From 78d37afccc72aaf70266979ca65ae4aa3abee661 Mon Sep 17 00:00:00 2001
From: Major Hayden
Date: Wed, 16 Aug 2017 09:02:42 -0500
Subject: [PATCH] Manually check apparmor_status

The apparmor systemd unit file simply calls an old SysV init script to load AppArmor profiles. The init script exits and systemd has no idea if it's still running or not. This causes Ansible to start the apparmor unit each time the playbook runs, which breaks the idempotency checks.

This patch checks the apparmor_status output directly to see what the status of AppArmor actually is. If the module is loaded, then we should not try to start AppArmor with the unit file again.

This patch also includes the updates from the openstack-ansible-tests repository that were included in https://review.openstack.org/#/c/488489/ so that the gate can be unblocked.

Partial-Bug: 1710675
Change-Id: If253714d0ca4b5a3d324255751e6f6615ca75dde
---
 Vagrantfile | 4 ++++
 bindep.txt | 6 ++++--
 run_tests.sh | 5 ++++-
 tasks/rhel7stig/lsm.yml | 17 +++++++++++++++++
 4 files changed, 29 insertions(+), 3 deletions(-)

diff --git a/Vagrantfile b/Vagrantfile
index 46436cf8..7d8c27a0 100644
--- a/Vagrantfile
+++ b/Vagrantfile
@@ -36,6 +36,10 @@ Vagrant.configure(2) do |config|
     leap422.vm.box = "opensuse/openSUSE-42.2-x86_64"
   end
 
+  config.vm.define "opensuse423" do |leap423|
+    leap423.vm.box = "opensuse/openSUSE-42.3-x86_64"
+  end
+
   config.vm.define "centos7" do |centos7|
     centos7.vm.box = "centos/7"
   end
diff --git a/bindep.txt b/bindep.txt
index f2924a2a..d3ead940 100644
--- a/bindep.txt
+++ b/bindep.txt
@@ -30,6 +30,9 @@ libffi-dev [platform:dpkg]
 python2.7 [platform:dpkg]
 python-apt [platform:dpkg]
 python-dev [platform:dpkg]
+python3 [platform:dpkg]
+python3-apt [platform:dpkg]
+python3-dev [platform:dpkg]
 
 # Base requirements for RPM distros
 gcc [platform:rpm]
@@ -51,8 +54,7 @@ python-pyasn1 [platform:dpkg platform:suse]
 python-openssl [platform:dpkg]
 python-ndg-httpsclient [platform:ubuntu !platform:ubuntu-14]
 python2-pyasn1 [platform:redhat]
-python2-pyOpenSSL [platform:redhat !platform:fedora]
-pyOpenSSL [platform:fedora]
+pyOpenSSL [platform:redhat]
 python-pyOpenSSL [platform:opensuseproject-42]
 python2-pyOpenSSL [platform:suse !platform:opensuseproject-42]
 python-ndg_httpsclient [platform:redhat !platform:fedora]
diff --git a/run_tests.sh b/run_tests.sh
index 969e3db0..e8f6f3ac 100755
--- a/run_tests.sh
+++ b/run_tests.sh
@@ -35,9 +35,12 @@ source /etc/os-release || source /usr/lib/os-release
 install_pkg_deps() {
     pkg_deps="git"
 
+    # Prefer dnf over yum for CentOS.
+    which dnf &>/dev/null && RHT_PKG_MGR='dnf' || RHT_PKG_MGR='yum'
+
     case ${ID,,} in
         *suse*) pkg_mgr_cmd="zypper -n in" ;;
-        centos|rhel) pkg_mgr_cmd="yum install -y" ;;
+        centos|rhel) pkg_mgr_cmd="${RHT_PKG_MGR} install -y" ;;
         fedora) pkg_mgr_cmd="dnf -y install" ;;
         ubuntu|debian) pkg_mgr_cmd="apt-get install -y" ;;
         *) echo "unsupported distribution: ${ID,,}"; exit 1 ;;
diff --git a/tasks/rhel7stig/lsm.yml b/tasks/rhel7stig/lsm.yml
index 9471dee7..fd661b28 100644
--- a/tasks/rhel7stig/lsm.yml
+++ b/tasks/rhel7stig/lsm.yml
@@ -24,6 +24,22 @@
     - high
     - V-71989
 
+# NOTE(mhayden): The systemd unit file for apparmor just calls an old SysV
+# init script and exits. It's not possible to ask systemd if apparmor is
+# running and if we tell systemd to start apparmor, it will tell us that it
+# started apparmor each time. This breaks idempotency and we check
+# apparmor_status directly as an alternative.
+- name: Check if apparmor is running
+  command: apparmor_status
+  register: apparmor_status_output
+  changed_when: false
+  failed_when: false
+  when:
+    - ansible_pkg_mgr in ['apt', 'zypper']
+  tags:
+    - high
+    - V-71989
+
 - name: Ensure AppArmor is running
   service:
     name: apparmor
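Review bot: `which dnf &>/dev/null` in the new lines of `install_pkg_deps` relies on an external `which` binary; minimal CentOS/RHEL images (the centos:7 container image, for one) are known to ship without it, and when it is missing the test fails and the script quietly falls back to `yum` even on a dnf host. The shell builtin avoids that dependency: `command -v dnf >/dev/null 2>&1 && RHT_PKG_MGR='dnf' || RHT_PKG_MGR='yum'`. `RHT_PKG_MGR` is also assigned as a global inside the function although only the `centos|rhel` branch reads it; declaring it `local`, or computing it inside that branch, would keep it from leaking into the caller's scope. The body of install_pkg_deps continues past the end of the hunk.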
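Review bot: `failed_when: false` on the new `Check if apparmor is running` task also masks the case where `apparmor_status` is absent or cannot be executed, and from the registered result that case looks the same as "module not loaded": the downstream substring check on `stdout` is simply false and the enforcement task is skipped on that host without any report, which for a STIG control is a silent rather than a visible failure. If tolerating a missing tool is intended, say so next to the task, e.g. `# NOTE: a missing or unrunnable apparmor_status is tolerated here (rc != 0, empty stdout); the enforcement task below is then skipped rather than failed.`; otherwise restrict the tolerance to the tool's own non-zero exits and let a missing binary fail. Note also that the task is skipped on non-apt/zypper hosts, so `apparmor_status_output` carries no `stdout` key there; anything that reads it later has to be guarded by the same condition.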
@@ -34,6 +50,7 @@
     - security_rhel7_enable_linux_security_module | bool
     - not check_mode
     - '"AppArmor disabled by boot time parameter" not in dmesg_apparmor_output.stdout'
+    - '"apparmor module is loaded" in apparmor_status_output.stdout'
   tags:
     - high
     - V-71989
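Review bot: The added condition `'"apparmor module is loaded" in apparmor_status_output.stdout'` makes `Ensure AppArmor is running` execute only when the module is already loaded, which is the reverse of what the commit description states ("If the module is loaded, then we should not try to start AppArmor"); one of the two should be corrected — `not in` if the start is meant to be skipped once the module is loaded, or the description if the intent is to attempt a start only where the kernel has AppArmor enabled. Separately, on hosts where the status task was skipped the registered result has no `stdout` attribute, so this entry is only safe if an earlier entry in the same `when` list, outside this hunk, already excludes those hosts; if that is not guaranteed, `'"apparmor module is loaded" in (apparmor_status_output.stdout | default(""))'` avoids an undefined-attribute error. The `when` list and the task it belongs to begin before the hunk.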