Merge "Conditionally install EPEL if needed"

2017-07-12 18:41:48 +00:00 · 2017-07-12 18:41:48 +00:00 · 3fe83a0d24
commit 3fe83a0d24
parent e4142c2894 a64c833a71
6 changed files with 48 additions and 7 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -28,6 +28,12 @@ cache_timeout: 600
 # Options are 'present' and 'latest'
 security_package_state: present

+## EPEL
+# Set the following variable to `no` to prevent the EPEL repository from being
+# installed by the role. This may prevent certain packages from installing,
+# such as ClamAV.
+security_epel_install_repository: yes
+
 ###############################################################################
 #   ____  _   _ _____ _        __     ____ _____ ___ ____
 #  |  _ \| | | | ____| |      / /_   / ___|_   _|_ _/ ___|
--- a/doc/metadata/rhel7/V-72213.rst
+++ b/doc/metadata/rhel7/V-72213.rst
@ -18,3 +18,9 @@ variable:
 .. code-block:: yaml

    security_enable_virus_scanner: yes
+
+.. warning::
+
+    The ClamAV packages are provided in the EPEL repository. Setting the
+    ``security_enable_virus_scanner`` will also cause the EPEL repository to
+    be installed by the role.
--- a/releasenotes/notes/conditionally-install-epel-9e8e1b67e5943019.yaml
+++ b/releasenotes/notes/conditionally-install-epel-9e8e1b67e5943019.yaml
@ -0,0 +1,16 @@
+---
+upgrade:
+  - |
+    The EPEL repository is only installed and configured when the deployer sets
+    ``security_enable_virus_scanner`` to ``yes``. This allows the ClamAV
+    packages to be installed. If ``security_enable_virus_scanner`` is set to
+    ``no`` (the default), the EPEL repository will not be added.
+
+    See
+    `Bug 1702167 <https://bugs.launchpad.net/openstack-ansible/+bug/1702167>`_
+    for more details.
+  - |
+    Deployers now have the option to prevent the EPEL repository from being
+    installed by the role. Setting ``security_epel_install_repository`` to
+    ``no`` prevents EPEL from being installed. This setting may prevent certain
+    packages from installing, such as ClamAV.
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -52,11 +52,4 @@
    tags:
      - always

-  - name: Install EPEL repository
-    yum:
-      name: epel-release
-      state: "{{ security_package_state }}"
-    when:
-      - ansible_pkg_mgr == 'yum'
-
  - include: "{{ stig_version }}stig/main.yml"
--- a/tasks/rhel6stig/main.yml
+++ b/tasks/rhel6stig/main.yml
@ -13,6 +13,13 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

+  - name: Install EPEL repository
+    yum:
+      name: epel-release
+      state: "{{ security_package_state }}"
+    when:
+      - ansible_pkg_mgr == 'yum'
+
  - include: apt.yml
    static: no
    when: ansible_pkg_mgr == 'apt'
--- a/tasks/rhel7stig/main.yml
+++ b/tasks/rhel7stig/main.yml
@ -51,6 +51,19 @@
  tags:
    - always

+# NOTE(mhayden): EPEL is only needed for the clamav packages. We should only
+# install EPEL if the deployer asked for clamav to be installed.
+- name: Install EPEL repository
+  yum:
+    name: epel-release
+    state: "{{ security_package_state }}"
+  when:
+    - ansible_pkg_mgr == 'yum'
+    - security_epel_install_repository | bool
+    - security_enable_virus_scanner | bool
+  tags:
+    - always
+
 # Package installations and removals must come first so that configuration
 # changes can be made later.
 - include: packages.yml