Possible issue with Ansible 2.7 and ssh_hardening_enabled flag
jcheroske opened this issue · 4 comments
I just upgraded to 2.7 and I ran into a bug where I needed to explicitly set the ssh_hardening_enabled flag to true to get the role to run. Previously, even if the role was listed as a dependency and the flag was set to false, invoking the role for real without specifying the flag worked correctly. Now however, it seems that the value for the flag from the dependency section is "sticky" and shows up unless you explicitly override it. Obviously, this is not ideal. I don't have a fix in mind yet.
Example:
You set the dep like normal:
    - name: dev-sec.ssh-hardening
      scm: git
      src: https://github.com/dev-sec/ansible-ssh-hardening.git
      vars:
        ssh_hardening_enabled: no
      version: master
This should just work:
    - name: 'Harden ssh client and server'
      import_role:
        name: dev-sec.ssh-hardening
      become: yes
But it seems that you now have to do:
    - name: 'Harden ssh client and server'
      import_role:
        name: dev-sec.ssh-hardening
      vars:
        ssh_hardening_enabled: yes
      become: yes
Just FYI: I got so sick and tired of Ansible doing weird stuff with variables that I switched all of my roles over to accepting one variable. This variable is a dict that contains all of the role's variables. I name the top-level dict var something that relates to the role name. Here is an example using this role:
    import_role:
      name: dev-sec.ssh-hardening
    vars:
      ssh_hardening:  # <--- This line is the magic!
        allow_agent_forwarding: no
        allow_tcp_forwarding: yes
        allow_users: ubuntu
        sftp_enabled: yes
    become: yes
As you can see, all variables are effectively namespaced under the ssh_hardening name, so they wouldn't need to be prefixed anymore. I've never seen Ansible do anything strange with this pattern; my vars always show up the way they are supposed to. All of my roles using this pattern continued working fine with 2.7.
Hello!
I am sorry, but I cannot reproduce your issue.
I've set the following dependency like you:
    - name: dev-sec.ssh-hardening
      scm: git
      src: https://github.com/dev-sec/ansible-ssh-hardening.git
      vars:
        ssh_hardening_enabled: no
      version: master
And executed a playbook successfully using

    - name: 'Harden ssh client and server'
      import_role:
        name: dev-sec.ssh-hardening
      become: yes
Running Ansible version
    ansible 2.7.0
      config file = /etc/ansible/ansible.cfg
      configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
      ansible python module location = /usr/lib/python2.7/site-packages/ansible
      executable location = /bin/ansible
      python version = 2.7.5 (default, Jul 13 2018, 13:06:57) [GCC 4.8.5 20150623 (Red Hat 4.8.5-28)]
If the issue still persists for you, could you please elaborate a bit further?
Thanks :)
@jcheroske please reopen, if the problem persists!