94DE`; the deprecated `datadog_apt_key_url` variable refers to an expired key that's been removed from the role). The URL is expected to be a GPG keyring containing keys `382E94DE` and `F14F620E`. | | `datadog_yum_repo` | Override the default Datadog `yum` repository. | From fd2d326458bb88df50c2348f2e90723d21110ac1 Mon Sep 17 00:00:00 2001 From: Slavek Kabrda Date: Thu, 29 Apr 2021 13:41:58 +0200 Subject: [PATCH 09/12] Update README.md Co-authored-by: Kylian Serrania --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index a776724b..db5b7dcf 100644 --- a/README.md +++ b/README.md 
@@ -49,7 +49,7 @@ To deploy the Datadog Agent on hosts, add the Datadog role and your API key to y
 | `datadog_config_ex` | (Optional) Extra INI sections to go in `/etc/dd-agent/datadog.conf` (Agent v5 only). |
 | `datadog_apt_repo` | Override the default Datadog `apt` repository. Make sure to use the `signed-by` option if repository metadata is signed using Datadog's signing keys: `deb [signed-by=/usr/share/keyrings/datadog-archive-keyring.gpg] https://yourrepo`. |
 | `datadog_apt_cache_valid_time` | Override the default apt cache expiration time (defaults to 1 hour). |
-| `datadog_apt_key_url_new` | Override the location from which to obtain Datadog `apt` key (key ID `382E94DE`; the deprecated `datadog_apt_key_url` variable refers to an expired key that's been removed from the role). The URL is expected to be a GPG keyring containing keys `382E94DE` and `F14F620E`. |
+| `datadog_apt_key_url_new` | Override the location from which to obtain Datadog `apt` key (the deprecated `datadog_apt_key_url` variable refers to an expired key that's been removed from the role). The URL is expected to be a GPG keyring containing keys `382E94DE` and `F14F620E`. |
 | `datadog_yum_repo` | Override the default Datadog `yum` repository. |
 | `datadog_yum_repo_gpgcheck` | Override the default `repo_gpgcheck` value (`yes`) - use `no` to turn off repodata GPG signature verification. Note that repodata signature verification is always turned off for Agent 5. |
 | `datadog_yum_gpgcheck` | Override the default `gpgcheck` value (`yes`) - use `no` to turn off package GPG signature verification. |
From b3b26dfd0624c9e0d6f85f163b1e167e1f11d222 Mon Sep 17 00:00:00 2001
From: Slavek Kabrda
Date: Thu, 29 Apr 2021 13:52:49 +0200
Subject: [PATCH 10/12] Address review
---
 README.md | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
diff --git a/README.md b/README.md
index db5b7dcf..257a7d4a 100644
--- a/README.md
+++ b/README.md 
@@ -261,6 +261,8 @@ If you previously used the Agent v5 variables, use the **new** variables below w
 | `datadog_agent5_yum_repo` | `datadog_yum_repo` |
 | `datadog_agent5_zypper_repo` | `datadog_zypper_repo` |
+Since version 4.9.0, the `use_apt_backup_keyserver` variable has been removed, as APT keys are now obtained from https://keys.datadoghq.com.
+
 #### Windows
 When the variable `datadog_windows_download_url` is not set, the official Windows MSI package corresponding to the `datadog_agent_major_version` is used:
@@ -484,6 +486,27 @@ Alternatively, if your playbook **only runs on Windows hosts**, use the followin
 ## Troubleshooting
+### Debian stretch
+
+**Note:** this information applies to versions of the role prior to 4.9.0. Since 4.9.0, the `apt_key` module is no longer used by the role.
+
+On Debian Stretch, the `apt_key` module used by the role requires an additional system dependency to work correctly. The dependency (`dirmngr`) is not provided by the module. Add the following configuration to your playbooks to make use of the present role:
+
+```yml
+---
+- hosts: all
+ pre_tasks:
+ - name: Debian Stretch requires the dirmngr package to use apt_key
+ become: yes
+ apt:
+ name: dirmngr
+ state: present
+ roles:
+ - { role: datadog.datadog, become: yes }
+ vars:
+ datadog_api_key: ""
+```
+
 ### CentOS 6/7 with Python 3 interpreter
 The `yum` Python module, which is used in this role to install the Agent on CentOS-based hosts, is only available on Python 2. When a Python 3 interpreter is detected on a target host, the `dnf` package manager and the `dnf` Python module are used instead.
From 17a46c22ff1c20e7c979588850fa7d720210652c Mon Sep 17 00:00:00 2001
From: Slavek Kabrda
Date: Thu, 29 Apr 2021 14:50:55 +0200
Subject: [PATCH 11/12] Properly handle 'changed' host state
---
 tasks/_apt-key-import.yml | 18 +++++++++++++++++-
 tasks/pkg-debian.yml | 7 ++++++-
 2 files changed, 23 insertions(+), 2 deletions(-) 
diff --git a/tasks/_apt-key-import.yml b/tasks/_apt-key-import.yml
index 51fd7070..7b3afe6d 100644
--- a/tasks/_apt-key-import.yml
+++ b/tasks/_apt-key-import.yml
@@ -10,6 +10,14 @@
 # default shell is /bin/sh which doesn't have a pipefail option and the
 # presence of a different shell isn't guaranteed.
+# NOTE: in order to display Ansible's `changed: [hostname]` properly throughout
+# tasks in this file, we added `changed_when: false` to a lot of them, even if
+# they actually run every time (e.g. importing the CURRENT key). The reason is
+# that they operate inside a temporary directory and they don't have a
+# permanent effect on the host (nothing will actually change on the host
+# whether these tasks run or not) except the last one - the actual import of
+# the key to `datadog_apt_usr_share_keyring`.
+
 - name: "Set local variables for processed key {{ item.key }}"
 set_fact:
 key_fingerprint: "{{ item.key }}"
@@ -19,6 +27,7 @@
 shell: "gpg --no-default-keyring --keyring {{ datadog_apt_usr_share_keyring }} --list-keys --with-fingerprint --with-colons | grep {{ key_fingerprint }}" # noqa risky-shell-pipe
 register: key_exists_result
 failed_when: false # we expect the command to fail when the key is not found; we never want this task to fail
+ changed_when: key_exists_result.rc != 0
 when: key_fingerprint != datadog_apt_key_current_name # we always want to import the CURRENT key
 - name: "Set local helper variable for determining key import (when not {{ datadog_apt_key_current_name }})"
@@ -37,6 +46,7 @@
 suffix: keys
 register: tempdir
 when: key_needs_import
+ changed_when: false
 - name: "Download {{ keyring_url }} to import key {{ key_fingerprint }}"
 get_url: 
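Review bot: `changed_when: key_exists_result.rc != 0` in `@@ -19,6 +27,7 @@` reports a read-only `--list-keys | grep` lookup as a change, while the NOTE added in `@@ -10,6 +10,14 @@` states that only the final import into `datadog_apt_usr_share_keyring` has a permanent effect, and that import task gets its own `changed_when` in the later hunk of this file; a key that needs importing is therefore counted as changed twice, and a lookup that fails for another reason (gpg unable to read the keyring, masked by `failed_when: false`) is also surfaced as a change. `changed_when: false` here keeps the import task the single source of the host's changed state and matches the rule the NOTE sets out. The `- name: "Set local helper variable …"` task that consumes `key_exists_result` begins at the end of this hunk and continues outside it.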
@@ -44,15 +54,18 @@
 dest: "{{ tempdir.path }}/{{ key_fingerprint }}"
 force: yes
 when: key_needs_import
+ changed_when: false
 # gpg --dearmor called on a binary keyring does nothing
 - name: "Ensure downloaded file for {{ key_fingerprint }} is a binary keyring"
 shell: "cat {{ tempdir.path }}/{{ key_fingerprint }} | gpg --dearmor > {{ tempdir.path }}/binary.gpg" # noqa risky-shell-pipe
 when: key_needs_import
+ changed_when: false
 - name: "Extract the required key from the binary keyring (when not {{ datadog_apt_key_current_name }})"
 shell: "gpg --no-default-keyring --keyring {{ tempdir.path }}/binary.gpg --export {{ key_fingerprint }} > {{ tempdir.path }}/single.gpg"
 when: key_fingerprint != datadog_apt_key_current_name and key_needs_import
+ changed_when: false
 - name: "Extract the required key from the binary keyring (when {{ datadog_apt_key_current_name }})"
 copy:
@@ -61,7 +74,10 @@
 mode: "0600"
 remote_src: yes
 when: key_fingerprint == datadog_apt_key_current_name and key_needs_import
+ changed_when: false
 - name: "Import key {{ key_fingerprint }} to {{ datadog_apt_usr_share_keyring }} keyring"
- shell: "cat {{ tempdir.path }}/single.gpg | gpg -q --no-default-keyring --keyring {{ datadog_apt_usr_share_keyring }} --import --batch" # noqa risky-shell-pipe
+ shell: "cat {{ tempdir.path }}/single.gpg | gpg --no-default-keyring --keyring {{ datadog_apt_usr_share_keyring }} --import --batch" # noqa risky-shell-pipe
 when: key_needs_import
+ register: key_import_result
+ changed_when: '"imported: 1" in key_import_result.stderr'
diff --git a/tasks/pkg-debian.yml b/tasks/pkg-debian.yml
index 0e3a8750..ad9b2bb8 100644
--- a/tasks/pkg-debian.yml
+++ b/tasks/pkg-debian.yml 
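Review bot: `changed_when: '"imported: 1" in key_import_result.stderr'` in `@@ -61,7 +74,10 @@` ties the task's changed state to gpg's human-readable import summary, which appears to be a gettext-translated message, so on a host whose locale is not English the import would be reported as unchanged even though the keyring was modified (dropping `-q` in this hunk was needed precisely to get that summary printed). Pin the locale on the task with `environment:` and `  LC_ALL: C`, or switch to the machine-readable status interface gpg documents for scripts (`--status-fd 1` and test for `IMPORT_OK` in stdout). The import task is complete within the hunk.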
@@ -6,6 +6,11 @@
 state: present
 when: not ansible_check_mode
+- name: "Check if {{ datadog_apt_usr_share_keyring }} exists with correct mode"
+ stat:
+ path: "{{ datadog_apt_usr_share_keyring }}"
+ register: apt_keyring_file
+
 - name: "Ensure {{ datadog_apt_usr_share_keyring }} exists"
 file:
 path: "{{ datadog_apt_usr_share_keyring }}"
@@ -13,7 +18,7 @@
 group: root
 mode: "0644"
 state: touch
- when: not ansible_check_mode
+ when: not ansible_check_mode and (not apt_keyring_file.stat.exists or not apt_keyring_file.stat.mode == "0644")
 - name: Install apt keys from default URLs
 include_tasks: _apt-key-import.yml
From f3f48369c49ea88c9b54d7bc07483fd25e1bf9ee Mon Sep 17 00:00:00 2001
From: Slavek Kabrda
Date: Fri, 30 Apr 2021 11:57:35 +0200
Subject: [PATCH 12/12] Ensure old repository references not using signed-by are removed
---
 tasks/pkg-debian.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/tasks/pkg-debian.yml b/tasks/pkg-debian.yml
index ad9b2bb8..5367ddcd 100644
--- a/tasks/pkg-debian.yml
+++ b/tasks/pkg-debian.yml
@@ -43,7 +43,7 @@
 remote_src: yes
 when: ((ansible_distribution == 'Debian' and ansible_lsb.major_release|int < 9) or (ansible_distribution == 'Ubuntu' and ansible_lsb.major_release|int < 16)) and not ansible_check_mode
-- name: Ensure Datadog non-https repositories are deprecated
+- name: Ensure Datadog non-https repositories and repositories not using signed-by option are deprecated
 apt_repository:
 repo: "{{ item }}"
 state: "absent"
@@ -52,6 +52,9 @@
 - "deb http://apt.datadoghq.com/ stable main"
 - "deb http://apt.datadoghq.com/ stable 6"
 - "deb http://apt.datadoghq.com/ stable 7"
+ - "deb https://apt.datadoghq.com/ stable main"
+ - "deb https://apt.datadoghq.com/ stable 6"
+ - "deb https://apt.datadoghq.com/ stable 7"
 when: not ansible_check_mode
 - name: Ensure Datadog repository is up-to-date
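Review bot: The new `when` on the `file` task in `@@ -13,7 +18,7 @@` skips the task whenever the keyring exists with mode `0644`, but the task also enforces `group: root` (and presumably `owner: root` on the line just above the hunk), and those are no longer corrected once the file exists: a keyring with the right mode but a non-root owner stays writable by that owner while apt trusts it through `signed-by`. The `stat` result registered in `@@ -6,6 +6,11 @@` already carries the ownership, so the condition can become `when: not ansible_check_mode and (not apt_keyring_file.stat.exists or apt_keyring_file.stat.mode != "0644" or apt_keyring_file.stat.pw_name != "root" or apt_keyring_file.stat.gr_name != "root")`. The task name added in the first hunk, "exists with correct mode", would then read "exists with correct mode and ownership". Both tasks are complete within their hunks.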
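Review bot: The three `https://` entries added in `@@ -52,6 +52,9 @@` extend a fixed list of source lines, so the clean-up only reaches the role's own historical defaults; a source line that was previously configured through an overridden `datadog_apt_repo` (documented as overridable in the README) and that omits `signed-by` is presumably left in place. If that case is out of scope, say so where the list lives, e.g. `# only the role's former default source lines are removed here; custom datadog_apt_repo values are not touched`. The loop and its `when` are complete within the hunk.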