refactor: Support with-tlog authselect feature #120
Conversation
|
Hi @richm Could you help me with this implementation of this PR? I imagine there is a better way than what I have proposed here. The role needs to execute 'authselect select sssd with-tlog' in F40+/RHEL10+ only. |
tasks/main.yml
Outdated
| command: authselect select sssd with-tlog --force | ||
| when: | ||
| - not ansible_check_mode | ||
| - tlog_use_sssd |
There was a problem hiding this comment.
| - tlog_use_sssd | |
| - tlog_use_sssd | bool |
I think this is pretty good - I think you are using "duck typing" to see if authselect has the The only thing I would suggest is to first do the - name: Check appropriate authselect features exists
command: authselect list-features sssd
register: __tlog_authselect_features
changed_when: falsethen have a |
justin-stephenson
force-pushed
the
authselect_with_tlog
branch
from
890ad1f
to
05ec765
Compare
Thank you, please check the updated version. |
|
@jakub-vavra-cz For your information. |
tasks/main.yml
Outdated
| - tlog_use_sssd | bool | ||
| - '"with-tlog" in __tlog_authselect_features.stdout' | ||
|
|
||
| - name: Check which authselect features are currently enabled | ||
| command: authselect current | ||
| register: __tlog_authselect_current | ||
| changed_when: false | ||
| failed_when: __tlog_authselect_current.rc not in [0, 2] | ||
|
|
There was a problem hiding this comment.
extra blank line
| @@ -0,0 +1,28 @@ | |||
| --- | |||
There was a problem hiding this comment.
Test should be a playbook, and you have a list of tasks. Check https://github.com/linux-system-roles/tlog/blob/main/tests/tests_cockpit.yml
There was a problem hiding this comment.
Test playbook filenames must match named tests_*.yml
I thought perhaps that check_sssd_with_tlog.yml was going to be a task file called from other playbooks because it does not call the tlog role, and you just had not yet changed the other test playbooks to use check_sssd_with_tlog.yml
There was a problem hiding this comment.
Ahh okay, I see now. I fixed it so that check_sssd_with_tlog is called from tests/tests_sssd.yml
tests/check_sssd_with_tlog.yml
Outdated
| that: | ||
| - __nsswitch_contents | regex_search('^passwd:\\s+sss', multiline=True) | ||
| - '"with-tlog" in __tlog_authselect_current.stdout' | ||
| when: |
There was a problem hiding this comment.
| when: | |
| when: '"with-tlog" in __tlog_authselect_features.stdout' |
tests/check_sssd_with_tlog.yml
Outdated
| - __nsswitch_contents | regex_search('^passwd:\\s+sss', multiline=True) | ||
| - '"with-tlog" in __tlog_authselect_current.stdout' | ||
| when: | ||
| - '"with-tlog" in __tlog_authselect_features.stdout' |
There was a problem hiding this comment.
| - '"with-tlog" in __tlog_authselect_features.stdout' |
tests/check_sssd_with_tlog.yml
Outdated
| set_fact: | ||
| __nsswitch_contents: "{{ __nsswitch_slurp['content'] | b64decode }}" | ||
|
|
||
| - name: Check if files domain enabled and nsswitch set correctly |
There was a problem hiding this comment.
Should there be an opposite check for systems where "with-tlog" not in __tlog_authselect_features.stdout?
There was a problem hiding this comment.
If with-tlog feature is not available then we fallback to with-files-domain feature, which we already have a test for tests/check_sssd_files_provider.yml
justin-stephenson
force-pushed
the
authselect_with_tlog
branch
3 times, most recently
from
c73d8de
to
9003a4e
Compare
tests/check_sssd_with_tlog.yml
Outdated
| that: | ||
| - __nsswitch_contents | regex_search('^passwd:\\s+sss', multiline=True) | ||
| - '"with-tlog" in __tlog_authselect_current.stdout' | ||
| when: - '"with-tlog" in __tlog_authselect_features.stdout' |
There was a problem hiding this comment.
| when: - '"with-tlog" in __tlog_authselect_features.stdout' | |
| when: '"with-tlog" in __tlog_authselect_features.stdout' |
justin-stephenson
force-pushed
the
authselect_with_tlog
branch
from
9003a4e
to
9499118
Compare
tasks/main.yml
Outdated
| command: authselect current | ||
| register: __tlog_authselect_current | ||
| changed_when: false | ||
| failed_when: __tlog_authselect_current.rc not in [0, 2] | ||
| notify: Handler tlog_handler restart sssd | ||
| changed_when: true |
There was a problem hiding this comment.
You have both changed_when: false and changed_when: true - if this command doesn't change anything, you should have changed_when: false and no notify
justin-stephenson
force-pushed
the
authselect_with_tlog
branch
from
9499118
to
069262e
Compare
tests/check_sssd_with_tlog.yml
Outdated
| src: /etc/nsswitch.conf | ||
| register: __nsswitch_slurp | ||
|
|
||
| - name: Decode nsswitch content |
There was a problem hiding this comment.
since you are using vars below, you can get rid of this task
|
@justin-stephenson how should we document this change? Is this something users should know about, or is just something that the role takes care of for the user that the user doesn't have to know about? This doesn't seem like a bug fix or a new feature - could it be considered a refactoring? |
authselect removes with-files-domain feature in F40+/RHEL10+, it is replace with the 'with-tlog' feature.
justin-stephenson
force-pushed
the
authselect_with_tlog
branch
from
f5c6f6e
to
11ad0c8
Compare
It might be worthwhile to mention this change briefly, but I don't think it is important to users of this role to know about. It is mostly changing internals here(how session recording is configured to work with SSSD + tlog). |
richm
changed the title
|
[citest] |
authselect removes
with-files-domainfeature in F40+/RHEL10+, it is replaced by 'with-tlog' feature because the SSSD files domain is removed entirely there. This will not be backported to RHEL9 therefore we still need to execute 'authselect select sssd with-files-domain' on RHEL9 and older Fedora versions.