ansible-lockdown / RHEL7-CIS

Ansible role for Red Hat 7 CIS Baseline
https://ansible-lockdown.readthedocs.io/en/latest/
MIT License

Make role compatible with Ansible 2.10 and beyond #258

Closed jlosito closed 1 year ago

jlosito commented 3 years ago

Describe the Issue

I'm currently in the process of upgrading my personal Ansible galaxy roles and playbooks to use version 2.10 of Ansible. Some of my roles and playbooks leverage this role as a dependency. I'd still like to leverage this role once my roles are upgraded to use 2.10, but I believe some steps are needed to upgrade this role to be compatible or at least be ready for when breaking changes are introduced in >2.10.

I believe one of the main issues is Ansible is moving almost everything to a collection and modules will be required to use their FQCN. In other words, eventually Ansible will require a module such as yum to be invoked using ansible.builtin.yum. Most, if not all, Ansible modules within this role are written using their shortname.

In Ansible 2.10, modules are recommended to use their FQCN equivalent. Below is a snippet from the Ansible documentation.

https://docs.ansible.com/ansible/latest/collections/ansible/builtin/lineinfile_module.html

This module is part of ansible-core and included in all Ansible installations. In most cases, you can use the short module name lineinfile even without specifying the collections: keyword. However, we recommend you use the FQCN for easy linking to the module documentation and to avoid conflicting with other collections that may have the same module name.

Expected Behavior

I expect to be able to use this role and be compatible with Ansible 2.10 and beyond.

Actual Behavior

Ansible 2.10 states that modules should start using their FQCN equivalent. In other words, a module such as lineinfile becomes ansible.builtin.lineinfile.

Control(s) Affected

I wouldn't say that any controls are affected. It's more about the role as a whole.

Environment (please complete the following information):

Additional Notes

N/A

Possible Solution

Convert all Ansible modules to use their FQCN equivalent.

https://docs.ansible.com/ansible/latest/collections/ansible/builtin/lineinfile_module.html

Here's an example where the lineinfile module is not using the FQCN. https://github.com/ansible-lockdown/RHEL7-CIS/blob/devel/tasks/section_1/cis_1.1.1.x.yml#L6
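A check for the conversion proposed above, as an added example that is not part of the original issue or the role's own code: it flags task-level short module names in a tasks file and rewrites them to their FQCN, which the quoted documentation recommends to avoid conflicts with same-named modules in other collections. The module map is partial, the sample tasks are constructed, and the line-based matching is a heuristic that assumes tasks are list items with aligned keys, as in a typical role tasks file.

```python
import re

# Short name -> FQCN. Real module names, but a deliberately partial map:
# extend it with the modules the role under review actually calls.
FQCN = {m: f"ansible.builtin.{m}" for m in (
    "yum", "lineinfile", "command", "shell", "copy", "template",
    "service", "file", "stat", "package", "systemd")}
FQCN.update(sysctl="ansible.posix.sysctl", mount="ansible.posix.mount")

# "<indent>[- ]<key>:" at the start of a line; comment lines never match.
KEY = re.compile(r"^(?P<indent>\s*)(?P<dash>-\s+)?(?P<key>[A-Za-z_][\w.]*):(?=\s|$)")

# Constructed sample tasks (not taken from the role).
SAMPLE = """\
- name: "Constructed task using a short module name"
  lineinfile:
    path: /etc/example.conf
    line: "setting = value"
- name: "Constructed task: argument named like a module"
  include_vars:
    file: example.yml
- name: "Constructed task: already fully qualified"
  ansible.builtin.yum:
    name: aide
    state: present
"""

def scan(text):
    """Return (line_no, short_name, fqcn) for task-level short module names."""
    hits, task_col = [], None
    for no, line in enumerate(text.splitlines(), 1):
        m = KEY.match(line)
        if not m:
            continue
        col = len(m["indent"]) + len(m["dash"] or "")
        if m["dash"]:
            task_col = col  # a "- key:" line starts a new task at this column
        # Module arguments sit deeper than task_col, so "file:" under
        # include_vars is not mistaken for the file module.
        if col == task_col and m["key"] in FQCN:
            hits.append((no, m["key"], FQCN[m["key"]]))
    return hits

def rewrite(text):
    """Return the text with every flagged key replaced by its FQCN."""
    lines = text.splitlines()
    for no, short, fqcn in scan(text):
        lines[no - 1] = lines[no - 1].replace(f"{short}:", f"{fqcn}:", 1)
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    for no, short, fqcn in scan(SAMPLE):
        print(f"line {no}: {short} -> {fqcn}")
```

Run `scan` in CI to report remaining short names without changing files; review `rewrite` output as a diff before committing it, since the matching is not a full YAML parse.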

uk-bolly commented 2 years ago

hi @jlosito

Thanks as always for the feedback. This is something we are aware of going forward and have it on the roadmap to resolve and look into releasing collections in the future. With quite a few users still using pre 2.9 this has the potential to introduce issues for some. I will leave the issue open to follow up.

Many thanks

uk-bolly

uk-bolly commented 2 years ago

Hi @jlosito

Thank you for your patience on this. We are still aware of this issue and are discussing the approach due to the number of benchmarks OSs/Apps/Audits (more to come) on how we wish to line up the namespaces going forward, as well as rewriting all the repositories for the new layout.

We are aiming for this quarter to have the approach (subject to other work) and hopefully released.

regards

uk-bolly

uk-bolly commented 2 years ago

hi @jlosito

I have added the collection requirements to the role itself. This includes the collections/requirements.yml and the update to meta/main.yml, without having to change to all FQCN on the module. This appears to be working as expected and I hope to get this pushed into devel early next week.

many thanks again

uk-bolly

uk-bolly commented 1 year ago

Closing issue as covered by collections and meta