From b0f73f88347222ff7765a916a5606b771d6afbb8 Mon Sep 17 00:00:00 2001 From: alessfg Date: Wed, 6 Oct 2021 14:46:40 +0200 Subject: [PATCH 1/6] Always update NAP dependencies to the latest available version --- CHANGELOG.md | 10 ++++++++++ molecule/Dockerfile.j2 | 8 ++++---- tasks/common/prerequisites/install-dependencies.yml | 6 ++++++ vars/main.yml | 10 ++++------ 4 files changed, 24 insertions(+), 10 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 35b1ed7e..6d3eccf7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,15 @@ # Changelog +## 0.6.2 (Unreleased) + +ENHANCEMENTS: + +Move non NGINX specific dependencies from the role into the Molecule Dockerfile. + +BUG FIXES: + +Always update NGINX dependencies to the latest available version to avoid outdated dependency issues (e.g. outdated CA certificates). + ## 0.6.1 (September 30, 2021) KNOWN ISSUES: diff --git a/molecule/Dockerfile.j2 b/molecule/Dockerfile.j2 index d3548ff8..fc2cfd35 100644 --- a/molecule/Dockerfile.j2 +++ b/molecule/Dockerfile.j2 @@ -17,7 +17,7 @@ ENV {{ var }} {{ value }} RUN \ if [ $(command -v apt-get) ]; then \ apt-get update \ - && DEBIAN_FRONTEND=noninteractive apt-get install -y aptitude bash ca-certificates curl iproute2 python-apt python3 python3-apt procps sudo systemd systemd-sysv vim \ + && DEBIAN_FRONTEND=noninteractive apt-get install -y aptitude bash curl dirmngr iproute2 python3 python3-apt procps sudo systemd systemd-sysv vim \ && apt-get clean; \ elif [ $(command -v dnf) ]; then \ dnf makecache \ @@ -25,7 +25,7 @@ RUN \ && dnf clean all; \ elif [ $(command -v yum) ]; then \ yum makecache fast \ - && yum install -y bash iproute sudo /usr/bin/python /usr/bin/python2-config vim yum-plugin-ovl initscripts \ + && yum install -y bash iproute initscripts sudo /usr/bin/python /usr/bin/python2-config vim yum-plugin-ovl \ && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf \ && yum clean all; \ elif [ $(command -v zypper) ]; then \ 
@@ -34,10 +34,10 @@ RUN \ && zypper clean -a; \ elif [ $(command -v apk) ]; then \ apk update \ - && apk add --no-cache bash ca-certificates curl openrc python3 sudo vim; \ + && apk add --no-cache bash curl openrc python3 sudo vim; \ echo 'rc_provide="loopback net"' >> /etc/rc.conf; \ elif [ $(command -v xbps-install) ]; then \ xbps-install -Syu \ - && xbps-install -y bash ca-certificates iproute2 python3 sudo vim \ + && xbps-install -y bash iproute2 python3 sudo vim \ && xbps-remove -O; \ fi diff --git a/tasks/common/prerequisites/install-dependencies.yml b/tasks/common/prerequisites/install-dependencies.yml index f9ee130c..4543bbd3 100644 --- a/tasks/common/prerequisites/install-dependencies.yml +++ b/tasks/common/prerequisites/install-dependencies.yml @@ -3,6 +3,7 @@ apk: name: "{{ nginx_app_protect_alpine_dependencies }}" update_cache: true + state: latest # noqa package-latest ignore_errors: "{{ ansible_check_mode }}" when: ansible_os_family == "Alpine" @@ -10,11 +11,14 @@ apt: name: "{{ nginx_app_protect_debian_dependencies }}" update_cache: true + state: latest # noqa package-latest when: ansible_os_family == "Debian" - name: (CentOS) Install package dependencies yum: name: "{{ nginx_app_protect_centos_dependencies }}" + update_cache: true + state: latest # noqa package-latest when: ansible_distribution == "CentOS" - name: (RHEL) Install dependencies @@ -22,6 +26,8 @@ - name: (RHEL) Install package dependencies yum: name: "{{ nginx_app_protect_rhel_dependencies }}" + update_cache: true + state: latest # noqa package-latest - name: (RHEL) Set up RHEL repository yum_repository: diff --git a/vars/main.yml b/vars/main.yml index d41734b4..fe45114c 100644 --- a/vars/main.yml +++ b/vars/main.yml 
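Review bot: `state: latest` on all four dependency tasks in install-dependencies.yml upgrades `ca-certificates`, `epel-release` and `apt-transport-https` to whatever the mirror currently serves on every run, so the role stops being idempotent and the `# noqa package-latest` merely silences the lint rule that exists to warn about exactly that. The changelog motivates the change with stale CA bundles, which `latest` on `ca-certificates` alone would address; the repo-enabling packages can stay at `state: present`, e.g. a separate task `name: ca-certificates` / `state: latest` per family. For the RHEL list the entry is a remote RPM URL, where `latest` adds nothing over `present` since the file is fetched afresh each time anyway.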
@@ -33,23 +33,21 @@ nginx_app_protect_dos_linux_families: ] # Alpine Linux dependencies -nginx_app_protect_alpine_dependencies: [ - "python3", -] +nginx_app_protect_alpine_dependencies: [] # Debian dependencies nginx_app_protect_debian_dependencies: [ - "apt-transport-https", "ca-certificates", "dirmngr", + "apt-transport-https", "ca-certificates", ] # CentOS dependencies nginx_app_protect_centos_dependencies: [ - "ca-certificates", "epel-release", "openssl", + "ca-certificates", "epel-release", ] # RHEL dependencies nginx_app_protect_rhel_dependencies: [ - "ca-certificates", "https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm", "openssl", + "ca-certificates", "https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm", ] # Amazon Linux 2 dependencies From 036ceab6d501b4998b93eb67e125d9d17170f8c0 Mon Sep 17 00:00:00 2001 From: alessfg Date: Wed, 6 Oct 2021 14:47:02 +0200 Subject: [PATCH 2/6] Update CHANGELOG.md --- CHANGELOG.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6d3eccf7..9a0e6021 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,11 +4,11 @@ ENHANCEMENTS: -Move non NGINX specific dependencies from the role into the Molecule Dockerfile. +Move non NGINX App Protect specific dependencies from the role into the Molecule Dockerfile. BUG FIXES: -Always update NGINX dependencies to the latest available version to avoid outdated dependency issues (e.g. outdated CA certificates). +Always update NGINX App Protect dependencies to the latest available version to avoid outdated dependency issues (e.g. outdated CA certificates). ## 0.6.1 (September 30, 2021) From 7c073a9fc221c7d6f6312e5c6027bc9a2c016655 Mon Sep 17 00:00:00 2001 From: alessfg Date: Wed, 6 Oct 2021 19:18:56 +0200 Subject: [PATCH 3/6] Add more testing platforms --- molecule/dos/molecule.yml | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) 
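Review bot: with `nginx_app_protect_alpine_dependencies: []` and this same patch dropping `ca-certificates` from the Alpine and Void lines of molecule/Dockerfile.j2, nothing installs a CA bundle on Alpine targets any more, so any HTTPS fetch of the NGINX signing key or repository metadata will fail certificate verification there; the list should keep `"ca-certificates",` (the fourth patch in this series does restore it). Removing `dirmngr` from the Debian list while adding it to the Molecule image is the same pattern in reverse: if the role's key handling uses `apt_key` with a keyserver (not visible in this hunk), `dirmngr` is a real target-host dependency that the test image now satisfies silently, so Molecule would pass on hosts where the role fails.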
diff --git a/molecule/dos/molecule.yml b/molecule/dos/molecule.yml index 400a0d15..d6345886 100644 --- a/molecule/dos/molecule.yml +++ b/molecule/dos/molecule.yml @@ -10,6 +10,13 @@ lint: | yamllint . ansible-lint --force-color platforms: + - name: centos-7 + image: centos:7 + dockerfile: ../Dockerfile.j2 + privileged: true + volumes: + - "/sys/fs/cgroup:/sys/fs/cgroup:rw" + command: "/usr/sbin/init" - name: debian-buster image: debian:buster-slim dockerfile: ../Dockerfile.j2 @@ -17,6 +24,20 @@ platforms: volumes: - "/sys/fs/cgroup:/sys/fs/cgroup:rw" command: "/sbin/init" + - name: ubuntu-bionic + image: ubuntu:bionic + dockerfile: ../Dockerfile.j2 + privileged: true + volumes: + - "/sys/fs/cgroup:/sys/fs/cgroup:rw" + command: "/sbin/init" + - name: ubuntu-focal + image: ubuntu:focal + dockerfile: ../Dockerfile.j2 + privileged: true + volumes: + - "/sys/fs/cgroup:/sys/fs/cgroup:rw" + command: "/sbin/init" provisioner: name: ansible playbooks: From 3a9a669194c95a0668f2663112eb7d2bc04f26a6 Mon Sep 17 00:00:00 2001 From: alessfg Date: Thu, 7 Oct 2021 16:13:53 +0200 Subject: [PATCH 4/6] Multiple updates --- molecule/advanced/requirements.yml | 2 +- molecule/default/requirements.yml | 2 +- molecule/dos/requirements.yml | 2 +- molecule/specific-version/requirements.yml | 2 +- .../prerequisites/install-dependencies.yml | 49 ++++++------------- vars/main.yml | 24 +++------ 6 files changed, 27 insertions(+), 54 deletions(-) diff --git a/molecule/advanced/requirements.yml b/molecule/advanced/requirements.yml index 7ca87b2b..4b241943 100644 --- a/molecule/advanced/requirements.yml +++ b/molecule/advanced/requirements.yml @@ -1,6 +1,6 @@ --- roles: - name: nginxinc.nginx - version: 0.21.1 + version: 0.21.2 - name: robertdebock.rsyslog version: 3.2.0 diff --git a/molecule/default/requirements.yml b/molecule/default/requirements.yml index 315164c6..2badc967 100644 --- a/molecule/default/requirements.yml +++ b/molecule/default/requirements.yml 
@@ -1,4 +1,4 @@ --- roles: - name: nginxinc.nginx - version: 0.21.1 + version: 0.21.2 diff --git a/molecule/dos/requirements.yml b/molecule/dos/requirements.yml index 315164c6..2badc967 100644 --- a/molecule/dos/requirements.yml +++ b/molecule/dos/requirements.yml @@ -1,4 +1,4 @@ --- roles: - name: nginxinc.nginx - version: 0.21.1 + version: 0.21.2 diff --git a/molecule/specific-version/requirements.yml b/molecule/specific-version/requirements.yml index 315164c6..2badc967 100644 --- a/molecule/specific-version/requirements.yml +++ b/molecule/specific-version/requirements.yml @@ -1,4 +1,4 @@ --- roles: - name: nginxinc.nginx - version: 0.21.1 + version: 0.21.2 diff --git a/tasks/common/prerequisites/install-dependencies.yml b/tasks/common/prerequisites/install-dependencies.yml index 4543bbd3..168ebc4e 100644 --- a/tasks/common/prerequisites/install-dependencies.yml +++ b/tasks/common/prerequisites/install-dependencies.yml @@ -4,7 +4,6 @@ name: "{{ nginx_app_protect_alpine_dependencies }}" update_cache: true state: latest # noqa package-latest - ignore_errors: "{{ ansible_check_mode }}" when: ansible_os_family == "Alpine" - name: (Debian/Ubuntu) Install package dependencies 
@@ -14,31 +13,23 @@ state: latest # noqa package-latest when: ansible_os_family == "Debian" -- name: (CentOS) Install package dependencies - yum: - name: "{{ nginx_app_protect_centos_dependencies }}" - update_cache: true - state: latest # noqa package-latest - when: ansible_distribution == "CentOS" - -- name: (RHEL) Install dependencies +- name: (Amazon Linux/CentOS/RHEL) Install dependencies block: - - name: (RHEL) Install package dependencies + - name: (Amazon Linux/CentOS/RHEL) Install dependencies yum: - name: "{{ nginx_app_protect_rhel_dependencies }}" + name: "{{ nginx_app_protect_redhat_dependencies }}" update_cache: true state: latest # noqa package-latest - - name: (RHEL) Set up RHEL repository + - name: (Amazon Linux/CentOS/RHEL) Set up dependencies repository yum_repository: - name: CentOS-7 - baseurl: "http://ftp.heanet.ie/pub/centos/{{ ansible_distribution_major_version }}/os/$basearch/" + name: dependencies + baseurl: "https://pkgs.nginx.com/epel/7/$basearch/" description: NGINX App Protect dependencies enabled: true - gpgcheck: true - gpgkey: "http://ftp.heanet.ie/pub/centos/{{ ansible_distribution_major_version }}/os/$basearch/\ - RPM-GPG-KEY-CentOS-{{ ansible_distribution_major_version }}" - state: "{{ nginx_app_protect_license_status | default ('present') }}" + gpgcheck: false + sslclientcert: /etc/ssl/nginx/nginx-repo.crt + sslclientkey: /etc/ssl/nginx/nginx-repo.key when: not nginx_app_protect_use_rhel_subscription_repos | bool - name: (RHEL) Install package dependencies from your RHEL subscription 
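Review bot: `gpgcheck: false` on the new `dependencies` repository disables RPM signature verification for every package yum pulls from `https://pkgs.nginx.com/epel/7/`, so integrity rests solely on TLS plus the client certificate, which authenticates the host to the server but says nothing about who built the packages; the replaced block verified against the CentOS key, making this the only place in the role where signing is switched off. If this mirror is kept, set `gpgcheck: true` and point `gpgkey` at the NGINX signing key the role already fetches (vars/main.yml refers to it), or document explicitly why those packages cannot be verified. The rewrite also drops `state: "{{ nginx_app_protect_license_status | default ('present') }}"`, so the repo file is left behind when the license is removed. Note the fifth patch in this series swaps this block back to the CentOS mirror, so the point only stands if the nginx-hosted EPEL mirror is reinstated; the enclosing block continues past this hunk.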
@@ -46,23 +37,13 @@ name: - rhel-7-server-optional-rpms - rhel-7-server-rpms + update_cache: true + state: latest # noqa package-latest when: nginx_app_protect_use_rhel_subscription_repos | bool - when: ansible_distribution == "RedHat" -- name: (Amazon Linux) Install dependencies - block: - - name: (Amazon Linux) Enable amazon-linux-extras packages + - name: (Amazon Linux) Enable Amazon Linux Extras dependencies command: "amazon-linux-extras enable {{ item }}" changed_when: false - loop: "{{ nginx_app_protect_amazon_extras_packages }}" - - - name: (Amazon Linux) Clean Yum Metadata - command: yum clean metadata - changed_when: false - args: - warn: false - - - name: (Amazon Linux) Install package dependencies - yum: - name: "{{ nginx_app_protect_amazon_dependencies }}" - when: ansible_distribution == "Amazon" + loop: "{{ nginx_app_protect_amazon_extras }}" + when: ansible_distribution == "Amazon" + when: ansible_os_family == "RedHat" diff --git a/vars/main.yml b/vars/main.yml index fe45114c..cc476800 100644 --- a/vars/main.yml +++ b/vars/main.yml 
@@ -33,31 +33,23 @@ nginx_app_protect_dos_linux_families: ] # Alpine Linux dependencies -nginx_app_protect_alpine_dependencies: [] +nginx_app_protect_alpine_dependencies: [ + "ca-certificates", +] # Debian dependencies nginx_app_protect_debian_dependencies: [ "apt-transport-https", "ca-certificates", ] -# CentOS dependencies -nginx_app_protect_centos_dependencies: [ - "ca-certificates", "epel-release", -] - -# RHEL dependencies -nginx_app_protect_rhel_dependencies: [ - "ca-certificates", "https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm", -] - -# Amazon Linux 2 dependencies -nginx_app_protect_amazon_dependencies: [ - "ca-certificates", "epel-release", +# Red Hat dependencies +nginx_app_protect_redhat_dependencies: [ + "ca-certificates", ] # Amazon Linux 2 extras -nginx_app_protect_amazon_extras_packages: [ - "epel", "selinux-ng", +nginx_app_protect_amazon_extras: [ + "selinux-ng", ] # Choose where to fetch the NGINX App Protect and Security Updates signing keys from. From ca2d691c7c0af2098bf3db20e51b8e51191e818d Mon Sep 17 00:00:00 2001 From: alessfg Date: Thu, 7 Oct 2021 20:23:47 +0200 Subject: [PATCH 5/6] Updates --- .../prerequisites/install-dependencies.yml | 46 ++++++++++--------- vars/main.yml | 26 +++++------ 2 files changed, 37 insertions(+), 35 deletions(-) diff --git a/tasks/common/prerequisites/install-dependencies.yml b/tasks/common/prerequisites/install-dependencies.yml index 168ebc4e..6f3fd6bf 100644 --- a/tasks/common/prerequisites/install-dependencies.yml +++ b/tasks/common/prerequisites/install-dependencies.yml 
@@ -13,37 +13,39 @@ state: latest # noqa package-latest when: ansible_os_family == "Debian" -- name: (Amazon Linux/CentOS/RHEL) Install dependencies - block: - - name: (Amazon Linux/CentOS/RHEL) Install dependencies - yum: - name: "{{ nginx_app_protect_redhat_dependencies }}" - update_cache: true - state: latest # noqa package-latest +- name: (Amazon Linux/CentOS/RHEL) Install main dependencies + yum: + name: "{{ nginx_app_protect_redhat_dependencies }}" + update_cache: true + state: latest # noqa package-latest + when: ansible_os_family == "RedHat" - - name: (Amazon Linux/CentOS/RHEL) Set up dependencies repository +- name: (RHEL) Set up RHEL repository + block: + - name: (RHEL) Install package dependencies from CentOS repositories yum_repository: - name: dependencies - baseurl: "https://pkgs.nginx.com/epel/7/$basearch/" + name: CentOS-7 + baseurl: "http://ftp.heanet.ie/pub/centos/{{ ansible_distribution_major_version }}/os/$basearch/" description: NGINX App Protect dependencies enabled: true - gpgcheck: false - sslclientcert: /etc/ssl/nginx/nginx-repo.crt - sslclientkey: /etc/ssl/nginx/nginx-repo.key + gpgcheck: true + gpgkey: "http://ftp.heanet.ie/pub/centos/{{ ansible_distribution_major_version }}/os/$basearch/\ + RPM-GPG-KEY-CentOS-{{ ansible_distribution_major_version }}" + state: "{{ nginx_app_protect_license_status | default ('present') }}" when: not nginx_app_protect_use_rhel_subscription_repos | bool - name: (RHEL) Install package dependencies from your RHEL subscription - yum: + rhsm_repository: name: + - rhui-REGION-rhel-server-optional + - rhui-REGION-rhel-server-releases - rhel-7-server-optional-rpms - - rhel-7-server-rpms - update_cache: true state: latest # noqa package-latest when: nginx_app_protect_use_rhel_subscription_repos | bool + when: ansible_distribution == "RedHat" - - name: (Amazon Linux) Enable Amazon Linux Extras dependencies - command: "amazon-linux-extras enable {{ item }}" - changed_when: false - loop: "{{ 
nginx_app_protect_amazon_extras }}" - when: ansible_distribution == "Amazon" - when: ansible_os_family == "RedHat" +- name: (Amazon Linux) Enable Amazon Linux Extras dependencies + command: "amazon-linux-extras enable {{ item }}" + changed_when: false + loop: "{{ nginx_app_protect_amazon_extras }}" + when: ansible_distribution == "Amazon" diff --git a/vars/main.yml b/vars/main.yml index cc476800..e842167f 100644 --- a/vars/main.yml +++ b/vars/main.yml 
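Review bot: `baseurl` and `gpgkey` are both fetched over plain `http://` from the same third-party mirror (`ftp.heanet.ie`), so `gpgcheck: true` gives no protection against a network attacker who can serve a forged key next to forged packages; the key should come from a source independent of the package mirror, e.g. shipped with the role or fetched from the CentOS project over HTTPS, and `baseurl` should use `https://` if the mirror supports it. Separately, `rhsm_repository` has no `latest` state (its states are enabled/disabled/present/absent), so `state: latest # noqa package-latest` on the subscription task would fail on RHEL, and the `rhui-REGION-*` names are RHUI (cloud image) repository IDs that do not exist on subscription-manager hosts; the sixth patch in this series corrects both, so this is noted for the record of the intermediate state only.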
@@ -2,54 +2,54 @@ # NGINX App Protect WAF platform matrix. Populate this dictionary of lists with appropriate values from ansible_distribution and ansible_distribution_version facts nginx_app_protect_waf_linux_families: alpine: [ - "3.10", + '3.10', ] amazon: [ - "2", + '2', ] debian: [ - "10", + '10', ] centos: [ - "7.4", "7.5", "7.6", "7.7", "7.8", "7.9", + '7.4', '7.5', '7.6', '7.7', '7.8', '7.9', ] redhat: [ - "7.4", "7.5", "7.6", "7.7", "7.8", "7.9", + '7.4', '7.5', '7.6', '7.7', '7.8', '7.9', ] ubuntu: [ - "18.04", "20.04", + '18.04', '20.04', ] # NGINX App Protect DoS platform matrix. Populate this dictionary of lists with appropriate values from ansible_distribution and ansible_distribution_version facts nginx_app_protect_dos_linux_families: centos: [ - "7.4", "7.5", "7.6", "7.7", "7.8", "7.9", + '7.4', '7.5', '7.6', '7.7', '7.8', '7.9', ] debian: [ - "10", + '10', ] ubuntu: [ - "18.04", "20.04", + '18.04', '20.04', ] # Alpine Linux dependencies nginx_app_protect_alpine_dependencies: [ - "ca-certificates", + 'ca-certificates', ] # Debian dependencies nginx_app_protect_debian_dependencies: [ - "apt-transport-https", "ca-certificates", + 'apt-transport-https', 'ca-certificates', ] # Red Hat dependencies nginx_app_protect_redhat_dependencies: [ - "ca-certificates", + 'ca-certificates', 'https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm', ] # Amazon Linux 2 extras nginx_app_protect_amazon_extras: [ - "selinux-ng", + 'selinux-ng', ] # Choose where to fetch the NGINX App Protect and Security Updates signing keys from. From eb0730bc9af516aa39ee96599d65ee0acd41afff Mon Sep 17 00:00:00 2001 From: alessfg Date: Thu, 7 Oct 2021 23:32:13 +0200 Subject: [PATCH 6/6] Update install-dependencies.yml --- .../common/prerequisites/install-dependencies.yml | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) 
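Review bot: `'https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm'` now sits in the single `nginx_app_protect_redhat_dependencies` list, which the task file installs with `state: latest` on every `ansible_os_family == "RedHat"` host, i.e. CentOS 7 and Amazon Linux 2 as well as RHEL. CentOS ships `epel-release` in its own signed extras repository and Amazon Linux 2 provides EPEL via the `epel` amazon-linux-extras topic that the fourth patch removed, so on those platforms the remote RPM is both redundant and weaker: yum does not GPG-verify locally supplied or URL RPMs by default (`localpkg_gpgcheck=0`), so its integrity rests on TLS to dl.fedoraproject.org alone. I would keep `'epel-release'` for CentOS, restore the `epel` extras topic for Amazon Linux, and limit the URL RPM to RHEL where no packaged alternative exists. The remaining changes in this hunk only switch quoting style.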
diff --git a/tasks/common/prerequisites/install-dependencies.yml b/tasks/common/prerequisites/install-dependencies.yml index 6f3fd6bf..94490141 100644 --- a/tasks/common/prerequisites/install-dependencies.yml +++ b/tasks/common/prerequisites/install-dependencies.yml @@ -13,16 +13,16 @@ state: latest # noqa package-latest when: ansible_os_family == "Debian" -- name: (Amazon Linux/CentOS/RHEL) Install main dependencies +- name: (Amazon Linux/CentOS/RHEL) Install package dependencies yum: name: "{{ nginx_app_protect_redhat_dependencies }}" update_cache: true state: latest # noqa package-latest when: ansible_os_family == "RedHat" -- name: (RHEL) Set up RHEL repository +- name: (RHEL) Set up RHEL specific repositories block: - - name: (RHEL) Install package dependencies from CentOS repositories + - name: (RHEL) Install extended dependencies from CentOS repositories yum_repository: name: CentOS-7 baseurl: "http://ftp.heanet.ie/pub/centos/{{ ansible_distribution_major_version }}/os/$basearch/" @@ -34,17 +34,15 @@ state: "{{ nginx_app_protect_license_status | default ('present') }}" when: not nginx_app_protect_use_rhel_subscription_repos | bool - - name: (RHEL) Install package dependencies from your RHEL subscription + - name: (RHEL) Install extended dependencies from RHEL subscription repositories rhsm_repository: name: - - rhui-REGION-rhel-server-optional - - rhui-REGION-rhel-server-releases + - rhel-7-server-rpms - rhel-7-server-optional-rpms - state: latest # noqa package-latest when: nginx_app_protect_use_rhel_subscription_repos | bool when: ansible_distribution == "RedHat" -- name: (Amazon Linux) Enable Amazon Linux Extras dependencies +- name: (Amazon Linux) Set up Amazon Linux Extras repositories command: "amazon-linux-extras enable {{ item }}" changed_when: false loop: "{{ nginx_app_protect_amazon_extras }}"
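Review bot: `changed_when: false` on the `amazon-linux-extras enable {{ item }}` task masks a genuine state change (enabling a topic writes a new yum repo definition), so the run that first enables `selinux-ng` reports `ok`. The task is also ordered after the `(Amazon Linux/CentOS/RHEL) Install package dependencies` yum task, so that task's `update_cache: true` runs before the topic exists and nothing in this file refreshes metadata afterwards; the `yum clean metadata` step dropped earlier in this series was what covered that. I would move the extras task ahead of the yum task, whose `update_cache` then picks up the new repo, and replace `changed_when: false` with a check of the registered command output or a pre-check against `amazon-linux-extras list`. Whether tasks outside this file refresh the cache themselves I cannot tell from here.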