diff --git a/README.md b/README.md index b9baa43..7bb8b87 100644 --- a/README.md +++ b/README.md @@ -11,6 +11,7 @@ supported by ansible. The role was tested on: * RHEL/CentOS 6, 7, 8, 9, 10 * Fedora +* SUSE/openSUSE * Debian * Ubuntu diff --git a/meta/collection-requirements.yml b/meta/collection-requirements.yml index 78f93d3..fd235bd 100644 --- a/meta/collection-requirements.yml +++ b/meta/collection-requirements.yml @@ -2,3 +2,5 @@ --- collections: - name: ansible.posix + - name: community.general + version: ">=6.6.0,<12.0.0" diff --git a/meta/main.yml b/meta/main.yml index 8cf707b..c457766 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -44,6 +44,7 @@ galaxy_info: - el9 - el10 - fedora + - leap - networking - openssh - redhat diff --git a/tests/tasks/setup.yml b/tests/tasks/setup.yml index 2eaa022..50140df 100644 --- a/tests/tasks/setup.yml +++ b/tests/tasks/setup.yml @@ -20,7 +20,7 @@ vars: __ssh_test_packages: >- {{ - "openssh-clients" if ansible_facts['os_family'] == 'RedHat' + "openssh-clients" if ansible_facts['os_family'] in ['RedHat', 'Suse'] else "openssh-client" }} package: @@ -41,7 +41,7 @@ main_ssh_config_name: 00-ansible.conf main_ssh_config_path: /etc/ssh/ssh_config.d/ when: - - (ansible_facts['os_family'] == 'RedHat' + - (ansible_facts['os_family'] in ['RedHat', 'Suse'] and ansible_facts['distribution_major_version'] | int >= 8) or (ansible_facts['distribution'] == 'Ubuntu' and ansible_facts['distribution_major_version'] | int >= 20) diff --git a/tests/tests_additional_packages.yml b/tests/tests_additional_packages.yml index 9fa1da6..096eec5 100644 --- a/tests/tests_additional_packages.yml +++ b/tests/tests_additional_packages.yml @@ -9,6 +9,8 @@ openssh-ldap {% elif ansible_facts['os_family'] == 'RedHat' %} openssh-keycat + {% elif ansible_facts['os_family'] == 'Suse' %} + openssh-helpers {% else %} openssh-tests {% endif %} diff --git a/tests/tests_all_options.yml b/tests/tests_all_options.yml index 1c4955c..2619508 100644 
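Review bot: The new `community.general` entry in meta/collection-requirements.yml has no comment saying what needs it, and nothing else in this diff references a module from that collection. Presumably it is there for the zypper backend that the `package` action resolves to on SUSE; if so, say it above the entry, e.g. `# provides the zypper module used by the package action on SUSE`. A stated reason makes it easier to drop or tighten the dependency later. The `>=6.6.0,<12.0.0` range spans six major release lines of a third-party collection, so it is also worth recording which of them CI actually exercises.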
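Review bot: The `distribution_major_version | int >= 8` threshold in the second hunk of tests/tasks/setup.yml is a RHEL version number, and widening the family test to `['RedHat', 'Suse']` applies it to SUSE unchanged. A SUSE host reporting a major version below 8 would not get `main_ssh_config_name` and `main_ssh_config_path` set; SL Micro 6 may be one, if it is classified under the `Suse` family (this diff renames vars/SL-Micro.yml to vars/Suse.yml). The skip conditions added in tests_custom_drop_in.yml, tests_global_drop_in.yml and tests_global_drop_in_role.yml, by contrast, treat every `Suse` host as drop-in capable with no version check. Consider a separate clause such as `or ansible_facts['os_family'] == 'Suse'` so the two sets of conditions agree, or gate both on a SUSE-specific version. The task this `when:` belongs to starts outside the hunk.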
--- a/tests/tests_all_options.yml +++ b/tests/tests_all_options.yml @@ -22,7 +22,7 @@ set_fact: ssh_test_package: openssh-client when: > - ansible_facts['os_family'] != 'RedHat' + ansible_facts['os_family'] not in ['RedHat', 'Suse'] - name: Determine if system is ostree and set flag when: not __ssh_is_ostree is defined @@ -67,6 +67,16 @@ use: "{{ (__ssh_is_ostree | d(false)) | ternary('ansible.posix.rhel_rpm_ostree', omit) }}" + - name: Check if ssh_config man page is available + command: man -w ssh_config + register: __ssh_man_check + failed_when: false + changed_when: false + + - name: Skip if ssh_config man page is not available + meta: end_host + when: __ssh_man_check.rc != 0 + - name: Get list of options from manual page shell: >- set -o pipefail && man ssh_config \ diff --git a/tests/tests_custom_drop_in.yml b/tests/tests_custom_drop_in.yml index a240c81..16484ab 100644 --- a/tests/tests_custom_drop_in.yml +++ b/tests/tests_custom_drop_in.yml @@ -10,7 +10,8 @@ - name: Skip if the system does not support drop in directory meta: end_host when: - - ansible_facts['distribution'] != 'Fedora' and + - ansible_facts['os_family'] != 'Suse' and + ansible_facts['distribution'] != 'Fedora' and not (ansible_facts['distribution'] in ['RedHat','CentOS'] and ansible_facts['distribution_version'] | int >= 8) and not (ansible_facts['distribution'] in ['Ubuntu'] and diff --git a/tests/tests_global_config_mode.yml b/tests/tests_global_config_mode.yml index f367d44..a417c7e 100644 --- a/tests/tests_global_config_mode.yml +++ b/tests/tests_global_config_mode.yml @@ -6,6 +6,10 @@ __ssh_test_backup_files: - /etc/ssh/ssh_config.d/00-ansible.conf - /etc/ssh/ssh_config + # SUSE Minimal VM images do not have the daemon user + __ssh_test_owner: >- + {{ 'nobody' if ansible_facts['os_family'] == 'Suse' + else 'daemon' }} tasks: - name: Backup configuration files 
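Review bot: The added `Skip if ssh_config man page is not available` task in tests_all_options.yml ends the host on any platform, so a missing man page on a distribution that used to ship it becomes a silent pass instead of a failure. The next task builds the option list from `man ssh_config`, so the skip removes the check this test exists for. If it is meant only for minimal SUSE images, narrow it: `when: __ssh_man_check.rc != 0 and ansible_facts['os_family'] == 'Suse'`. A `debug` task before the `meta: end_host` stating why the host was skipped would make the lost coverage visible in CI logs.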
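Review bot: `__ssh_test_owner` in tests_global_config_mode.yml feeds both `ssh_config_owner` and `ssh_config_group`, and both `gr_name` and `pw_name` in the later hunks, so the SUSE branch assumes a group named `nobody` exists alongside the user. The comment only says the `daemon` user is missing. If some SUSE releases name that group differently (not verified against the target images), the role run would fail on the group rather than on the behaviour under test. Once confirmed, extend the comment to something like `# SUSE Minimal VM images lack the daemon user and group; nobody:nobody exists`, or add a separate `__ssh_test_group` variable.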
@@ -19,8 +23,8 @@ Compression: true GSSAPIAuthentication: false # bad example - ssh_config_owner: daemon - ssh_config_group: daemon + ssh_config_owner: "{{ __ssh_test_owner }}" + ssh_config_group: "{{ __ssh_test_owner }}" ssh_config_mode: 600 - name: Verify the configuration file was created with right content @@ -46,8 +50,8 @@ assert: that: - config_mode.stat.exists - - config_mode.stat.gr_name == 'daemon' - - config_mode.stat.pw_name == 'daemon' + - config_mode.stat.gr_name == __ssh_test_owner + - config_mode.stat.pw_name == __ssh_test_owner - config_mode.stat.mode == '0600' - name: Restore configuration files diff --git a/tests/tests_global_drop_in.yml b/tests/tests_global_drop_in.yml index 70bd64e..01f6138 100644 --- a/tests/tests_global_drop_in.yml +++ b/tests/tests_global_drop_in.yml @@ -11,7 +11,8 @@ - name: Skip if the system does not support drop in directory meta: end_host when: - - ansible_facts['distribution'] != 'Fedora' and + - ansible_facts['os_family'] != 'Suse' and + ansible_facts['distribution'] != 'Fedora' and not (ansible_facts['distribution'] in ['RedHat','CentOS'] and ansible_facts['distribution_version'] | int >= 8) @@ -56,10 +57,16 @@ - "'Include' not in config.content | b64decode" - "'SendEnv' not in config.content | b64decode" + - name: Check if main configuration file exists + stat: + path: "/etc/ssh/ssh_config" + register: global_config_stat + - name: Download the main configuration file too slurp: src: "/etc/ssh/ssh_config" register: global_config + when: global_config_stat.stat.exists - name: Verify the options are NOT in the global configuration file assert: @@ -69,6 +76,7 @@ - "'User somebody' not in content" vars: content: "{{ global_config.content | b64decode }}" + when: global_config_stat.stat.exists - name: Verify the file has default sensible permissions assert: diff --git a/tests/tests_global_drop_in_role.yml b/tests/tests_global_drop_in_role.yml index 8f653dc..b6d5161 100644 --- a/tests/tests_global_drop_in_role.yml 
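Review bot: The `when: global_config_stat.stat.exists` guards added to the slurp and the following assert in tests_global_drop_in.yml apply on every platform. If /etc/ssh/ssh_config goes missing on a distribution that ships it, the `Verify the options are NOT in the global configuration file` check is skipped rather than failing. On SUSE the absence may be expected (the comment in tests_regenerate_defaults.yml places the vendor config at /usr/etc/ssh/ssh_config), but elsewhere it would hide a role run that removed or failed to restore the file. An assertion after the stat such as `- global_config_stat.stat.exists or ansible_facts['os_family'] == 'Suse'` keeps the old strictness. The same pattern is repeated in tests_global_drop_in_role.yml and tests_user_config.yml.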
+++ b/tests/tests_global_drop_in_role.yml @@ -29,7 +29,8 @@ - name: Skip if the system does not support drop in directory meta: end_host when: - - ansible_facts['distribution'] != 'Fedora' and + - ansible_facts['os_family'] != 'Suse' and + ansible_facts['distribution'] != 'Fedora' and not (ansible_facts['distribution'] in ['RedHat','CentOS'] and ansible_facts['distribution_version'] | int >= 8) @@ -59,10 +60,16 @@ - "'Include' not in config.content | b64decode" - "'SendEnv' not in config.content | b64decode" + - name: Check if main configuration file exists + stat: + path: "/etc/ssh/ssh_config" + register: global_config_stat + - name: Download the main configuration file too slurp: src: "/etc/ssh/ssh_config" register: global_config + when: global_config_stat.stat.exists - name: Verify the options are NOT in the global configuration file assert: @@ -72,6 +79,7 @@ - "'User somebody' not in content" vars: content: "{{ global_config.content | b64decode }}" + when: global_config_stat.stat.exists - name: Verify the file has default sensible permissions assert: diff --git a/tests/tests_no_skip_defaults.yml b/tests/tests_no_skip_defaults.yml index f8cfd59..a1a1ec7 100644 --- a/tests/tests_no_skip_defaults.yml +++ b/tests/tests_no_skip_defaults.yml @@ -9,7 +9,8 @@ __ssh_test_option: >- {% if ansible_facts['os_family'] in ['Ubuntu', 'Debian'] %} HashKnownHosts yes - {% elif ansible_facts['distribution'] == 'Fedora' or + {% elif ansible_facts['os_family'] == 'Suse' or + ansible_facts['distribution'] == 'Fedora' or (ansible_facts['distribution'] in ['RedHat', 'CentOS'] and ansible_facts['distribution_version'] | int >= 8) %} Include /etc/ssh/ssh_config.d/*.conf diff --git a/tests/tests_regenerate_defaults.yml b/tests/tests_regenerate_defaults.yml index cceae10..bfbd4f0 100644 --- a/tests/tests_regenerate_defaults.yml +++ b/tests/tests_regenerate_defaults.yml 
@@ -13,6 +13,15 @@ - ansible_facts['distribution'] in ['CentOS', 'RedHat'] and ansible_facts['distribution_version'] | int < 7 + # SUSE uses /usr/etc/ssh/ssh_config as vendor config with settings + # beyond what __ssh_defaults provides (ForwardX11Trusted, SendEnv, + # etc). The role cannot regenerate the vendor config identically, + # and should use drop-in configs on SUSE instead. + - name: SUSE vendor config cannot be regenerated by the role + meta: end_host + when: + - ansible_facts['os_family'] == 'Suse' + - name: Backup configuration files include_tasks: tasks/backup.yml diff --git a/tests/tests_user_config.yml b/tests/tests_user_config.yml index 8404087..5c4ac4d 100644 --- a/tests/tests_user_config.yml +++ b/tests/tests_user_config.yml @@ -118,10 +118,16 @@ - ansible_facts['distribution'] not in ['CentOS', 'RedHat'] or ansible_facts['distribution_version'] | int > 6 + - name: Check if global configuration file exists + stat: + path: /etc/ssh/ssh_config + register: global_config_stat + - name: Download the global configuration files too slurp: src: /etc/ssh/ssh_config register: global_config + when: global_config_stat.stat.exists - name: Verify the options are NOT in the global configuration file assert: @@ -132,6 +138,7 @@ - "'User somebody' not in content" vars: content: "{{ global_config.content | b64decode }}" + when: global_config_stat.stat.exists - name: Restore configuration files include_tasks: tasks/restore.yml diff --git a/vars/SL-Micro.yml b/vars/Suse.yml similarity index 100% rename from vars/SL-Micro.yml rename to vars/Suse.yml