From a546c5132aef0f7a661a18b34e21327a6267527e Mon Sep 17 00:00:00 2001 From: A Holt Date: Mon, 4 Dec 2023 16:54:05 -0500 Subject: [PATCH 1/3] Recommend ansible-core 2.16.1 --- scripts/ansible | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/ansible b/scripts/ansible index 48d337b19..0caaaef87 100755 --- a/scripts/ansible +++ b/scripts/ansible @@ -7,8 +7,8 @@ # https://github.com/iiab/iiab/wiki/Technical-Contributors-Guide#female_detective-understanding-ansible APT_PATH=/usr/bin # Avoids problematic /usr/local/bin/apt on Linux Mint -CURR_VER=undefined # Ansible version you have installed, e.g. [core 2.16.0] -GOOD_VER=2.16.0 # Orig for 'yum install [rpm]' & XO laptops (pip install) +CURR_VER=undefined # Ansible version you have installed, e.g. [core 2.16.1] +GOOD_VER=2.16.1 # Orig for 'yum install [rpm]' & XO laptops (pip install) # 2021-06-22: The apt approach (with PPA source in /etc/apt/sources.list.d/ and # .gpg key etc) are commented out with ### below. Associated guidance/comments From af9597d5b25e4f2b7322e830ffb0f856a71e8283 Mon Sep 17 00:00:00 2001 From: A Holt Date: Mon, 4 Dec 2023 17:11:07 -0500 Subject: [PATCH 2/3] iiab-install: Set MIN_ANSIBLE_VER=2.14.12 (2.13 EOL on 2023-11-06) --- iiab-install | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/iiab-install b/iiab-install index bc887d659..e09527224 100755 --- a/iiab-install +++ b/iiab-install @@ -11,7 +11,7 @@ CWD=`pwd` OS=`grep ^ID= /etc/os-release | cut -d= -f2` OS=${OS//\"/} # Remove all '"' MIN_RPI_KERN=5.4.0 # Do not use 'rpi-update' unless absolutely necessary: https://github.com/iiab/iiab/issues/1993 -MIN_ANSIBLE_VER=2.14.11 # 2023-05-22: ansible-core 2.12 EOL per https://docs.ansible.com/ansible/latest/reference_appendices/release_and_maintenance.html#ansible-core-support-matrix 2022-11-09: Raspberry Pi 3 (and 3 B+ etc?) apparently install (and require?) ansible-core 2.11 for now -- @deldesir can explain more on PR #3419. Historical: Ansible 2.8.3 and 2.8.6 had serious bugs, preventing their use with IIAB. +MIN_ANSIBLE_VER=2.14.12 # 2023-05-22: ansible-core 2.12 EOL per https://docs.ansible.com/ansible/latest/reference_appendices/release_and_maintenance.html#ansible-core-support-matrix 2022-11-09: Raspberry Pi 3 (and 3 B+ etc?) apparently install (and require?) ansible-core 2.11 for now -- @deldesir can explain more on PR #3419. Historical: Ansible 2.8.3 and 2.8.6 had serious bugs, preventing their use with IIAB. REINSTALL=false DEBUG=false From 9f00b7b41b69efe80641944b2b24c0dbee393c8e Mon Sep 17 00:00:00 2001 From: root Date: Mon, 4 Dec 2023 18:01:55 -0500 Subject: [PATCH 3/3] validate_vars.yml: ansible-core 2.16.1 req 'loop' not 'with_items' w/ 'assert' templating --- roles/0-init/tasks/validate_vars.yml | 42 ++++++++++++++++++++-------- 1 file changed, 30 insertions(+), 12 deletions(-) diff --git a/roles/0-init/tasks/validate_vars.yml b/roles/0-init/tasks/validate_vars.yml index 3617715dd..383f911a3 100644 --- a/roles/0-init/tasks/validate_vars.yml +++ b/roles/0-init/tasks/validate_vars.yml @@ -158,20 +158,38 @@ when: item != 'mysql' and item != 'postgresql' and item != 'mongodb' and item != 'nodejs' and item != 'yarn' # Exclude auto-installed dependencies loop: "{{ vars_checklist }}" + +- name: Set vars_deprecated_list for 4+ vars ("XYZ_install") to be checked + set_fact: + vars_deprecated_list: + - dhcpd # Deprecated + - named # Deprecated + - wondershaper # Deprecated + - dansguardian # Deprecated + #- xo_services # Unmaintained + #- activity_server # Unmaintained + #- ejabberd_xs # Unmaintained + #- idmgr # Unmaintained + #- dokuwiki # Unmaintained + #- ejabberd # Unmaintained + #- elgg # Unmaintained + - name: 'DISALLOW "XYZ_install: True" if deprecated' assert: that: "{{ item }}_install is undefined or not {{ item }}_install" fail_msg: "DISALLOWED: '{{ item }}_install: True' (e.g. in /etc/iiab/local_vars.yml)" quiet: yes - with_items: - - dhcpd # Deprecated - - named # Deprecated - - wondershaper # Deprecated - - dansguardian # Deprecated - #- xo_services # Unmaintained - #- activity_server # Unmaintained - #- ejabberd_xs # Unmaintained - #- idmgr # Unmaintained - #- dokuwiki # Unmaintained - #- ejabberd # Unmaintained - #- elgg # Unmaintained + loop: "{{ vars_deprecated_list }}" + # 2023-12-04: ansible-core 2.16.1 suddenly no longer allows 'assert' with + # 'with_items' below (whereas 'loop' construct above works!) BACKGROUND: + # + # 'due to mitigation of security issue CVE-2023-5764 in ansible-core 2.16.1, + # conditional expressions with embedded template blocks can fail with the + # message “Conditional is marked as unsafe, and cannot be evaluated.”' + # https://docs.ansible.com/ansible-core/2.16/porting_guides/porting_guide_core_2.16.html#playbook + # + # with_items: + # - dhcpd # Deprecated + # - named # Deprecated + # - wondershaper # Deprecated + # - dansguardian # Deprecated