
ssh_hardening - ansible_pkg wrongly selects atomic_container as packagemanager for rpm_ostree systems #855


Open
millerthegorilla opened this issue Mar 14, 2025 · 2 comments
@millerthegorilla

Description

Hi, when using ssh-hardening on an rpm_ostree system, the installation of openssh fails due to an underlying issue with the ansible_pkg module, which returns 'atomic_container' as the package manager for rpm-ostree systems, when that module only allows installation of containers and is deprecated. The correct module is rpm_ostree_pkg.
The ansible_pkg module exposes a configuration override (ansible_package_use) where one can specify the exact package manager used in those instances, as per the reply to my issue opened in ansible.
ansible/ansible#84820

ansible_package_use: '{{ ansible_facts.pkg_mgr if ansible_facts.pkg_mgr != "atomic_container" else "community.general.rpm_ostree_pkg" }}'

I can make a pull request to fix the underlying issue if necessary.

Reproduction steps

...
- hosts: "{{ hostvars['localhost']['remote_ip'] }}"
  remote_user: core
  become: yes
  roles:
    - role: devsec.hardening.ssh_hardening

Current Behavior

...
ssh_hardening fails when trying to install openssh, as the atomic_container package manager is not capable of installing packages (it only installs containers).

Expected Behavior

...
For ssh_hardening to continue and complete, including checking that openssh is installed and installing it if necessary

OS / Environment

ansible-playbook running on a Fedora Silverblue VM provisioning a CoreOS install on a Raspberry Pi.

Ansible Version

ansible [core 2.18.3]
  config file = /var/home/user/src/motioncore/ansible.cfg
  configured module search path = ['/var/home/user/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /var/home/user/src/motioncore/.motioncore_venv/lib64/python3.13/site-packages/ansible
  ansible collection location = /var/home/user/.ansible/collections:/usr/share/ansible/collections
  executable location = /var/home/user/src/motioncore/.motioncore_venv/bin/ansible
  python version = 3.13.2 (main, Feb  4 2025, 00:00:00) [GCC 14.2.1 20250110 (Red Hat 14.2.1-7)] (/var/home/user/src/motioncore/.motioncore_venv/bin/python)
  jinja version = 3.1.6
  libyaml = True

Collection Version

10.3.0

Additional information

...
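The reporter's reproduction play with the ansible_package_use override from the issue body applied at play level, as an added example that is not code from the issue or from the devsec.hardening collection. The `remote_ip` inventory variable is taken from the report; the debug and assert pre-tasks are assumptions added here so the play stops before the role would hand a package install to a module that only manages containers.

```yaml
# Added example, not code from the issue or the devsec.hardening collection.
# Assumptions: remote_ip is set on localhost in the inventory (as in the
# report) and fact gathering populates ansible_facts.pkg_mgr on the target.
- hosts: "{{ hostvars['localhost']['remote_ip'] }}"
  remote_user: core
  become: yes
  gather_facts: yes   # the override below reads ansible_facts.pkg_mgr
  vars:
    # Keep the detected manager everywhere except rpm-ostree hosts, where the
    # fact reports atomic_container, a module that only installs containers.
    ansible_package_use: "{{ ansible_facts.pkg_mgr if ansible_facts.pkg_mgr != 'atomic_container' else 'community.general.rpm_ostree_pkg' }}"
  pre_tasks:
    - name: Show which module the generic package action will resolve to
      ansible.builtin.debug:
        msg: "pkg_mgr fact is {{ ansible_facts.pkg_mgr }}; package tasks will use {{ ansible_package_use }}"

    - name: Stop early if package tasks would still hit the container-only manager
      ansible.builtin.assert:
        that:
          - ansible_package_use != 'atomic_container'
        fail_msg: "atomic_container cannot install packages; point ansible_package_use at community.general.rpm_ostree_pkg"
  roles:
    - role: devsec.hardening.ssh_hardening
```

On an rpm-ostree host the package is layered into a new deployment, so the host must reboot before the newly installed openssh is in use; the last comment in the thread covers that with a custom action plugin that installs and then reboots.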

@sdwilsh
Contributor

sdwilsh commented May 12, 2025

Another workaround: if the packages are already installed, you can set ansible_package_use: ansible.builtin.dnf for the host/group, and dnf will realize they are already installed and carry on.

@millerthegorilla
Author

I ended up opening an issue against ansible_pkg, which resulted in a pull request and code changes that allow ansible_package_use to function with custom action plugins. It's then relatively trivial to write a custom action plugin that installs the package and then reboots.

ansible/ansible#85021 (comment)
