Fix fatal errors on Ansible service disabled tasks

Resolves: rhbz#2014561
Watson Sato 2022-02-15 19:10:19 +01:00
parent cd3b90bce2
commit 5145dcab43
2 changed files with 49 additions and 1 deletions

@ -0,0 +1,44 @@
From 1c054ed40a4dbc2a48ffe7720d018c317cad8105 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 15 Feb 2022 14:12:55 +0100
Subject: [PATCH] Simply mask services that should be disabled
At some point Ansible started to return much more services in
ansible_facts.services, including services that are not installed.
This caused the task to think that the service exists, attempt to stop
and mask the service.
But systemd module fatal errors on non existing services, although the
module ends up masking the service in question.
The bash remediations simply mask the service, even if it is not
installed.
Let's do the same with Ansible, mask the service and ignore errors.
One down side is that every non-existing service is reported as an
error, which is ignored. But still a fatal error.
---
shared/templates/service_disabled/ansible.template | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/shared/templates/service_disabled/ansible.template b/shared/templates/service_disabled/ansible.template
index 550ed563056..254f41ac7fd 100644
--- a/shared/templates/service_disabled/ansible.template
+++ b/shared/templates/service_disabled/ansible.template
@@ -6,16 +6,13 @@
{{%- if init_system == "systemd" %}}
- name: Disable service {{{ SERVICENAME }}}
block:
- - name: Gather the service facts
- service_facts:
-
- name: Disable service {{{ SERVICENAME }}}
systemd:
name: "{{{ DAEMONNAME }}}.service"
enabled: "no"
state: "stopped"
masked: "yes"
- when: '"{{{ DAEMONNAME }}}.service" in ansible_facts.services'
+ ignore_errors: 'yes'
- name: "Unit Socket Exists - {{{ DAEMONNAME }}}.socket"
command: systemctl list-unit-files {{{ DAEMONNAME }}}.socket
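Review bot: `ignore_errors: 'yes'` on the systemd task suppresses every failure of that task, not only the missing-unit case the commit message describes, so a genuine failure to stop or mask an installed `{{{ DAEMONNAME }}}.service` would also be ignored and the play would carry on with the service possibly still active. Consider registering the task result and using `failed_when` to tolerate only the unit-not-found error, or keeping some guard that distinguishes absent units from installed ones. Since the removed `when:` was the only thing separating those two cases, a short comment in the template explaining that ignored fatal errors are expected for absent services would also help people reading remediation output.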

@ -6,7 +6,7 @@
Name: scap-security-guide Name: scap-security-guide
Version: 0.1.60 Version: 0.1.60
Release: 3%{?dist} Release: 4%{?dist}
Summary: Security guidance and baselines in SCAP formats Summary: Security guidance and baselines in SCAP formats
License: BSD-3-Clause License: BSD-3-Clause
URL: https://github.com/ComplianceAsCode/content/ URL: https://github.com/ComplianceAsCode/content/
@ -57,6 +57,7 @@ Patch39: scap-security-guide-0.1.61-grub2_rule_desc_update-PR_8184.patch
Patch40: scap-security-guide-0.1.61-grub2_template_fix-PR_8180.patch Patch40: scap-security-guide-0.1.61-grub2_template_fix-PR_8180.patch
Patch41: scap-security-guide-0.1.61-rear_not_applicable_aarch64-PR_8221.patch Patch41: scap-security-guide-0.1.61-rear_not_applicable_aarch64-PR_8221.patch
Patch42: scap-security-guide-0.1.61-add_RHEL_08_0103789_include_sudoers-PR_8196.patch Patch42: scap-security-guide-0.1.61-add_RHEL_08_0103789_include_sudoers-PR_8196.patch
Patch43: scap-security-guide-0.1.61-fix-ansible-service-disabled-task-PR_8226.patch
BuildRequires: libxslt BuildRequires: libxslt
BuildRequires: expat BuildRequires: expat
@ -143,6 +144,9 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md
%endif %endif
%changelog %changelog
* Tue Feb 15 2022 Watson Sato <wsato@redhat.com> - 0.1.60-4
- Fix Ansible service disabled tasks (RHBZ#2014561)
* Mon Feb 14 2022 Gabriel Becker <ggasparb@redhat.com> - 0.1.60-3 * Mon Feb 14 2022 Gabriel Becker <ggasparb@redhat.com> - 0.1.60-3
- Update sudoers rules in RHEL8 STIG V1R5 (RHBZ#2045403) - Update sudoers rules in RHEL8 STIG V1R5 (RHBZ#2045403)
- Add missing SRG references in RHEL8 STIG V1R5 rules (RHBZ#2045403) - Add missing SRG references in RHEL8 STIG V1R5 rules (RHBZ#2045403)