From 773012d4dfde281b0a40758960c29a94c5a08055 Mon Sep 17 00:00:00 2001
From: Conor Schaefer
Date: Fri, 4 Sep 2020 09:23:43 -0700
Subject: [PATCH] Uses platform-specific vars in common role
In order to ease the transition to Focal, let's use different vars for packages depending on platform. When running the Xenial logic against Focal, the kernel removal tasks failed since several of the package names were not found. Also adding a "grsecurity" tag since the grsec story for Focal still needs work, so it's easy to skip now.
---
 .../ansible-base/roles/common/defaults/main.yml | 9 +++++++++
 .../ansible-base/roles/common/tasks/install_ntp.yml | 8 --------
 .../roles/common/tasks/install_packages.yml | 7 +++++++
 .../ansible-base/roles/common/tasks/install_tmux.yml | 9 ---------
 install_files/ansible-base/roles/common/tasks/main.yml | 6 +++---
 .../roles/common/tasks/remove_unused_packages.yml | 10 ++--------
 .../ansible-base/roles/common/vars/Ubuntu_focal.yml | 4 ++++
 .../ansible-base/roles/common/vars/Ubuntu_xenial.yml | 9 +++++++++
 8 files changed, 34 insertions(+), 28 deletions(-)
 delete mode 100644 install_files/ansible-base/roles/common/tasks/install_ntp.yml
 create mode 100644 install_files/ansible-base/roles/common/tasks/install_packages.yml
 delete mode 100644 install_files/ansible-base/roles/common/tasks/install_tmux.yml
 create mode 100644 install_files/ansible-base/roles/common/vars/Ubuntu_focal.yml
 create mode 100644 install_files/ansible-base/roles/common/vars/Ubuntu_xenial.yml
diff --git a/install_files/ansible-base/roles/common/defaults/main.yml b/install_files/ansible-base/roles/common/defaults/main.yml
index a9de7da68a..1c2dda22b8 100644
--- a/install_files/ansible-base/roles/common/defaults/main.yml
+++ b/install_files/ansible-base/roles/common/defaults/main.yml
@@ -3,6 +3,15 @@
 # and aid in clearing memory. Only the hour is configurable.
 daily_reboot_time: 4 # An integer between 0 and 23
+securedrop_common_packages:
+ - apt-transport-https
+ - aptitude
+ - cron-apt
+ - ntp
+ - ntpdate
+ - resolvconf
+ - tmux
+
 disabled_kernel_modules:
 - btusb
 - bluetooth
diff --git a/install_files/ansible-base/roles/common/tasks/install_ntp.yml b/install_files/ansible-base/roles/common/tasks/install_ntp.yml
deleted file mode 100644
index 3e8b390e8d..0000000000
--- a/install_files/ansible-base/roles/common/tasks/install_ntp.yml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-- name: Install ntp for ntpd.
- apt:
- pkg: ['ntp', 'ntpdate']
- state: present
- tags:
- - apt
- - ntp
diff --git a/install_files/ansible-base/roles/common/tasks/install_packages.yml b/install_files/ansible-base/roles/common/tasks/install_packages.yml
new file mode 100644
index 0000000000..5d48223a82
--- /dev/null
+++ b/install_files/ansible-base/roles/common/tasks/install_packages.yml
@@ -0,0 +1,7 @@
+---
+- name: Install base apt depedencies
+ apt:
+ name: "{{ securedrop_common_packages }}"
+ state: present
+ update_cache: yes
+ cache_valid_time: 3600
diff --git a/install_files/ansible-base/roles/common/tasks/install_tmux.yml b/install_files/ansible-base/roles/common/tasks/install_tmux.yml
deleted file mode 100644
index 09638b53ea..0000000000
--- a/install_files/ansible-base/roles/common/tasks/install_tmux.yml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-- name: Install tmux.
- apt:
- pkg: tmux
- state: present
- update_cache: yes
- cache_valid_time: 3600
- tags:
- - apt
diff --git a/install_files/ansible-base/roles/common/tasks/main.yml b/install_files/ansible-base/roles/common/tasks/main.yml
index 04d7cd881e..a2904ba03e 100644
--- a/install_files/ansible-base/roles/common/tasks/main.yml
+++ b/install_files/ansible-base/roles/common/tasks/main.yml
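Review bot: `securedrop_common_packages` is added to defaults/main.yml without a comment, while `daily_reboot_time` two lines above it carries one; a line such as `# Base apt packages installed on every host by tasks/install_packages.yml` would document where the list is consumed and why ntp and tmux no longer have task files of their own. Since this lives in defaults/, the list is overridable from inventory or extra vars, which is worth stating in the same comment if that is intended.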
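Review bot: The new 'Install base apt depedencies' task in install_packages.yml has no `tags`, whereas both task files it replaces (install_ntp.yml, install_tmux.yml) were tagged `apt`, so a run limited with `--tags apt` no longer installs ntp, ntpdate or tmux; adding `tags: [apt]` to the task restores that. The task name also misspells `depedencies`, and `update_cache: yes` uses a YAML 1.1 truthy form where `true` is the canonical value (yamllint's `truthy` rule flags it).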
@@ -1,5 +1,7 @@
 ---
-- include: install_ntp.yml
+- include_vars: "{{ ansible_distribution }}_{{ ansible_distribution_release }}.yml"
+
+- include: install_packages.yml
 - include: post_ubuntu_install_checks.yml
@@ -9,8 +11,6 @@
 - include: harden_dns.yml
-- include: install_tmux.yml
-
 - include: cron_apt.yml
 tags:
 - reboot
diff --git a/install_files/ansible-base/roles/common/tasks/remove_unused_packages.yml b/install_files/ansible-base/roles/common/tasks/remove_unused_packages.yml
index 57b52a5913..d0a91c8bd1 100644
--- a/install_files/ansible-base/roles/common/tasks/remove_unused_packages.yml
+++ b/install_files/ansible-base/roles/common/tasks/remove_unused_packages.yml
@@ -13,14 +13,7 @@
 # We must used command due to the use of wildcards
 - name: Remove generic kernel packages.
 command: apt-get remove -y {{ item }}
- with_items:
- - linux-signed-generic
- - linux-signed-generic-lts-utopic
- - linux-signed-image-generic
- - linux-signed-image-generic-lts-utopic
- - linux-image-generic-lts-xenial
- 'linux-image-.*generic'
- 'linux-headers-.*'
+ with_items: "{{ securedrop_kernel_packages_to_remove }}"
 register: apt_removed_kernels
 changed_when: "'The following packages will be REMOVED' in apt_removed_kernels.stdout"
 tags:
@@ -41,6 +34,7 @@
 with_items: "{{ apt_installed_kernels.stdout_lines }}"
 tags:
 - apt
+ - grsecurity
 - name: Remove dependencies that are no longer required
 apt:
diff --git a/install_files/ansible-base/roles/common/vars/Ubuntu_focal.yml b/install_files/ansible-base/roles/common/vars/Ubuntu_focal.yml
new file mode 100644
index 0000000000..8c7c48b509
--- /dev/null
+++ b/install_files/ansible-base/roles/common/vars/Ubuntu_focal.yml
@@ -0,0 +1,4 @@
+---
+securedrop_kernel_packages_to_remove:
+ - linux-virtual
+ - linux-generic
diff --git a/install_files/ansible-base/roles/common/vars/Ubuntu_xenial.yml b/install_files/ansible-base/roles/common/vars/Ubuntu_xenial.yml
new file mode 100644
index 0000000000..ccc4279155
--- /dev/null
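Review bot: The `include_vars` task added at the top of tasks/main.yml carries no tag, so a run restricted with `--tags` (for example `apt`, which the kernel-removal tasks in remove_unused_packages.yml use) skips it and `securedrop_kernel_packages_to_remove` is undefined by the time those tasks reach their `with_items`; giving it `tags: [always]` keeps the per-platform vars loaded on tag-filtered runs. The file name is built from `ansible_distribution` and `ansible_distribution_release`, so a release without a matching vars file fails loudly at this task rather than silently running the Xenial list, which appears to be the intent and could be stated in a comment above it.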
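Review bot: The `grsecurity` tag is added only to the task that removes kernels from `apt_installed_kernels.stdout_lines` (second hunk), not to 'Remove generic kernel packages' in the first hunk, whose per-platform list in vars/Ubuntu_focal.yml is now `linux-virtual` and `linux-generic`; whether that task already carries the tag is not visible, since its `tags:` list runs past the hunk. Those two are Ubuntu's kernel metapackages, so removing them leaves the running image installed but stops kernel security updates arriving through apt unless a replacement kernel package is present, and the commit message says the Focal grsecurity work is still pending. If `--skip-tags grsecurity` is meant to leave a Focal host on an updatable stock kernel, the first task needs the tag as well, and a comment in Ubuntu_focal.yml noting that the entries are metapackages would make the consequence explicit.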
+++ b/install_files/ansible-base/roles/common/vars/Ubuntu_xenial.yml
@@ -0,0 +1,9 @@
+---
+securedrop_kernel_packages_to_remove:
+ - linux-signed-generic
+ - linux-signed-generic-lts-utopic
+ - linux-signed-image-generic
+ - linux-signed-image-generic-lts-utopic
+ - linux-image-generic-lts-xenial
+ - 'linux-image-.*generic'
+ - 'linux-headers-.*'
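Review bot: vars/Ubuntu_xenial.yml has no comment explaining that each entry is passed as-is to `apt-get remove -y {{ item }}` in remove_unused_packages.yml, and that the two quoted entries are apt regex patterns rather than package names, which is why that loop uses `command` instead of the apt module. A header such as `# Each entry is removed with 'apt-get remove -y <entry>'; quoted entries are apt regex patterns, not package names.` would keep the next maintainer from dropping the quotes or moving the list to the apt module, and the same comment belongs in Ubuntu_focal.yml.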