Commit d1c589b
CIS: Remove always tag from include_role tasks
If we have the CIS hardening hook enabled and run a command such as the
following:

    kayobe overcloud host configure -t foo

where 'cis' is not in the specified tags, we see the following error:

    PLAY [Security hardening] *****************************************
    TASK [include_role : ansible-lockdown.rhel9_cis] ******************
    fatal: [controller-01]: FAILED! =>
    msg: |-
    The conditional check 'ansible_facts.os_family == 'RedHat' and
    ansible_facts.distribution_major_version == '9'' failed. The error
    was: error while evaluating conditional (ansible_facts.os_family
    == 'RedHat' and ansible_facts.distribution_major_version == '9'):
    'dict object' has no attribute 'os_family'. 'dict object' has no
    attribute 'os_family'
    The error appears to be in 'etc/kayobe/ansible/cis.yml': line 35,
    column 7, but may be elsewhere in the file depending on the exact
    syntax problem.
    The offending line appears to be:
    - include_role:
    ^ here

This is because the include_role task has the 'always' tag, so runs
despite no facts having been gathered.

The always tag is not required for this task - specifying the 'cis' tag
causes the role to be included. This change fixes the issue by removing
the always tags from these tasks.

1 parent f8ed8c1 commit d1c589b
1 file changed, +0 -3 lines changed

| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
32 | 32 | | |
33 | 33 | | |
34 | 34 | | |
35 | | - | |
36 | 35 | | |
37 | 36 | | |
38 | 37 | | |
39 | 38 | | |
40 | | - | |
41 | 39 | | |
42 | 40 | | |
43 | 41 | | |
44 | 42 | | |
45 | | - | |
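
Review bot: the conditions on these include_role tasks still read ansible_facts.os_family and ansible_facts.distribution_major_version, so the three deletions at original lines 35, 40 and 45 only stop the tasks from running under unrelated tags; any run that does select them without gathered facts will abort with the same "'dict object' has no attribute 'os_family'" error. Please confirm that a run limited to the 'cis' tag gathers facts in the "Security hardening" play before the include_role tasks are reached, and say so in the commit message or in a comment next to the remaining tags. If that is not guaranteed, an explicit fact-gathering task carrying the 'cis' tag ahead of the includes would make the hardening roles either run with facts or not run at all, rather than failing partway through the play.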