Fix fatal errors on Ansible service disabled tasks
Resolves: rhbz#2014561
parent cd3b90bce2
commit 5145dcab43
@ -0,0 +1,44 @@
|
||||
From 1c054ed40a4dbc2a48ffe7720d018c317cad8105 Mon Sep 17 00:00:00 2001
|
||||
From: Watson Sato <wsato@redhat.com>
|
||||
Date: Tue, 15 Feb 2022 14:12:55 +0100
|
||||
Subject: [PATCH] Simply mask services that should be disabled
|
||||
|
||||
At some point Ansible started to return much more services in
|
||||
ansible_facts.services, including services that are not installed.
|
||||
This caused the task to think that the service exists, attempt to stop
|
||||
and mask the service.
|
||||
But systemd module fatal errors on non existing services, although the
|
||||
module ends up masking the service in question.
|
||||
|
||||
The bash remediations simply mask the service, even if it is not
|
||||
installed.
|
||||
Let's do the same with Ansible, mask the service and ignore errors.
|
||||
|
||||
One down side is that every non-existing service is reported as an
|
||||
error, which is ignored. But still a fatal error.
|
||||
---
|
||||
shared/templates/service_disabled/ansible.template | 5 +----
|
||||
1 file changed, 1 insertion(+), 4 deletions(-)
|
||||
|
||||
diff --git a/shared/templates/service_disabled/ansible.template b/shared/templates/service_disabled/ansible.template
|
||||
index 550ed563056..254f41ac7fd 100644
|
||||
--- a/shared/templates/service_disabled/ansible.template
|
||||
+++ b/shared/templates/service_disabled/ansible.template
|
||||
@@ -6,16 +6,13 @@
|
||||
{{%- if init_system == "systemd" %}}
|
||||
- name: Disable service {{{ SERVICENAME }}}
|
||||
block:
|
||||
- - name: Gather the service facts
|
||||
- service_facts:
|
||||
-
|
||||
- name: Disable service {{{ SERVICENAME }}}
|
||||
systemd:
|
||||
name: "{{{ DAEMONNAME }}}.service"
|
||||
enabled: "no"
|
||||
state: "stopped"
|
||||
masked: "yes"
|
||||
- when: '"{{{ DAEMONNAME }}}.service" in ansible_facts.services'
|
||||
+ ignore_errors: 'yes'
|
||||
|
||||
- name: "Unit Socket Exists - {{{ DAEMONNAME }}}.socket"
|
||||
command: systemctl list-unit-files {{{ DAEMONNAME }}}.socket
|
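Review bot: The `ignore_errors: 'yes'` added to the systemd task in place of the `when: '"{{{ DAEMONNAME }}}.service" in ansible_facts.services'` guard suppresses every failure of that task, not only the "service does not exist" case the commit message describes. If stopping or masking an installed service fails for another reason, the play continues and the failure is easy to miss among the ignored errors for non-existing services, so a hardening run can finish with the service still active. Consider narrowing the suppression, for example with a `failed_when` condition that only tolerates the not-found message, or gate the task on a `systemctl list-unit-files {{{ DAEMONNAME }}}.service` check in the same way the following task already does for `{{{ DAEMONNAME }}}.socket`. If the broad ignore stays, a comment in the template explaining why it is there would help the next reader.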
@ -6,7 +6,7 @@
|
||||
|
||||
Name: scap-security-guide
|
||||
Version: 0.1.60
|
||||
Release: 3%{?dist}
|
||||
Release: 4%{?dist}
|
||||
Summary: Security guidance and baselines in SCAP formats
|
||||
License: BSD-3-Clause
|
||||
URL: https://github.com/ComplianceAsCode/content/
|
||||
@ -57,6 +57,7 @@ Patch39: scap-security-guide-0.1.61-grub2_rule_desc_update-PR_8184.patch
|
||||
Patch40: scap-security-guide-0.1.61-grub2_template_fix-PR_8180.patch
|
||||
Patch41: scap-security-guide-0.1.61-rear_not_applicable_aarch64-PR_8221.patch
|
||||
Patch42: scap-security-guide-0.1.61-add_RHEL_08_0103789_include_sudoers-PR_8196.patch
|
||||
Patch43: scap-security-guide-0.1.61-fix-ansible-service-disabled-task-PR_8226.patch
|
||||
|
||||
BuildRequires: libxslt
|
||||
BuildRequires: expat
|
||||
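Review bot: `Patch43:` is declared here, but none of the visible spec hunks adds a matching apply step. Please confirm the `%prep` section applies patches automatically; if it lists patches individually, this one will be packaged in the SRPM without ever being applied to the template.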
@ -143,6 +144,9 @@ rm %{buildroot}/%{_docdir}/%{name}/Contributors.md
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Tue Feb 15 2022 Watson Sato <wsato@redhat.com> - 0.1.60-4
|
||||
- Fix Ansible service disabled tasks (RHBZ#2014561)
|
||||
|
||||
* Mon Feb 14 2022 Gabriel Becker <ggasparb@redhat.com> - 0.1.60-3
|
||||
- Update sudoers rules in RHEL8 STIG V1R5 (RHBZ#2045403)
|
||||
- Add missing SRG references in RHEL8 STIG V1R5 rules (RHBZ#2045403)
|
||||
|
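Review bot: The changelog line "Fix Ansible service disabled tasks" does not mention the visible behaviour change that the patch message itself calls out: non-existing services are now reported as ignored errors on every run. Adding a few words to that effect would save users of the generated playbooks from filing those ignored failures as regressions.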