From 3d1e72c4cbafead2cdcb904a376d9293b1d7b18c 2024-03-04 00:01:37
From: Branko Majic
Date: 2024-03-04 00:01:37
Subject: [PATCH] MAR-192: Drop rsyslog/logrotate configuration for ldap_server role under Debian 12 Bookworm: - Default installations of Debian 12 Bookworm no longer come with rsyslog pre-installed (and it is considered to be deprecated as default system logger under Debian 12 Bookworm).
---
diff --git a/docs/releasenotes.rst b/docs/releasenotes.rst
index 19d3015c7d0c911855736c6123bc09fff3ee971e..0c409bae0032d5dcea53ec9f53f39f5a0facef35 100644
--- a/docs/releasenotes.rst
+++ b/docs/releasenotes.rst
@@ -46,6 +46,16 @@ Dropped support for Debian 10 (Buster).
 servers. Parameter ``ntp_servers`` has been deprecated and replaced with parameter ``ntp_pools``.
+* ``ldap_server`` role
+
+ * Starting with Debian 12 Bookworm, the role no longer deploys
+ *rsyslog* and *logrotate* configuration for writing and rotating
+ the LDAP servers logs under ``/var/log/slapd.log``. Primary
+ reason is that Debian 12 Bookworm no longer installs *rsyslog* by
+ default, and it is considered to be deprecated at this point. The
+ LDAP server logs can be read via ``journalctl -u slapd`` when
+ necessary.
+
 * ``mail_server`` role
 * Parameter ``mail_server_tls_protocols`` has been dropped and
diff --git a/docs/rolereference.rst b/docs/rolereference.rst
index 5d699a4cbd9b4a8f43b07b40fc3de2c4236c4155..a21b98b6edf52cb8bd66b46e88181ab4d9b111d6 100644
--- a/docs/rolereference.rst
+++ b/docs/rolereference.rst
@@ -603,8 +603,10 @@ The role implements the following:
 * Configures TLS versions and ciphers suppported by the server.
 * Installs OpenLDAP server (package ``slapd``).
 * Configures OpenLDAP server (base DN - domain, organisation, TLS, SSF, log levels).
-* Sets-up separate log file for OpenLDAP server at ``/var/log/slapd.log`` (with
- log rotation included).
+* Sets-up separate log file for OpenLDAP server at
+ ``/var/log/slapd.log`` (with log rotation included), but *only* on
+ Debian 11 Bullseye. Starting with Debian 12 Bookworm, the use of
+ rsyslog is considered to be deprecated by Majic Ansible Roles.
 * Enables the ``misc`` LDAP schema (from ``/etc/ldap/schema/misc.ldif``). This is necessary for the mail server role.
 * Enables the ``memberof`` overlay on top of default database. The overlay is
diff --git a/roles/ldap_server/handlers/main.yml b/roles/ldap_server/handlers/main.yml
index d4a3749b9bdff6b05685ccc6270f61da23d3e076..4968d3587ba97f8f3d69b8b59b2dbc45d9c33954 100644
--- a/roles/ldap_server/handlers/main.yml
+++ b/roles/ldap_server/handlers/main.yml
@@ -4,6 +4,7 @@
 service:
 name: rsyslog
 state: restarted
+ when: "ansible_distribution_release == 'bullseye'"
 - name: Restart slapd
 service:
diff --git a/roles/ldap_server/molecule/default/tests/test_default.py b/roles/ldap_server/molecule/default/tests/test_default.py
index 7e72f017534511049532f96e942ec198a9fc318e..c40eba37ddf947e663700944c5113d468bae163d 100644
--- a/roles/ldap_server/molecule/default/tests/test_default.py
+++ b/roles/ldap_server/molecule/default/tests/test_default.py
@@ -48,42 +48,6 @@ def test_ldap_server_service(host):
 assert service.is_running
-def test_syslog_configuration(host):
- """
- Tests if syslog configuration file has been deployed, and log file was
- created correctly (and is being logged to).
- """
-
- config = host.file('/etc/rsyslog.d/slapd.conf')
- assert config.is_file
- assert config.user == 'root'
- assert config.group == 'root'
- assert config.mode == 0o644
-
- with host.sudo():
- log = host.file('/var/log/slapd.log')
- assert log.is_file
- assert 'slapd' in log.content_string
-
-
-def test_log_rotation_configuration(host):
- """
- Tests if log rotation configuration file has been deployed correctly and has
- valid syntax.
- """
-
- config = host.file('/etc/logrotate.d/slapd')
-
- assert config.is_file
- assert config.user == 'root'
- assert config.group == 'root'
- assert config.mode == 0o644
-
- with host.sudo():
-
- assert host.run('logrotate /etc/logrotate.d/slapd').rc == 0
-
-
 def test_misc_schema_presence(host):
 """
 Tests if the misc LDAP schema has been imported.
diff --git a/roles/ldap_server/molecule/default/tests/test_default_bookworm.py b/roles/ldap_server/molecule/default/tests/test_default_bookworm.py
new file mode 100644
index 0000000000000000000000000000000000000000..3348949aa120cecadbeec4cc9da2604e86f794ac
--- /dev/null
+++ b/roles/ldap_server/molecule/default/tests/test_default_bookworm.py
@@ -0,0 +1,25 @@
+import os
+
+import testinfra.utils.ansible_runner
+
+
+testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
+ os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('parameters-*-bookworm')
+
+
+def test_log_rotation_configuration(host):
+ """
+ Tests if log rotation configuration file is absent.
+ """
+
+ config = host.file('/etc/logrotate.d/slapd')
+ assert not config.exists
+
+
+def test_syslog_configuration(host):
+ """
+ Tests if syslog configuration file is absent.
+ """
+
+ config = host.file('/etc/rsyslog.d/slapd.conf')
+ assert not config.exists
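Review bot: The new tests in test_default_bookworm.py only assert that `/etc/rsyslog.d/slapd.conf` and `/etc/logrotate.d/slapd` are absent, so nothing on Bookworm verifies that slapd log output is still captured anywhere. The Bullseye counterpart checks `'slapd' in log.content_string`, and the release notes in this commit point operators at `journalctl -u slapd`, so an equivalent positive check against the journal would keep the LDAP server's log trail under test. The absence assertions also pass on a freshly built instance regardless of what the role does, which the docstrings could state. A possible additional test is sketched below; the exact journal output format on the test images should be confirmed.

```python
def test_slapd_logs_available_in_journal(host):
    """
    Tests if slapd log entries can be read from the systemd journal.
    """

    with host.sudo():
        journal = host.run('journalctl -u slapd --no-pager -n 5')

    assert journal.rc == 0
    assert 'slapd' in journal.stdout
```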
diff --git a/roles/ldap_server/molecule/default/tests/test_default_bullseye.py b/roles/ldap_server/molecule/default/tests/test_default_bullseye.py
new file mode 100644
index 0000000000000000000000000000000000000000..474a17a83b95ba8a8019801853c382fd6d34af7f
--- /dev/null
+++ b/roles/ldap_server/molecule/default/tests/test_default_bullseye.py
@@ -0,0 +1,43 @@
+import os
+
+import testinfra.utils.ansible_runner
+
+
+testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
+ os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('parameters-*-bullseye')
+
+
+def test_log_rotation_configuration(host):
+ """
+ Tests if log rotation configuration file has been deployed correctly and has
+ valid syntax.
+ """
+
+ config = host.file('/etc/logrotate.d/slapd')
+
+ assert config.is_file
+ assert config.user == 'root'
+ assert config.group == 'root'
+ assert config.mode == 0o644
+
+ with host.sudo():
+
+ assert host.run('logrotate /etc/logrotate.d/slapd').rc == 0
+
+
+def test_syslog_configuration(host):
+ """
+ Tests if syslog configuration file has been deployed, and log file was
+ created correctly (and is being logged to).
+ """
+
+ config = host.file('/etc/rsyslog.d/slapd.conf')
+ assert config.is_file
+ assert config.user == 'root'
+ assert config.group == 'root'
+ assert config.mode == 0o644
+
+ with host.sudo():
+ log = host.file('/var/log/slapd.log')
+ assert log.is_file
+ assert 'slapd' in log.content_string
diff --git a/roles/ldap_server/tasks/main.yml b/roles/ldap_server/tasks/main.yml
index 757f822f69533fdc8a6785cf1feb3cae13557fcc..efa0ce21e1bb0c3e1619351923541e4d3e6c8a60 100644
--- a/roles/ldap_server/tasks/main.yml
+++ b/roles/ldap_server/tasks/main.yml
@@ -64,6 +64,7 @@
 owner: root
 group: root
 mode: 0644
+ when: "ansible_distribution_release == 'bullseye'"
 notify:
 - Restart rsyslog
@@ -74,6 +75,7 @@
 owner: root
 group: root
 mode: 0644
+ when: "ansible_distribution_release == 'bullseye'"
 - name: Change log level for slapd
 ldap_attr:
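Review bot: In test_default_bullseye.py, `test_log_rotation_configuration` is documented as a syntax check, but `host.run('logrotate /etc/logrotate.d/slapd')` performs a real logrotate run against the deployed configuration. The two tests are now defined in the opposite order from the ones removed from test_default.py, so this run appears to come before `test_syslog_configuration` reads `/var/log/slapd.log`. Whether a rotation can actually trigger depends on the deployed logrotate configuration, which is not visible here. Debug mode, `host.run('logrotate -d /etc/logrotate.d/slapd')`, parses the file without touching the logs or the state file and removes that order dependence; confirm that its exit code still reflects configuration errors on the target version.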
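Review bot: The `when: "ansible_distribution_release == 'bullseye'"` guards added in both hunks of roles/ldap_server/tasks/main.yml (at -64 and -74) only skip deployment; nothing removes `/etc/rsyslog.d/slapd.conf` or `/etc/logrotate.d/slapd` from a host that already has them, for example one upgraded in place from Bullseye. On such a host the files stay, and the absence assertions in test_default_bookworm.py would not hold, because those tests presumably only run against fresh instances. If Bookworm hosts are meant never to carry these files, an explicit cleanup task is needed; a sketch follows. Both guarded tasks begin above the visible hunk lines, so their names and modules are not shown here.

```yaml
- name: Remove rsyslog and logrotate configuration for slapd
  file:
    path: "{{ item }}"
    state: absent
  loop:
    - /etc/rsyslog.d/slapd.conf
    - /etc/logrotate.d/slapd
  when: "ansible_distribution_release != 'bullseye'"
```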