Merge pull request #1582 from edx/jarv/security-role

switches the security task file to a role that is included by common

Merge pull request #1582 from edx/jarv/security-role
switches the security task file to a role that is included by common
3ea24ec6 · John Jarvis · 3bb7c9d4 · 7d896c0a · 3ea24ec6 · 3ea24ec6
Commit 3ea24ec6 authored Sep 24, 2014 by John Jarvis
6 changed files
--- a/playbooks/roles/common/meta/main.yml
+++ b/playbooks/roles/common/meta/main.yml
@@ -2,5 +2,5 @@
 dependencies:
  - role: user
    user_info: "{{ COMMON_USER_INFO }}"
-
-
+  - role: security
+    when: COMMON_SECURITY_UPDATES
--- a/playbooks/roles/common/tasks/main.yml
+++ b/playbooks/roles/common/tasks/main.yml
 ---
- include: security-ubuntu.yml
-  when:
-    - COMMON_SECURITY_UPDATES|bool
-    - ansible_distribution == 'Ubuntu'    
-
 - name: Add user www-data
  # This is the default user for nginx
  user: >

--- a/playbooks/roles/security/defaults/main.yml
+++ b/playbooks/roles/security/defaults/main.yml
+---
+#
+# edX Configuration
+#
+# github:     https://github.com/edx/configuration
+# wiki:       https://github.com/edx/configuration/wiki
+# code style: https://github.com/edx/configuration/wiki/Ansible-Coding-Conventions
+# license:    https://github.com/edx/configuration/blob/master/LICENSE.TXT
+#
+##
+# Defaults for role security
+# 
+
+#
+# vars are namespace with the module name.
+#
+security_role_name: security
+
+#
+# OS packages
+#
+
+security_debian_pkgs: []
+
+security_redhat_pkgs: []
--- a/playbooks/roles/security/tasks/main.yml
+++ b/playbooks/roles/security/tasks/main.yml
+---
+#
+# edX Configuration
+#
+# github:     https://github.com/edx/configuration
+# wiki:       https://github.com/edx/configuration/wiki
+# code style: https://github.com/edx/configuration/wiki/Ansible-Coding-Conventions
+# license:    https://github.com/edx/configuration/blob/master/LICENSE.TXT
+#
+#
+#
+# Tasks for role security
+#
+# Overview:
+#
+#
+# Dependencies:
+#
+#
+# Example play:
+#
+#
+
+- include: security-ubuntu.yml
+  when:
+    - ansible_distribution == 'Ubuntu'
--- a/playbooks/roles/common/tasks/security-ubuntu.yml
+++ b/playbooks/roles/common/tasks/security-ubuntu.yml
+#### Bash security vulnerability

 - name: Check if we are vulnerable
-  shell: executable=bash env x='() { :;}; echo vulnerable'  bash -c "echo this is a test"
+  shell: executable=/bin/bash env x='() { :;}; echo vulnerable'  bash -c "echo this is a test"
  register: test_vuln

 - name: Apply bash security update if we are vulnerable
@@ -8,7 +9,7 @@
  when: "'vulnerable' in test_vuln.stdout"

 - name: Check again and fail if we are still vulnerable
-  shell: executable=bash env x='() { :;}; echo vulnerable'  bash -c "echo this is a test"
+  shell: executable=/bin/bash env x='() { :;}; echo vulnerable'  bash -c "echo this is a test"
  when: "'vulnerable' in test_vuln.stdout"
  register: test_vuln
  failed_when: "'vulnerable' in test_vuln.stdout"
--- a/playbooks/security.yml
+++ b/playbooks/security.yml
- name: Apply Upgrade for bash vulnerability in Ubuntu
+- name: Apply security role
  hosts: all
  sudo: yes
-  vars:
-    COMMON_SECURITY_UPDATES: yes
  roles:
-    - common
+    - security