Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

use failed_when:false for Ansible register: checks #11782

Merged
merged 1 commit into from
Apr 3, 2024

Conversation

comps
Copy link
Collaborator

@comps comps commented Apr 2, 2024

Description:

Using ignore_errors leads to user-visible fatal errors produced by ansible-playbook:

TASK [Enable FIPS Mode - Check to See the Current Status of FIPS Mode] *********
fatal: [192.168.122.178]: FAILED! => {"changed": false, "cmd": ["/usr/bin/fips-mode-setup", "--check"] ...

These are indistinguishable from actually terminating fatal errors (to a log-reading script) that need to be investigated.

Using failed_when avoids those, while still registering the output for use by other checks, as done by many other checks:

$ grep -i 'failed_when: false' -r linux_os/ | wc -l
25

$ grep -i 'failed_when: false' -r linux_os/ 
linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml:  failed_when: false
linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/ansible/shared.yml:  failed_when: false
linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/ansible/shared.yml:  failed_when: false
linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/ansible/shared.yml:  failed_when: false
linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/ansible/shared.yml:  failed_when: false
linux_os/guide/system/auditing/auditd_configure_rules/file_permissions_var_log_audit/ansible/shared.yml:  failed_when: false
linux_os/guide/system/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/ansible/shared.yml:  failed_when: false
linux_os/guide/system/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/ansible/shared.yml:  failed_when: false
linux_os/guide/system/auditing/auditd_configure_rules/file_group_ownership_var_log_audit/ansible/shared.yml:  failed_when: false
linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_suid_auid_privilege_function/ansible/shared.yml:  failed_when: false
linux_os/guide/system/permissions/restrictions/enable_execshield_settings/sysctl_kernel_exec_shield/ansible/shared.yml:  failed_when: False
linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_ownership_binary_dirs/ansible/shared.yml:  failed_when: False
linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_binary_dirs/ansible/shared.yml:  failed_when: Fals
linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_groupownership_system_commands_dirs/ansible/shared.yml:  failed_when: False
linux_os/guide/system/permissions/files/permissions_within_important_dirs/file_permissions_system_commands_dirs/ansible/shared.yml:  failed_when: False
linux_os/guide/system/permissions/files/dir_system_commands_group_root_owned/ansible/shared.yml:  failed_when: False
linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/ansible/shared.yml:  failed_when: False
linux_os/guide/system/accounts/enable_authselect/ansible/shared.yml:  failed_when: false
linux_os/guide/system/accounts/enable_authselect/ansible/shared.yml:  failed_when: false
linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/ansible/shared.yml:  failed_when: False
linux_os/guide/system/software/integrity/fips/grub2_enable_fips_mode/ansible/shared.yml:  failed_when: False
linux_os/guide/system/network/network-nftables/set_nftables_base_chain/ansible/shared.yml:  failed_when: false
linux_os/guide/services/ssh/file_permissions_sshd_private_key/ansible/shared.yml:  failed_when: False
linux_os/guide/services/ssh/file_permissions_sshd_private_key/ansible/shared.yml:  failed_when: False

Review Hints:

Double-check that this is sane, please. I'm not an Ansible expert, so I don't know if this may have side-effects, but I did some preliminary testing and it seems to be working as intended.

Using ignore_errors leads to user-visible fatal errors
produced by ansible-playbook:

  TASK [Enable FIPS Mode - Check to See the Current Status of FIPS Mode] *********
  fatal: [192.168.122.178]: FAILED! => {"changed": false, "cmd": ["/usr/bin/fips-mode-setup", "--check"] ...

These are indistinguishable from actually terminating
fatal errors (to a log-reading script) that need to be
investigated.

Using failed_when avoids those, while still registering
the output for use by other checks, as done by many other
checks:

  $ grep -i 'failed_when: false' -r linux_os/ | wc -l
  25

Signed-off-by: Jiri Jaburek <comps@nomail.dom>
Copy link

github-actions bot commented Apr 2, 2024

Start a new ephemeral environment with changes proposed in this pull request:

rhel8 (from CTF) Environment (using Fedora as testing environment)
Open in Gitpod

Fedora Testing Environment
Open in Gitpod

Oracle Linux 8 Environment
Open in Gitpod

Copy link

github-actions bot commented Apr 2, 2024

This datastream diff is auto generated by the check Compare DS/Generate Diff

Click here to see the full diff
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_enable_fips_mode' differs.
--- xccdf_org.ssgproject.content_rule_enable_fips_mode
+++ xccdf_org.ssgproject.content_rule_enable_fips_mode
@@ -7,7 +7,7 @@
 - name: Enable FIPS Mode - Check to See the Current Status of FIPS Mode
   ansible.builtin.command: /usr/bin/fips-mode-setup --check
   register: is_fips_enabled
-  ignore_errors: true
+  failed_when: false
   changed_when: false
   when:
   - ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_dir' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_dir
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_dir
@@ -697,7 +697,7 @@
     cmd: semanage fcontext -a -t faillog_t "{{ var_accounts_passwords_pam_faillock_dir
       }}(/.*)?"
   register: result_accounts_passwords_pam_faillock_dir_semanage
-  ignore_errors: true
+  failed_when: false
   changed_when:
   - result_accounts_passwords_pam_faillock_dir_semanage.rc == 0
   when: '"pam" in ansible_facts.packages'

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_enable_smartcards' differs.
--- xccdf_org.ssgproject.content_rule_sssd_enable_smartcards
+++ xccdf_org.ssgproject.content_rule_sssd_enable_smartcards
@@ -15,7 +15,7 @@
 - name: Test for domain group
   command: grep '^\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
   register: test_grep_domain
-  ignore_errors: true
+  failed_when: false
   changed_when: false
   check_mode: false
   when:

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_memcache_timeout' differs.
--- xccdf_org.ssgproject.content_rule_sssd_memcache_timeout
+++ xccdf_org.ssgproject.content_rule_sssd_memcache_timeout
@@ -20,7 +20,7 @@
 - name: Test for domain group
   command: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
   register: test_grep_domain
-  ignore_errors: true
+  failed_when: false
   changed_when: false
   check_mode: false
   when:

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration' differs.
--- xccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration
+++ xccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration
@@ -16,7 +16,7 @@
 - name: Test for domain group
   command: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
   register: test_grep_domain
-  ignore_errors: true
+  failed_when: false
   changed_when: false
   check_mode: false
   when:

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_ssh_known_hosts_timeout' differs.
--- xccdf_org.ssgproject.content_rule_sssd_ssh_known_hosts_timeout
+++ xccdf_org.ssgproject.content_rule_sssd_ssh_known_hosts_timeout
@@ -20,7 +20,7 @@
 - name: Test for domain group
   command: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
   register: test_grep_domain
-  ignore_errors: true
+  failed_when: false
   changed_when: false
   check_mode: false
   when:

Copy link

github-actions bot commented Apr 2, 2024

🤖 A k8s content image for this PR is available at:
ghcr.io/complianceascode/k8scontent:11782
This image was built from commit: 40fdde4

Click here to see how to deploy it

If you alread have Compliance Operator deployed:
utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:11782

Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:11782 make deploy-local

Copy link

codeclimate bot commented Apr 2, 2024

Code Climate has analyzed commit 40fdde4 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 59.3% (0.0% change).

View more on Code Climate.

Copy link
Collaborator

@jan-cerny jan-cerny left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It makes sense to me.

We use failed_when more often than ignore_errors.

There is an informed person who advertises failed_when.
https://medium.com/@sbarnea/why-ansible-ignore-errors-is-evil-500fb6e81229
https://www.reddit.com/r/ansible/comments/j3rtwt/beware_of_illusive_ansible_ignore_errors_when/

@jan-cerny
Copy link
Collaborator

/retest

@jan-cerny jan-cerny merged commit 18608b6 into ComplianceAsCode:master Apr 3, 2024
44 of 45 checks passed
@Mab879 Mab879 added the Ansible Ansible remediation update. label May 16, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Ansible Ansible remediation update.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants