CIS: Remove always tag from include_role tasks#1220
Merged
Conversation
If we have the CIS hardening hook enabled and run a command such as the
following:
kayobe overcloud host configure -t foo
where 'cis' is not in the specified tags, we see the following error:
PLAY [Security hardening] *****************************************
TASK [include_role : ansible-lockdown.rhel9_cis] ******************
fatal: [controller-01]: FAILED! =>
msg: |-
The conditional check 'ansible_facts.os_family == 'RedHat' and
ansible_facts.distribution_major_version == '9'' failed. The error
was: error while evaluating conditional (ansible_facts.os_family
== 'RedHat' and ansible_facts.distribution_major_version == '9'):
'dict object' has no attribute 'os_family'. 'dict object' has no
attribute 'os_family'
The error appears to be in 'etc/kayobe/ansible/cis.yml': line 35,
column 7, but may be elsewhere in the file depending on the exact
syntax problem.
The offending line appears to be:
- include_role:
^ here
This is because the include_role task has the 'always' tag, so runs
despite no facts having been gathered.
The always tag is not required for this task - specifying the 'cis' tag
causes the role to be included. This change fixes the issue by removing
the always tags from these tasks.
Alex-Welsh
approved these changes
Aug 16, 2024
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
If we have the CIS hardening hook enabled and run a command such as the
following:
kayobe overcloud host configure -t foo
where 'cis' is not in the specified tags, we see the following error:
PLAY [Security hardening] *****************************************
TASK [include_role : ansible-lockdown.rhel9_cis] ******************
fatal: [controller-01]: FAILED! =>
msg: |-
The conditional check 'ansible_facts.os_family == 'RedHat' and
ansible_facts.distribution_major_version == '9'' failed. The error
was: error while evaluating conditional (ansible_facts.os_family
== 'RedHat' and ansible_facts.distribution_major_version == '9'):
'dict object' has no attribute 'os_family'. 'dict object' has no
attribute 'os_family'
This is because the include_role task has the 'always' tag, so runs
despite no facts having been gathered.
The always tag is not required for this task - specifying the 'cis' tag
causes the role to be included. This change fixes the issue by removing
the always tags from these tasks.