Skip to content

Make Ansible in grub2_argument_absent template idempotent #13976

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
Mab879 merged 1 commit into from
Oct 3, 2025
Merged

Make Ansible in grub2_argument_absent template idempotent #13976

Mab879 merged 1 commit into from
Oct 3, 2025

Conversation

@jan-cerny
Copy link
Collaborator

@jan-cerny jan-cerny commented Oct 3, 2025

This commit will make Ansible remediations in the grub2_argument_absent template idempotent. The grubby command will be executed only if the GRUB2 argument is present in /etc/default/grub or is present in the /boot/loader/entries.

Resolves: https://issues.redhat.com/browse/OPENSCAP-6251

Review Hints:

  • ./build_product --playbook-per-rule rhel9
  • manually replace hosts by hosts: all in rhel9/playbooks/anssi_bp28_high/grub2_nosmap_argument_absent.yml`
  • ssh to YOUR_IP and run there: grubby --update-kernel=ALL --args="nosmap"
  • Back on the host, run ansible-playbook -u root -i YOUR_IP, rhel9/playbooks/anssi_bp28_high/grub2_nosmap_argument_absent.yml at least twice and compare the output of the first run with the second run and so on, verify that the second and next runs don't change anything and that the output contains only "ok" or "skipping"
  • apart from that, run automatus Tss with --remediate-using ansible

@jan-cerny
Make Ansible in grub2_argument_absent template idempotent
9bc25e4 
This commit will make Ansible remediations in the grub2_argument_absent
template idempotent. The grubby command will be executed only if
the GRUB2 argument is present in /etc/default/grub or is present
in the /boot/loader/entries.

Resolves: https://issues.redhat.com/browse/OPENSCAP-6251
@jan-cerny jan-cerny added this to the 0.1.79 milestone Oct 3, 2025
@jan-cerny jan-cerny added the Ansible Ansible remediation update. label Oct 3, 2025
@openshift-ci
Copy link

openshift-ci bot commented Oct 3, 2025

@jan-cerny: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-aws-openshift-node-compliance 9bc25e4 link true /test e2e-aws-openshift-node-compliance

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@Mab879 Mab879 self-assigned this Oct 3, 2025
Mab879
Mab879 approved these changes Oct 3, 2025
View reviewed changes
Copy link
Member

@Mab879 Mab879 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

While I would like to see the task name in the task name, that problem is for another day.

@Mab879 Mab879 merged commit fd638b7 into ComplianceAsCode:master Oct 3, 2025
133 of 136 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Mab879 Mab879 Mab879 approved these changes

Assignees

@Mab879 Mab879

Labels

Ansible Ansible remediation update.

Projects

None yet

Milestone

0.1.79

Development

Successfully merging this pull request may close these issues.

2 participants

@jan-cerny @Mab879