ansible-hardening: provide method to skip epel-release check
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack-Ansible | Fix Released | Low | Andy McCrae |
Bug Description
On the RHEL/CentOS platform an honest check for EPEL is being performed here:
* https:/
This fails in our environment as EPEL repo use is not always dictated by that exact package, nor any package at all (no local config file). We need a way to provide a variable to allow skipping over this check - or, perhaps, check for this package is *available* but does not have to be installed.
- if EPEL is not connected, it will fail anyways to install unless you've added to your own custom repo that isn't EPEL (possible for some folks)
- if epel-release is generically available (yum list epel-release) then EPEL is connected and does not need to have this package installed
EPEL uses a vast mirror system; for our high security customers, generically allowing egress to any IP on the mirror list is unacceptable. To solve this need, we mirror EPEL to our own infrastructure that has a defined IP list, then pull in the EPEL content to a RHN Satellite (RHEL servers) and Spacewalk (CentOS servers) for managing RHEL and CentOS systems. We then provide two methods for access:
1. a custom packaging of epel-release, renamed, that provides a yum config that only points at our local mirror (and the EPEL GPG key) of defined IPs
2. connecting it using the Satellite/Spacewalk mechanisms on the server side, which requires no 'release' package be installed on the client and uses defined IPs
Each method has its use case (method #1 is good for a Cloud customer for instance), but in both cases the package 'epel-release' will not be installed and should not be by a playbook, so providing the task a variable to skip over this attempted package install would be enough.
A better solution might be to do something like "yum list epel-release" to ensure it's available (ergo, EPEL is connected) or similar, but it doesn't have to be installed. $0.02 on this part. :)
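The approach the report sketches (query `yum list epel-release` for availability, and let operators with Satellite/Spacewalk-style delivery skip the check) as a standalone playbook. This is an added example, not the ansible-hardening role's own tasks; the variable name `epel_check_skip` and the host group `rhel_hosts` are hypothetical. The `yum` module's `list` parameter is the module equivalent of `yum list <pkg>`: it reports the package as installed or available without installing it, so an empty `results` list means no enabled repository (EPEL proper or a local mirror of it) offers the package.

```yaml
---
# Added example, not part of the ansible-hardening role or the bug report.
# Assumption (hypothetical): a variable named epel_check_skip controls whether
# the availability check runs at all; the role's real variable name may differ.
- hosts: rhel_hosts
  become: true
  vars:
    epel_check_skip: false
  tasks:
    # Equivalent of "yum list epel-release": returns installed and available
    # candidates without changing the host. Nothing is installed here.
    - name: Query yum for epel-release without installing it
      yum:
        list: epel-release
      register: epel_release_query
      when:
        - ansible_os_family == 'RedHat'
        - not (epel_check_skip | bool)

    # Treat "neither installed nor available" as the failure condition, rather
    # than "not installed", so a renamed release package or a server-side
    # channel (Satellite/Spacewalk) that exposes EPEL content still passes.
    - name: Fail when EPEL content is not reachable and the check was not skipped
      fail:
        msg: >-
          epel-release is neither installed nor available from any enabled
          repository. Connect EPEL or a local mirror of it, or set
          epel_check_skip=true for hosts that receive EPEL content another way.
      when:
        - ansible_os_family == 'RedHat'
        - not (epel_check_skip | bool)
        - epel_release_query.results | default([]) | length == 0

    # yumstate is "installed" or "available" per candidate; show what was found
    # so an operator can see which path satisfied the check.
    - name: Report how epel-release was found
      debug:
        msg: "epel-release state(s): {{ epel_release_query.results | map(attribute='yumstate') | unique | list }}"
      when:
        - ansible_os_family == 'RedHat'
        - not (epel_check_skip | bool)
```

Run with `ansible-playbook -e epel_check_skip=true` on hosts that get EPEL content through a Satellite or Spacewalk channel; everywhere else the default runs the availability query and fails only when no enabled repository can supply the package.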
Changed in openstack-ansible:
assignee: Major Hayden (rackerhacker) → Andy McCrae (andrew-mccrae)
Completely agreed we should think about this and improve how it's done. I think I still have a patch pending on a similar topic (https://review.openstack.org/#/c/463845/3/tasks/rhel7stig/packages.yml).

We agreed that we should check if epel is available + enabled and use this as a conditional for some package installation/configuration modification.