
Set pipefail in Ansible shell commands with pipe #9123

Conversation

@yuumasato yuumasato (Member) commented Jul 11, 2022

Description:

  • Set pipefail, so that the task fails if any part of the shell command fails.
  • The shell commands can fail during the grep command, and that is fine.
    So I incorporated the same technique employed in "pipefail not really compatible with grep" #6779

Rationale:

  • Fix Ansible role linting for rule rsyslog_files_permissions
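The behaviour the description relies on, as an added bash example that is not code from the ComplianceAsCode project or this PR: it shows what exit status a `grep | cut` pipeline reports with and without `set -o pipefail`, why grep's "no match" (status 1) has to be tolerated, and that appending `|| true` also hides a genuine grep error (status 2, such as a missing file). The config files, their contents and the function names (`status_without_pipefail`, `status_with_pipefail`, `status_with_or_true`, `extract_include_config`) are constructed for the demo and assume bash.

```shell
#!/usr/bin/env bash
# Added example, not the project's code: exit-status behaviour of the
# grep|cut pipeline used to read the $IncludeConfig directive, under three
# variants. File names and contents below are constructed for the demo.

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# Constructed rsyslog-style configs: one with an $IncludeConfig line, one without.
printf '%s\n' '$ModLoad imuxsock' \
              '$IncludeConfig /etc/rsyslog.d/*.conf' \
              '*.info /var/log/messages' > "$WORKDIR/with_include.conf"
printf '%s\n' '$ModLoad imuxsock' \
              '*.info /var/log/messages' > "$WORKDIR/without_include.conf"

# Variant 1, the original one-liner: the pipeline reports cut's status (0),
# so a failing grep (no match, or a missing/unreadable file) is invisible.
status_without_pipefail() {
    if (grep -e '$IncludeConfig' "$1" 2>/dev/null | cut -d ' ' -f 2 >/dev/null); then
        echo 0
    else
        echo $?
    fi
}

# Variant 2, with pipefail: the pipeline reports the rightmost non-zero
# status, so grep's 1 (no match) and 2 (error) both surface.
status_with_pipefail() {
    if (set -o pipefail; grep -e '$IncludeConfig' "$1" 2>/dev/null | cut -d ' ' -f 2 >/dev/null); then
        echo 0
    else
        echo $?
    fi
}

# Variant 3, pipefail plus "|| true" appended: every status collapses to 0,
# including a real grep error, so pipefail no longer protects the task.
status_with_or_true() {
    if (set -o pipefail; grep -e '$IncludeConfig' "$1" 2>/dev/null | cut -d ' ' -f 2 >/dev/null || true); then
        echo 0
    else
        echo $?
    fi
}

# Alternative that keeps error detection: run grep on its own, accept status 1
# (directive absent) as "nothing to do", propagate anything else, and only
# then post-process the matched lines.
extract_include_config() {
    local matches rc=0
    matches=$(grep -e '$IncludeConfig' "$1") || rc=$?
    case $rc in
        0) printf '%s\n' "$matches" | cut -d ' ' -f 2 ;;
        1) return 0 ;;          # no $IncludeConfig line: empty output, success
        *) echo "grep failed with status $rc on $1" >&2; return "$rc" ;;
    esac
}

# Demo: statuses for the three inputs (missing.conf is deliberately absent).
for f in with_include.conf without_include.conf missing.conf; do
    printf '%-21s no-pipefail=%s pipefail=%s pipefail+or-true=%s\n' "$f" \
        "$(status_without_pipefail "$WORKDIR/$f")" \
        "$(status_with_pipefail "$WORKDIR/$f")" \
        "$(status_with_or_true "$WORKDIR/$f")"
done
echo "include path: $(extract_include_config "$WORKDIR/with_include.conf")"
```

The Ansible equivalent of `extract_include_config` is to keep `set -o pipefail`, drop `|| true`, and let the task decide what counts as failure with `failed_when: <registered>.rc > 1`, so an absent directive yields an empty `stdout_lines` for the later loop while an unreadable config still fails the run.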


@github-actions github-actions bot commented Jul 11, 2022

This datastream diff is auto generated by the check Compare DS/Generate Diff:
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_rsyslog_files_permissions' differs:
--- old datastream
+++ new datastream
@@ -17,8 +17,11 @@
 - rsyslog_files_permissions
 
 - name: Get IncludeConfig directive
- shell: grep -e '$IncludeConfig' {{ rsyslog_etc_config }} | cut -d ' ' -f 2
+ shell: |
+ set -o pipefail
+ grep -e '$IncludeConfig' {{ rsyslog_etc_config }} | cut -d ' ' -f 2 || true
 register: include_config_output
+ changed_when: false
 when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
 - CCE-80862-6
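Review bot: the `|| true` at the end of the new `grep ... | cut ...` line masks the status of the whole pipeline, so `set -o pipefail` no longer fails the task on anything, including a grep error (status 2, e.g. an unreadable `{{ rsyslog_etc_config }}`) or a failing cut; it only satisfies the linter. If the goal is to tolerate grep's status 1 (no `$IncludeConfig` line) but still catch real errors, drop `|| true` and add `failed_when: include_config_output.rc > 1` to the task; stdout stays empty on no match, which the later loop over `stdout_lines` already handles.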
@@ -34,9 +37,11 @@
 - rsyslog_files_permissions
 
 - name: Get include files directives
- shell: grep -oP '^\s*include\s*\(\s*file.*' {{ rsyslog_etc_config }} |cut -d"\""
- -f 2
+ shell: |
+ set -o pipefail
+ grep -oP '^\s*include\s*\(\s*file.*' {{ rsyslog_etc_config }} |cut -d"\"" -f 2 || true
 register: include_files_output
+ changed_when: false
 when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
 - CCE-80862-6
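Review bot: same `|| true` masking as in the "Get IncludeConfig directive" task; if that one is changed to `failed_when: include_config_output.rc > 1`, mirror it here with `failed_when: include_files_output.rc > 1` so the two lookups fail under the same conditions.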
@@ -56,6 +61,7 @@
 loop: '{{ include_config_output.stdout_lines + include_files_output.stdout_lines
 }}'
 register: rsyslog_config_files
+ changed_when: false
 when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
 - CCE-80862-6
@@ -71,11 +77,13 @@
 - rsyslog_files_permissions
 
 - name: Extract log files
- shell: grep -oP '^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*\.*$' {{ item }} |awk
- '{print $NF}'|sed -e 's/^-//'
+ shell: |
+ set -o pipefail
+ grep -oP '^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*\.*$' {{ item }} |awk '{print $NF}'|sed -e 's/^-//'
 loop: '{{ rsyslog_config_files.results|map(attribute=''stdout_lines'')|list|flatten|unique
 + [ rsyslog_etc_config ] }}'
 register: log_files
+ changed_when: false
 when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
 - CCE-80862-6
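Review bot: unlike the two lookup tasks above, this task has neither `|| true` nor a `failed_when`, so with pipefail any looped file in which grep matches nothing (an included snippet containing only comments or module directives) now fails the task with status 1, where the previous one-liner returned sed's status 0. Either add `|| true` as in the other tasks or, better, `failed_when: log_files.rc > 1`; inside a loop the registered name refers to the current item's result, so the check applies per file.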

@Mab879 Mab879 added the Ansible Ansible remediation update. label Jul 11, 2022
@Mab879 Mab879 added this to the 0.1.63 milestone Jul 11, 2022
@vojtapolasek vojtapolasek self-assigned this Jul 12, 2022
@vojtapolasek vojtapolasek (Collaborator) commented

It seems that Ansible remediation is failing for some test scenarios. I tested on RHEL8:

INFO - Script include_perms_0601.fail.sh using profile (all) OK
ERROR - Rule evaluation resulted in fail, instead of expected pass during final stage
ERROR - The check after remediation failed for rule 'xccdf_org.ssgproject.content_rule_rsyslog_files_permissions'.
INFO - Script IncludeConfig_perms_0601.fail.sh using profile (all) OK
ERROR - Rule evaluation resulted in fail, instead of expected pass during final stage
ERROR - The check after remediation failed for rule 'xccdf_org.ssgproject.content_rule_rsyslog_files_permissions'.
INFO - Script include_perms_0600_IncludeConfig_perms_0601.fail.sh using profile (all) OK
ERROR - Rule evaluation resulted in fail, instead of expected pass during final stage
ERROR - The check after remediation failed for rule 'xccdf_org.ssgproject.content_rule_rsyslog_files_permissions'.
INFO - Script IncludeConfig_glob_perms_0601.fail.sh using profile (all) OK
ERROR - Rule evaluation resulted in fail, instead of expected pass during final stage
ERROR - The check after remediation failed for rule 'xccdf_org.ssgproject.content_rule_rsyslog_files_permissions'.
INFO - Script perms_0601.fail.sh using profile (all) OK
ERROR - Rule evaluation resulted in fail, instead of expected pass during final stage
ERROR - The check after remediation failed for rule 'xccdf_org.ssgproject.content_rule_rsyslog_files_permissions'.

@yuumasato yuumasato force-pushed the fix_rsyslog_files_permisisons_ansible_lint branch from 2d0bb7d to 502350e on July 12, 2022 15:21

Commit message:
This gets rid of the Ansible Role linting issue.
These tasks in rsyslog_files_permissions gather data on whether we need to
make changes and where.

@yuumasato yuumasato force-pushed the fix_rsyslog_files_permisisons_ansible_lint branch from 502350e to 855ff16 on July 12, 2022 15:46
@yuumasato yuumasato (Member, Author) commented

@vojtapolasek test scenarios should be passing now. Thanks

@codeclimate codeclimate bot commented Jul 12, 2022

Code Climate has analyzed commit 855ff16 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 42.7% (0.0% change).

@openshift-ci openshift-ci bot commented Jul 12, 2022

@yuumasato: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| ci/prow/e2e-aws-rhcos4-high | 855ff16 | link | true | /test e2e-aws-rhcos4-high |
| ci/prow/e2e-aws-rhcos4-moderate | 855ff16 | link | true | /test e2e-aws-rhcos4-moderate |

@vojtapolasek vojtapolasek (Collaborator) left a comment

Looks good now, thank you.

@vojtapolasek vojtapolasek merged commit 9e68c39 into ComplianceAsCode:master Jul 13, 2022
@yuumasato yuumasato deleted the fix_rsyslog_files_permisisons_ansible_lint branch July 18, 2022 12:38