Bug 2054369

Summary: vpn - consistently use ansible_managed in configuration files managed by role
Product: Red Hat Enterprise Linux 9 Reporter: Rich Megginson <rmeggins>
Component: rhel-system-roles Assignee: Rich Megginson <rmeggins>
Status: CLOSED ERRATA QA Contact: Jakub Haruda <jharuda>
Severity: unspecified Docs Contact: Eliane Ramos Pereira <elpereir>
Priority: unspecified    
Version: 9.0 CC: briasmit, elpereir, gfialova, jharuda, nhosoi, rhel-cs-system-management-subsystem-qe, spetrosi
Target Milestone: rc   
Target Release: 9.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: role:vpn
Fixed In Version: rhel-system-roles-1.15.0-1.el9 Doc Type: Enhancement
Doc Text:
.The VPN role consistently uses "Ansible_managed" comment in its managed configuration files
The VPN role generates the following configuration files:

* `/etc/ipsec.d/mesh.conf`
* `/etc/ipsec.d/policies/clear`
* `/etc/ipsec.d/policies/private`
* `/etc/ipsec.d/policies/private-or-clear`

With this update, the VPN role inserts the "Ansible managed" comment to the configuration files, using the Ansible standard `ansible_managed` variable. The comment indicates that the configuration files should not be directly edited because the VPN role can overwrite the file. As a result, the configuration files contain a declaration stating that the configuration files are managed by Ansible.
Story Points: ---
Clone Of: 2054365 Environment:
Last Closed: 2022-05-17 13:03:41 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2044640, 2054365, 2057645, 2057647, 2057651, 2057652, 2057656, 2057657, 2057661, 2057662, 2064690    
Bug Blocks: 2047504, 2047506, 2054363, 2054364, 2054367, 2054368    

Description Rich Megginson 2022-02-14 19:38:26 UTC
+++ This bug was initially created as a clone of Bug #2054365 +++

+++ This bug was initially created as a clone of Bug #2044640 +++

Description of problem:
RHEL System Roles should consistently use ansible_managed to allow customers to customize the comment shown at the top of configuration files managed by RHEL System Roles.  Some roles do not use ansible_managed, or have hard coded comments.  For example, the kernel_settings role creates /etc/tuned/kernel_settings/tuned.conf with a hard coded comment.  


Version-Release number of selected component (if applicable):
rhel-system-roles-1.7.3-2.el8.noarch


Additional info:
This is likely not limited to the kernel_settings role.  All roles should be evaluated and updated as needed to use ansible_managed.  Any roles updated to use ansible_managed should refer to https://bugzilla.redhat.com/show_bug.cgi?id=2006230 to ensure multi-line ansible_managed comments are supported.

--- Additional comment from Rich Megginson on 2022-01-25 02:46:04 UTC ---

kernel_settings https://github.com/linux-system-roles/kernel_settings/pull/72
postfix - uses the `postconf` command to set configuration - so no template used to generate /etc/postfix/main.cf - we could use the "trick" developed by https://github.com/linux-system-roles/kernel_settings/pull/72/files#diff-3d0ff1709ca48add100327bb2a468e6c508fb92a159c64c4f99ad1df89d9bddeR79 to generate the ansible_managed value, then use something like `lineinfile` to ensure that value is in main.cf
logging - looks good, but need to confirm
vpn - needs ansible_managed
timesync - good
kdump - good
cockpit - good
ssh - good
ha_cluster - need to see if file format supports commenting
tlog - needs comments
certificate - not sure - says it generates scripts but I cannot find how
crypto_policies - good
firewall - good
metrics - needs comments - but this will involve changes to ansible-pcp
mssql - needs comments
nbde_client, nbde_server - uses json format - not sure about comments
network - needs comments
selinux - good
storage - I think /etc/crypttab is not "owned" by the role

in addition - there may be some of the roles that generate config files in a non-standard way (e.g. like postfix with postfix-conf - not using the template module or lookup) that we will have to do some more investigation to find out

Comment 9 errata-xmlrpc 2022-05-17 13:03:41 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (new packages: rhel-system-roles), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:2443