Add remediate role to collection

README.md

@@ -16,6 +16,7 @@ These are the roles included in the collection. Follow the links below to see th
 - [`common`](./roles/common/) - used for local logging, mutex locking, and common vars
 - [`parse_leapp_report`](./roles/parse_leapp_report/) - reads pre-upgrade results and checks for inhibitors
 - [`upgrade`](./roles/upgrade/) - executes the Leapp OS upgrade
+- [`remediate`](./roles/remediate/) - assists in the remediation of a system
 
 ## Supported RHEL versions
 

playbooks/remediate.yml

@@ -0,0 +1,15 @@
+---
+- name: Remediate
+  hosts: all
+  strategy: free
+  become: true
+  force_handlers: true
+  vars:
+    remediation_todo:
+      - LEAPP_FIREWALLD_ALLOWZONEDRIFTING
+      - LEAPP_MISSING_PKG
+  tasks:
+    - name: Perform remediations on the system
+      ansible.builtin.import_role:
+        name: infra.leapp.remediate
+...

roles/remediate/README.md

@@ -0,0 +1,78 @@
+# Remediations
+
+The `remediation` role is to assist in the remediation of a system. This role contains multiple playbooks that can be used to remediate a system for a specific inhibitors that are found during the pre-upgrade analysis.
+
+## Role variables
+
+| Name                    | Default value         | Description                                         |
+|-------------------------|-----------------------|-----------------------------------------------------|
+| leapp_report_location   | /var/log/leapp/leapp-report.json | Location of the leapp report file.       |
+| remediation_playbooks   | see [Remediation playbooks](#remediation-playbooks) | List of available remediation playbooks.|
+| remediation_todo        | []                    | List of remediation playbooks to run.               |
+
+`remediation_todo` is a list of remediation playbooks to run. The list is empty by default. The list can be populated by the titles from [Remediation playbooks](#remediation-playbooks) section. For example:
+
+```yaml
+remediation_todo:
+  - LEAPP_CIFS_DETECTED
+  - LEAPP_CORRUPTED_GRUBENV_FILE
+```
+
+## Remediation playbooks
+
+The list of available remediation playbooks with their corresponding inhibitors titles:
+
+- `LEAPP_CIFS_DETECTED`
+  - **Solves:** Use of CIFS detected. Upgrade can't proceed.  CIFS is currently not supported by the inplace upgrade.
+- `LEAPP_CORRUPTED_GRUBENV_FILE`
+  - **Solves:** Detected a corrupted grubenv file.
+- `LEAPP_CUSTOM_NETWORK_SCRIPTS_DETECTED`
+  - **Solves:** custom network-scripts detected. RHEL 9 does not support the legacy network-scripts package that was deprecated in RHEL 8.
+- `LEAPP_DEPRECATED_SSHD_DIRECTIVE`
+  - **Solves:** A deprecated directive in the sshd configuration.
+- `LEAPP_FIREWALLD_ALLOWZONEDRIFTING`:
+  - **Solves:** Firewalld Configuration AllowZoneDrifting Is Unsupported.
+- `LEAPP_FIREWALLD_UNSUPPORTED_TFTP_CLIENT`
+  - **Solves:** Firewalld Service tftp-client Is Unsupported.
+- `LEAPP_LOADED_REMOVED_KERNEL_DRIVERS`
+  - **Solves:** Leapp detected loaded kernel drivers which have been removed in RHEL 8. Upgrade cannot proceed.
+- `LEAPP_MISSING_EFIBOOTMGR`
+  - **Solves:** efibootmgr package is required on EFI systems.
+- `LEAPP_MISSING_PKG`
+  - **Solves:** Leapp detected missing packages.
+- `LEAPP_MISSING_YUM_PLUGINS`
+  - **Solves:** Required DNF plugins are not being loaded.
+- `LEAPP_MULTIPLE_KERNELS`
+  - **Solves:** Multiple kernels installed.
+- `LEAPP_NEWEST_KERNEL_NOT_IN_USE`
+  - **Solves:** Newest installed kernel not in use.
+- `LEAPP_NFS_DETECTED`
+  - **Solves:** Use of NFS detected. Upgrade can't proceed.
+- `LEAPP_NON_PERSISTENT_PARTITIONS`
+  - **Solves:** Detected partitions mounted in a non-persistent fashion, preventing a successful in-place upgrade.
+- `LEAPP_NON_STANDARD_OPENSSL_CONFIG`
+  - **Solves:** Non-standard configuration of openssl.cnf.
+- `LEAPP_OLD_POSTGRESQL_DATA`
+  - **Solves:** Old PostgreSQL data found in `/var/lib/pgsql/data`.
+- `LEAPP_PARTITIONS_WITH_NOEXEC`
+  - **Solves:** Detected partitions mounted with the `noexec` option, preventing a successful in-place upgrade.
+- `LEAPP_RELATIVE_SYMLINKS`
+  - **Solves:** Upgrade requires links in root directory to be relative
+- `LEAPP_RPMS_WITH_RSA_SHA1_DETECTED`
+  - **Solves:** Detected RPMs with RSA/SHA1 signature.
+- `LEAPP_UNAVAILABLE_KDE`
+  - **Solves:** The installed KDE environment is unavailable on RHEL 8.
+- `LEAPP_VDO_CHECK_NEEDED`
+  - **Solves:** Cannot perform the VDO check of block devices.
+
+## Example playbook
+
+See [`remediate.yml`](../../playbooks/remediate.yml).
+
+## Authors
+
+Peter Zdravecký
+
+## License
+
+MIT

roles/remediate/defaults/main.yml

@@ -0,0 +1,29 @@
+---
+# defaults file for remedations
+
+leapp_report_location: "/var/log/leapp/leapp-report.json"
+remediation_playbooks:
+  - LEAPP_CIFS_DETECTED
+  - LEAPP_CORRUPTED_GRUBENV_FILE
+  - LEAPP_CUSTOM_NETWORK_SCRIPTS_DETECTED
+  - LEAPP_DEPRECATED_SSHD_DIRECTIVE
+  - LEAPP_FIREWALLD_ALLOWZONEDRIFTING
+  - LEAPP_FIREWALLD_UNSUPPORTED_TFTP_CLIENT
+  - LEAPP_LOADED_REMOVED_KERNEL_DRIVERS
+  - LEAPP_MISSING_EFIBOOTMGR
+  - LEAPP_MISSING_PKG
+  - LEAPP_MISSING_YUM_PLUGINS
+  - LEAPP_MULTIPLE_KERNELS
+  - LEAPP_NEWEST_KERNEL_NOT_IN_USE
+  - LEAPP_NFS_DETECTED
+  - LEAPP_NON_PERSISTENT_PARTITIONS
+  - LEAPP_NON_STANDARD_OPENSSL_CONFIG
+  - LEAPP_OLD_POSTGRESQL_DATA
+  - LEAPP_PARTITIONS_WITH_NOEXEC
+  - LEAPP_RELATIVE_SYMLINKS
+  - LEAPP_RPMS_WITH_RSA_SHA1_DETECTED
+  - LEAPP_UNAVAILABLE_KDE
+  - LEAPP_VDO_CHECK_NEEDED
+remediation_toto: []
+
+...

roles/remediate/handlers/main.yml

@@ -0,0 +1,9 @@
+---
+# handlers file for remedations
+
+# Keep this last so it's easy to find in the job output.
+- name: The remediations are now complete
+  ansible.builtin.debug:
+    msg: "The remediations are now complete."
+
+...

roles/remediate/meta/main.yml

@@ -0,0 +1,58 @@
+---
+galaxy_info:
+  author: Peter Zdravecký
+  description: Remedetation part of the leapp process
+  company: Red Hat
+
+  # If the issue tracker for your role is not on github, uncomment the
+  # next line and provide a value
+  # issue_tracker_url: http://example.com/issue/tracker
+
+  # Choose a valid license ID from https://spdx.org - some suggested licenses:
+  # - BSD-3-Clause (default)
+  # - MIT
+  # - GPL-2.0-or-later
+  # - GPL-3.0-only
+  # - Apache-2.0
+  # - CC-BY-4.0
+  license: license MIT
+
+  min_ansible_version: "2.11"
+
+  # If this a Container Enabled role, provide the minimum Ansible Container version.
+  # min_ansible_container_version:
+
+  #
+  # Provide a list of supported platforms, and for each platform a list of versions.
+  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+  # To view available platforms and versions (or releases), visit:
+  # https://galaxy.ansible.com/api/v1/platforms/
+  #
+  platforms:
+    - name: EL
+      versions:
+        - "6"
+        - "7"
+        - "8"
+        - "9"
+  #   - 25
+  # - name: SomePlatform
+  #   versions:
+  #   - all
+  #   - 1.0
+  #   - 7
+  #   - 99.99
+
+  galaxy_tags: []
+  # List tags for your role here, one per line. A tag is a keyword that describes
+  # and categorizes the role. Users find roles by searching for tags. Be sure to
+  # remove the '[]' above, if you add tags to this list.
+  #
+  # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+  #       Maximum 20 tags per role.
+
+dependencies: []
+# List your role dependencies here, one per line. Be sure to remove the '[]' above,
+# if you add dependencies to this list.
+
+...

roles/remediate/tasks/LEAPP_CIFS_DETECTED.yml

@@ -0,0 +1,10 @@
+---
+  - name: Comment cifs shares in /etc/fstab
+    block:
+      - name: Comment CIFS shares in /etc/fstab
+        ansible.builtin.replace:
+          path: /etc/fstab
+          regexp: (.*)cifs(.*)
+          replace: '# \1cifs\2'
+
+...

roles/remediate/tasks/LEAPP_CORRUPTED_GRUBENV_FILE.yml

@@ -0,0 +1,59 @@
+---
+  - name: Detected a corrupted grubenv file
+    vars:
+      entry_title: Detected a corrupted grubenv file
+      leapp_report_location: /var/log/leapp/leapp-report.json
+    block:
+      - name: Check that the leapp-report.json exists
+        ansible.builtin.stat:
+          path: '{{ leapp_report_location }}'
+        register: leapp_report_stat
+
+      - name: End play if no leapp report exists
+        ansible.builtin.meta: end_play
+        when: leapp_report_stat.stat.exists is false
+
+      - name: Read leapp report
+        ansible.builtin.slurp:
+          src: '{{ leapp_report_location }}'
+        register: leappreport
+
+      - name: Parse leapp report to json
+        ansible.builtin.set_fact:
+          leappreportdata: '{{ leappreport.content | b64decode | from_json }}'
+
+      - name: Find matching entries
+        ansible.builtin.set_fact:
+          hint: "{{ item.detail.remediations | selectattr('type', 'eq', 'hint') | first }}"
+        loop: '{{ leappreportdata.entries }}'
+        when: item.title is match(entry_title) and (item.detail.remediations | selectattr('type', 'eq', 'hint') | length > 0)
+
+      - name: Extract file(s) using regex
+        ansible.builtin.set_fact:
+          files_grub: "{{ hint.context | regex_findall('Delete (.+?) file', '\\1') | first | split(',') | map('trim') }}"
+
+      - name: Backup file(s)
+        ansible.builtin.copy:
+          src: '{{ item }}'
+          dest: '{{ item }}.backup'
+        with_items: '{{ files_grub }}'
+
+      - name: Find grub.cfg file
+        ansible.builtin.command: find /boot -name 'grub.cfg'
+        register: grub_cfg_path
+
+      - name: Backup grub.cfg file
+        ansible.builtin.copy:
+          src: '{{ grub_cfg_path.stdout }}'
+          dest: '{{ grub_cfg_path.stdout }}.backup'
+
+      - name: Delete file(s)
+        ansible.builtin.file:
+          path: '{{ item }}'
+          state: absent
+        with_items: '{{ files_grub }}'
+
+      - name: Regenerate grub config
+        ansible.builtin.command: grub2-mkconfig -o {{ grub_cfg_path.stdout }}
+
+...

roles/remediate/tasks/LEAPP_CUSTOM_NETWORK_SCRIPTS_DETECTED.yml

@@ -0,0 +1,74 @@
+---
+  - name: Move custom network-scripts to NetworkManager dispatcher scripts
+    block:
+      - name: Create /opt/network-scripts/ directory if it does not exist
+        ansible.builtin.file:
+          path: /opt/network-scripts/
+          state: directory
+
+      - name: Check if pre up script exists
+        ansible.builtin.stat:
+          path: /sbin/ifup-pre-local
+        register: pre_up
+
+      - name: Check if pre down script exists
+        ansible.builtin.stat:
+          path: /sbin/ifdown-pre-local
+        register: pre_down
+
+      - name: Move scripts in /sbin to /opt/network-scripts/, end playbook if this fails
+        ansible.builtin.shell: mv /sbin/if*-local /opt/network-scripts/
+
+      - name: Create /etc/NetworkManager/dispatcher.d/20-if-local
+        ansible.builtin.copy:
+          dest: /etc/NetworkManager/dispatcher.d/20-if-local
+          content: >
+            #!/bin/bash
+
+            test -n "$DEVICE_IFACE" || exit 0
+
+            run() {
+                test -x "$1" || exit 0
+                "$1" "$DEVICE_IFACE"
+            }                
+
+            case "$2" in 
+                "up")   
+                    run /opt/network-scripts/ifup-local
+                    ;;      
+                "pre-up")
+                    run /opt/network-scripts/ifup-pre-local
+                    ;;      
+                "down") 
+                    run /opt/network-scripts/ifdown-local
+                    ;;      
+                "pre-down")
+                    run /opt/network-scripts/ifdown-pre-local
+                    ;;      
+            esac
+
+      - name: Set permissions on /etc/NetworkManager/dispatcher.d/20-if-local
+        ansible.builtin.file:
+          path: /etc/NetworkManager/dispatcher.d/20-if-local
+          owner: root
+          group: root
+          mode: +x
+
+      - name: Restore SELinux context on /etc/NetworkManager/dispatcher.d/20-if-local
+        ansible.builtin.shell: restorecon -v /etc/NetworkManager/dispatcher.d/20-if-local
+
+      - name: If pre up script exists, create symbolic link
+        ansible.builtin.file:
+          src: /etc/NetworkManager/dispatcher.d/20-if-local
+          dest: /etc/NetworkManager/dispatcher.d/pre-up.d/20-if-local
+          state: link
+        when: pre_up.stat.exists
+
+      - name: If pre down script exists, create symbolic link
+        ansible.builtin.file:
+          src: /etc/NetworkManager/dispatcher.d/20-if-local
+          dest: /etc/NetworkManager/dispatcher.d/pre-down.d/20-if-local
+          state: link
+        when: pre_down.stat.exists
+
+...

roles/remediate/tasks/LEAPP_DEPRECATED_SSHD_DIRECTIVE.yml

@@ -0,0 +1,39 @@
+---
+  - name: Remove the deprecated directives from the sshd configuration.
+    vars:
+      leapp_report_location: /var/log/leapp/leapp-report.json
+      entry_title: A deprecated directive in the sshd configuration
+    block:
+      - name: Check that the leapp-report.json with remediation command exists
+        ansible.builtin.stat:
+          path: '{{ leapp_report_location }}'
+        register: leapp_report_stat
+
+      - name: End execution of playbook if leapp report does not exist (not possible to remediate)
+        ansible.builtin.meta: end_host
+        when: leapp_report_stat.stat.exists is false
+
+      - name: Read leapp report
+        ansible.builtin.slurp:
+          src: '{{ leapp_report_location }}'
+        register: leappreport
+
+      - name: Parse leapp report to json
+        ansible.builtin.set_fact:
+          leappreportdata: '{{ leappreport.content | b64decode | from_json }}'
+
+      - name: Find matching entries
+        ansible.builtin.set_fact:
+          remediation: "{{ item.detail.remediations | selectattr('type', 'eq', 'command') | first }}"
+        loop: '{{ leappreportdata.entries }}'
+        when: item.title == entry_title and (item.detail.remediations | selectattr('type', 'eq', 'command') | list | length > 0)
+
+      - name: Output command to be executed
+        ansible.builtin.debug:
+          msg: "{{ remediation.context | join(' ') }}"
+
+      - name: Execute the remediation command - remove the deprecated directives from the sshd configuration
+        ansible.builtin.command: "{{ remediation.context | join(' ') }}"
+        when: remediation is defined
+
+...

roles/remediate/tasks/LEAPP_FIREWALLD_ALLOWZONEDRIFTING.yml

@@ -0,0 +1,11 @@
+---
+  - name: Set the "AllowZoneDrifting" in firewalld.conf to "no"
+    block:
+      - name: Set the "AllowZoneDrifting" in firewalld.conf to "no"
+        ansible.builtin.lineinfile:
+          path: /etc/firewalld/firewalld.conf
+          regexp: ^AllowZoneDrifting=.*
+          line: AllowZoneDrifting=no
+          backup: true
+
+...