Add support for RHEL 7 remediate (#237)

* Add support for RHEL 7 remediate
* Refactor to remove ansible.builtin.meta: end_host directives
* changing dnf to package to work across both rhel 7 and 8+
* fix some shell command change statuses
* Add additional playbook to resolve remote login with root issue
* Update the checks for leapp_report_missing
* Fixing issues with network scripts when no scripts defined
* Add logic to prevent issues with undefined mount points
* Avoiding an unnecessary reboot
* Refactor remediate tasks that have undefined prerequisites
* Removing unnecessary sudo commands
* Updating fail conditions for better error handling
* rewrite tar command to use archive
* Rewrite openssl_config remediation to follow support guidance

Author: bontreger

.gitignore

@@ -131,3 +131,6 @@ dmypy.json
 
 # Pyre type checker
 .pyre/
+
+# Local collection testing builds
+*.tar.gz

README.md

@@ -16,7 +16,7 @@ These are the roles included in the collection. Follow the links below to see th
 - [`common`](./roles/common/) - used for local logging, mutex locking, and common vars
 - [`parse_leapp_report`](./roles/parse_leapp_report/) - reads pre-upgrade results and checks for inhibitors
 - [`upgrade`](./roles/upgrade/) - executes the Leapp OS upgrade
-- [`remediate`](./roles/remediate/) - assists in the remediation of a system (RHEL 8 only)
+- [`remediate`](./roles/remediate/) - assists in the remediation of a system (RHEL 7->8 and 8->9 only)
 
 ## Supported RHEL versions
 
@@ -30,6 +30,13 @@ The collection may be used for the RHEL upgrade paths and minor versions support
 
 The roles in this collection have been successfully used in a number of different environments including on-prem bare metal servers and VMs pulling RHEL packages from Red Hat CDN repos, Satellite content views, or mirrored repos internal to disconnected networks. Upgrading RHEL on Amazon EC2 instances pulling from bring-your-own-subscription CDN repos or pay-as-you-go RHUI repos have also been tested. Upgrading RHEL on other public clouds should be possible as well after setting the documented role variables as required.
 
+> [!IMPORTANT]
+> Targeting RHEL 6 nodes requires an Ansible-core version <= 2.12
+>
+> Targeting RHEL 7 nodes requires an Ansible-core version <= 2.16
+>
+> See [this knowledgebase article](https://access.redhat.com/articles/6977724) for details
+
 ## Not in scope
 
 Third-party products and packages are not upgraded by the `upgrade` role. To achieve a complete end-to-end server upgrade, you may need to implement custom automation beyond the scope of this collection to perform tasks required for the upgrade or removal/reinstall of any impacted third-party tools and agents, for example [Veritas Cluster](https://www.veritas.com/support/en_US/doc/infoscale_wp_upgradewithRedHat), [SAP HANA](https://access.redhat.com/solutions/5154031), etc. Likewise, the role does not upgrade packages installed from non-RHEL repositories such as [Red Hat Software Collections](https://access.redhat.com/support/policy/updates/rhscl), [EPEL](https://docs.fedoraproject.org/en-US/epel/), [RPM Fusion](https://rpmfusion.org/), etc.

changelogs/fragments/rhel7-remediate.yml

@@ -0,0 +1,7 @@
+---
+major_changes:
+- Added support for RHEL 7 -> 8 in the infra.leapp.remediate role
+- Rewrote the remediate playbooks to use conditional logic and skip tasks that do not need to run
+minor_changes:
+- Added pam_tally2 remediation for RHEL 7
+- Updated documentation in support of the extended remediate role

galaxy.yml

@@ -3,7 +3,7 @@
 
 namespace: infra
 name: leapp
-version: 1.4.1
+version: 1.5.0
 readme: README.md
 authors:
   - Bob Mader (github.com/swapdisk)

roles/remediate/README.md

@@ -1,6 +1,6 @@
 # Remediations
 
-**IMPORTANT:** This role is only supported for RHEL 8 systems.
+**IMPORTANT:** This role is only supported for RHEL 7 and 8 systems. Not all remediations are applicable to both, and are noted in the remediation playbooks list below.
 
 The `remediation` role is to assist in the remediation of a system. This role contains multiple playbooks that can be used to remediate a system for a specific inhibitors that are found during the pre-upgrade analysis.
 
@@ -31,12 +31,16 @@ The list of available remediation playbooks with their corresponding inhibitors
 - `leapp_corrupted_grubenv_file`
   - **Solves:** Detected a corrupted grubenv file.
 - `leapp_custom_network_scripts_detected`
+  - RHEL 8 Only
   - **Solves:** custom network-scripts detected. RHEL 9 does not support the legacy network-scripts package that was deprecated in RHEL 8.
 - `leapp_deprecated_sshd_directive`
+  - RHEL 8 Only
   - **Solves:** A deprecated directive in the sshd configuration.
-- `leapp_firewalld_allowzonedrifting`:
+- `leapp_firewalld_allowzonedrifting`
+  - RHEL 8 Only
   - **Solves:** Firewalld Configuration AllowZoneDrifting Is Unsupported.
 - `leapp_firewalld_unsupported_tftp_client`
+  - RHEL 8 Only
   - **Solves:** Firewalld Service tftp-client Is Unsupported.
 - `leapp_loaded_removed_kernel_drivers`
   - **Solves:** Leapp detected loaded kernel drivers which have been removed in RHEL 8. Upgrade cannot proceed.
@@ -55,18 +59,27 @@ The list of available remediation playbooks with their corresponding inhibitors
 - `leapp_non_persistent_partitions`
   - **Solves:** Detected partitions mounted in a non-persistent fashion, preventing a successful in-place upgrade.
 - `leapp_non_standard_openssl_config`
+  - RHEL 8 Only
   - **Solves:** Non-standard configuration of openssl.cnf.
 - `leapp_old_postgresql_data`
   - **Solves:** Old PostgreSQL data found in `/var/lib/pgsql/data`.
+- `leapp_pam_tally2`
+  - RHEL 7 Only
+  - **Solves:** The pam_tally2 pam module(s) no longer available
 - `leapp_partitions_with_noexec`
   - **Solves:** Detected partitions mounted with the `noexec` option, preventing a successful in-place upgrade.
 - `leapp_relative_symlinks`
   - **Solves:** Upgrade requires links in root directory to be relative
+- `leapp_remote_using_root`
+  - RHEL 7 Only
+  - **Solves:** Possible problems with remote login using root account
 - `leapp_rpms_with_rsa_sha1_detected`
+  - RHEL 8 Only
   - **Solves:** Detected RPMs with RSA/SHA1 signature.
 - `leapp_unavailable_kde`
   - **Solves:** The installed KDE environment is unavailable on RHEL 8.
 - `leapp_vdo_check_needed`
+  - RHEL 8 Only
   - **Solves:** Cannot perform the VDO check of block devices.
 
 ## Example playbook
@@ -75,7 +88,7 @@ See [`remediate.yml`](../../playbooks/remediate.yml).
 
 ## Authors
 
-Peter Zdravecký
+Peter Zdravecký, Ryan Bontreger
 
 ## License
 

roles/remediate/defaults/main.yml

@@ -21,8 +21,10 @@ remediation_playbooks:
   - leapp_non_persistent_partitions
   - leapp_non_standard_openssl_config
   - leapp_old_postgresql_data
+  - leapp_pam_tally2
   - leapp_partitions_with_noexec
   - leapp_relative_symlinks
+  - leapp_remote_using_root
   - leapp_rpms_with_rsa_sha1_detected
   - leapp_unavailable_kde
   - leapp_vdo_check_needed

roles/remediate/handlers/main.yml

@@ -2,7 +2,13 @@
 # handlers file for remedations
 
 # Keep this last so it's easy to find in the job output.
+- name: "Restart sshd"
+  ansible.builtin.service:
+    name: sshd
+    state: restarted
+
 - name: The remediations are now complete
   ansible.builtin.debug:
     msg: The remediations are now complete.
+
 ...

roles/remediate/meta/main.yml

@@ -1,6 +1,6 @@
 ---
 galaxy_info:
-  author: Peter Zdravecký
+  author: Peter Zdravecký, Ryan Bontreger
   description: Remedetation part of the leapp process
   company: Red Hat
 
@@ -31,6 +31,7 @@ galaxy_info:
   platforms:
     - name: EL
       versions:
+        - "7"
         - "8"
   #   - 25
   # - name: SomePlatform

roles/remediate/tasks/leapp_corrupted_grubenv_file.yml

@@ -10,8 +10,10 @@
       register: leapp_report_stat
 
     - name: leapp_corrupted_grubenv_file | End play if no leapp report exists
-      ansible.builtin.meta: end_host
+      ansible.builtin.set_fact:
+        leapp_report_missing: true
       when: leapp_report_stat.stat.exists is false
+      failed_when: leapp_report_stat.stat.exists is false
 
     - name: leapp_corrupted_grubenv_file | Read leapp report
       ansible.builtin.slurp:
@@ -29,8 +31,9 @@
       when: item.title is match(entry_title) and (item.detail.remediations | selectattr('type', 'eq', 'hint') | length > 0)
 
     - name: leapp_corrupted_grubenv_file | End execution of playbook if no entry found in leapp report
-      ansible.builtin.meta: end_host
-      when: hint is not defined
+      ansible.builtin.set_fact:
+        leapp_report_missing: true
+      failed_when: hint is not defined
 
     - name: leapp_corrupted_grubenv_file | Extract file(s) using regex
       ansible.builtin.set_fact:
@@ -65,4 +68,9 @@
       register: grub_mkconfig
       changed_when: grub_mkconfig.rc == 0
 
+  rescue:
+    - name: leapp_corrupted_grubenv_file | Continue when leapp report is missing
+      ansible.builtin.debug:
+        msg: "Leapp report missing or did not contain any matches. Skipping this task."
+      when: leapp_report_missing is defined and leapp_report_missing is true
 ...

roles/remediate/tasks/leapp_custom_network_scripts_detected.yml

@@ -1,12 +1,7 @@
 ---
 - name: leapp_custom_network_scripts_detected | Move custom network-scripts to NetworkManager dispatcher scripts
+  when: ansible_distribution == 'RedHat' and ansible_distribution_major_version|int == 8
   block:
-    - name: leapp_custom_network_scripts_detected | Create /opt/network-scripts/ directory if it does not exist
-      ansible.builtin.file:
-        path: /opt/network-scripts/
-        state: directory
-        mode: "0755"
-
     - name: leapp_custom_network_scripts_detected | Check if pre up script exists
       ansible.builtin.stat:
         path: /sbin/ifup-pre-local
@@ -17,9 +12,23 @@
         path: /sbin/ifdown-pre-local
       register: pre_down
 
+    # If neither script exists, fail out and do not create unnecessary directories
+    - name: leapp_custom_network_scripts_detected | Skip playbook if no custom scripts are found
+      ansible.builtin.set_fact:
+        leapp_report_missing: true
+      when: pre_down.stat.exists is false and pre_up.stat.exists is false
+      failed_when: pre_down.stat.exists is false and pre_up.stat.exists is false
+
+    - name: leapp_custom_network_scripts_detected | Create /opt/network-scripts/ directory if it does not exist
+      ansible.builtin.file:
+        path: /opt/network-scripts/
+        state: directory
+        mode: "0755"
+
     - name: leapp_custom_network_scripts_detected | Move scripts in /sbin to /opt/network-scripts/, end playbook if this fails
       ansible.builtin.command: mv /sbin/if*-local /opt/network-scripts/
       register: move_scripts
+      when: pre_up.stat.exists or pre_down.stat.exists
       changed_when: move_scripts.rc == 0
 
     - name: leapp_custom_network_scripts_detected | Create /etc/NetworkManager/dispatcher.d/20-if-local
@@ -77,4 +86,10 @@
         state: link
       when: pre_down.stat.exists
 
+  rescue:
+    - name: leapp_custom_network_scripts_detected | Continue when no custom scripts are found
+      ansible.builtin.debug:
+        msg: "No custom network scripts detected. Skipping this task."
+      when: leapp_custom_scripts_missing is defined and leapp_custom_scripts_missing is true
+
 ...