Commits on Jan 11, 2017
  1. Remove groupby filter to avoid bug

    This patch adjusts the package installation/removal tasks to get around
    a bug. Jinja2 now returns namedtuples with the groupby filter and
    Ansible is unable to convert that to a usable variable data type with
    Jinja2 bug: pallets/jinja#654
    Ansible bug: ansible/ansible#20098
    Related-Bug: 1655397
    Change-Id: I3ce764bfb643bda58c4b6ad282e71c312f41465e
    major committed Jan 11, 2017
Commits on Jan 6, 2017
  1. Fix pip check in

    The logic in the pip check was backwards and this patch fixes it.
    Change-Id: Idecfaee991f87f5bfd7a47233b56a37158e816ed
    major committed Jan 6, 2017
Commits on Jan 5, 2017
  1. Add openstack-ansible-plugins dependency

    This patch adds the openstack-ansible-plugins role as a dependency
    for the security role.
    Change-Id: Ic8f06b7afb8f5188433ec77b5e91bc058c0d0454
    major committed Jan 5, 2017
Commits on Jan 4, 2017
  1. Update and clean up

    The script fails when it is run multiple times on CentOS.
    The `bindep` run returns an empty list of packages and then `yum`
    exits with an error since no packages were provided to install.
    This patch checks the length of the `bindep` output and skips the `yum`
    installation when the package list is empty.
    The patch also cleans up some of the old cruft left over from previous
    scripts and avoids repetition.
    Change-Id: Ibe4d0fd9d608dc725c354723143e60c89cd99b4b
    major committed Jan 4, 2017
Commits on Jan 3, 2017
  1. Fix invalid user/group checks bug

    The existence of output is checked for both of the invalid user/group
    tasks, but the *length* of the output isn't checked. This patch
    fixes that bug and only displays output when there is output to
    Closes-Bug: 1650113
    Change-Id: I661006e6ee5c01505c1801d7d55c3823f3632ddd
    major committed Dec 15, 2016
  2. Handle SELinux properly when it is disabled

    This patch skips the `find` task that searches for unlabeled content on
    systems with SELinux disabled. This fails because labels aren't loaded at that
    The patch also fixed an idempotent test failure that comes from the `selinux`
    Ansible module repeatedly trying to get SELinux into enforcing mode when it
    is disabled.
    Closes-bug: 1649617
    Change-Id: I7d30a07bd7e8a4461846660c281b9e53b0783461
    major committed Dec 13, 2016
  3. Unblock security role gate

    This patch addresses two issues that are blocking the security role
    CI jobs from completing:

    The OpenStack CI image is missing the default audit.rules file and this
    causes augenrules to fail when it loads new rules. The first line in
    the default rules file deletes existing rules and this must be in
    place before loading new rulesets. The contents of the default file
    are now in the template file, which is safer anyway. The default
    file provided by the OS is removed.

    The task that updates the apt cache in test.yml was running more than
    once during the CI job run when the gate ran slowly. That's fine, but
    it breaks the idempotence checks. A `changed_when` is added to the task
    to ensure that the idempotence tests aren't affected by an apt cache
    Change-Id: I9c2b50389cc2e4fa81717dcceccf6da1d973d34c
    major committed Jan 3, 2017