ansible-lockdown / RHEL7-CIS

Ansible role for Red Hat 7 CIS Baseline
https://ansible-lockdown.readthedocs.io/en/latest/
MIT License

Tasks using selectattr (section 6) fail on CentOS 7, Python 2.7.5, jinja2-2.7.2 #285

Closed dmk1000 closed 2 years ago

dmk1000 commented 2 years ago

Describe the Issue Running any test from section 6 that uses selectattr on a CentOS 7 install with Python 2.7.5 and Jinja2 2.7.2 fails, and execution of the playbook stops with the following (or the equivalent for the other tests):

# ansible-playbook local.yml --tags rule_6.2.1
...
TASK [/root/src/git/RHEL7-CIS : 6.2.1 | L1 | PATCH | Ensure accounts in /etc/passwd use shadow passwords] *********************************************************************************************************************************************************************
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: TemplateRuntimeError: no test named '!='
fatal: [localhost]: FAILED! => {"msg": "Unexpected failure during module execution.", "stdout": ""}

Expected Behavior I would expect these tests to pass, or documentation on what to install on CentOS 7 to get the newer jinja2 pip to install.

Actual Behavior When run with -vvv the output is this:

# ansible-playbook local.yml --tags rule_6.2.1
...
TASK [/root/src/git/RHEL7-CIS : 6.2.1 | L1 | PATCH | Ensure accounts in /etc/passwd use shadow passwords] *********************************************************************************************************************************************************************
task path: /root/src/git/RHEL7-CIS/tasks/section_6/cis_6.2.x.yml:5
The full traceback is:
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ansible/executor/task_executor.py", line 105, in run
    items = self._get_loop_items()
  File "/usr/lib/python2.7/site-packages/ansible/executor/task_executor.py", line 251, in _get_loop_items
    items = templar.template(self._task.loop)
  File "/usr/lib/python2.7/site-packages/ansible/template/__init__.py", line 618, in template
    disable_lookups=disable_lookups,
  File "/usr/lib/python2.7/site-packages/ansible/template/__init__.py", line 877, in do_template
    res = j2_concat(rf)
  File "<template>", line 10, in root
  File "/usr/lib/python2.7/site-packages/jinja2/filters.py", line 740, in do_list
    return list(value)
  File "/usr/lib/python2.7/site-packages/jinja2/filters.py", line 931, in _select_or_reject
    if modfunc(func(transfunc(item))):
  File "/usr/lib/python2.7/site-packages/jinja2/filters.py", line 925, in <lambda>
    name, item, args, kwargs)
  File "/usr/lib/python2.7/site-packages/jinja2/environment.py", line 438, in call_test
    raise TemplateRuntimeError('no test named %r' % name)
TemplateRuntimeError: no test named '!='
fatal: [localhost]: FAILED! => {
    "msg": "Unexpected failure during module execution.",
    "stdout": ""
}

I understand this is due to an old version of jinja2.

Control(s) Affected What controls are being affected by the issue

Environment (please complete the following information):

Additional Notes

# rpm -qa python python3 python-jinja2 ansible
ansible-2.9.27-1.el7.noarch
python-2.7.5-90.el7.x86_64
python-jinja2-2.7.2-4.el7.noarch
python3-3.6.8-18.el7.x86_64

Possible Solution Sorry, none found yet other than commenting out the tests. I tried pip installing jinja2-2.9 or jinja2-2.11, but that tried bringing in an updated version of markupsafe and ansible wouldn't run any playbook. I had to manually remove them & reinstall the CentOS 7 python-jinja2 & python-markupsafe packages.

PS. Thanks for this project. Having stumbled across it, it's a real eye opener.
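A version-portable way to write the kind of section 6 check that fails here, added as an example that is not part of this issue or of the RHEL7-CIS role. The '!=' test passed to selectattr only exists in Jinja2 2.10 and later, whereas '!=' as a comparison operator inside a `when` expression works on every Jinja2 version, so the loop is filtered with `when` instead. `passwd_entries` is a constructed sample and `jinja2_version` is a fact name chosen for this example; `ansible_playbook_python` and the `version` test are Ansible built-ins.

```yaml
# Added example, not code from the RHEL7-CIS role.
# Runs on Jinja2 2.7.2 (CentOS 7 python-jinja2) as well as on current releases.
- hosts: localhost
  gather_facts: false
  vars:
    # Constructed sample shaped like parsed /etc/passwd records; not a role fact.
    passwd_entries:
      - { id: root,   password: x }
      - { id: svc,    password: "$6$constructed$hash" }
      - { id: nobody, password: x }
  tasks:
    - name: Record the Jinja2 version seen by the controller's Python
      set_fact:
        jinja2_version: "{{ lookup('pipe', ansible_playbook_python ~ ' -c \"import jinja2; print(jinja2.__version__)\"') }}"

    - name: Use selectattr with the '!=' test only where Jinja2 supports it
      debug:
        msg: "{{ passwd_entries | selectattr('password', '!=', 'x') | map(attribute='id') | list }}"
      when: jinja2_version is version('2.10', '>=')

    # Portable form: the comparison happens in `when`, not in a Jinja2 test,
    # so no TemplateRuntimeError on Jinja2 < 2.10.
    - name: Report accounts whose password field is not 'x'
      debug:
        msg: "{{ item.id }} does not use a shadow password"
      loop: "{{ passwd_entries }}"
      when: item.password != 'x'
```

The second task is skipped on Jinja2 2.7.2 before its arguments are templated, so only the portable task runs there; on Jinja2 2.10+ both produce the same account list.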

dmk1000 commented 2 years ago

I should better read the Technical Dependencies: section. Sorry for the noise.

uk-bolly commented 2 years ago

hi @dmk1000

Thank you for taking the time to raise the issue. I noticed you have since closed it, and while we would advise very much towards using python3, you are using python 2. I am hoping that if you add the following lines to the controls you are having issues with, setting a var for the whole task/block, this "MAY" fix your problem.

vars:
  ansible_python_interpreter: "{{ python2_bin }}"
when: ansible_python.version.major == 2

Please let me know.

uk-bolly