feat: Ubuntu noble #290

Merged
merged 31 commits into from
Jun 21, 2024
Changes from 25 commits
31 commits
1f0d814
fix: Add missing PrintMotd to Ubuntu 22.04
mattwillsher Jun 2, 2024
175f004
feat: Add support for Ubuntu Nobel/24.04 LTS
mattwillsher Jun 2, 2024
fc87009
docs: Correct spelling
mattwillsher Jun 2, 2024
e612e63
fix(tests): use patched action working around pip changes in Ubuntu 2…
mattwillsher Jun 2, 2024
3880aa4
fix(tests): Exclude Tatu from output during test
mattwillsher Jun 2, 2024
91b57fc
fix: Capitalise handler to conform with linting
mattwillsher Jun 2, 2024
8b22e08
fix: correct spelling of 'noble'
mattwillsher Jun 2, 2024
710fd64
fix(tests): Exclude text Aaron from sshd_config options
mattwillsher Jun 2, 2024
aedaac0
fix(tests): Exclude Each from manpage parsing
mattwillsher Jun 3, 2024
31fb99f
fix(ci): Remove obsolete CentOS versions
mattwillsher Jun 4, 2024
548cf00
chore: update pre-commit config
mattwillsher Jun 5, 2024
22b562b
fix: update meta
mattwillsher Jun 5, 2024
dd68e95
fix(tests): re-instate centos and ubuntu actions
mattwillsher Jun 7, 2024
d0cbdb6
fix(tests): Update to remove warnings
mattwillsher Jun 7, 2024
dbf59af
fix(tests): correct name of runtime.yml
mattwillsher Jun 7, 2024
e68be48
fix: Accommodate Ubuntu 24.04 changes
mattwillsher Jun 7, 2024
97ff913
fix(tests): skip requires ansible check
mattwillsher Jun 7, 2024
da558f1
fix(tests): Ubuntu 24.04 ssh service has no at in the name
mattwillsher Jun 7, 2024
c677481
fix(tests): skip sshd unit file tests for now
mattwillsher Jun 11, 2024
c1b4c95
fix(tests): remove at check, not needed
mattwillsher Jun 11, 2024
86acd06
fix(tests): replace missing @
mattwillsher Jun 11, 2024
c22b54f
fix(doc): typo
mattwillsher Jun 11, 2024
34892fa
fix(doc): typo
mattwillsher Jun 11, 2024
003a20a
fix: order Ubuntu releases by name
mattwillsher Jun 13, 2024
8f483a4
fix: ssh socket template
mattwillsher Jun 13, 2024
9818765
fix: socket template
mattwillsher Jun 13, 2024
7fcc9c4
fix: typo
mattwillsher Jun 13, 2024
178ba8d
fix: Ignore @ tests for Ubuntu 24.04
mattwillsher Jun 21, 2024
3af1491
fix: base @ tests on socket accept as the code does
mattwillsher Jun 21, 2024
f5ac537
fix: variables not present in tests, id os from facts
mattwillsher Jun 21, 2024
3be1fbb
fix: move os test to whole block
mattwillsher Jun 21, 2024
1 change: 1 addition & 0 deletions .ansible-lint
Expand Up @@ -5,6 +5,7 @@ exclude_paths:
- .markdownlint.yaml
skip_list:
- var-naming[no-role-prefix]
- meta-runtime[unsupported-version]
mock_roles:
- willshersystems.sshd.ansible-sshd
mock_modules:
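Review bot: the new `- meta-runtime[unsupported-version]` entry in `skip_list` suppresses that rule for the whole repository rather than addressing it, and this same PR adds a `meta/runtime.yml` declaring `requires_ansible: ">=2.15.0"`, which is exactly what the rule checks. Either drop the skip once the new runtime.yml satisfies ansible-lint, or add a comment beside it saying why it is still required, so the suppression does not silently outlive its reason.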
4 changes: 2 additions & 2 deletions .pre-commit-config.yaml
@@ -1,14 +1,14 @@
---
repos:
- repo: https://github.com/adrienverge/yamllint.git
rev: v1.27.1
rev: 81e9f98ffd059efe8aa9c1b1a42e5cce61b640c6 # frozen: v1.35.1
hooks:
- id: yamllint
files: \.(yaml|yml)$
types: [file, yaml]
entry: yamllint --strict
- repo: https://github.com/ansible/ansible-lint.git
rev: v6.5.2
rev: 2d9f1ed1e6d08e1f6a18e50f789ab1580220c7db # frozen: v24.6.0
hooks:
- id: ansible-lint
files: \.(yaml|yml)$
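Review bot: replacing the mutable tags `v1.27.1` and `v6.5.2` with full commit SHAs plus `# frozen: v1.35.1` / `# frozen: v24.6.0` comments is the right supply-chain hygiene for hooks that run on every contributor's machine and in CI; keep the SHA and the `frozen:` comment in step on future bumps (`pre-commit autoupdate --freeze` writes both). Note that ansible-lint moves from v6.5.2 to v24.6.0 in one step, so the accompanying rule changes elsewhere in this PR (the `meta-runtime` skip, the handler renames) are a consequence of this pin and worth a line in the PR description.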
8 changes: 7 additions & 1 deletion .yamllint.yml
Expand Up @@ -4,6 +4,12 @@ ignore: |
/.tox/
/.github/
/tests/roles/
# skip checking line length
rules:
comments-indentation: false
document-start: disable
line-length: disable
braces:
max-spaces-inside: 1
octal-values:
forbid-implicit-octal: true
forbid-explicit-octal: true
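Review bot: the `octal-values` rules are a sound addition for a role that writes file modes everywhere, since an unquoted `0644` is parsed as octal by YAML 1.1 while `644` is not; they only fire on unquoted literals, so the quoted `"0644"` in tasks/install_service.yml and `'0755'` in vars/Ubuntu_24.yml pass as intended. Style point: the pre-existing `# skip checking line length` comment now sits above the whole `rules:` block and reads as if it describes all of it; moving it next to `line-length: disable` keeps the intent clear.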
2 changes: 1 addition & 1 deletion CODE_OF_CONDUCT.md
Expand Up @@ -6,7 +6,7 @@ In the interest of fostering an open and welcoming environment, we as
contributors and maintainers pledge to making participation in our project and
our community a harassment-free experience for everyone, regardless of age, body
size, disability, ethnicity, sex characteristics, gender identity and expression,
level of experience, education, socio-economic status, nationality, personal
level of experience, education, socioeconomic status, nationality, personal
appearance, race, religion, or sexual identity and orientation.

## Our Standards
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -27,7 +27,7 @@ via simple password. If you need this functionality, be sure to set

Tested on:

* Ubuntu precise, trusty, xenial, bionic, focal, jammy
* Ubuntu precise, trusty, xenial, bionic, focal, jammy, noble
* [![Run tests on Ubuntu latest](https://github.com/willshersystems/ansible-sshd/actions/workflows/ansible-ubuntu.yml/badge.svg)](https://github.com/willshersystems/ansible-sshd/actions/workflows/ansible-ubuntu.yml)
* Debian wheezy, jessie, stretch, buster, bullseye, bookworm
* [![Run tests on Debian](https://github.com/willshersystems/ansible-sshd/actions/workflows/ansible-debian-check.yml/badge.svg)](https://github.com/willshersystems/ansible-sshd/actions/workflows/ansible-debian-check.yml)
6 changes: 3 additions & 3 deletions handlers/main.yml
Expand Up @@ -10,7 +10,7 @@
- ansible_connection != 'chroot'
- ansible_facts['os_family'] != 'AIX'
- ansible_facts['os_family'] != 'OpenWrt'
listen: reload_sshd
listen: Reload_sshd

# sshd on AIX cannot be 'reloaded', it must be Stopped+Started.
# It's dangerous to do this in two tasks.. you're stopping SSH and then trying to SSH back in to start it.
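Review bot: renaming the listen topic from `reload_sshd` to `Reload_sshd` (here and in the two hunks below) is an interface change, not just a lint fix: every `notify:` inside this role is updated in this PR, but any external playbook that notifies `reload_sshd` directly will now notify a topic nobody listens on, and Ansible treats that as a no-op, so sshd keeps running its old configuration with no error. `listen:` accepts a list, so keeping both names for a deprecation period, e.g. `listen: [Reload_sshd, reload_sshd]`, avoids that silent failure; at minimum, call the rename out in the changelog.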
Expand All @@ -25,7 +25,7 @@
stopsrc -s sshd
until $(lssrc -s sshd | grep -q inoperative); do sleep 1; done
startsrc -s sshd
listen: reload_sshd
listen: Reload_sshd
changed_when: false
when:
- sshd_allow_reload|bool
Expand All @@ -39,4 +39,4 @@
when:
- sshd_allow_reload|bool
- ansible_facts['os_family'] == 'OpenWrt'
listen: reload_sshd
listen: Reload_sshd
3 changes: 2 additions & 1 deletion meta/main.yml
Expand Up @@ -24,8 +24,9 @@ galaxy_info:
- bionic
- focal
- jammy
- noble
- name: FreeBSD
version:
versions:
- "10.1"
- name: EL
versions:
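Review bot: the `version:` to `versions:` correction on the FreeBSD platform entry is a real fix rather than a style tweak, since the key was previously misspelt and the entry would not have matched the Galaxy schema; it deserves its own mention in the commit message (it is currently folded into the `noble` addition). Adding `noble` under Ubuntu is consistent with the README change in this PR.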
2 changes: 2 additions & 0 deletions meta/runtime.yml
@@ -0,0 +1,2 @@
---
requires_ansible: ">=2.15.0"
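Review bot: `requires_ansible: ">=2.15.0"` is a new hard floor for every consumer of the collection, and the commit list shows the corresponding test being skipped (97ff913, "fix(tests): skip requires ansible check"). Make sure CI actually exercises the oldest ansible-core this line claims to support, otherwise the declared minimum is asserted but never verified, and document the bump in the README or changelog.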
2 changes: 1 addition & 1 deletion tasks/install.yml
Expand Up @@ -22,7 +22,7 @@
when:
- sshd_sysconfig | bool
- __sshd_sysconfig_supports_use_strong_rng or __sshd_sysconfig_supports_crypto_policy
notify: reload_sshd
notify: Reload_sshd

- name: Check FIPS mode
ansible.builtin.include_tasks: check_fips.yml
4 changes: 2 additions & 2 deletions tasks/install_config.yml
Expand Up @@ -24,7 +24,7 @@
{{ sshd_binary }} -t -f %s
{% endif %}
backup: "{{ sshd_backup }}"
notify: reload_sshd
notify: Reload_sshd

- name: Make sure the include path is present in the main sshd_config
ansible.builtin.lineinfile:
Expand All @@ -43,7 +43,7 @@
{{ sshd_binary }} -t -f %s
{% endif %}
backup: "{{ sshd_backup }}"
notify: reload_sshd
notify: Reload_sshd
when:
- sshd_main_config_file is not none
- sshd_config_file | dirname == sshd_main_config_file ~ '.d'
2 changes: 1 addition & 1 deletion tasks/install_namespace.yml
Expand Up @@ -21,4 +21,4 @@
{{ sshd_binary }} -t -f %s
{% endif %}
backup: "{{ sshd_backup }}"
notify: reload_sshd
notify: Reload_sshd
6 changes: 3 additions & 3 deletions tasks/install_service.yml
Expand Up @@ -12,7 +12,7 @@
owner: root
group: root
mode: "0644"
notify: reload_sshd
notify: Reload_sshd

- name: Install instanced service unit file
ansible.builtin.template:
Expand All @@ -21,7 +21,7 @@
owner: root
group: root
mode: "0644"
notify: reload_sshd
notify: Reload_sshd
when:
- __sshd_socket_accept | bool

Expand All @@ -32,7 +32,7 @@
owner: root
group: root
mode: "0644"
notify: reload_sshd
notify: Reload_sshd

- name: Service enabled and running
ansible.builtin.service:
6 changes: 6 additions & 0 deletions templates/sshd.socket.j2
Expand Up @@ -14,6 +14,12 @@ Accept=yes
{% else %}
Accept=no
{% endif %}
{% if __sshd_socket_freebind is not none %}
FreeBind={{ __sshd_socket_freebind }}
{% endif %}

[Install]
WantedBy=sockets.target
{% if __ssh_socket_required_by is not none %}
RequiredBy=ssh.service
{% endif %}
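Review bot: the `RequiredBy` guard tests `__ssh_socket_required_by`, but the variable this PR defines in vars/main.yml and vars/Ubuntu_24.yml is `__sshd_socket_required_by` (with the `d`); as written the condition never sees the configured value, and depending on how the undefined name is evaluated it will either fail templating or emit `RequiredBy=ssh.service` on every platform. The body is also hard-coded to `ssh.service` although vars/main.yml documents the variable as a space-separated list of service names, so it should render `RequiredBy={{ __sshd_socket_required_by }}` under the corrected name. The `FreeBind=` line is passed through verbatim, which is fine; note for readers that it sets `IP_FREEBIND`, allowing the socket to bind to an address not yet configured on the host, so a comment in the template explaining why Ubuntu 24.04 enables it would help the next maintainer.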
2 changes: 1 addition & 1 deletion tests/tests_all_options.yml
Expand Up @@ -93,7 +93,7 @@
| grep -o '^\( \| \)[A-Z][A-Za-z0-9]*\(.\| \)' \
| grep -v "[A-Za-z0-9] $" | grep -v "[^A-Za-z0-9 ]$" \
| awk '{ print $1 }' \
| grep -v '^$' | grep -v "^\(Match\|OpenSSH\|The\|Arguments\|Theo\)$"
| grep -v '^$' | grep -v "^\(Match\|OpenSSH\|The\|Arguments\|Theo\|Tatu\|Aaron\|Each\)$"
args:
executable: /bin/bash
register: sshd_options
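Review bot: the exclusion list on the last `grep -v` is growing one name at a time (`Theo`, now `Tatu`, `Aaron`, `Each`) because the pipeline extracts every capitalised word from the manpage and the AUTHORS section contributes people's names; the next manpage edit will break the test again. Cutting the input at the AUTHORS heading before the option extraction (for example a `sed '/^AUTHORS/,$d'` stage at the top of the pipeline) removes the whole class of false positives instead of maintaining a blacklist of first names.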
1 change: 1 addition & 0 deletions tests/tests_systemd_services.yml
Expand Up @@ -118,6 +118,7 @@
- ansible_facts['service_mgr'] == 'systemd' or
(ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '7')
- ansible_facts['distribution'] != "Debian" or ansible_facts['distribution_major_version'] | int < 12
- not (ansible_facts['distribution'] == 'Ubuntu' and ansible_facts['distribution_version'] is version('24.04', '>=')) # 24.04 has no [email protected] in the package
block:
- name: Read the distribution instantiated service file
ansible.builtin.slurp:
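Review bot: this `when:` now encodes two distribution-specific facts (Debian 12+ and Ubuntu 24.04+ do not ship an instanced sshd unit) as inline version comparisons, which is the kind of knowledge the role already keeps per platform under vars/. A single per-OS flag set in vars/Ubuntu_24.yml and the Debian vars, tested here as one condition, would keep the test in step with the role instead of duplicating release numbers; the commit list (3be1fbb, "fix: move os test to whole block") suggests this condition moves again later, which is a further reason to centralise it. The `version('24.04', '>=')` comparison itself is correct.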
1 change: 1 addition & 0 deletions vars/Ubuntu_22.yml
Expand Up @@ -14,6 +14,7 @@ __sshd_defaults:
Include: /etc/ssh/sshd_config.d/*.conf
KbdInteractiveAuthentication: false
UsePAM: true
PrintMotd: false
AcceptEnv: LANG LC_*
Subsystem: "sftp /usr/lib/openssh/sftp-server"

32 changes: 32 additions & 0 deletions vars/Ubuntu_24.yml
@@ -0,0 +1,32 @@
---
__sshd_os_supported: true

__sshd_service: ssh
__sshd_packages:
- openssh-server
- openssh-sftp-server
# Ubuntu 22.04 shipped with drop-in directory support so we touch
# just included file with highest priority by default
__sshd_config_file: /etc/ssh/sshd_config.d/00-ansible_system_role.conf
__sshd_config_mode: "0644"
# the defaults here represent the defaults shipped in the main sshd_config
__sshd_defaults:
Include: /etc/ssh/sshd_config.d/*.conf
KbdInteractiveAuthentication: false
UsePAM: true
PrintMotd: false
AcceptEnv: LANG LC_*
Subsystem: "sftp /usr/lib/openssh/sftp-server"

__sshd_runtime_directory: sshd

__sshd_drop_in_dir_mode: '0755'
__sshd_main_config_file: /etc/ssh/sshd_config

__sshd_environment_file: /etc/default/ssh
__sshd_environment_variable: $SSHD_OPTS
__sshd_service_after: auditd.service
__sshd_service_alias: sshd

__sshd_socket_freebind: 'yes'
__sshd_socket_required_by: ssh.service
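Review bot: the comment "Ubuntu 22.04 shipped with drop-in directory support" is copied from vars/Ubuntu_22.yml and is misleading in a 24.04 file; reword it to say the drop-in directory is used (or point at Ubuntu_22.yml). `__sshd_socket_freebind: 'yes'` is deliberately a string so that the template emits systemd's `yes` rather than a YAML boolean rendered as `True`, which systemd would reject; add a comment saying so, otherwise the next person will "fix" it to `true`. Minor: this file mixes `'0755'` and `"0644"` quoting for modes, and `__sshd_socket_required_by: ssh.service` will only take effect once the template references the same variable name.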
6 changes: 6 additions & 0 deletions vars/main.yml
Expand Up @@ -87,3 +87,9 @@ __sshd_service_restart_timeout: ~

# The systemd socket file does not accept the connection
__sshd_socket_accept: true

# Boolean to control if the systemd socket can be bound to non-local IP addresses
__sshd_socket_freebind: ~

# Space separated list of service names that this socket is required by
__sshd_socket_required_by: ~
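Review bot: the comment on `__sshd_socket_freebind` calls it a Boolean, but the value is written straight into the unit file and the per-OS vars set it to the string `'yes'`; document it as a systemd `yes`/`no` string (or convert it in the template with a `bool` filter and a ternary) so callers do not pass `true` and get `FreeBind=True` in the socket unit. The `__sshd_socket_required_by` comment promises a space-separated list, which matches systemd's `RequiredBy=` syntax, so the template should render the variable rather than a fixed service name.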