From 40fdde4a1bbf5910c09b8c3cb55ece562c095f3c Mon Sep 17 00:00:00 2001
From: Jiri Jaburek
Date: Tue, 2 Apr 2024 20:24:37 +0200
Subject: [PATCH] use failed_when:false for Ansible register: checks
Using ignore_errors leads to user-visible fatal errors produced by ansible-playbook:
TASK [Enable FIPS Mode - Check to See the Current Status of FIPS Mode] *********
fatal: [192.168.122.178]: FAILED! => {"changed": false, "cmd": ["/usr/bin/fips-mode-setup", "--check"] ...
These are indistinguishable from actually terminating fatal errors (to a log-reading script) that need to be investigated.
Using failed_when avoids those, while still registering the output for use by other checks, as done by many other checks:
$ grep -i 'failed_when: false' -r linux_os/ | wc -l
25
Signed-off-by: Jiri Jaburek
---
 .../services/sssd/sssd_enable_smartcards/ansible/shared.yml | 2 +-
 .../services/sssd/sssd_memcache_timeout/ansible/shared.yml | 2 +-
 .../sssd/sssd_offline_cred_expiration/ansible/shared.yml | 2 +-
 .../sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml | 2 +-
 .../accounts_passwords_pam_faillock_dir/ansible/shared.yml | 2 +-
 .../software/integrity/fips/enable_fips_mode/ansible/shared.yml | 2 +-
 6 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml
index 80f17d83c51..1fec6976369 100644
--- a/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml
+++ b/linux_os/guide/services/sssd/sssd_enable_smartcards/ansible/shared.yml
@@ -6,7 +6,7 @@
 - name: "Test for domain group"
 command: grep '^\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
 register: test_grep_domain
- ignore_errors: yes
+ failed_when: false
 changed_when: False
 check_mode: no
diff --git a/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml
index 7cfba003b21..efd5408e476 100644
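Review bot: `failed_when: false` on the "Test for domain group" probe in sssd_enable_smartcards hides every grep outcome, not only "no match": exit status 2 (for example /etc/sssd/sssd.conf missing or unreadable) now looks the same as a clean run, and the registered `test_grep_domain` no longer carries `failed: true` as it did under `ignore_errors`. The tasks that consume `test_grep_domain` are outside this hunk, so check that none of them tests `is failed`. If sssd.conf is expected to exist at this point, consider narrowing the override to `failed_when: test_grep_domain.rc > 1` so that only "no match" is tolerated. The same applies to the identical probes in sssd_memcache_timeout, sssd_offline_cred_expiration and sssd_ssh_known_hosts_timeout, and, as far as error masking goes, to the `fips-mode-setup --check` task in enable_fips_mode.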
--- a/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml
+++ b/linux_os/guide/services/sssd/sssd_memcache_timeout/ansible/shared.yml
@@ -8,7 +8,7 @@
 - name: "Test for domain group"
 command: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
 register: test_grep_domain
- ignore_errors: yes
+ failed_when: false
 changed_when: False
 check_mode: no
diff --git a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/ansible/shared.yml
index d0c1f203801..aca00bc0ec5 100644
--- a/linux_os/guide/services/sssd/sssd_offline_cred_expiration/ansible/shared.yml
+++ b/linux_os/guide/services/sssd/sssd_offline_cred_expiration/ansible/shared.yml
@@ -6,7 +6,7 @@
 - name: "Test for domain group"
 command: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
 register: test_grep_domain
- ignore_errors: yes
+ failed_when: false
 changed_when: False
 check_mode: no
diff --git a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml
index 5996835678b..b92e1d3a69d 100644
--- a/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml
+++ b/linux_os/guide/services/sssd/sssd_ssh_known_hosts_timeout/ansible/shared.yml
@@ -8,7 +8,7 @@
 - name: "Test for domain group"
 command: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
 register: test_grep_domain
- ignore_errors: yes
+ failed_when: false
 changed_when: False
 check_mode: no
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_dir/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_dir/ansible/shared.yml
index e199dc3dca8..5928460d538 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_dir/ansible/shared.yml
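Review bot: The grep pattern in the sssd_memcache_timeout probe, `'\s*\[domain\/[^]]*]'`, has no `^` anchor, unlike the sssd_enable_smartcards copy, so a commented-out line such as `# [domain/example]` (constructed example) would count as an existing domain section. Now that the task can never fail, `stdout` is the only signal left for later tasks, so the match should be exact: `command: grep '^\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf`. The same unanchored pattern appears in the sssd_offline_cred_expiration and sssd_ssh_known_hosts_timeout hunks. The tasks that read `test_grep_domain` are outside these hunks, so the practical effect depends on how they use the result.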
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_dir/ansible/shared.yml
@@ -26,7 +26,7 @@
 ansible.builtin.command:
 cmd: semanage fcontext -a -t faillog_t "{{ var_accounts_passwords_pam_faillock_dir }}(/.*)?"
 register: result_accounts_passwords_pam_faillock_dir_semanage
- ignore_errors: yes
+ failed_when: false
 changed_when:
 - result_accounts_passwords_pam_faillock_dir_semanage.rc == 0
diff --git a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/ansible/shared.yml b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/ansible/shared.yml
index bd7bd5174b9..ffc7cacb0ae 100644
--- a/linux_os/guide/system/software/integrity/fips/enable_fips_mode/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/fips/enable_fips_mode/ansible/shared.yml
@@ -8,7 +8,7 @@
 - name: "{{{ rule_title }}} - Check to See the Current Status of FIPS Mode"
 ansible.builtin.command: /usr/bin/fips-mode-setup --check
 register: is_fips_enabled
- ignore_errors: yes
+ failed_when: false
 changed_when: false
 - name: "{{{ rule_title }}} - Enable FIPS Mode"
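Review bot: The semanage task in accounts_passwords_pam_faillock_dir is a state-changing command rather than a read-only check, and `failed_when: false` now lets the play continue silently when the file-context rule was never added (semanage not installed, unknown type, policy store unavailable), leaving the faillock directory without the `faillog_t` label. If the intent is only to tolerate a rule that is already present, narrow the condition, for example `failed_when: result_accounts_passwords_pam_faillock_dir_semanage.rc != 0 and 'already defined' not in result_accounts_passwords_pam_faillock_dir_semanage.stderr`; the exact message text should be confirmed against the target's semanage. The task's name line and any follow-up task are outside the hunk, so a later step may already handle the non-zero case.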
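Review bot: The FIPS status probe in enable_fips_mode has no `check_mode: false`, unlike the sssd probes touched by this patch, so under `ansible-playbook --check` the command is skipped and `is_fips_enabled` carries no `stdout` or `rc` for the following "Enable FIPS Mode" task to test. The probe is read-only, so adding `check_mode: false` after `changed_when: false` is safe and keeps dry runs meaningful. With `failed_when: false` in place a missing or broken `/usr/bin/fips-mode-setup` also no longer stops the play here. The condition on the enable task is outside the hunk, so confirm that it keys on an explicit "enabled" result rather than on the absence of an error.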