diff --git a/molecule/delegated/prepare/docker_compose.yml b/molecule/delegated/prepare/docker_compose.yml index e519f99c..609f02f2 100644 --- a/molecule/delegated/prepare/docker_compose.yml +++ b/molecule/delegated/prepare/docker_compose.yml @@ -42,8 +42,8 @@ name: docker-ce description: Docker CE Stable - $basearch baseurl: "https://download.docker.com/linux/{{ ansible_distribution | lower }}/{{ ansible_distribution_version }}/{{ 'aarch64' if ansible_architecture == 'arm64' else ansible_architecture }}/stable" - gpgcheck: yes - enabled: yes + gpgcheck: true + enabled: true gpgkey: https://download.docker.com/linux/centos/gpg - name: Remove moby-compose package diff --git a/molecule/delegated/tests/resolvconf.py b/molecule/delegated/tests/resolvconf.py index bc124662..47ffa6cc 100644 --- a/molecule/delegated/tests/resolvconf.py +++ b/molecule/delegated/tests/resolvconf.py @@ -1,3 +1,5 @@ +import pytest + from .util.util import ( get_ansible, get_variable, @@ -19,8 +21,14 @@ def test_resolvconf_service_disabled(host): """Check if the resolvconf service is disabled.""" service = host.service("resolvconf") - assert not service.is_enabled - assert not service.is_running + cmd = host.run( + f'systemctl list-units --all | grep -q "^[[:space:]]*{service.name}"' + ) + if cmd.rc == 0: + assert not service.is_enabled + assert not service.is_running + else: + pytest.skip("The resolvconf service does not exist") def test_resolved_conf_file(host): diff --git a/molecule/delegated/tests/trivy/debian.py b/molecule/delegated/tests/trivy/debian.py index 9fd790a1..a49906ba 100644 --- a/molecule/delegated/tests/trivy/debian.py +++ b/molecule/delegated/tests/trivy/debian.py 
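Review bot: The existence probe in test_resolvconf_service_disabled can turn a real failure into a skip, because `grep -q "^[[:space:]]*{service.name}"` is a prefix match on `systemctl list-units` output: it misses a unit that systemd prints with a leading status marker (failed or not-found units get a `●` before the name), and it matches any other unit whose name merely starts with `resolvconf`. `list-units` also covers only units systemd has loaded, so an installed but unloaded unit file would be reported as "does not exist" and the disabled/stopped assertions would never run. Asking for the unit file directly is more precise, e.g. `cmd = host.run("systemctl list-unit-files --no-legend resolvconf.service")`, then branching on `cmd.stdout.strip()` rather than on the return code. A one-line comment above the probe saying which images ship no resolvconf unit would explain why the skip exists.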
@@ -10,6 +10,17 @@ testinfra_runner, testinfra_hosts = get_ansible() +def check_ansible_distribution(host): + """Test on Ubuntu 24.04 skipped, because the repository + 'https://aquasecurity.github.io/trivy-repo/deb noble Release' + does not have a release file yet.""" + if ( + get_variable(host, "ansible_distribution", True) == "Ubuntu" + and get_variable(host, "ansible_distribution_version", True) == "24.04" + ): + pytest.skip("Skipping this test on Ubuntu 24.04") + + def check_ansible_os_family(host): if get_variable(host, "ansible_os_family", True) != "Debian": pytest.skip("ansible_os_family mismatch") @@ -22,6 +33,7 @@ def check_configure_repository(host): def test_package(host): """Check if the packages are installed.""" + check_ansible_distribution(host) check_ansible_os_family(host) if get_variable(host, "trivy_configure_repository"): @@ -36,6 +48,7 @@ def test_package(host): def test_trivy_gpg_key_present(host): """Check if the GPG key for the trivy repository is correctly added.""" + check_ansible_distribution(host) check_ansible_os_family(host) check_configure_repository(host) @@ -55,6 +68,7 @@ def test_trivy_gpg_key_present(host): def test_trivy_repository_configured(host): """Check if the Trivy repository is correctly configured.""" + check_ansible_distribution(host) check_ansible_os_family(host) check_configure_repository(host) diff --git a/roles/kubectl/tasks/install-RedHat-family.yml b/roles/kubectl/tasks/install-RedHat-family.yml index 4625e279..90d7e52a 100644 --- a/roles/kubectl/tasks/install-RedHat-family.yml +++ b/roles/kubectl/tasks/install-RedHat-family.yml @@ -5,8 +5,8 @@ name: kubectl description: "K8s repository" baseurl: "{{ kubectl_redhat_repository }}" - gpgcheck: yes - enabled: yes + gpgcheck: true + enabled: true gpgkey: "{{ kubectl_redhat_repository_key }}" file: /etc/yum.repos.d/kubernetes mode: 0644 diff --git a/roles/lynis/tasks/install-RedHat-family.yml b/roles/lynis/tasks/install-RedHat-family.yml index 6f84c656..0ec89fe7 100644 
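Review bot: check_ansible_distribution skips on Ubuntu 24.04 unconditionally, so nothing will signal when the upstream repository gains a noble Release file, and the checks of the Trivy GPG key and repository configuration stay switched off on that release; the same call is added to test_package, test_trivy_gpg_key_present and test_trivy_repository_configured in the later hunks. The skip reason should carry the cause so it appears in the pytest report, e.g. `pytest.skip("trivy apt repository has no Release file for noble yet")`, with a `# TODO: remove once trivy-repo publishes noble` beside it so the workaround is easy to find. The docstring would read better as a one-line summary such as `"""Skip on Ubuntu 24.04, where the Trivy apt repository is not usable yet."""`, followed by the URL detail in a separate paragraph.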
--- a/roles/lynis/tasks/install-RedHat-family.yml +++ b/roles/lynis/tasks/install-RedHat-family.yml @@ -2,7 +2,7 @@ - name: Update package cache become: true ansible.builtin.dnf: - update_cache: yes + update_cache: true - name: Install epel-release become: true diff --git a/roles/microcode/tasks/main.yml b/roles/microcode/tasks/main.yml index f17841a8..0d3c1d6e 100644 --- a/roles/microcode/tasks/main.yml +++ b/roles/microcode/tasks/main.yml @@ -4,7 +4,7 @@ dest: /etc/apt/sources.list.d/default.list regexp: '(.*)\s+non-free-firmware\s*(.*)$' state: absent - check_mode: yes + check_mode: true register: debian_repo_existing when: "ansible_distribution == 'Debian'" diff --git a/roles/network/tasks/netplan-RedHat-family.yml b/roles/network/tasks/netplan-RedHat-family.yml index 6b0be6cb..5c0fb669 100644 --- a/roles/network/tasks/netplan-RedHat-family.yml +++ b/roles/network/tasks/netplan-RedHat-family.yml 
@@ -88,23 +88,23 @@ when: network_interfaces_path_stat.stat.isdir is defined and network_interfaces_path_stat.stat.isdir # networkd-dispatcher is currently not being installed on CentOS -#- name: Copy dispatcher scripts -# become: true -# ansible.builtin.template: -# src: "{{ item.src }}" -# dest: "/etc/networkd-dispatcher/{{ item.dest }}" -# mode: 0755 -# owner: root -# group: root -# loop: "{{ network_dispatcher_scripts }}" +# - name: Copy dispatcher scripts +# become: true +# ansible.builtin.template: +# src: "{{ item.src }}" +# dest: "/etc/networkd-dispatcher/{{ item.dest }}" +# mode: 0755 +# owner: root +# group: root +# loop: "{{ network_dispatcher_scripts }}" -#- name: "Manage service {{ network_dispatcher_service_name }}" -# become: true -# ansible.builtin.service: -# name: "{{ network_dispatcher_service_name }}" -# enabled: true -# state: started -# register: network_service +# - name: "Manage service {{ network_dispatcher_service_name }}" +# become: true +# ansible.builtin.service: +# name: "{{ network_dispatcher_service_name }}" +# enabled: true +# state: started +# register: network_service - name: Include cleanup tasks ansible.builtin.include_tasks: cleanup-netplan.yml diff --git a/roles/network/vars/Debian-family.yml b/roles/network/vars/Debian-family.yml index 3cff32b6..91d8a0a8 100644 --- a/roles/network/vars/Debian-family.yml +++ b/roles/network/vars/Debian-family.yml @@ -1,3 +1,4 @@ +--- network_interface_required_packages: - bridge-utils - ifenslave diff --git a/roles/network/vars/RedHat-family.yml b/roles/network/vars/RedHat-family.yml index 6377a430..79b6e932 100644 --- a/roles/network/vars/RedHat-family.yml +++ b/roles/network/vars/RedHat-family.yml @@ -1,3 +1,4 @@ +--- network_interface_required_packages: - bridge-utils - teamd diff --git a/roles/systohc/tasks/main.yml b/roles/systohc/tasks/main.yml index 37576dd3..9deb1ef3 100644 --- a/roles/systohc/tasks/main.yml +++ b/roles/systohc/tasks/main.yml 
@@ -1,4 +1,14 @@ --- +- name: Install util-linux-extra package + ansible.builtin.apt: + name: util-linux-extra + state: present + update_cache: true + become: true + when: + - ansible_distribution == 'Ubuntu' + - ansible_distribution_version == '24.04' + - name: Sync hardware clock become: true ansible.builtin.command: hwclock --systohc diff --git a/roles/trivy/tasks/install-Debian-family.yml b/roles/trivy/tasks/install-Debian-family.yml index eab3f749..064912ad 100644 --- a/roles/trivy/tasks/install-Debian-family.yml +++ b/roles/trivy/tasks/install-Debian-family.yml 
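Review bot: The new apt task is gated on `ansible_distribution_version == '24.04'` exactly, so a later Ubuntu release that also ships hwclock outside the base util-linux package (presumably the reason for this task) would reach `hwclock --systohc` without it; a range test such as `ansible_distribution_version is version('24.04', '>=')` avoids revisiting this per release. The task also lacks the `lock_timeout: "{{ apt_lock_timeout | default(300) }}"` that the apt tasks in roles/trivy/tasks/install-Debian-family.yml carry, so it may fail on a held dpkg lock where those wait. A short comment above the task naming why util-linux-extra is needed would document the dependency.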
@@ -1,45 +1,50 @@ --- -- name: Remove old architecture-dependent repository - become: true - ansible.builtin.apt_repository: - repo: "deb [ arch=amd64 ] https://aquasecurity.github.io/trivy-repo/deb {{ ansible_distribution_release }} main" - state: absent - filename: trivy - when: trivy_configure_repository|bool +# Installation on Ubuntu 24.04 skipped, because the repository +# 'https://aquasecurity.github.io/trivy-repo/deb noble Release' +# does not have a release file yet. +- name: Trivy installation + when: not ansible_distribution_version == '24.04' + block: # noqa osism-fqcn + - name: Remove old architecture-dependent repository + become: true + ansible.builtin.apt_repository: + repo: "deb [ arch=amd64 ] https://aquasecurity.github.io/trivy-repo/deb {{ ansible_distribution_release }} main" + state: absent + filename: trivy + when: trivy_configure_repository|bool -- name: Install apt-transport-https package - become: true - ansible.builtin.apt: - name: apt-transport-https - state: present - lock_timeout: "{{ apt_lock_timeout | default(300) }}" - when: trivy_configure_repository | bool - changed_when: false + - name: Install apt-transport-https package + become: true + ansible.builtin.apt: + name: apt-transport-https + state: present + lock_timeout: "{{ apt_lock_timeout | default(300) }}" + when: trivy_configure_repository | bool + changed_when: false -- name: Add repository gpg key - become: true - ansible.builtin.get_url: - url: "{{ trivy_debian_repository_key }}" - dest: /etc/apt/trusted.gpg.d/trivy.asc - mode: 0644 - owner: root - group: root - when: - - trivy_configure_repository | bool + - name: Add repository gpg key + become: true + ansible.builtin.get_url: + url: "{{ trivy_debian_repository_key }}" + dest: /etc/apt/trusted.gpg.d/trivy.asc + mode: 0644 + owner: root + group: root + when: trivy_configure_repository | bool -- name: Add repository - become: true - ansible.builtin.apt_repository: - repo: "{{ trivy_debian_repository }}" - state: present - 
filename: trivy - update_cache: true - mode: 0600 - when: trivy_configure_repository | bool + - name: Add repository + become: true + ansible.builtin.apt_repository: + repo: "{{ trivy_debian_repository }}" + state: present + filename: trivy + update_cache: true + mode: 0600 + when: trivy_configure_repository | bool -- name: Install trivy package - become: true - ansible.builtin.apt: - name: "{{ trivy_package_name }}" - state: present - lock_timeout: "{{ apt_lock_timeout | default(300) }}" + - name: Install trivy package + become: true + ansible.builtin.apt: + name: "{{ trivy_package_name }}" + state: present + lock_timeout: "{{ apt_lock_timeout | default(300) }}"
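Review bot: The block condition `when: not ansible_distribution_version == '24.04'` tests the version string only, whereas the matching helper in molecule/delegated/tests/trivy/debian.py checks both `ansible_distribution` and the version; writing it as `when: not (ansible_distribution == 'Ubuntu' and ansible_distribution_version == '24.04')` keeps the two in step. On a 24.04 host the whole block is skipped and the play still succeeds, so the host ends up without the scanner and nothing reports it; an `ansible.builtin.debug` task with the inverse condition, stating that Trivy was not installed, would make that visible. Separately, the re-indented key task still writes to `/etc/apt/trusted.gpg.d/trivy.asc`, which makes that key trusted for every configured apt source; a dedicated keyring referenced with `signed-by` in `trivy_debian_repository` (defined outside this diff) would narrow that trust to the Trivy repository.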