Add remediate role to collection

README.md

@@ -16,6 +16,7 @@ These are the roles included in the collection. Follow the links below to see th
 - [`common`](./roles/common/) - used for local logging, mutex locking, and common vars
 - [`parse_leapp_report`](./roles/parse_leapp_report/) - reads pre-upgrade results and checks for inhibitors
 - [`upgrade`](./roles/upgrade/) - executes the Leapp OS upgrade
+- [`remediate`](./roles/remediate/) - assists in the remediation of a system
 
 ## Supported RHEL versions
 

playbooks/remediate.yml

@@ -0,0 +1,15 @@
+---
+- name: Remediate
+  hosts: all
+  strategy: free
+  become: true
+  force_handlers: true
+  vars:
+    remediation_todo:
+      - LEAPP_FIREWALLD_ALLOWZONEDRIFTING
+      - LEAPP_MISSING_PKG
+  tasks:
+    - name: Perform remediations on the system
+      ansible.builtin.import_role:
+        name: infra.leapp.remediate
+...

roles/remediate/README.md

@@ -0,0 +1,78 @@
+# Remediations
+
+The `remediation` role is to assist in the remediation of a system. This role contains multiple playbooks that can be used to remediate a system for a specific inhibitors that are found during the pre-upgrade analysis.
+
+## Role variables
+
+| Name                    | Default value         | Description                                         |
+|-------------------------|-----------------------|-----------------------------------------------------|
+| leapp_report_location   | /var/log/leapp/leapp-report.json | Location of the leapp report file.       |
+| remediation_playbooks   | see [Remediation playbooks](#remediation-playbooks) | List of available remediation playbooks.|
+| remediation_todo        | []                    | List of remediation playbooks to run.               |
+
+`remediation_todo` is a list of remediation playbooks to run. The list is empty by default. The list can be populated by the titles from [Remediation playbooks](#remediation-playbooks) section. For example:
+
+```yaml
+remediation_todo:
+  - LEAPP_CIFS_DETECTED
+  - LEAPP_CORRUPTED_GRUBENV_FILE
+```
+
+## Remediation playbooks
+
+The list of available remediation playbooks with their corresponding inhibitors titles:
+
+- `LEAPP_CIFS_DETECTED`
+  - **Solves:** Use of CIFS detected. Upgrade can't proceed.  CIFS is currently not supported by the inplace upgrade.
+- `LEAPP_CORRUPTED_GRUBENV_FILE`
+  - **Solves:** Detected a corrupted grubenv file.
+- `LEAPP_CUSTOM_NETWORK_SCRIPTS_DETECTED`
+  - **Solves:** custom network-scripts detected. RHEL 9 does not support the legacy network-scripts package that was deprecated in RHEL 8.
+- `LEAPP_DEPRECATED_SSHD_DIRECTIVE`
+  - **Solves:** A deprecated directive in the sshd configuration.
+- `LEAPP_FIREWALLD_ALLOWZONEDRIFTING`:
+  - **Solves:** Firewalld Configuration AllowZoneDrifting Is Unsupported.
+- `LEAPP_FIREWALLD_UNSUPPORTED_TFTP_CLIENT`
+  - **Solves:** Firewalld Service tftp-client Is Unsupported.
+- `LEAPP_LOADED_REMOVED_KERNEL_DRIVERS`
+  - **Solves:** Leapp detected loaded kernel drivers which have been removed in RHEL 8. Upgrade cannot proceed.
+- `LEAPP_MISSING_EFIBOOTMGR`
+  - **Solves:** efibootmgr package is required on EFI systems.
+- `LEAPP_MISSING_PKG`
+  - **Solves:** Leapp detected missing packages.
+- `LEAPP_MISSING_YUM_PLUGINS`
+  - **Solves:** Required DNF plugins are not being loaded.
+- `LEAPP_MULTIPLE_KERNELS`
+  - **Solves:** Multiple kernels installed.
+- `LEAPP_NEWEST_KERNEL_NOT_IN_USE`
+  - **Solves:** Newest installed kernel not in use.
+- `LEAPP_NFS_DETECTED`
+  - **Solves:** Use of NFS detected. Upgrade can't proceed.
+- `LEAPP_NON_PERSISTENT_PARTITIONS`
+  - **Solves:** Detected partitions mounted in a non-persistent fashion, preventing a successful in-place upgrade.
+- `LEAPP_NON_STANDARD_OPENSSL_CONFIG`
+  - **Solves:** Non-standard configuration of openssl.cnf.
+- `LEAPP_OLD_POSTGRESQL_DATA`
+  - **Solves:** Old PostgreSQL data found in `/var/lib/pgsql/data`.
+- `LEAPP_PARTITIONS_WITH_NOEXEC`
+  - **Solves:** Detected partitions mounted with the `noexec` option, preventing a successful in-place upgrade.
+- `LEAPP_RELATIVE_SYMLINKS`
+  - **Solves:** Upgrade requires links in root directory to be relative
+- `LEAPP_RPMS_WITH_RSA_SHA1_DETECTED`
+  - **Solves:** Detected RPMs with RSA/SHA1 signature.
+- `LEAPP_UNAVAILABLE_KDE`
+  - **Solves:** The installed KDE environment is unavailable on RHEL 8.
+- `LEAPP_VDO_CHECK_NEEDED`
+  - **Solves:** Cannot perform the VDO check of block devices.
+
+## Example playbook
+
+See [`remediate.yml`](../../playbooks/remediate.yml).
+
+## Authors
+
+Peter Zdravecký
+
+## License
+
+MIT

roles/remediate/defaults/main.yml

@@ -0,0 +1,28 @@
+---
+# defaults file for remedations
+
+leapp_report_location: /var/log/leapp/leapp-report.json
+remediation_playbooks:
+  - LEAPP_CIFS_DETECTED
+  - LEAPP_CORRUPTED_GRUBENV_FILE
+  - LEAPP_CUSTOM_NETWORK_SCRIPTS_DETECTED
+  - LEAPP_DEPRECATED_SSHD_DIRECTIVE
+  - LEAPP_FIREWALLD_ALLOWZONEDRIFTING
+  - LEAPP_FIREWALLD_UNSUPPORTED_TFTP_CLIENT
+  - LEAPP_LOADED_REMOVED_KERNEL_DRIVERS
+  - LEAPP_MISSING_EFIBOOTMGR
+  - LEAPP_MISSING_PKG
+  - LEAPP_MISSING_YUM_PLUGINS
+  - LEAPP_MULTIPLE_KERNELS
+  - LEAPP_NEWEST_KERNEL_NOT_IN_USE
+  - LEAPP_NFS_DETECTED
+  - LEAPP_NON_PERSISTENT_PARTITIONS
+  - LEAPP_NON_STANDARD_OPENSSL_CONFIG
+  - LEAPP_OLD_POSTGRESQL_DATA
+  - LEAPP_PARTITIONS_WITH_NOEXEC
+  - LEAPP_RELATIVE_SYMLINKS
+  - LEAPP_RPMS_WITH_RSA_SHA1_DETECTED
+  - LEAPP_UNAVAILABLE_KDE
+  - LEAPP_VDO_CHECK_NEEDED
+remediation_todo: []
+...

roles/remediate/handlers/main.yml

@@ -0,0 +1,8 @@
+---
+# handlers file for remedations
+
+# Keep this last so it's easy to find in the job output.
+- name: The remediations are now complete
+  ansible.builtin.debug:
+    msg: The remediations are now complete.
+...

roles/remediate/meta/main.yml

@@ -0,0 +1,55 @@
+---
+galaxy_info:
+  author: Peter Zdravecký
+  description: Remedetation part of the leapp process
+  company: Red Hat
+
+  # If the issue tracker for your role is not on github, uncomment the
+  # next line and provide a value
+  # issue_tracker_url: http://example.com/issue/tracker
+
+  # Choose a valid license ID from https://spdx.org - some suggested licenses:
+  # - BSD-3-Clause (default)
+  # - MIT
+  # - GPL-2.0-or-later
+  # - GPL-3.0-only
+  # - Apache-2.0
+  # - CC-BY-4.0
+  license: license MIT
+
+  min_ansible_version: "2.11"
+
+  # If this a Container Enabled role, provide the minimum Ansible Container version.
+  # min_ansible_container_version:
+
+  #
+  # Provide a list of supported platforms, and for each platform a list of versions.
+  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+  # To view available platforms and versions (or releases), visit:
+  # https://galaxy.ansible.com/api/v1/platforms/
+  #
+  platforms:
+    - name: EL
+      versions:
+        - "6"
+        - "7"
+        - "8"
+        - "9"
+  #   - 25
+  # - name: SomePlatform
+  #   versions:
+  #   - all
+  #   - 1.0
+  #   - 7
+  #   - 99.99
+
+  galaxy_tags: []
+  # List tags for your role here, one per line. A tag is a keyword that describes
+  # and categorizes the role. Users find roles by searching for tags. Be sure to
+  # remove the '[]' above, if you add tags to this list.
+  #
+  # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+  #       Maximum 20 tags per role.
+
+dependencies: []
+...

roles/remediate/tasks/LEAPP_CIFS_DETECTED.yml

@@ -0,0 +1,10 @@
+---
+- name: LEAPP_CIFS_DETECTED | Comment cifs shares in /etc/fstab
+  block:
+    - name: LEAPP_CIFS_DETECTED | Comment CIFS shares in /etc/fstab
+      ansible.builtin.replace:
+        path: /etc/fstab
+        regexp: (.*)cifs(.*)
+        replace: "# \\1cifs\\2"
+
+...

roles/remediate/tasks/LEAPP_CORRUPTED_GRUBENV_FILE.yml

@@ -0,0 +1,64 @@
+---
+- name: LEAPP_CORRUPTED_GRUBENV_FILE | Detected a corrupted grubenv file
+  vars:
+    entry_title: Detected a corrupted grubenv file
+    leapp_report_location: /var/log/leapp/leapp-report.json
+  block:
+    - name: LEAPP_CORRUPTED_GRUBENV_FILE | Check that the leapp-report.json exists
+      ansible.builtin.stat:
+        path: "{{ leapp_report_location }}"
+      register: leapp_report_stat
+
+    - name: LEAPP_CORRUPTED_GRUBENV_FILE | End play if no leapp report exists
+      ansible.builtin.meta: end_play
+      when: leapp_report_stat.stat.exists is false
+
+    - name: LEAPP_CORRUPTED_GRUBENV_FILE | Read leapp report
+      ansible.builtin.slurp:
+        src: "{{ leapp_report_location }}"
+      register: leappreport
+
+    - name: LEAPP_CORRUPTED_GRUBENV_FILE | Parse leapp report to json
+      ansible.builtin.set_fact:
+        leappreportdata: "{{ leappreport.content | b64decode | from_json }}"
+
+    - name: LEAPP_CORRUPTED_GRUBENV_FILE | Find matching entries
+      ansible.builtin.set_fact:
+        hint: "{{ item.detail.remediations | selectattr('type', 'eq', 'hint') | first }}"
+      loop: "{{ leappreportdata.entries }}"
+      when: item.title is match(entry_title) and (item.detail.remediations | selectattr('type', 'eq', 'hint') | length > 0)
+
+    - name: LEAPP_CORRUPTED_GRUBENV_FILE | Extract file(s) using regex
+      ansible.builtin.set_fact:
+        files_grub: "{{ hint.context | regex_findall('Delete (.+?) file', '\\1') | first | split(',') | map('trim') }}"
+
+    - name: LEAPP_CORRUPTED_GRUBENV_FILE | Backup file(s)
+      ansible.builtin.copy:
+        src: "{{ item }}"
+        dest: "{{ item }}.backup"
+        mode: "0644"
+      with_items: "{{ files_grub }}"
+
+    - name: LEAPP_CORRUPTED_GRUBENV_FILE | Find grub.cfg file
+      ansible.builtin.command: find /boot -name 'grub.cfg'
+      register: grub_cfg_path
+      changed_when: grub_cfg_path.rc == 0
+
+    - name: LEAPP_CORRUPTED_GRUBENV_FILE | Backup grub.cfg file
+      ansible.builtin.copy:
+        src: "{{ grub_cfg_path.stdout }}"
+        dest: "{{ grub_cfg_path.stdout }}.backup"
+        mode: "0644"
+
+    - name: LEAPP_CORRUPTED_GRUBENV_FILE | Delete file(s)
+      ansible.builtin.file:
+        path: "{{ item }}"
+        state: absent
+      with_items: "{{ files_grub }}"
+
+    - name: LEAPP_CORRUPTED_GRUBENV_FILE | Regenerate grub config
+      ansible.builtin.command: grub2-mkconfig -o {{ grub_cfg_path.stdout }}
+      register: grub_mkconfig
+      changed_when: grub_mkconfig.rc == 0
+
+...

roles/remediate/tasks/LEAPP_CUSTOM_NETWORK_SCRIPTS_DETECTED.yml

@@ -0,0 +1,80 @@
+---
+- name: LEAPP_CUSTOM_NETWORK_SCRIPTS_DETECTED | Move custom network-scripts to NetworkManager dispatcher scripts
+  block:
+    - name: LEAPP_CUSTOM_NETWORK_SCRIPTS_DETECTED | Create /opt/network-scripts/ directory if it does not exist
+      ansible.builtin.file:
+        path: /opt/network-scripts/
+        state: directory
+        mode: "0755"
+
+    - name: LEAPP_CUSTOM_NETWORK_SCRIPTS_DETECTED | Check if pre up script exists
+      ansible.builtin.stat:
+        path: /sbin/ifup-pre-local
+      register: pre_up
+
+    - name: LEAPP_CUSTOM_NETWORK_SCRIPTS_DETECTED | Check if pre down script exists
+      ansible.builtin.stat:
+        path: /sbin/ifdown-pre-local
+      register: pre_down
+
+    - name: LEAPP_CUSTOM_NETWORK_SCRIPTS_DETECTED | Move scripts in /sbin to /opt/network-scripts/, end playbook if this fails
+      ansible.builtin.shell: mv /sbin/if*-local /opt/network-scripts/
+      register: move_scripts
+      changed_when: move_scripts.rc == 0
+
+    - name: LEAPP_CUSTOM_NETWORK_SCRIPTS_DETECTED | Create /etc/NetworkManager/dispatcher.d/20-if-local
+      ansible.builtin.copy:
+        dest: /etc/NetworkManager/dispatcher.d/20-if-local
+        mode: +x
+        content: >
+          #!/bin/bash
+
+          test -n "$DEVICE_IFACE" || exit 0
+
+          run() {
+              test -x "$1" || exit 0
+              "$1" "$DEVICE_IFACE"
+          }
+
+          case "$2" in
+              "up")
+                  run /opt/network-scripts/ifup-local
+                  ;;
+              "pre-up")
+                  run /opt/network-scripts/ifup-pre-local
+                  ;;
+              "down")
+                  run /opt/network-scripts/ifdown-local
+                  ;;
+              "pre-down")
+                  run /opt/network-scripts/ifdown-pre-local
+                  ;;
+          esac
+
+    - name: LEAPP_CUSTOM_NETWORK_SCRIPTS_DETECTED | Set permissions on /etc/NetworkManager/dispatcher.d/20-if-local
+      ansible.builtin.file:
+        path: /etc/NetworkManager/dispatcher.d/20-if-local
+        owner: root
+        group: root
+        mode: +x
+
+    - name: LEAPP_CUSTOM_NETWORK_SCRIPTS_DETECTED | Restore SELinux context on /etc/NetworkManager/dispatcher.d/20-if-local
+      ansible.builtin.command: restorecon -v /etc/NetworkManager/dispatcher.d/20-if-local
+      register: restorecon
+      changed_when: restorecon.rc == 0
+
+    - name: LEAPP_CUSTOM_NETWORK_SCRIPTS_DETECTED | If pre up script exists, create symbolic link
+      ansible.builtin.file:
+        src: /etc/NetworkManager/dispatcher.d/20-if-local
+        dest: /etc/NetworkManager/dispatcher.d/pre-up.d/20-if-local
+        state: link
+      when: pre_up.stat.exists
+
+    - name: LEAPP_CUSTOM_NETWORK_SCRIPTS_DETECTED | If pre down script exists, create symbolic link
+      ansible.builtin.file:
+        src: /etc/NetworkManager/dispatcher.d/20-if-local
+        dest: /etc/NetworkManager/dispatcher.d/pre-down.d/20-if-local
+        state: link
+      when: pre_down.stat.exists
+
+...

roles/remediate/tasks/LEAPP_DEPRECATED_SSHD_DIRECTIVE.yml

@@ -0,0 +1,41 @@
+---
+- name: LEAPP_DEPRECATED_SSHD_DIRECTIVE | Remove the deprecated directives from the sshd configuration.
+  vars:
+    leapp_report_location: /var/log/leapp/leapp-report.json
+    entry_title: A deprecated directive in the sshd configuration
+  block:
+    - name: LEAPP_DEPRECATED_SSHD_DIRECTIVE | Check that the leapp-report.json with remediation command exists
+      ansible.builtin.stat:
+        path: "{{ leapp_report_location }}"
+      register: leapp_report_stat
+
+    - name: LEAPP_DEPRECATED_SSHD_DIRECTIVE | End execution of playbook if leapp report does not exist (not possible to remediate)
+      ansible.builtin.meta: end_host
+      when: leapp_report_stat.stat.exists is false
+
+    - name: LEAPP_DEPRECATED_SSHD_DIRECTIVE | Read leapp report
+      ansible.builtin.slurp:
+        src: "{{ leapp_report_location }}"
+      register: leappreport
+
+    - name: LEAPP_DEPRECATED_SSHD_DIRECTIVE | Parse leapp report to json
+      ansible.builtin.set_fact:
+        leappreportdata: "{{ leappreport.content | b64decode | from_json }}"
+
+    - name: LEAPP_DEPRECATED_SSHD_DIRECTIVE | Find matching entries
+      ansible.builtin.set_fact:
+        remediation: "{{ item.detail.remediations | selectattr('type', 'eq', 'command') | first }}"
+      loop: "{{ leappreportdata.entries }}"
+      when: item.title == entry_title and (item.detail.remediations | selectattr('type', 'eq', 'command') | list | length > 0)
+
+    - name: LEAPP_DEPRECATED_SSHD_DIRECTIVE | Output command to be executed
+      ansible.builtin.debug:
+        msg: "{{ remediation.context | join(' ') }}"
+
+    - name: LEAPP_DEPRECATED_SSHD_DIRECTIVE | Execute the remediation command - remove the deprecated directives from the sshd configuration
+      ansible.builtin.command: "{{ remediation.context | join(' ') }}"
+      when: remediation is defined
+      register: remediation_command_output
+      changed_when: remediation_command_output.rc == 0
+
+...