Bug 2054368

Summary: certificate - should consistently use ansible_managed in hook scripts
Product: Red Hat Enterprise Linux 9 Reporter: Rich Megginson <rmeggins>
Component: rhel-system-rolesAssignee: Rich Megginson <rmeggins>
Status: CLOSED ERRATA QA Contact: CS System Management SST QE <rhel-cs-system-management-subsystem-qe>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 9.0CC: briasmit, jharuda, nhosoi, rhel-cs-system-management-subsystem-qe, spetrosi
Target Milestone: rcKeywords: Triaged
Target Release: 9.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: role:certificate
Fixed In Version: rhel-system-roles-1.15.0-1.el9 Doc Type: Enhancement
Doc Text:
Feature: The certificate role possibly generates pre- and post-scripts to support providers: /etc/certmonger/pre-scripts/script_name.sh /etc/certmonger/post-scripts/script_name.sh to which the role inserts the "Ansible managed" comment using the Ansible standard "ansible_managed" variable. Reason: The comment is helpful to indicate that the script files should not be directly edited because the certificate role may overwrite the file. Result: It is clearly declared the configuration files are managed by Ansible.
 Story Points: ---
Clone Of: 2054364 Environment:
Last Closed: 2022-05-17 13:03:41 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2044640, 2054364, 2054365, 2054369, 2057645, 2057647, 2057651, 2057652, 2057656, 2057657, 2057661, 2057662, 2064690    
Bug Blocks: 2047504, 2047506, 2054363, 2054367    

Description Rich Megginson 2022-02-14 19:37:55 UTC 
+++ This bug was initially created as a clone of Bug #2054364 +++

+++ This bug was initially created as a clone of Bug #2044640 +++

Description of problem:
RHEL System Roles should consistently use ansible_managed to allow customers to customize the comment shown at the top of configuration files managed by RHEL System Roles.  Some roles do not use ansible_managed, or have hard coded comments.  For example, the kernel_settings role creates /etc/tuned/kernel_settings/tuned.conf with a hard coded comment.  


Version-Release number of selected component (if applicable):
rhel-system-roles-1.7.3-2.el8.noarch


Additional info:
This is likely not limited to the kernel_settings role.  All roles should be evaluated and updated as needed to use ansible_managed.  Any roles updated to use ansible_managed should refer to https://bugzilla.redhat.com/show_bug.cgi?id=2006230 to ensure multi-line ansible_managed comments are supported.

--- Additional comment from Rich Megginson on 2022-01-25 02:46:04 UTC ---

kernel_settings https://github.com/linux-system-roles/kernel_settings/pull/72
postfix - uses the `postconf` command to set configuration - so no template used to generate /etc/postfix/main.cf - we could use the "trick" developed by https://github.com/linux-system-roles/kernel_settings/pull/72/files#diff-3d0ff1709ca48add100327bb2a468e6c508fb92a159c64c4f99ad1df89d9bddeR79 to generate the ansible_managed value, then use something like `lineinfile` to ensure that value is in main.cf
logging - looks good, but need to confirm
vpn - needs ansible_managed
timesync - good
kdump - good
cockpit - good
ssh - good
ha_cluster - need to see if file format supports commenting
tlog - needs comments
certificate - not sure - says it generates scripts but I cannot find how
crypto_policies - good
firewall - good
metrics - needs comments - but this will involve changes to ansible-pcp
mssql - needs comments
nbde_client, nbde_server - uses json format - not sure about comments
network - needs comments
selinux - good
storage - I think /etc/crypttab is not "owned" by the role

in addition - there may be some of the roles that generate config files in a non-standard way (e.g. like postfix with postfix-conf - not using the template module or lookup) that we will have to do some more investigation to find out
Comment 8 errata-xmlrpc 2022-05-17 13:03:41 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (new packages: rhel-system-roles), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:2443