Use the firewall role, the selinux role, and the certificate role from the logging role #293
Conversation
[citest]
tasks/gather_ports.yml
{%- endif %} | ||
{% endfor %} | ||
{% set both = [tcp_ports, tls_tcp_ports] %} | ||
{{ both }} |
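Review bot: `{{ both }}` on the last line of this template emits the nested list `[tcp_ports, tls_tcp_ports]` as template output, and, as the thread below records, Ansible 2.9 needs an explicit `list` filter to turn that back into a list; apply the filter where the result is consumed so the consuming tasks get a list rather than a string on 2.9, or document the minimum supported Ansible version if 2.9 is not meant to be supported.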
Sadly, this does not work for ansible-2.9. :( Fixing it now.
What is the issue?
Ansible 2.9 requires the strict `list` filter to convert the string to a list... (ansible-core-2.13 quietly interprets it for me, and I did not notice it... :p)
(but I only tested a couple of test playbooks... there could be more issues...)
Yes - and it is difficult to test this locally, e.g. you can't install ansible 2.9 with jinja 2.7 in a virtualenv with fedora anymore.
[citest]
[citest]
[citest bad]
- Introduce logging_manage_firewall to use the firewall role to manage the syslog ports. logging_manage_firewall is set to true, by default. If the variable is set to false, the firewall configuration is disabled.
- Introduce logging_manage_selinux to use the selinux role to manage the ports specified in the logging configuration. logging_manage_selinux is set to true, by default. If the variable is set to false, the selinux configuration is disabled except the ports defined in the selinux policy.
- Add the test check task check_firewall_selinux.yml to verify the ports status.
- Add meta/collection-requirements.yml

Use the certificate role to generate certificates in the logging role

- Introduce logging_certificates variable to specify parameters for using the certificate role.
[citest]
set to false, it does not call the firewall role and the selinux role, respectively. The default values of logging_manage_firewall and logging_manage_selinux are changed to false.
README.md
NOTE: `logging_manage_firewall` is limited to *adding* ports. | ||
It cannot be used for *removing* ports. | ||
If you want to remove ports, you will need to use the firewall system | ||
roles directly. |
roles directly. | |
role directly. |
README.md
NOTE: `logging_manage_selinux` is limited to *adding* policy. | ||
It cannot be used for *removing* policy. | ||
If you want to remove policy, you will need to use the selinux system | ||
roles directly. |
roles directly. | |
role directly. |
README.md
|
||
The port is then configured by the selinux role and given | ||
an appropriate syslog selinux port type depending upon the | ||
associated tls value. |
tls value?
Some inputs/outputs (e.g., relp) have a tls key in the dictionary like this.
- `tls`: If true, encrypt the connection with TLS. You must provide key/certificates and triplets {`ca_cert`, `cert`, `private_key`} and/or {`ca_cert_src`, `cert_src`, `private_key_src`}. Default to `true`.
I'm going to put ` around tls as follows. Do you think it's clearer?
associated `tls` value.
ah, I see - then use TLS in all caps.
--- | ||
- block: | ||
- name: Add tcp ports to logging_firewall_ports | ||
set_fact: |
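Review bot: the `Add tcp ports to logging_firewall_ports` task uses `set_fact` to add to an existing variable, so when the role is applied more than once on the same host the ports from the earlier run stay in `logging_firewall_ports`; reset it to `[]` with a `set_fact` task at the top of this block (or right after the task that calls the firewall role), which is also the point raised in the comment below.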
Since you are using set_fact, you'll need to ensure that logging_firewall_ports is empty before this task, either by resetting it before this task, or resetting it after the task that calls the firewall role.
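As an added example (not code from PR #293 or the logging role itself), one way to do the reset the comment above asks for, combined with the TLS-dependent SELinux port type the README text describes; the variable names `tcp_ports`, `tls_tcp_ports` and `logging_selinux_ports`, and the collection role names, are assumptions for illustration.

```yaml
# Added example, not the PR's code. Assumed inputs: tcp_ports and
# tls_tcp_ports are lists of port numbers gathered earlier by the role.
- name: Reset the accumulators so a previous run of the role cannot leak ports in
  set_fact:
    logging_firewall_ports: []
    logging_selinux_ports: []

- name: Add tcp ports to logging_firewall_ports
  set_fact:
    logging_firewall_ports: "{{ logging_firewall_ports
      + [{'port': item ~ '/tcp', 'state': 'enabled'}] }}"
  # `| list` is the explicit conversion the thread says Ansible 2.9 needs
  loop: "{{ (tcp_ports + tls_tcp_ports) | list }}"

- name: Add tcp ports to logging_selinux_ports with a port type matching tls
  set_fact:
    logging_selinux_ports: "{{ logging_selinux_ports
      + [{'ports': item, 'proto': 'tcp', 'state': 'present',
          'setype': ('syslog_tls_port_t' if item in tls_tcp_ports
                     else 'syslogd_port_t')}] }}"
  loop: "{{ (tcp_ports + tls_tcp_ports) | list }}"

# Only the ports the logging configuration actually uses are opened/labelled,
# and only when the user opted in via logging_manage_firewall/selinux.
- name: Open the syslog ports with the firewall role (assumed collection name)
  include_role:
    name: fedora.linux_system_roles.firewall
  vars:
    firewall: "{{ logging_firewall_ports }}"
  when:
    - logging_manage_firewall | bool
    - logging_firewall_ports | length > 0

- name: Label the syslog ports with the selinux role (assumed collection name)
  include_role:
    name: fedora.linux_system_roles.selinux
  vars:
    selinux_ports: "{{ logging_selinux_ports }}"
  when:
    - logging_manage_selinux | bool
    - logging_selinux_ports | length > 0
```

Because the lists are rebuilt from scratch on every run, applying the role twice with a smaller port set does not keep the old ports in the variables, although, as the README notes say, ports already opened or labelled on the host are not removed by this pattern.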
[citest]
[citest]
dd1ab93 to 160c2f3
README.md
|
||
Otherwise, please run the following command line to install the collection. | ||
``` | ||
ansible-galaxy collection install -r meta/requirements.yml |
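Review bot: the install command points at `meta/requirements.yml`, but the commit message for this PR adds `meta/collection-requirements.yml`; change the `-r` path to match (the suggestion below does this), otherwise the README command will not find the requirements file the repository ships.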
ansible-galaxy collection install -r meta/requirements.yml | |
ansible-galaxy collection install -r meta/collection-requirements.yml |
[citest]
[citest bad]
[1.11.0] - 2022-11-01
--------------------

### New Features

- Use the firewall role, the selinux role, and the certificate role from the logging role (linux-system-roles#293)
  - Introduce logging_manage_firewall to use the firewall role to manage the syslog ports. logging_manage_firewall is set to true, by default. If the variable is set to false, the firewall configuration is disabled.
  - Introduce logging_manage_selinux to use the selinux role to manage the ports specified in the logging configuration. logging_manage_selinux is set to true, by default. If the variable is set to false, the selinux configuration is disabled except the ports defined in the selinux policy.
  - Add the test check task check_firewall_selinux.yml to verify the ports status.
- Use the certificate role to generate certificates in the logging role
  - Introduce logging_certificates variable to specify parameters for using the certificate role.

When logging_manage_firewall and logging_manage_selinux are set to false, it does not call the firewall role and the selinux role, respectively. The default values of logging_manage_firewall and logging_manage_selinux are changed to false.

### Bug Fixes

- none

### Other Changes

- To avoid the CI conflicts on the control host when running tests in parallel, create a temporary directory by tempfile to store files used in the test.

Signed-off-by: Rich Megginson <rmeggins@redhat.com>
Use the firewall role and the selinux role from the logging role
Use the certificate role to generate certificates in the logging role
Note: This PR is for refactoring #292.