Use the firewall role, the selinux role, and the certificate role from the logging role #293
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
[citest] |
nhosoi
commented
Sep 16, 2022
tasks/gather_ports.yml
Outdated
| {%- endif %} | ||
| {% endfor %} | ||
| {% set both = [tcp_ports, tls_tcp_ports] %} | ||
| {{ both }} |
There was a problem hiding this comment.
Sadly, this does not work for ansible-2.9. :( Fixing it now.
There was a problem hiding this comment.
Ansible 2.9 requires strict list filter to convert string to list... (ansible-core-2.13 quietly interprets it for me, and I did not notice it... :p)
(but i only tested a couple of test playbooks... there could be more issues...)
|
Yes - and it is difficult to test this locally e.g. you can't install ansible 2.9 with jinja 2.7 in a virtualenv with fedora anymore |
|
[citest] |
1 similar comment
|
[citest] |
|
[citest bad] |
- Introduce logging_manage_firewall to use the firewall role to manage the syslog ports. logging_manage_firewall is set to true, by default. If the variable is set to false, the firewall configuration is disabled. - Introduce logging_manage_selinux to use the selinux role to manage the ports specified in the logging configuration. logging_manage_ selinux is set to true, by default. If the variable is set to false, the selinux configuration is disabled except the ports defined in the selinux policy. - Add the test check task check_firewall_selinux.yml for verify the ports status. - Add meta/collection-requirements.yml Use the certificate role to generate certificates in the logging role - Introduce logging_certificates variable to specify parameters for using the certificate role.
|
[citest] |
set to false, it does not call the firewall role and the selinux role, respectively. The default value of logging_manage_firewall and logging_ manage_selinux are changed to false.
richm
reviewed
Sep 22, 2022
README.md
Outdated
| NOTE: `logging_manage_firewall` is limited to *adding* ports. | ||
| It cannot be used for *removing* ports. | ||
| If you want to remove ports, you will need to use the firewall system | ||
| roles directly. |
There was a problem hiding this comment.
Suggested change
| roles directly. | |
| role directly. |
richm
reviewed
Sep 22, 2022
README.md
Outdated
| NOTE: `logging_manage_selinux` is limited to *adding* policy. | ||
| It cannot be used for *removing* policy. | ||
| If you want to remove policy, you will need to use the selinux system | ||
| roles directly. |
There was a problem hiding this comment.
Suggested change
| roles directly. | |
| role directly. |
richm
reviewed
Sep 22, 2022
README.md
Outdated
|
|
||
| The port is then configured by the selinux role and given | ||
| an appropriate syslog selinux port type depending upon the | ||
| associated tls value. |
There was a problem hiding this comment.
Some inputs/outputs (e.g., relp) have a tls key in the dictionary like this.
- `tls`: If true, encrypt the connection with TLS. You must provide key/certificates and triplets {`ca_cert`, `cert`, `private_key`} and/or {`ca_cert_src`, `cert_src`, `private_key_src`}. Default to `true`.
I'm going to put ` around tls as follows. Do you think it's clearer?
859 associated tls value.
There was a problem hiding this comment.
ah, I see - then use TLS in all caps.
richm
reviewed
Sep 22, 2022
| --- | ||
| - block: | ||
| - name: Add tcp ports to logging_firewall_ports | ||
| set_fact: |
There was a problem hiding this comment.
Since you are using set_fact, you'll need to ensure that logging_firewall_ports is empty before this task, either by resetting it before this task, or resetting it after the task that calls the firewall role
|
[citest] |
1 similar comment
|
[citest] |
nhosoi
force-pushed
the
use_roles
branch
2 times, most recently
from
dd1ab93
to
160c2f3
Compare
richm
reviewed
Sep 26, 2022
README.md
Outdated
|
|
||
| Otherwise, please run the following command line to install the collection. | ||
| ``` | ||
| ansible-galaxy collection install -r meta/requirements.yml |
There was a problem hiding this comment.
Suggested change
| ansible-galaxy collection install -r meta/requirements.yml | |
| ansible-galaxy collection install -r meta/collection-requirements.yml |
|
[citest] |
|
[citest bad] |
richm
approved these changes
Sep 27, 2022
richm
added a commit
to richm/linux-system-roles-logging
that referenced
this pull request
Nov 1, 2022
[1.11.0] - 2022-11-01 -------------------- ### New Features - Use the firewall role, the selinux role, and the certificate role from the logging role (linux-system-roles#293) - Introduce logging_manage_firewall to use the firewall role to manage the syslog ports. logging_manage_firewall is set to true, by default. If the variable is set to false, the firewall configuration is disabled. - Introduce logging_manage_selinux to use the selinux role to manage the ports specified in the logging configuration. logging_manage_ selinux is set to true, by default. If the variable is set to false, the selinux configuration is disabled except the ports defined in the selinux policy. - Add the test check task check_firewall_selinux.yml for verify the ports status. - Use the certificate role to generate certificates in the logging role - Introduce logging_certificates variable to specify parameters for using the certificate role. When logging_manage_firewall and logging_manage_selinux are set to false, it does not call the firewall role and the selinux role, respectively. The default value of logging_manage_firewall and logging_ manage_selinux are changed to false. ### Bug Fixes - none ### Other Changes - To avoid the CI conflicts on the control host when running tests in parallel, create a temporary directory by tempfile to store files used in the test. Signed-off-by: Rich Megginson <rmeggins@redhat.com>
richm
added a commit
that referenced
this pull request
Nov 1, 2022
[1.11.0] - 2022-11-01 -------------------- ### New Features - Use the firewall role, the selinux role, and the certificate role from the logging role (#293) - Introduce logging_manage_firewall to use the firewall role to manage the syslog ports. logging_manage_firewall is set to true, by default. If the variable is set to false, the firewall configuration is disabled. - Introduce logging_manage_selinux to use the selinux role to manage the ports specified in the logging configuration. logging_manage_ selinux is set to true, by default. If the variable is set to false, the selinux configuration is disabled except the ports defined in the selinux policy. - Add the test check task check_firewall_selinux.yml for verify the ports status. - Use the certificate role to generate certificates in the logging role - Introduce logging_certificates variable to specify parameters for using the certificate role. When logging_manage_firewall and logging_manage_selinux are set to false, it does not call the firewall role and the selinux role, respectively. The default value of logging_manage_firewall and logging_ manage_selinux are changed to false. ### Bug Fixes - none ### Other Changes - To avoid the CI conflicts on the control host when running tests in parallel, create a temporary directory by tempfile to store files used in the test. Signed-off-by: Rich Megginson <rmeggins@redhat.com> Signed-off-by: Rich Megginson <rmeggins@redhat.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Use the firewall role and the selinux role from the logging role
Use the certificate role to generate certificates in the logging role
Note: This pr is for refactoring #292.