From 0bc4c54e2300761b18fb52b7bafb6c6dccaee8db Mon Sep 17 00:00:00 2001
From: Alessandro Fael Garcia
Date: Fri, 8 Oct 2021 00:20:13 +0200
Subject: [PATCH] Always update NAP dependencies to the latest available version (#133)
---
CHANGELOG.md | 10 +++++
molecule/Dockerfile.j2 | 8 ++--
molecule/advanced/requirements.yml | 2 +-
molecule/default/requirements.yml | 2 +-
molecule/dos/molecule.yml | 21 +++++++++
molecule/dos/requirements.yml | 2 +-
molecule/specific-version/requirements.yml | 2 +-
.../prerequisites/install-dependencies.yml | 45 +++++++------------
vars/main.yml | 42 +++++++----------
9 files changed, 71 insertions(+), 63 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 35b1ed7e..9a0e6021 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,15 @@
 # Changelog
+## 0.6.2 (Unreleased)
+
+ENHANCEMENTS:
+
+Move non NGINX App Protect specific dependencies from the role into the Molecule Dockerfile.
+
+BUG FIXES:
+
+Always update NGINX App Protect dependencies to the latest available version to avoid outdated dependency issues (e.g. outdated CA certificates).
+
 ## 0.6.1 (September 30, 2021)
 KNOWN ISSUES:
diff --git a/molecule/Dockerfile.j2 b/molecule/Dockerfile.j2
index d3548ff8..fc2cfd35 100644
--- a/molecule/Dockerfile.j2
+++ b/molecule/Dockerfile.j2
@@ -17,7 +17,7 @@ ENV {{ var }} {{ value }}
 RUN \
 if [ $(command -v apt-get) ]; then \
 apt-get update \
- && DEBIAN_FRONTEND=noninteractive apt-get install -y aptitude bash ca-certificates curl iproute2 python-apt python3 python3-apt procps sudo systemd systemd-sysv vim \
+ && DEBIAN_FRONTEND=noninteractive apt-get install -y aptitude bash curl dirmngr iproute2 python3 python3-apt procps sudo systemd systemd-sysv vim \
 && apt-get clean; \
 elif [ $(command -v dnf) ]; then \
 dnf makecache \
@@ -25,7 +25,7 @@ RUN \
 && dnf clean all; \
 elif [ $(command -v yum) ]; then \
 yum makecache fast \
- && yum install -y bash iproute sudo /usr/bin/python /usr/bin/python2-config vim yum-plugin-ovl initscripts \
+ && yum install -y bash iproute initscripts sudo /usr/bin/python /usr/bin/python2-config vim yum-plugin-ovl \
 && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf \
 && yum clean all; \
 elif [ $(command -v zypper) ]; then \
@@ -34,10 +34,10 @@ RUN \
 && zypper clean -a; \
 elif [ $(command -v apk) ]; then \
 apk update \
- && apk add --no-cache bash ca-certificates curl openrc python3 sudo vim; \
+ && apk add --no-cache bash curl openrc python3 sudo vim; \
 echo 'rc_provide="loopback net"' >> /etc/rc.conf; \
 elif [ $(command -v xbps-install) ]; then \
 xbps-install -Syu \
- && xbps-install -y bash ca-certificates iproute2 python3 sudo vim \
+ && xbps-install -y bash iproute2 python3 sudo vim \
 && xbps-remove -O; \
 fi
diff --git a/molecule/advanced/requirements.yml b/molecule/advanced/requirements.yml
index 7ca87b2b..4b241943 100644
--- a/molecule/advanced/requirements.yml
+++ b/molecule/advanced/requirements.yml
@@ -1,6 +1,6 @@
 ---
 roles:
 - name: nginxinc.nginx
- version: 0.21.1
+ version: 0.21.2
 - name: robertdebock.rsyslog
 version: 3.2.0
diff --git a/molecule/default/requirements.yml b/molecule/default/requirements.yml
index 315164c6..2badc967 100644
--- a/molecule/default/requirements.yml
+++ b/molecule/default/requirements.yml
@@ -1,4 +1,4 @@
 ---
 roles:
 - name: nginxinc.nginx
- version: 0.21.1
+ version: 0.21.2
diff --git a/molecule/dos/molecule.yml b/molecule/dos/molecule.yml
index 400a0d15..d6345886 100644
--- a/molecule/dos/molecule.yml
+++ b/molecule/dos/molecule.yml
@@ -10,6 +10,13 @@ lint: |
 yamllint .
 ansible-lint --force-color
 platforms:
+ - name: centos-7
+ image: centos:7
+ dockerfile: ../Dockerfile.j2
+ privileged: true
+ volumes:
+ - "/sys/fs/cgroup:/sys/fs/cgroup:rw"
+ command: "/usr/sbin/init"
 - name: debian-buster
 image: debian:buster-slim
 dockerfile: ../Dockerfile.j2
@@ -17,6 +24,20 @@ platforms:
 volumes:
 - "/sys/fs/cgroup:/sys/fs/cgroup:rw"
 command: "/sbin/init"
+ - name: ubuntu-bionic
+ image: ubuntu:bionic
+ dockerfile: ../Dockerfile.j2
+ privileged: true
+ volumes:
+ - "/sys/fs/cgroup:/sys/fs/cgroup:rw"
+ command: "/sbin/init"
+ - name: ubuntu-focal
+ image: ubuntu:focal
+ dockerfile: ../Dockerfile.j2
+ privileged: true
+ volumes:
+ - "/sys/fs/cgroup:/sys/fs/cgroup:rw"
+ command: "/sbin/init"
 provisioner:
 name: ansible
 playbooks:
diff --git a/molecule/dos/requirements.yml b/molecule/dos/requirements.yml
index 315164c6..2badc967 100644
--- a/molecule/dos/requirements.yml
+++ b/molecule/dos/requirements.yml
@@ -1,4 +1,4 @@
 ---
 roles:
 - name: nginxinc.nginx
- version: 0.21.1
+ version: 0.21.2
diff --git a/molecule/specific-version/requirements.yml b/molecule/specific-version/requirements.yml
index 315164c6..2badc967 100644
--- a/molecule/specific-version/requirements.yml
+++ b/molecule/specific-version/requirements.yml
@@ -1,4 +1,4 @@
 ---
 roles:
 - name: nginxinc.nginx
- version: 0.21.1
+ version: 0.21.2
diff --git a/tasks/common/prerequisites/install-dependencies.yml b/tasks/common/prerequisites/install-dependencies.yml
index f9ee130c..94490141 100644
--- a/tasks/common/prerequisites/install-dependencies.yml
+++ b/tasks/common/prerequisites/install-dependencies.yml
@@ -3,27 +3,26 @@
 apk:
 name: "{{ nginx_app_protect_alpine_dependencies }}"
 update_cache: true
- ignore_errors: "{{ ansible_check_mode }}"
+ state: latest # noqa package-latest
 when: ansible_os_family == "Alpine"
 - name: (Debian/Ubuntu) Install package dependencies
 apt:
 name: "{{ nginx_app_protect_debian_dependencies }}"
 update_cache: true
+ state: latest # noqa package-latest
 when: ansible_os_family == "Debian"
-- name: (CentOS) Install package dependencies
+- name: (Amazon Linux/CentOS/RHEL) Install package dependencies
 yum:
- name: "{{ nginx_app_protect_centos_dependencies }}"
- when: ansible_distribution == "CentOS"
+ name: "{{ nginx_app_protect_redhat_dependencies }}"
+ update_cache: true
+ state: latest # noqa package-latest
+ when: ansible_os_family == "RedHat"
-- name: (RHEL) Install dependencies
+- name: (RHEL) Set up RHEL specific repositories
 block:
- - name: (RHEL) Install package dependencies
- yum:
- name: "{{ nginx_app_protect_rhel_dependencies }}"
-
- - name: (RHEL) Set up RHEL repository
+ - name: (RHEL) Install extended dependencies from CentOS repositories
 yum_repository:
 name: CentOS-7
 baseurl: "http://ftp.heanet.ie/pub/centos/{{ ansible_distribution_major_version }}/os/$basearch/"
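Review bot: The merged yum task gates on `when: ansible_os_family == "RedHat"`, which also matches distributions and major versions the role does not list (Fedora, Rocky, Oracle, RHEL 8), while the list it installs, `nginx_app_protect_redhat_dependencies`, hard-codes the EPEL release-7 RPM URL in vars/main.yml of this same commit; the RHEL block underneath already templates `{{ ansible_distribution_major_version }}` into its CentOS baseurl, so unless the platform-matrix check that consumes `nginx_app_protect_waf_linux_families` is guaranteed to run first, the guard should be at least as narrow, e.g. `when: ansible_os_family == "RedHat" and ansible_distribution_major_version == "7"`. The three `state: latest # noqa package-latest` lines are the actual fix, but nothing in the file records why the lint rule is waived; a comment such as `# upgrade on every run so ca-certificates never goes stale (#133)` beside each one keeps a later cleanup from quietly reverting it. The CentOS-7 `yum_repository` definition (gpgcheck/gpgkey settings) continues past the end of the hunk.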
@@ -35,28 +34,16 @@
 state: "{{ nginx_app_protect_license_status | default ('present') }}"
 when: not nginx_app_protect_use_rhel_subscription_repos | bool
- - name: (RHEL) Install package dependencies from your RHEL subscription
- yum:
+ - name: (RHEL) Install extended dependencies from RHEL subscription repositories
+ rhsm_repository:
 name:
- - rhel-7-server-optional-rpms
 - rhel-7-server-rpms
+ - rhel-7-server-optional-rpms
 when: nginx_app_protect_use_rhel_subscription_repos | bool
 when: ansible_distribution == "RedHat"
-- name: (Amazon Linux) Install dependencies
- block:
- - name: (Amazon Linux) Enable amazon-linux-extras packages
- command: "amazon-linux-extras enable {{ item }}"
- changed_when: false
- loop: "{{ nginx_app_protect_amazon_extras_packages }}"
- - name: (Amazon Linux) Clean Yum Metadata
- command: yum clean metadata
- changed_when: false
- args:
- warn: false
- - name: (Amazon Linux) Install package dependencies
- yum:
- name: "{{ nginx_app_protect_amazon_dependencies }}"
+- name: (Amazon Linux) Set up Amazon Linux Extras repositories
+ command: "amazon-linux-extras enable {{ item }}"
+ changed_when: false
+ loop: "{{ nginx_app_protect_amazon_extras }}"
 when: ansible_distribution == "Amazon"
diff --git a/vars/main.yml b/vars/main.yml
index d41734b4..e842167f 100644
--- a/vars/main.yml
+++ b/vars/main.yml
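Review bot: The task renamed `(RHEL) Install extended dependencies from RHEL subscription repositories` no longer installs anything — `rhsm_repository` only enables `rhel-7-server-rpms` and `rhel-7-server-optional-rpms` — so the name misdescribes what a failure at this step means; `(RHEL) Enable RHEL subscription repositories for extended dependencies` would be accurate, and the sibling CentOS task above the hunk has the same naming problem. The module also presumes the host is already registered with subscription-manager and has no fallback when it is not, which deserves a comment such as `# requires the host to be registered with subscription-manager; only enables repos, installs nothing`. On the Amazon side the `yum clean metadata` step is gone, so whatever later installs from the `selinux-ng` topic (outside this diff) now relies on yum picking up the newly written repo file on its own — worth confirming that consumer sets `update_cache: true`. The enclosing RHEL `block:` starts above this hunk.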
@@ -2,64 +2,54 @@
 # NGINX App Protect WAF platform matrix. Populate this dictionary of lists with appropriate values from ansible_distribution and ansible_distribution_version facts
 nginx_app_protect_waf_linux_families:
 alpine: [
- "3.10",
+ '3.10',
 ]
 amazon: [
- "2",
+ '2',
 ]
 debian: [
- "10",
+ '10',
 ]
 centos: [
- "7.4", "7.5", "7.6", "7.7", "7.8", "7.9",
+ '7.4', '7.5', '7.6', '7.7', '7.8', '7.9',
 ]
 redhat: [
- "7.4", "7.5", "7.6", "7.7", "7.8", "7.9",
+ '7.4', '7.5', '7.6', '7.7', '7.8', '7.9',
 ]
 ubuntu: [
- "18.04", "20.04",
+ '18.04', '20.04',
 ]
 # NGINX App Protect DoS platform matrix. Populate this dictionary of lists with appropriate values from ansible_distribution and ansible_distribution_version facts
 nginx_app_protect_dos_linux_families:
 centos: [
- "7.4", "7.5", "7.6", "7.7", "7.8", "7.9",
+ '7.4', '7.5', '7.6', '7.7', '7.8', '7.9',
 ]
 debian: [
- "10",
+ '10',
 ]
 ubuntu: [
- "18.04", "20.04",
+ '18.04', '20.04',
 ]
 # Alpine Linux dependencies
 nginx_app_protect_alpine_dependencies: [
- "python3",
+ 'ca-certificates',
 ]
 # Debian dependencies
 nginx_app_protect_debian_dependencies: [
- "apt-transport-https", "ca-certificates", "dirmngr",
+ 'apt-transport-https', 'ca-certificates',
 ]
-# CentOS dependencies
-nginx_app_protect_centos_dependencies: [
- "ca-certificates", "epel-release", "openssl",
-]
-
-# RHEL dependencies
-nginx_app_protect_rhel_dependencies: [
- "ca-certificates", "https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm", "openssl",
-]
-
-# Amazon Linux 2 dependencies
-nginx_app_protect_amazon_dependencies: [
- "ca-certificates", "epel-release",
+# Red Hat dependencies
+nginx_app_protect_redhat_dependencies: [
+ 'ca-certificates', 'https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm',
 ]
 # Amazon Linux 2 extras
-nginx_app_protect_amazon_extras_packages: [
- "epel", "selinux-ng",
+nginx_app_protect_amazon_extras: [
+ 'selinux-ng',
 ]
 # Choose where to fetch the NGINX App Protect and Security Updates signing keys 
from.
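Review bot: `dirmngr` is dropped from `nginx_app_protect_debian_dependencies` and re-added only to the Molecule Dockerfile's apt line, so the role no longer guarantees it on real Debian/Ubuntu targets while the CI containers still carry it — the classic way a test image masks a missing dependency. `dirmngr` is what gpg/`apt-key` need to pull a key from a keyserver; if the signing-key task that the trailing comment introduces (outside this hunk) can take a keyserver path, minimal production hosts will fail where Molecule passes, so either keep `'dirmngr'` in the Debian list or, once confirmed, document the decision next to it with `# dirmngr not required: signing keys are fetched by URL over HTTPS, not from a keyserver`. Separately, the EPEL entry `'https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm'` is now installed on every RedHat-family host as a URL package; as far as I recall yum's `localpkg_gpgcheck` is off by default, so only TLS protects that download — importing the EPEL 7 key with `rpm_key` first, or installing `epel-release` from the CentOS extras repo where it exists, would close that gap.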