From d163d0a555b8b9d7c7066406426d4a09c525fd12 Mon Sep 17 00:00:00 2001 From: t2d Date: Wed, 24 May 2023 15:03:37 +0200 Subject: [PATCH] Move config to conf.d folder (#50) * Move custom blacklists to separate template. * Move custom config to separate template * Update molecule vagrant config * Allow to override needrestart.conf --- defaults/main.yml | 3 ++ .../needrestart.conf | 24 +++----------- molecule/default/molecule.yml | 4 --- tasks/main.yml | 33 ++++++++++++++++--- templates/custom_needrestart.conf.j2 | 6 ++++ templates/needrestart_blacklist.conf.j2 | 20 +++++++++++ 6 files changed, 61 insertions(+), 29 deletions(-) rename templates/needrestart.conf.j2 => files/needrestart.conf (92%) create mode 100644 templates/custom_needrestart.conf.j2 create mode 100644 templates/needrestart_blacklist.conf.j2 diff --git a/defaults/main.yml b/defaults/main.yml index 46401a2..fd5711d 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -35,3 +35,6 @@ needrestart_blacklist_bin: [] needrestart_checkmk_localcheckdir: /usr/lib/check_mk_agent/local needrestart_checkmk_localcheck: False needrestart_checkmk_mrpe: False + +# Override old needrestart.conf +needrestart_update_needrestart_conf: False diff --git a/templates/needrestart.conf.j2 b/files/needrestart.conf similarity index 92% rename from templates/needrestart.conf.j2 rename to files/needrestart.conf index 66f33d8..4b2f6cb 100644 --- a/templates/needrestart.conf.j2 +++ b/files/needrestart.conf @@ -36,7 +36,7 @@ # ATTENTION: If needrestart is configured to run in interactive mode but is run # non-interactive (i.e. unattended-upgrades) it will fallback to list only mode. # -$nrconf{restart} = '{{ needrestart_action }}'; +#$nrconf{restart} = 'i'; # Use preferred UI package. #$nrconf{ui} = 'NeedRestart::UI::stdio'; 
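Review bot: The comment `# Override old needrestart.conf` in the defaults/main.yml hunk does not say what leaving the flag at `False` means. With that default the role no longer writes /etc/needrestart/needrestart.conf at all. A host that still carries a copy rendered by the removed needrestart.conf.j2 template therefore presumably keeps the blacklist entries baked into it, even after they are dropped from `needrestart_blacklist_bin` or `needrestart_blacklist_rc`. I would expand the comment to something like `# Set to True to replace /etc/needrestart/needrestart.conf with the role's stock copy; when False an existing file (including one rendered by earlier versions of this role) is left untouched`.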
@@ -60,20 +60,13 @@ $nrconf{blacklist} = [ # ignore apt-get (Debian Bug#784237) qr(^/usr/bin/apt-get(\.dpkg-new)?$), - -{% for blacklistbin in needrestart_blacklist_bin %} - qr(^{{ blacklistbin }}$), -{% endfor %} ]; # Blacklist services (list of regex) - USE WITH CARE. # You should prefere to put services to $nrconf{override_rc} instead. # Any service listed in $nrconf{blacklist_rc} will be ignored completely! -$nrconf{blacklist_rc} = [ -{% for blacklistrc in needrestart_blacklist_rc %} - qr(^{{ blacklistrc }}$), -{% endfor %} -]; +#$nrconf{blacklist_rc} = [ +#]; # Override service default selection (hash of regex). $nrconf{override_rc} = { @@ -173,15 +166,6 @@ $nrconf{blacklist_mappings} = [ # temporary stuff qr#^(/var)?/tmp/#, qr#^(/var)?/run/#, - - # Java Native Access - qr#/tmp/jna--#, - - # Java Foreign Function Interface - qr#^/tmp/jffi#, - - # elasticsearch - qr#^/tmp/elasticsearch\.#, ]; # Verify mapped files in fileystem: @@ -203,7 +187,7 @@ $nrconf{skip_mapfiles} = -1; # Enable/disable CPU microcode update hints: # 1: requires the user to acknowledge pending updates # 0: disable microcode checks completely -$nrconf{ucodehints} = {{ needrestart_ucodehints }}; +#$nrconf{ucodehints} = 0; # Nagios Plugin: configure return code use by nagios # as service status[1]. diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml index f86c23f..6781c62 100644 --- a/molecule/default/molecule.yml +++ b/molecule/default/molecule.yml @@ -6,7 +6,3 @@ driver: platforms: - name: needrestart-bullseye64 box: debian/bullseye64 -lint: yamllint . -provisioner: - name: ansible - become: true diff --git a/tasks/main.yml b/tasks/main.yml index 563f1c9..2433236 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
@@ -7,16 +7,30 @@ state: present cache_valid_time: 600 +- name: Override outdated needrestart.conf + ansible.builtin.copy: + src: "needrestart.conf" + dest: "/etc/needrestart/needrestart.conf" + owner: root + group: root + mode: "0644" + when: needrestart_update_needrestart_conf + - name: Ensure needrestart config is latest ansible.builtin.template: - src: "{{ item }}.j2" - dest: "/etc/needrestart/{{ item }}" + src: "notify.conf.j2" + dest: "/etc/needrestart/notify.conf" + owner: root + group: root + mode: "0644" + +- name: Ensure custom needrestart config is deployed + ansible.builtin.template: + src: "custom_needrestart.conf.j2" + dest: "/etc/needrestart/conf.d/custom_needrestart.conf" owner: root group: root mode: "0644" - with_items: - - notify.conf - - needrestart.conf - name: Ensure needrestart ignorelist config include is latest ansible.builtin.template: @@ -27,6 +41,15 @@ mode: "0644" when: needrestart_ignorelist | default() +- name: Ensure needrestart blacklist config include is latest + ansible.builtin.template: + src: "needrestart_blacklist.conf.j2" + dest: "/etc/needrestart/conf.d/blacklist.conf" + owner: root + group: root + mode: "0644" + when: ( needrestart_blacklist_bin | default() ) or ( needrestart_blacklist_rc | default() ) + - name: Configure needrestart mail ansible.builtin.template: src: 600-mail.j2 diff --git a/templates/custom_needrestart.conf.j2 b/templates/custom_needrestart.conf.j2 new file mode 100644 index 0000000..43c2cf6 --- /dev/null +++ b/templates/custom_needrestart.conf.j2 @@ -0,0 +1,6 @@ +# This file overrides needrestart.conf. +# It is managed by Ansible. + +$nrconf{restart} = '{{ needrestart_action }}'; +$nrconf{ucodehints} = {{ needrestart_ucodehints }}; + diff --git a/templates/needrestart_blacklist.conf.j2 b/templates/needrestart_blacklist.conf.j2 new file mode 100644 index 0000000..76c8d12 --- /dev/null +++ b/templates/needrestart_blacklist.conf.j2 
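Review bot: The new `Override outdated needrestart.conf` task in the first tasks/main.yml hunk replaces the file wholesale and keeps no copy of what was there. The flag exists for hosts with an older, possibly hand-edited or previously templated file. Adding `backup: true` to the `ansible.builtin.copy` arguments would leave the replaced config on disk for comparison or rollback. The task at the top of this hunk starts above it, so only its last two arguments are visible.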
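Review bot: The `when:` on `Ensure needrestart blacklist config include is latest` means /etc/needrestart/conf.d/blacklist.conf is written once a list is non-empty but never removed when both lists are emptied again. The shipped needrestart.conf warns that anything in `$nrconf{blacklist_rc}` "will be ignored completely", so a stale include keeps hiding services that need a restart after an update. A companion task that removes the file under the negated condition would keep the host in line with the variables.

```yaml
# … unchanged: "Ensure needrestart blacklist config include is latest" task …

- name: Ensure stale needrestart blacklist config include is removed
  ansible.builtin.file:
    path: "/etc/needrestart/conf.d/blacklist.conf"
    state: absent
  when: not ( ( needrestart_blacklist_bin | default() ) or ( needrestart_blacklist_rc | default() ) )
```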
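Review bot: `needrestart_action` and `needrestart_ucodehints` are written into templates/custom_needrestart.conf.j2 unescaped, and the rendered file is Perl source that needrestart evaluates, so a value containing a quote or a statement separator changes the code rather than the setting. The same applies to the `qr(^{{ blacklistbin }}$)` and `qr(^{{ blacklistrc }}$)` lines in templates/needrestart_blacklist.conf.j2, where an unbalanced `)` in an entry ends the regex early. If these variables can come from anywhere less trusted than the playbook author, constrain them before rendering. Use `$nrconf{ucodehints} = {{ needrestart_ucodehints | int }};` here, and add an `ansible.builtin.assert` in tasks/main.yml that `needrestart_action in ['l', 'i', 'a']`.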
@@ -0,0 +1,20 @@ +# This file overrides the blacklist from needrestart.conf. +# It is managed by Ansible. + +# Blacklist binaries +push ( @{$nrconf{blacklist}}, ( +{% for blacklistbin in needrestart_blacklist_bin %} + qr(^{{ blacklistbin }}$), +{% endfor %} + ) +); + + +#Blacklist services +push ( @{$nrconf{blacklist_rc}}, ( +{% for blacklistrc in needrestart_blacklist_rc %} + qr(^{{ blacklistrc }}$), +{% endfor %} + ) +); +
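Review bot: The header comment `# This file overrides the blacklist from needrestart.conf.` does not match what the file does. Both statements `push` onto `$nrconf{blacklist}` and `$nrconf{blacklist_rc}`, so entries are added to whatever needrestart.conf already defines and nothing there is removed. A reader of the comment could assume the stock entries are replaced. I would reword it to `# This file appends to the blacklists defined in needrestart.conf.` and give `#Blacklist services` the same `# ` spacing as `# Blacklist binaries`.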