Set pipefail in Ansible shell commands with pipe #9123
This datastream diff is auto generated by the check

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_rsyslog_files_permissions' differs:
--- old datastream
+++ new datastream
@@ -17,8 +17,11 @@
- rsyslog_files_permissions
- name: Get IncludeConfig directive
- shell: grep -e '$IncludeConfig' {{ rsyslog_etc_config }} | cut -d ' ' -f 2
+ shell: |
+ set -o pipefail
+ grep -e '$IncludeConfig' {{ rsyslog_etc_config }} | cut -d ' ' -f 2 || true
register: include_config_output
+ changed_when: false
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-80862-6
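Review bot: The `|| true` appended to the grep pipeline in "Get IncludeConfig directive" swallows every failure, not only grep's no-match exit status 1. An unreadable or missing `{{ rsyslog_etc_config }}` (grep exit status 2) now produces empty stdout and a successful task, which is the case `set -o pipefail` is there to surface. Consider dropping `|| true` and adding `failed_when: include_config_output.rc not in [0, 1]`, so that only the no-match case is tolerated.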
@@ -34,9 +37,11 @@
- rsyslog_files_permissions
- name: Get include files directives
- shell: grep -oP '^\s*include\s*\(\s*file.*' {{ rsyslog_etc_config }} |cut -d"\""
- -f 2
+ shell: |
+ set -o pipefail
+ grep -oP '^\s*include\s*\(\s*file.*' {{ rsyslog_etc_config }} |cut -d"\"" -f 2 || true
register: include_files_output
+ changed_when: false
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-80862-6
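Review bot: `set -o pipefail` in "Get include files directives" depends on the shell that runs the task, and the hunk sets no `args: executable`. Ansible's shell module runs /bin/sh by default, and where /bin/sh is a shell without pipefail support (dash, for example) the `set` line itself is rejected and the task fails before grep runs. Adding `args:` with `executable: /bin/bash` to each task that sets pipefail makes the dependency explicit.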
@@ -56,6 +61,7 @@
loop: '{{ include_config_output.stdout_lines + include_files_output.stdout_lines
}}'
register: rsyslog_config_files
+ changed_when: false
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-80862-6
@@ -71,11 +77,13 @@
- rsyslog_files_permissions
- name: Extract log files
- shell: grep -oP '^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*\.*$' {{ item }} |awk
- '{print $NF}'|sed -e 's/^-//'
+ shell: |
+ set -o pipefail
+ grep -oP '^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*\.*$' {{ item }} |awk '{print $NF}'|sed -e 's/^-//'
loop: '{{ rsyslog_config_files.results|map(attribute=''stdout_lines'')|list|flatten|unique
+ [ rsyslog_etc_config ] }}'
register: log_files
+ changed_when: false
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- CCE-80862-6 |
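Review bot: "Extract log files" enables pipefail but, unlike the two grep tasks earlier in this diff, does not tolerate grep's exit status 1, so any looped `{{ item }}` that contains no matching log-file line makes the whole task fail. Handle the no-match status here as well, for example with a `failed_when` that accepts return codes 0 and 1, which also keeps a real grep error (exit status 2) visible.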
It seems that Ansible remediation is failing for some test scenarios. I tested on RHEL8:
2d0bb7d to 502350e
This gets rid of the Ansible Role linting issue.
These tasks in rsyslog_files_permissions gather data whether we need to make changes and where.
502350e to 855ff16
@vojtapolasek test scenarios should be passing now. Thanks
Code Climate has analyzed commit 855ff16 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 42.7% (0.0% change).
@yuumasato: The following tests failed, say
Looks good now, thank you.
Description:
So incorporated the same technique employed in pipefail not really compatible with grep #6779
Rationale: