use find module instead of shell #294

Merged
merged 3 commits into from
Aug 16, 2020
39 changes: 23 additions & 16 deletions tasks/yum.yml
@@ -3,35 +3,42 @@
file:
name: '/etc/yum.repos.d/{{ item }}.repo'
state: 'absent'
with_items:
loop:
- 'CentOS-Debuginfo'
- 'CentOS-Media'
- 'CentOS-Vault'
when: os_security_packages_clean | bool

- name: get yum-repository-files
shell: 'find /etc/yum.repos.d/ -type f -name *.repo'
changed_when: False
find:
paths: '/etc/yum.repos.d'
patterns: '*.repo'
register: yum_repos

# for the 'default([])' see here:
# https://github.com/dev-sec/ansible-os-hardening/issues/99 and
# https://stackoverflow.com/questions/37067827/ansible-deprecation-warning-for-undefined-variable-despite-when-clause
#
# failed_when is needed because by default replace module will fail if the file doesn't exists.
# status.rc is only defined if an error accrued and only error code (rc) 257 will be ignored.
# All other errors will still be raised.
- name: activate gpg-check for config files
# for the 'default([])' see here:
# https://github.com/dev-sec/ansible-os-hardening/issues/99 and
# https://stackoverflow.com/questions/37067827/ansible-deprecation-warning-for-undefined-variable-despite-when-clause
- name: activate gpg-check for yum-repository-files
replace:
dest: '{{ item }}'
regexp: '^\s*gpgcheck: 0'
replace: 'gpgcheck: 1'
path: '{{ item.path }}'
regexp: '^\s*gpgcheck.*'
replace: 'gpgcheck=1'
with_items:
- '{{ yum_repos.files | default([]) }}'

# failed_when is needed because by default replace module will fail if the file doesn't exists.
# status.rc is only defined if an error accrued and only error code (rc) 257 will be ignored.
# All other errors will still be raised.
- name: activate gpg-check for config files
lineinfile:
path: '{{ item }}'
regexp: '^\s*gpgcheck\W.*'
line: 'gpgcheck=1'
register: status
failed_when: status.rc is defined and status.rc != 257
with_flattened:
loop:
- '/etc/yum.conf'
- '/etc/dnf/dnf.conf'
- '{{ yum_repos.stdout_lines| default([]) }}' # noqa 104
- '/etc/yum/pluginconf.d/rhnplugin.conf'

- name: remove deprecated or insecure packages | package-01 - package-09
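Review bot: the `replace` task's new regexp `'^\s*gpgcheck.*'` is looser than the `'^\s*gpgcheck\W.*'` the `lineinfile` task a few lines below uses; aligning it on `'^\s*gpgcheck\W.*'` keeps the two tasks consistent and avoids rewriting any other key that happens to start with `gpgcheck`. Worth a changelog line as well: this hunk changes behaviour, not just the lookup. The old pattern `'^\s*gpgcheck: 0'` and replacement `'gpgcheck: 1'` are YAML syntax and could never match the ini-style `gpgcheck=0` lines found in `.repo` files, so repositories with signature checking disabled are now actually switched to `gpgcheck=1` (the intended hardening, but users relying on unsigned local repos will notice). Minor: the `replace` task still uses `with_items:` while the other two tasks moved to `loop:`; note that `with_items` flattens the single list element `'{{ yum_repos.files | default([]) }}'`, whereas a plain `loop:` with the same nested list would not, so the migration there should be `loop: '{{ yum_repos.files | default([]) }}'` rather than a one-for-one keyword swap. Dropping the shell call is a good change on its own: the previous `-name *.repo` was an unquoted glob that the shell could expand before `find` ever saw it.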