
Prevent Ansible Playbook termination in check mode #14677

Merged
Mab879 merged 3 commits into ComplianceAsCode:master from jan-cerny:ansible_check_fix
Apr 24, 2026

Conversation

@jan-cerny jan-cerny (Collaborator) commented Apr 24, 2026

Some Ansible Playbooks are terminating prematurely on some Ansible Tasks where the `when` statement assumes that a systemd service is installed. In normal mode, the installation is performed by other tasks, but in check mode, the installation isn't executed and the service isn't installed at the moment of checking the service state. This manifests in the test `/scanning/host-os/ansible-check/check-mode`.

Addressing:

```
Configure Firewalld to Restrict Loopback Traffic - Ensure firewalld
trusted Zone Restricts IPv4 Loopback Traffic ({"msg": "The conditional
check 'ansible_facts.services['firewalld.service'].state == 'running''
failed. The error was: error while evaluating conditional
(ansible_facts.services['firewalld.service'].state == 'running'): 'dict
object' has no attribute 'firewalld.service'. 'dict object' has no
attribute 'firewalld.service'\n\nThe error appears to be in
'/usr/share/scap-security-guide/ansible/centos8-playbook-pci-dss.yml':
line 10070, column 7, but may\nbe elsewhere in the file depending on the
exact syntax problem.\n\nThe offending line appears to be:\n\n\n    -
name: Configure Firewalld to Restrict Loopback Traffic - Ensure
firewalld trusted\n      ^ here\n"})
```

Review Hints:

Check that the tests `testing-farm:centos-stream-{8,9,10}-x86_64:contest-other` pass.

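The pattern the PR applies, as an added stand-alone example that is not code from the PR or from ComplianceAsCode: a minimal playbook that can be run with and without `--check`. The play, task names and the `dep_service` variable are assumptions made for this example; the fragile 'before' task is left commented so the play completes, and uncommenting it reproduces the termination described above on a host where the service is not installed.

```yaml
# check_mode_demo.yml: constructed example, not taken from the PR or ComplianceAsCode.
# Run on a host where the service is NOT installed, first normally and then with --check:
#   ansible-playbook -i localhost, -c local check_mode_demo.yml
#   ansible-playbook -i localhost, -c local --check check_mode_demo.yml
- name: Guard service-state conditions so check mode does not abort the play
  hosts: localhost
  gather_facts: false
  vars:
    # Hypothetical dependency of the remediation. When the unit is not
    # installed there is simply no such key in ansible_facts.services.
    dep_service: firewalld.service
  tasks:
    - name: Collect service facts (this is what populates ansible_facts.services)
      ansible.builtin.service_facts:

    # FRAGILE ('before' form): with the key missing, the conditional itself
    # fails to evaluate and Ansible terminates the whole play, which is the
    # error quoted in the PR description. Uncomment to reproduce.
    # - name: Configure something that needs the service
    #   ansible.builtin.debug:
    #     msg: "would configure {{ dep_service }}"
    #   when: ansible_facts.services[dep_service].state == 'running'

    # GUARDED (form introduced by the PR): 'and' short-circuits, so the .state
    # lookup only runs when the entry exists; 'is defined' additionally covers
    # a play where service_facts was never collected.
    - name: Configure something that needs the service
      ansible.builtin.debug:
        msg: "would configure {{ dep_service }}"
      when:
        - ansible_facts.services is defined
        - (dep_service in ansible_facts.services and ansible_facts.services[dep_service].state == 'running')

    # Hard dependency check, same idiom as the PR's assert tasks: a no-op in
    # check mode, a readable abort instead of a Jinja error in normal mode.
    - name: Abort unless the dependency is running
      ansible.builtin.assert:
        that:
          - ansible_check_mode or (dep_service in ansible_facts.services and ansible_facts.services[dep_service].state == 'running')
        fail_msg: "{{ dep_service }} is not installed or not running. Remediation aborted!"
        success_msg: "{{ dep_service }} is running, continuing"
```

In check mode the guarded task is skipped and the assert passes; in normal mode on a host without the unit, the assert stops the play with the `fail_msg` rather than with a conditional-evaluation error.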
@jan-cerny jan-cerny added this to the 0.1.81 milestone Apr 24, 2026
@jan-cerny jan-cerny added the Ansible Ansible remediation update. label Apr 24, 2026
@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Used by openshift-ci bot. label Apr 24, 2026

openshift-ci Bot commented Apr 24, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all


github-actions Bot commented Apr 24, 2026

This datastream diff is auto generated by the check Compare DS/Generate Diff

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_firewalld_loopback_traffic_restricted' differs.
--- xccdf_org.ssgproject.content_rule_firewalld_loopback_traffic_restricted
+++ xccdf_org.ssgproject.content_rule_firewalld_loopback_traffic_restricted
@@ -79,7 +79,8 @@
       is changed
   when:
   - '"kernel-core" in ansible_facts.packages'
-  - ansible_facts.services['firewalld.service'].state == 'running'
+  - ('firewalld.service' in ansible_facts.services and ansible_facts.services['firewalld.service'].state
+    == 'running')
   tags:
   - CCE-87272-1
   - PCI-DSSv4-1.4
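Review bot: the added `'firewalld.service' in ansible_facts.services` guard in this hunk only covers the missing dictionary key; if `ansible_facts.services` itself is undefined because no `ansible.builtin.service_facts` task ran earlier in the play, the `in` test still fails to evaluate and the play still terminates. If the generated playbook does not guarantee that ordering, prefix the condition with `ansible_facts.services is defined and`, or keep the checks as separate `when` list items, which Ansible evaluates in order and stops at the first false one.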
@@ -95,7 +96,8 @@
     on Service State
   ansible.builtin.assert:
     that:
-    - ansible_check_mode or ansible_facts.services['firewalld.service'].state == 'running'
+    - (ansible_check_mode or ('firewalld.service' in ansible_facts.services and ansible_facts.services['firewalld.service'].state
+      == 'running'))
     fail_msg:
     - firewalld service is not active. Remediation aborted!
     - This remediation could not be applied because it depends on firewalld service
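Review bot: with the new guard the assert in this hunk degrades cleanly when the service entry is absent, but the `fail_msg` two lines below still reads "firewalld service is not active", which is now also what an operator sees when firewalld is not installed at all. Consider wording it "firewalld service is not installed or not active" so the message matches both cases the condition now covers.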

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_firewalld_loopback_traffic_trusted' differs.
--- xccdf_org.ssgproject.content_rule_firewalld_loopback_traffic_trusted
+++ xccdf_org.ssgproject.content_rule_firewalld_loopback_traffic_trusted
@@ -67,7 +67,8 @@
     - result_lo_interface_assignment is changed
   when:
   - '"kernel-core" in ansible_facts.packages'
-  - ansible_facts.services['firewalld.service'].state == 'running'
+  - ('firewalld.service' in ansible_facts.services and ansible_facts.services['firewalld.service'].state
+    == 'running')
   tags:
   - CCE-87278-8
   - PCI-DSSv4-1.4
@@ -83,7 +84,8 @@
     on Service State
   ansible.builtin.assert:
     that:
-    - ansible_check_mode or ansible_facts.services['firewalld.service'].state == 'running'
+    - (ansible_check_mode or ('firewalld.service' in ansible_facts.services and ansible_facts.services['firewalld.service'].state
+      == 'running'))
     fail_msg:
     - firewalld service is not active. Remediation aborted!
     - This remediation could not be applied because it depends on firewalld service

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_wireless_disable_interfaces' differs.
--- xccdf_org.ssgproject.content_rule_wireless_disable_interfaces
+++ xccdf_org.ssgproject.content_rule_wireless_disable_interfaces
@@ -80,7 +80,8 @@
   - ( not ( ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"]
     ) )
   - '''NetworkManager'' in ansible_facts.packages'
-  - ansible_facts.services['NetworkManager.service'].state == 'running'
+  - ('NetworkManager.service' in ansible_facts.services and ansible_facts.services['NetworkManager.service'].state
+    == 'running')
   tags:
   - CCE-83501-7
   - DISA-STIG-RHEL-08-040110

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_firewalld_sshd_port_enabled' differs.
--- xccdf_org.ssgproject.content_rule_firewalld_sshd_port_enabled
+++ xccdf_org.ssgproject.content_rule_firewalld_sshd_port_enabled
@@ -111,8 +111,8 @@
     when:
     - result_nmcli_cmd_zone_assignment is defined
     - result_nmcli_cmd_zone_assignment is changed
-    - result_nmcli_cmd_zone_assignment.results | selectattr('changed', 'equalto',
-      true) | list | length > 0
+    - (result_nmcli_cmd_zone_assignment.results | selectattr('changed', 'equalto',
+      true) | list | length > 0)
 
   - name: Enable SSH Server firewalld Firewall Exception - Collect firewalld active
       zones
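Review bot: this hunk changes no behaviour, it only wraps the existing `selectattr('changed', 'equalto', true) | list | length > 0` expression in parentheses, so it looks like a side effect of the generator now parenthesising every condition rather than part of the check-mode fix. That is harmless, but it widens the diff of every generated playbook for no functional reason and deserves a sentence in the commit message so later readers do not look for a semantic change here.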
@@ -138,8 +138,10 @@
     - result_firewall_cmd_zones_names.stdout_lines | length > 0
   when:
   - '"kernel-core" in ansible_facts.packages'
-  - ansible_facts.services['firewalld.service'].state == 'running'
-  - ansible_facts.services['NetworkManager.service'].state == 'running'
+  - ('firewalld.service' in ansible_facts.services and ansible_facts.services['firewalld.service'].state
+    == 'running')
+  - ('NetworkManager.service' in ansible_facts.services and ansible_facts.services['NetworkManager.service'].state
+    == 'running')
   tags:
   - CCE-80820-4
   - NIST-800-171-3.1.12
@@ -158,13 +160,14 @@
     on services states
   ansible.builtin.assert:
     that:
-    - ansible_check_mode or ansible_facts.services['firewalld.service'].state == 'running'
-    - ansible_check_mode or ansible_facts.services['NetworkManager.service'].state
-      == 'running'
+    - (ansible_check_mode or ('firewalld.service' in ansible_facts.services and ansible_facts.services['firewalld.service'].state
+      == 'running'))
+    - (ansible_check_mode or ('NetworkManager.service' in ansible_facts.services and
+      ansible_facts.services['NetworkManager.service'].state == 'running'))
     fail_msg:
     - firewalld and NetworkManager services are not active. Remediation aborted!
-    - This remediation could not be applied because it depends on firewalld and NetworkManager
-      services running.
+    - This remediation could not be applied because it depends on firewalld
+    - and NetworkManager services running.
     - The service is not started by this remediation in order to prevent connection
       issues.
     success_msg:
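Review bot: the `fail_msg` change in this hunk splits one sentence into two list items ("This remediation could not be applied because it depends on firewalld" and "and NetworkManager services running."), so the message is printed as two lines with the second starting with "and". The original folded the continuation into the same item; restore that (or put it on one line), since only the `that:` conditions need to change here.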

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_suid_auid_privilege_function' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_suid_auid_privilege_function
+++ xccdf_org.ssgproject.content_rule_audit_rules_suid_auid_privilege_function
@@ -110,7 +110,8 @@
   - '"audit" in ansible_facts.packages'
   - '"kernel-core" in ansible_facts.packages'
   - (augenrules_audit_rules_privilege_function_update_result.changed or auditctl_audit_rules_privilege_function_update_result.changed)
-  - ansible_facts.services["auditd.service"].state == "running"
+  - ("auditd.service" in ansible_facts.services and ansible_facts.services["auditd.service"].state
+    == "running")
   tags:
   - CCE-90209-8
   - audit_rules_suid_auid_privilege_function

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function' differs.
--- xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function
+++ xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function
@@ -146,7 +146,8 @@
   - '"audit" in ansible_facts.packages'
   - '"kernel-core" in ansible_facts.packages'
   - (augenrules_audit_rules_privilege_function_update_result.changed or auditctl_audit_rules_privilege_function_update_result.changed)
-  - ansible_facts.services["auditd.service"].state == "running"
+  - ("auditd.service" in ansible_facts.services and ansible_facts.services["auditd.service"].state
+    == "running")
   tags:
   - CCE-83556-1
   - DISA-STIG-RHEL-08-030000

@jan-cerny jan-cerny marked this pull request as ready for review April 24, 2026 10:36
@openshift-ci openshift-ci Bot removed the do-not-merge/work-in-progress Used by openshift-ci bot. label Apr 24, 2026
@Mab879 Mab879 self-assigned this Apr 24, 2026

openshift-ci Bot commented Apr 24, 2026

@jan-cerny: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| ci/prow/e2e-aws-openshift-platform-compliance | 0c09bfa | link | true | /test e2e-aws-openshift-platform-compliance |
| ci/prow/e2e-aws-openshift-node-compliance | 0c09bfa | link | true | /test e2e-aws-openshift-node-compliance |

Full PR test history. Your PR dashboard.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@Mab879 Mab879 merged commit e797706 into ComplianceAsCode:master Apr 24, 2026
62 of 68 checks passed