Add remediate role to collection (#150)

* Add remediate role to collection

* Change name of the playbooks from upper to lower case.

* Update remediation role to work only on RHEL 8

* Fix the playbooks commands, update readme with required reboot, replace reboot commands

* Add changelog fragment for remediation role

---------

Co-authored-by: Peter Zdravecký <[email protected]>

README.md

@@ -16,6 +16,7 @@ These are the roles included in the collection. Follow the links below to see th
 - [`common`](./roles/common/) - used for local logging, mutex locking, and common vars
 - [`parse_leapp_report`](./roles/parse_leapp_report/) - reads pre-upgrade results and checks for inhibitors
 - [`upgrade`](./roles/upgrade/) - executes the Leapp OS upgrade
+- [`remediate`](./roles/remediate/) - assists in the remediation of a system (RHEL 8 only)
 
 ## Supported RHEL versions
 

changelogs/fragments/add_remediation__role.yml

@@ -0,0 +1,4 @@
+---
+major_changes:
+  - Add remediation role to remediate the system based on available remediation playbooks.
+...

playbooks/remediate.yml

@@ -0,0 +1,15 @@
+---
+- name: Remediate
+  hosts: all
+  strategy: free
+  become: true
+  force_handlers: true
+  vars:
+    remediation_todo:
+      - leapp_firewalld_allowzonedrifting
+      - leapp_missing_pkg
+  tasks:
+    - name: Perform remediations on the system
+      ansible.builtin.import_role:
+        name: infra.leapp.remediate
+...

roles/remediate/README.md

@@ -0,0 +1,80 @@
+# Remediations
+
+**IMPORTANT:** This role is only supported for RHEL 8 systems.
+
+The `remediation` role is to assist in the remediation of a system. This role contains multiple playbooks that can be used to remediate a system for a specific inhibitors that are found during the pre-upgrade analysis.
+
+## Role variables
+
+| Name                    | Default value         | Description                                         |
+|-------------------------|-----------------------|-----------------------------------------------------|
+| leapp_report_location   | /var/log/leapp/leapp-report.json | Location of the leapp report file.       |
+| remediation_playbooks   | see [Remediation playbooks](#remediation-playbooks) | List of available remediation playbooks.|
+| remediation_todo        | []                    | List of remediation playbooks to run.               |
+
+`remediation_todo` is a list of remediation playbooks to run. The list is empty by default. The list can be populated by the titles from [Remediation playbooks](#remediation-playbooks) section. For example:
+
+```yaml
+remediation_todo:
+  - leapp_cifs_detected
+  - leapp_corrupted_grubenv_file
+```
+
+## Remediation playbooks
+
+The list of available remediation playbooks with their corresponding inhibitors titles:
+
+- `leapp_cifs_detected`
+  - **Solves:** Use of CIFS detected. Upgrade can't proceed.  CIFS is currently not supported by the inplace upgrade.
+- `leapp_corrupted_grubenv_file`
+  - **Solves:** Detected a corrupted grubenv file.
+- `leapp_custom_network_scripts_detected`
+  - **Solves:** custom network-scripts detected. RHEL 9 does not support the legacy network-scripts package that was deprecated in RHEL 8.
+- `leapp_deprecated_sshd_directive`
+  - **Solves:** A deprecated directive in the sshd configuration.
+- `leapp_firewalld_allowzonedrifting`:
+  - **Solves:** Firewalld Configuration AllowZoneDrifting Is Unsupported.
+- `leapp_firewalld_unsupported_tftp_client`
+  - **Solves:** Firewalld Service tftp-client Is Unsupported.
+- `leapp_loaded_removed_kernel_drivers`
+  - **Solves:** Leapp detected loaded kernel drivers which have been removed in RHEL 8. Upgrade cannot proceed.
+- `leapp_missing_efibootmgr`
+  - **Solves:** efibootmgr package is required on EFI systems.
+- `leapp_missing_pkg`
+  - **Solves:** Leapp detected missing packages.
+- `leapp_missing_yum_plugins`
+  - **Solves:** Required DNF plugins are not being loaded.
+- `leapp_multiple_kernels`
+  - **Solves:** Multiple kernels installed. **Requires reboot.**
+- `leapp_newest_kernel_not_in_use`
+  - **Solves:** Newest installed kernel not in use. **Requires reboot.**
+- `leapp_nfs_detected`
+  - **Solves:** Use of NFS detected. Upgrade can't proceed.
+- `leapp_non_persistent_partitions`
+  - **Solves:** Detected partitions mounted in a non-persistent fashion, preventing a successful in-place upgrade.
+- `leapp_non_standard_openssl_config`
+  - **Solves:** Non-standard configuration of openssl.cnf.
+- `leapp_old_postgresql_data`
+  - **Solves:** Old PostgreSQL data found in `/var/lib/pgsql/data`.
+- `leapp_partitions_with_noexec`
+  - **Solves:** Detected partitions mounted with the `noexec` option, preventing a successful in-place upgrade.
+- `leapp_relative_symlinks`
+  - **Solves:** Upgrade requires links in root directory to be relative
+- `leapp_rpms_with_rsa_sha1_detected`
+  - **Solves:** Detected RPMs with RSA/SHA1 signature.
+- `leapp_unavailable_kde`
+  - **Solves:** The installed KDE environment is unavailable on RHEL 8.
+- `leapp_vdo_check_needed`
+  - **Solves:** Cannot perform the VDO check of block devices.
+
+## Example playbook
+
+See [`remediate.yml`](../../playbooks/remediate.yml).
+
+## Authors
+
+Peter Zdravecký
+
+## License
+
+MIT

roles/remediate/defaults/main.yml

@@ -0,0 +1,29 @@
+---
+# defaults file for remedations
+
+post_reboot_delay: 120
+leapp_report_location: /var/log/leapp/leapp-report.json
+remediation_playbooks:
+  - leapp_cifs_detected
+  - leapp_corrupted_grubenv_file
+  - leapp_custom_network_scripts_detected
+  - leapp_deprecated_sshd_directive
+  - leapp_firewalld_allowzonedrifting
+  - leapp_firewalld_unsupported_tftp_client
+  - leapp_loaded_removed_kernel_drivers
+  - leapp_missing_efibootmgr
+  - leapp_missing_pkg
+  - leapp_missing_yum_plugins
+  - leapp_multiple_kernels
+  - leapp_newest_kernel_not_in_use
+  - leapp_nfs_detected
+  - leapp_non_persistent_partitions
+  - leapp_non_standard_openssl_config
+  - leapp_old_postgresql_data
+  - leapp_partitions_with_noexec
+  - leapp_relative_symlinks
+  - leapp_rpms_with_rsa_sha1_detected
+  - leapp_unavailable_kde
+  - leapp_vdo_check_needed
+remediation_todo: []
+...

roles/remediate/handlers/main.yml

@@ -0,0 +1,8 @@
+---
+# handlers file for remedations
+
+# Keep this last so it's easy to find in the job output.
+- name: The remediations are now complete
+  ansible.builtin.debug:
+    msg: The remediations are now complete.
+...

roles/remediate/meta/main.yml

@@ -0,0 +1,52 @@
+---
+galaxy_info:
+  author: Peter Zdravecký
+  description: Remedetation part of the leapp process
+  company: Red Hat
+
+  # If the issue tracker for your role is not on github, uncomment the
+  # next line and provide a value
+  # issue_tracker_url: http://example.com/issue/tracker
+
+  # Choose a valid license ID from https://spdx.org - some suggested licenses:
+  # - BSD-3-Clause (default)
+  # - MIT
+  # - GPL-2.0-or-later
+  # - GPL-3.0-only
+  # - Apache-2.0
+  # - CC-BY-4.0
+  license: license MIT
+
+  min_ansible_version: "2.14"
+
+  # If this a Container Enabled role, provide the minimum Ansible Container version.
+  # min_ansible_container_version:
+
+  #
+  # Provide a list of supported platforms, and for each platform a list of versions.
+  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+  # To view available platforms and versions (or releases), visit:
+  # https://galaxy.ansible.com/api/v1/platforms/
+  #
+  platforms:
+    - name: EL
+      versions:
+        - "8"
+  #   - 25
+  # - name: SomePlatform
+  #   versions:
+  #   - all
+  #   - 1.0
+  #   - 7
+  #   - 99.99
+
+  galaxy_tags: []
+  # List tags for your role here, one per line. A tag is a keyword that describes
+  # and categorizes the role. Users find roles by searching for tags. Be sure to
+  # remove the '[]' above, if you add tags to this list.
+  #
+  # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+  #       Maximum 20 tags per role.
+
+dependencies: []
+...

roles/remediate/tasks/leapp_cifs_detected.yml

@@ -0,0 +1,10 @@
+---
+- name: leapp_cifs_detected | Comment cifs shares in /etc/fstab
+  block:
+    - name: leapp_cifs_detected | Comment CIFS shares in /etc/fstab
+      ansible.builtin.replace:
+        path: /etc/fstab
+        regexp: (.*)cifs(.*)
+        replace: "# \\1cifs\\2"
+
+...

roles/remediate/tasks/leapp_corrupted_grubenv_file.yml

@@ -0,0 +1,68 @@
+---
+- name: leapp_corrupted_grubenv_file | Detected a corrupted grubenv file
+  vars:
+    entry_title: Detected a corrupted grubenv file
+    leapp_report_location: /var/log/leapp/leapp-report.json
+  block:
+    - name: leapp_corrupted_grubenv_file | Check that the leapp-report.json exists
+      ansible.builtin.stat:
+        path: "{{ leapp_report_location }}"
+      register: leapp_report_stat
+
+    - name: leapp_corrupted_grubenv_file | End play if no leapp report exists
+      ansible.builtin.meta: end_host
+      when: leapp_report_stat.stat.exists is false
+
+    - name: leapp_corrupted_grubenv_file | Read leapp report
+      ansible.builtin.slurp:
+        src: "{{ leapp_report_location }}"
+      register: leappreport
+
+    - name: leapp_corrupted_grubenv_file | Parse leapp report to json
+      ansible.builtin.set_fact:
+        leappreportdata: "{{ leappreport.content | b64decode | from_json }}"
+
+    - name: leapp_corrupted_grubenv_file | Find matching entries
+      ansible.builtin.set_fact:
+        hint: "{{ item.detail.remediations | selectattr('type', 'eq', 'hint') | first }}"
+      loop: "{{ leappreportdata.entries }}"
+      when: item.title is match(entry_title) and (item.detail.remediations | selectattr('type', 'eq', 'hint') | length > 0)
+
+    - name: leapp_corrupted_grubenv_file | End execution of playbook if no entry found in leapp report
+      ansible.builtin.meta: end_host
+      when: hint is not defined
+
+    - name: leapp_corrupted_grubenv_file | Extract file(s) using regex
+      ansible.builtin.set_fact:
+        files_grub: "{{ hint.context | regex_findall('Delete (.+?) file', '\\1') | first | split(',') | map('trim') }}"
+
+    - name: leapp_corrupted_grubenv_file | Backup file(s)
+      ansible.builtin.copy:
+        src: "{{ item }}"
+        dest: "{{ item }}.backup"
+        mode: "0644"
+      with_items: "{{ files_grub }}"
+
+    - name: leapp_corrupted_grubenv_file | Find grub.cfg file
+      ansible.builtin.command: find /boot -name 'grub.cfg'
+      register: grub_cfg_path
+      changed_when: grub_cfg_path.rc == 0
+
+    - name: leapp_corrupted_grubenv_file | Backup grub.cfg file
+      ansible.builtin.copy:
+        src: "{{ grub_cfg_path.stdout }}"
+        dest: "{{ grub_cfg_path.stdout }}.backup"
+        mode: "0644"
+
+    - name: leapp_corrupted_grubenv_file | Delete file(s)
+      ansible.builtin.file:
+        path: "{{ item }}"
+        state: absent
+      with_items: "{{ files_grub }}"
+
+    - name: leapp_corrupted_grubenv_file | Regenerate grub config
+      ansible.builtin.command: grub2-mkconfig -o {{ grub_cfg_path.stdout }}
+      register: grub_mkconfig
+      changed_when: grub_mkconfig.rc == 0
+
+...

roles/remediate/tasks/leapp_custom_network_scripts_detected.yml

@@ -0,0 +1,80 @@
+---
+- name: leapp_custom_network_scripts_detected | Move custom network-scripts to NetworkManager dispatcher scripts
+  block:
+    - name: leapp_custom_network_scripts_detected | Create /opt/network-scripts/ directory if it does not exist
+      ansible.builtin.file:
+        path: /opt/network-scripts/
+        state: directory
+        mode: "0755"
+
+    - name: leapp_custom_network_scripts_detected | Check if pre up script exists
+      ansible.builtin.stat:
+        path: /sbin/ifup-pre-local
+      register: pre_up
+
+    - name: leapp_custom_network_scripts_detected | Check if pre down script exists
+      ansible.builtin.stat:
+        path: /sbin/ifdown-pre-local
+      register: pre_down
+
+    - name: leapp_custom_network_scripts_detected | Move scripts in /sbin to /opt/network-scripts/, end playbook if this fails
+      ansible.builtin.command: mv /sbin/if*-local /opt/network-scripts/
+      register: move_scripts
+      changed_when: move_scripts.rc == 0
+
+    - name: leapp_custom_network_scripts_detected | Create /etc/NetworkManager/dispatcher.d/20-if-local
+      ansible.builtin.copy:
+        dest: /etc/NetworkManager/dispatcher.d/20-if-local
+        mode: +x
+        content: >
+          #!/bin/bash
+
+          test -n "$DEVICE_IFACE" || exit 0
+
+          run() {
+              test -x "$1" || exit 0
+              "$1" "$DEVICE_IFACE"
+          }
+
+          case "$2" in
+              "up")
+                  run /opt/network-scripts/ifup-local
+                  ;;
+              "pre-up")
+                  run /opt/network-scripts/ifup-pre-local
+                  ;;
+              "down")
+                  run /opt/network-scripts/ifdown-local
+                  ;;
+              "pre-down")
+                  run /opt/network-scripts/ifdown-pre-local
+                  ;;
+          esac
+
+    - name: leapp_custom_network_scripts_detected | Set permissions on /etc/NetworkManager/dispatcher.d/20-if-local
+      ansible.builtin.file:
+        path: /etc/NetworkManager/dispatcher.d/20-if-local
+        owner: root
+        group: root
+        mode: +x
+
+    - name: leapp_custom_network_scripts_detected | Restore SELinux context on /etc/NetworkManager/dispatcher.d/20-if-local
+      ansible.builtin.command: restorecon -v /etc/NetworkManager/dispatcher.d/20-if-local
+      register: restorecon
+      changed_when: restorecon.rc == 0
+
+    - name: leapp_custom_network_scripts_detected | If pre up script exists, create symbolic link
+      ansible.builtin.file:
+        src: /etc/NetworkManager/dispatcher.d/20-if-local
+        dest: /etc/NetworkManager/dispatcher.d/pre-up.d/20-if-local
+        state: link
+      when: pre_up.stat.exists
+
+    - name: leapp_custom_network_scripts_detected | If pre down script exists, create symbolic link
+      ansible.builtin.file:
+        src: /etc/NetworkManager/dispatcher.d/20-if-local
+        dest: /etc/NetworkManager/dispatcher.d/pre-down.d/20-if-local
+        state: link
+      when: pre_down.stat.exists
+
+...