Changeset - 364c0adf308e
Branko Majic (branko) - 4 years ago 2020-05-06 00:42:56
branko@majic.rs
MAR-152: Drop support for Debian 8 Jessie from the backup_client role:

- Simplify the invocation of GnuPG commands (since we don't have to
massage output formats depending on distribution version anymore).
8 files changed with 23 insertions and 128 deletions:
docs/rolereference.rst
 
@@ -2299,7 +2299,6 @@ Distribution compatibility
 

	
 
Role is compatible with the following distributions:
 

	
 
- Debian 8 (Jessie)
 
- Debian 9 (Stretch)
 

	
 

	
roles/backup_client/defaults/main.yml
 
@@ -4,20 +4,3 @@ backup_additional_encryption_keys: []
 
backup_client_username: "bak-{{ ansible_fqdn | replace('.', '_') }}"
 
backup_server_destination: /duplicity
 
backup_server_port: 2222
 

	
 
# Internal parameters.
 

	
 
# GnuPG 2 binary in Debian Jessie and Debian Stretch is different. Additionally,
 
# Debian Jessie duply configuration expects short keys, while Debian Stretch
 
# expects long keys. We set-up parameters for this here in a bit of a workaround
 
# way instead of setting facts within the playbook.
 
backup_client_gnupg_details:
 
  jessie:
 
    binary: gpg2
 
    cutoff: '8'
 
  stretch:
 
    binary: gpg
 
    cutoff: '0'
 

	
 
gnupg_binary: "{{ backup_client_gnupg_details[ansible_distribution_release]['binary'] }}"
 
gnupg_key_cutoff: "{{ backup_client_gnupg_details[ansible_distribution_release]['cutoff'] }}"
roles/backup_client/handlers/main.yml
 
@@ -23,7 +23,7 @@
 
    mode: 0700
 

	
 
- name: Import private keys
 
  command: "{{ gnupg_binary }} --no-tty --homedir /etc/duply/main/gnupg --import /etc/duply/main/private_keys.asc"
 
  command: "gpg --no-tty --homedir /etc/duply/main/gnupg --import /etc/duply/main/private_keys.asc"
 
  tags:
 
    # [ANSIBLE0012] Commands should not change things if nothing needs doing
 
    #   This task is invoked only if user is very specific about requiring to
 
@@ -32,5 +32,5 @@
 
    - skip_ansible_lint
 

	
 
- name: Import public keys
 
  command: "{{ gnupg_binary }} --no-tty --homedir /etc/duply/main/gnupg --import /etc/duply/main/public_keys.asc"
 
  command: "gpg --no-tty --homedir /etc/duply/main/gnupg --import /etc/duply/main/public_keys.asc"
 
  when: backup_additional_encryption_keys | length > 0
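Review bot: Both import handlers now run `gpg --no-tty ... --import` without `--batch`, so on GnuPG 2.x an import that wants user interaction (for example a passphrase-protected secret key handled through the agent) may wait on pinentry instead of failing. Consider `gpg --batch --no-tty --homedir /etc/duply/main/gnupg --import ...` in both the "Import private keys" and "Import public keys" commands so an unattended run fails fast. Both handlers start or end outside the visible hunks, so this is based only on the command lines shown.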
roles/backup_client/molecule/default/molecule.yml
 
@@ -18,7 +18,7 @@ lint:
 
# stupid legacy design decisions!
 
platforms:
 
  - name: backup-server
 
    box: debian/contrib-jessie64
 
    box: debian/contrib-stretch64
 
    memory: 512
 
    cpus: 1
 
    interfaces:
 
@@ -27,30 +27,6 @@ platforms:
 
        network_name: private_network
 
        type: static
 

	
 
  - name: parameters-mandatory-j64
 
    groups:
 
      - parameters-mandatory
 
    box: debian/contrib-jessie64
 
    memory: 256
 
    cpus: 1
 
    interfaces:
 
      - auto_config: true
 
        ip: 10.31.127.20
 
        network_name: private_network
 
        type: static
 

	
 
  - name: parameters-optional-j64
 
    groups:
 
      - parameters-optional
 
    box: debian/contrib-jessie64
 
    memory: 256
 
    cpus: 1
 
    interfaces:
 
      - auto_config: true
 
        ip: 10.31.127.21
 
        network_name: private_network
 
        type: static
 

	
 
  - name: parameters-mandatory-s64
 
    groups:
 
      - parameters-mandatory
roles/backup_client/molecule/default/tests/test_parameters_mandatory.py
 
@@ -64,25 +64,13 @@ def test_duply_configuration_content(host):
 

	
 
    with host.sudo():
 

	
 
        ansible_facts = host.ansible("setup")["ansible_facts"]
 

	
 
        duply_configuration = host.file('/etc/duply/main/conf')
 

	
 
        if ansible_facts['ansible_distribution_release'] == 'jessie':
 
            assert "GPG_KEYS_ENC='1A129C54'" in duply_configuration.content
 
            assert "GPG_KEY_SIGN='1A129C54'" in duply_configuration.content
 
            assert "TARGET='sftp://bak-parameters-mandatory-j64@10.31.127.10:2222//duplicity'" in duply_configuration.content
 
            assert "DUPL_PARAMS=\"$DUPL_PARAMS --ssh-backend pexpect --ssh-options='-oLogLevel=ERROR -oUserKnownHostsFile=/dev/null " \
 
                "-oGlobalKnownHostsFile=/etc/duply/main/ssh/known_hosts -oIdentityFile=/etc/duply/main/ssh/identity'\"" in duply_configuration.content
 

	
 
        elif ansible_facts['ansible_distribution_release'] == 'stretch':
 
            assert "GPG_KEYS_ENC='59C26F031A129C54'" in duply_configuration.content
 
            assert "GPG_KEY_SIGN='59C26F031A129C54'" in duply_configuration.content
 
            assert "TARGET='pexpect+sftp://bak-parameters-mandatory-s64@10.31.127.10:2222//duplicity'" in duply_configuration.content
 
            assert "DUPL_PARAMS=\"$DUPL_PARAMS --ssh-options='-oLogLevel=ERROR -oUserKnownHostsFile=/dev/null " \
 
                "-oGlobalKnownHostsFile=/etc/duply/main/ssh/known_hosts -oIdentityFile=/etc/duply/main/ssh/identity'\"" in duply_configuration.content
 
        else:
 
            raise Exception("Failed to execute content check for: %s" % ansible_facts['ansible_distribution_release'])
 
        assert "GPG_KEYS_ENC='59C26F031A129C54'" in duply_configuration.content
 
        assert "GPG_KEY_SIGN='59C26F031A129C54'" in duply_configuration.content
 
        assert "TARGET='pexpect+sftp://bak-parameters-mandatory-s64@10.31.127.10:2222//duplicity'" in duply_configuration.content
 
        assert "DUPL_PARAMS=\"$DUPL_PARAMS --ssh-options='-oLogLevel=ERROR -oUserKnownHostsFile=/dev/null " \
 
            "-oGlobalKnownHostsFile=/etc/duply/main/ssh/known_hosts -oIdentityFile=/etc/duply/main/ssh/identity'\"" in duply_configuration.content
 

	
 

	
 
def test_duply_gnupg_keyring_private_keys(host):
 
@@ -92,18 +80,7 @@ def test_duply_gnupg_keyring_private_keys(host):
 
    """
 

	
 
    with host.sudo():
 
        ansible_facts = host.ansible("setup")["ansible_facts"]
 

	
 
        if ansible_facts['ansible_distribution_release'] == 'jessie':
 
            gpg_binary = 'gpg2'
 
            key_offset = 8
 
        elif ansible_facts['ansible_distribution_release'] == 'stretch':
 
            gpg_binary = 'gpg'
 
            key_offset = 8
 
        else:
 
            raise Exception("Failed to execute check for distribution release: %s" % ansible_facts['ansible_distribution_release'])
 

	
 
        private_key_listing = host.run('%s --homedir /etc/duply/main/gnupg --list-public-keys' % gpg_binary)
 
        private_key_listing = host.run('gpg --homedir /etc/duply/main/gnupg --list-public-keys')
 

	
 
        assert private_key_listing.rc == 0
 
        assert '59C26F031A129C54'[key_offset:] in private_key_listing.stdout
 
        assert '59C26F031A129C54' in private_key_listing.stdout
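Review bot: `test_duply_gnupg_keyring_private_keys` lists the public keyring (`gpg --homedir /etc/duply/main/gnupg --list-public-keys`), so its assertion still passes when only the public half of the key was imported and the secret key is missing. Use the secret-key listing instead: `private_key_listing = host.run('gpg --homedir /etc/duply/main/gnupg --list-secret-keys')`. The long key ID should still match as the tail of the printed fingerprint, and adding `--keyid-format long` would make that explicit. The test of the same name in test_parameters_optional.py has the same line. The function's signature and docstring lie outside the hunk.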
roles/backup_client/molecule/default/tests/test_parameters_optional.py
 
@@ -63,24 +63,13 @@ def test_duply_configuration_content(host):
 

	
 
    with host.sudo():
 

	
 
        ansible_facts = host.ansible("setup")["ansible_facts"]
 

	
 
        duply_configuration = host.file('/etc/duply/main/conf')
 

	
 
        if ansible_facts['ansible_distribution_release'] == 'jessie':
 
            assert "TARGET='sftp://backupuser@10.31.127.10:3333//duplicity/parameters-optional-j64'" in duply_configuration.content
 
            assert "DUPL_PARAMS=\"$DUPL_PARAMS --ssh-backend pexpect --ssh-options='-oLogLevel=ERROR -oUserKnownHostsFile=/dev/null " \
 
                "-oGlobalKnownHostsFile=/etc/duply/main/ssh/known_hosts -oIdentityFile=/etc/duply/main/ssh/identity'\"" in duply_configuration.content
 
            assert "GPG_KEYS_ENC='7A4F400A,C3A9444B,28063B3F,71223B72'" in duply_configuration.content
 
            assert "GPG_KEY_SIGN='7A4F400A'" in duply_configuration.content
 
        elif ansible_facts['ansible_distribution_release'] == 'stretch':
 
            assert "GPG_KEYS_ENC='C4B2AE9F7A4F400A,3093C91BC3A9444B,86816FD928063B3F,8A14CD6C71223B72'" in duply_configuration.content
 
            assert "GPG_KEY_SIGN='C4B2AE9F7A4F400A'" in duply_configuration.content
 
            assert "TARGET='pexpect+sftp://backupuser@10.31.127.10:3333//duplicity/parameters-optional-s64'" in duply_configuration.content
 
            assert "DUPL_PARAMS=\"$DUPL_PARAMS --ssh-options='-oLogLevel=ERROR -oUserKnownHostsFile=/dev/null " \
 
                "-oGlobalKnownHostsFile=/etc/duply/main/ssh/known_hosts -oIdentityFile=/etc/duply/main/ssh/identity'\"" in duply_configuration.content
 
        else:
 
            raise Exception("Failed to execute check for distribution release: %s" % ansible_facts['ansible_distribution_release'])
 
        assert "GPG_KEYS_ENC='C4B2AE9F7A4F400A,3093C91BC3A9444B,86816FD928063B3F,8A14CD6C71223B72'" in duply_configuration.content
 
        assert "GPG_KEY_SIGN='C4B2AE9F7A4F400A'" in duply_configuration.content
 
        assert "TARGET='pexpect+sftp://backupuser@10.31.127.10:3333//duplicity/parameters-optional-s64'" in duply_configuration.content
 
        assert "DUPL_PARAMS=\"$DUPL_PARAMS --ssh-options='-oLogLevel=ERROR -oUserKnownHostsFile=/dev/null " \
 
            "-oGlobalKnownHostsFile=/etc/duply/main/ssh/known_hosts -oIdentityFile=/etc/duply/main/ssh/identity'\"" in duply_configuration.content
 

	
 

	
 
def test_duply_gnupg_keyring_private_keys(host):
 
@@ -90,21 +79,11 @@ def test_duply_gnupg_keyring_private_keys(host):
 
    """
 

	
 
    with host.sudo():
 
        ansible_facts = host.ansible("setup")["ansible_facts"]
 

	
 
        if ansible_facts['ansible_distribution_release'] == 'jessie':
 
            gpg_binary = 'gpg2'
 
            key_offset = 8
 
        elif ansible_facts['ansible_distribution_release'] == 'stretch':
 
            gpg_binary = 'gpg'
 
            key_offset = 8
 
        else:
 
            raise Exception("Failed to execute check for distribution release: %s" % ansible_facts['ansible_distribution_release'])
 

	
 
        private_key_listing = host.run('%s --homedir /etc/duply/main/gnupg --list-public-keys' % gpg_binary)
 
        private_key_listing = host.run('gpg --homedir /etc/duply/main/gnupg --list-public-keys')
 

	
 
        assert private_key_listing.rc == 0
 
        assert 'C4B2AE9F7A4F400A'[key_offset:] in private_key_listing.stdout
 
        assert 'C4B2AE9F7A4F400A' in private_key_listing.stdout
 

	
 

	
 
def test_duply_gnupg_keyring_public_keys(host):
 
@@ -114,22 +93,11 @@ def test_duply_gnupg_keyring_public_keys(host):
 
    """
 

	
 
    with host.sudo():
 
        ansible_facts = host.ansible("setup")["ansible_facts"]
 

	
 
        if ansible_facts['ansible_distribution_release'] == 'jessie':
 
            gpg_binary = 'gpg2'
 
            key_offset = 8
 
        elif ansible_facts['ansible_distribution_release'] == 'stretch':
 
            gpg_binary = 'gpg'
 
            key_offset = 8
 
        else:
 
            raise Exception("Failed to execute check for distribution release: %s" % ansible_facts['ansible_distribution_release'])
 

	
 
        public_key_listing = host.run('%s --homedir /etc/duply/main/gnupg --list-public-keys' % gpg_binary)
 
        public_key_listing = host.run('gpg --homedir /etc/duply/main/gnupg --list-public-keys')
 

	
 
        keys = ['3093C91BC3A9444B', '86816FD928063B3F', '8A14CD6C71223B72']
 

	
 
        assert public_key_listing.rc == 0
 

	
 
        for key in keys:
 
            assert key[key_offset:] in public_key_listing.stdout
 
            assert key in public_key_listing.stdout
roles/backup_client/tasks/main.yml
 
@@ -55,8 +55,8 @@
 
    - Import public keys
 

	
 
- name: Extract encryption key identifier (Duplicty requires key ID in hexadecimal format)
 
  shell: "set -o pipefail && {{ gnupg_binary }} --no-tty --list-packets /etc/duply/main/private_keys.asc | grep keyid: |
 
    head -n1 | sed -e 's/.*: //' | sed -re 's/^.{{ '{' + gnupg_key_cutoff + '}' }}//'"
 
  shell: "set -o pipefail && gpg --no-tty --list-packets /etc/duply/main/private_keys.asc | grep keyid: |
 
    head -n1 | sed -e 's/.*: //'"
 
  args:
 
    executable: /bin/bash
 
  register: backup_encryption_key_id
 
@@ -64,8 +64,8 @@
 
  failed_when: not backup_encryption_key_id.stdout
 

	
 
- name: Extract additional encryption keys identifiers (Duplicty requires key ID in hexadecimal format)
 
  shell: "set -o pipefail &&  {{ gnupg_binary }} --no-tty --list-packets /etc/duply/main/public_keys.asc | grep keyid: |
 
    sed -e 's/.*: //' | sort -u | sed -re 's/^.{{ '{' + gnupg_key_cutoff + '}' }}//' | tr '\n' ',' | sed -e 's/,$//'"
 
  shell: "set -o pipefail &&  gpg --no-tty --list-packets /etc/duply/main/public_keys.asc | grep keyid: |
 
    sed -e 's/.*: //' | sort -u | tr '\n' ',' | sed -e 's/,$//'"
 
  args:
 
    executable: /bin/bash
 
  when: backup_additional_encryption_keys | length > 0
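Review bot: With the `sed` cutoff removed, whatever `gpg --list-packets` prints after `keyid:` lands unmodified in `backup_encryption_key_id.stdout`, and the only visible check is `failed_when: not backup_encryption_key_id.stdout` at the top of the second hunk. The duply_main_conf.j2 section on this page renders that value into `GPG_KEY_SIGN='...'`, and GnuPG's manual describes `--list-packets` as a debugging command, so a format check is worth adding: `failed_when: backup_encryption_key_id.stdout is not match('^[0-9A-Fa-f]{16}$')`. The additional-keys task would need the comma-separated equivalent. Both tasks extend beyond the hunks shown.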
roles/backup_client/templates/duply_main_conf.j2
 
@@ -9,11 +9,7 @@ GPG_KEY_SIGN='{{ backup_encryption_key_id.stdout }}'
 
GPG_OPTS="--homedir /etc/duply/main/gnupg/ --trust-model always"
 

	
 
# Destination where the backups are stored at.
 
{% if ansible_distribution == 'Debian' and ansible_distribution_release == 'stretch' %}
 
TARGET='pexpect+sftp://{{ backup_client_username }}@{{ backup_server }}:{{ backup_server_port }}/{{ backup_server_destination }}'
 
{% else %}
 
TARGET='sftp://{{ backup_client_username }}@{{ backup_server }}:{{ backup_server_port }}/{{ backup_server_destination }}'
 
{% endif %}
 

	
 
# Base directory to backup (root). File selection is done via include/exclude
 
# patterns.
 
@@ -51,11 +47,7 @@ DUPL_PARAMS="$DUPL_PARAMS --use-agent"
 
# ssh-options. Use dedicated known hosts and identity file when connecting over
 
# SFTP. Using -oLogLevel=ERROR makes output a bit less verbose. This is mainly
 
# to avoid output from sftp telling us it added IP address to known_hosts.
 
{% if ansible_distribution == 'Debian' and ansible_distribution_release == 'stretch' %}
 
DUPL_PARAMS="$DUPL_PARAMS --ssh-options='-oLogLevel=ERROR -oUserKnownHostsFile=/dev/null -oGlobalKnownHostsFile=/etc/duply/main/ssh/known_hosts -oIdentityFile=/etc/duply/main/ssh/identity'"
 
{% else %}
 
DUPL_PARAMS="$DUPL_PARAMS --ssh-backend pexpect --ssh-options='-oLogLevel=ERROR -oUserKnownHostsFile=/dev/null -oGlobalKnownHostsFile=/etc/duply/main/ssh/known_hosts -oIdentityFile=/etc/duply/main/ssh/identity'"
 
{% endif %}
 

	
 
# By default we exclude everything, and then include only specific patterns.
 
DUPL_PARAMS="$DUPL_PARAMS --include-globbing-filelist /etc/duply/main/include"
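Review bot: The remaining `--ssh-options` line pins `GlobalKnownHostsFile` and points `UserKnownHostsFile` at /dev/null but never sets `StrictHostKeyChecking`. What happens when the backup server's key is missing from /etc/duply/main/ssh/known_hosts is therefore left to the ssh default and to how the pexpect backend reacts to the prompt. Adding `-oStrictHostKeyChecking=yes` to the option string makes an unknown or changed host key a hard failure. The `DUPL_PARAMS` assertions in the two molecule test files would need the same string. The template continues outside both hunks.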