ansible-collection-hardening

ssh_hardening - ansible_pkg wrongly selects atomic_container as packagemanager for rpm_ostree systems

Open millerthegorilla opened this issue 8 months ago • 2 comments

Description

Hi, when using ssh-hardening on an rpm_ostree system, the installation of openssh fails due to an underlying issue with the ansible_pkg module, which returns 'atomic_container' as the package manager for rpm-ostree systems, when that module only allows installation of containers and is deprecated. The correct module is rpm_ostree_pkg. The ansible_pkg module exposes a configuration override (ansible_package_use) where one can specify the exact package manager used in those instances, as per the reply to my issue opened in ansible.
https://github.com/ansible/ansible/issues/84820

ansible_package_use: '{{ ansible_facts.pkg_mgr if ansible_facts.pkg_mgr != "atomic_container" else "community.general.rpm_ostree_pkg" }}'

I can make a pull request to fix the underlying issue if necessary.

Reproduction steps

...
- hosts: "{{ hostvars['localhost']['remote_ip'] }}"
  remote_user: core
  become: yes
  roles:
    - role: devsec.hardening.ssh_hardening

Current Behavior

... ssh_hardening fails when trying to install openssh, as the atomic_container package manager is not capable of installing packages (it only installs containers).

Expected Behavior

... For ssh_hardening to continue and complete, including checking that openssh is installed and installing it if necessary

OS / Environment

ansible-playbook running on a Fedora Silverblue VM provisioning a CoreOS install on a Raspberry Pi.

Ansible Version

ansible [core 2.18.3]
  config file = /var/home/user/src/motioncore/ansible.cfg
  configured module search path = ['/var/home/user/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /var/home/user/src/motioncore/.motioncore_venv/lib64/python3.13/site-packages/ansible
  ansible collection location = /var/home/user/.ansible/collections:/usr/share/ansible/collections
  executable location = /var/home/user/src/motioncore/.motioncore_venv/bin/ansible
  python version = 3.13.2 (main, Feb  4 2025, 00:00:00) [GCC 14.2.1 20250110 (Red Hat 14.2.1-7)] (/var/home/user/src/motioncore/.motioncore_venv/bin/python)
  jinja version = 3.1.6
  libyaml = True

Collection Version

10.3.0

Additional information

...

millerthegorilla, Mar 14 '25 19:03
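The override quoted in the issue, placed in a play that applies the role. This is an added example, not code from the issue or from the collection. It assumes a hypothetical inventory group named ostree_hosts and that the community.general collection is installed on the controller; the pre and post tasks are additions for checking the result.

```yaml
# Added example (not the collection's own code).
# Assumption: "ostree_hosts" is a hypothetical inventory group of rpm-ostree machines.
- hosts: ostree_hosts
  remote_user: core
  become: true
  vars:
    # Override from the issue: keep the detected package manager unless the
    # fact is "atomic_container", in which case use the rpm-ostree module.
    ansible_package_use: '{{ ansible_facts.pkg_mgr if ansible_facts.pkg_mgr != "atomic_container" else "community.general.rpm_ostree_pkg" }}'

  pre_tasks:
    # Make the detected fact and the resulting backend visible in the run log,
    # so a wrong selection is seen before the role tries to install openssh.
    - name: Show detected package manager and selected backend
      ansible.builtin.debug:
        msg: "pkg_mgr={{ ansible_facts.pkg_mgr }} backend={{ ansible_package_use }}"

  roles:
    - role: devsec.hardening.ssh_hardening

  post_tasks:
    # Read-only check that the sshd configuration written by the role parses.
    - name: Validate the resulting sshd configuration
      ansible.builtin.command: sshd -t
      changed_when: false
```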