diff --git a/defaults/main.yml b/defaults/main.yml
index 084ae8e5..584fe2c7 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -28,6 +28,12 @@ cache_timeout: 600
 # Options are 'present' and 'latest'
 security_package_state: present
+## EPEL
+# Set the following variable to `no` to prevent the EPEL repository from being
+# installed by the role. This may prevent certain packages from installing,
+# such as ClamAV.
+security_epel_install_repository: yes
+
 ###############################################################################
 # ____ _ _ _____ _ __ ____ _____ ___ ____
 # | _ \| | | | ____| | / /_ / ___|_ _|_ _/ ___|
diff --git a/doc/metadata/rhel7/V-72213.rst b/doc/metadata/rhel7/V-72213.rst
index 15fc5de4..65f17733 100644
--- a/doc/metadata/rhel7/V-72213.rst
+++ b/doc/metadata/rhel7/V-72213.rst
@@ -18,3 +18,9 @@ variable:
 .. code-block:: yaml
 security_enable_virus_scanner: yes
+
+.. warning::
+
+ The ClamAV packages are provided in the EPEL repository. Setting the
+ ``security_enable_virus_scanner`` will also cause the EPEL repository to
+ be installed by the role.
diff --git a/releasenotes/notes/conditionally-install-epel-9e8e1b67e5943019.yaml b/releasenotes/notes/conditionally-install-epel-9e8e1b67e5943019.yaml
new file mode 100644
index 00000000..e38bb050
--- /dev/null
+++ b/releasenotes/notes/conditionally-install-epel-9e8e1b67e5943019.yaml
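Review bot: The comment above `security_epel_install_repository` presents the variable as the switch that stops the role from installing EPEL, but the only task on this page that consults it is the RHEL 7 one, which additionally requires `security_enable_virus_scanner`; the RHEL 6 task added in the same commit installs `epel-release` whenever `ansible_pkg_mgr == 'yum'` without checking either variable. Nothing in the diff removes `epel-release` once it is present, so setting the variable back to `no` on a host that already received the repository leaves EPEL installed and enabled. I would have the comment state that contract explicitly, for example `# Set to no to stop the role from installing the EPEL repository (only needed for ClamAV, so on RHEL 7 it is added only when security_enable_virus_scanner is enabled).` followed by `# Changing this to no later does not remove an EPEL repository the role has already installed.`, and reconcile the RHEL 6 behaviour one way or the other.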
@@ -0,0 +1,16 @@
+---
+upgrade:
+ - |
+ The EPEL repository is only installed and configured when the deployer sets
+ ``security_enable_virus_scanner`` to ``yes``. This allows the ClamAV
+ packages to be installed. If ``security_enable_virus_scanner`` is set to
+ ``no`` (the default), the EPEL repository will not be added.
+
+ See
+ `Bug 1702167 `_
+ for more details.
+ - |
+ Deployers now have the option to prevent the EPEL repository from being
+ installed by the role. Setting ``security_epel_install_repository`` to
+ ``no`` prevents EPEL from being installed. This setting may prevent certain
+ packages from installing, such as ClamAV.
diff --git a/tasks/main.yml b/tasks/main.yml
index 6129de01..ac02466e 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -52,11 +52,4 @@
 tags:
 - always
- - name: Install EPEL repository
- yum:
- name: epel-release
- state: "{{ security_package_state }}"
- when:
- - ansible_pkg_mgr == 'yum'
-
 - include: "{{ stig_version }}stig/main.yml"
diff --git a/tasks/rhel6stig/main.yml b/tasks/rhel6stig/main.yml
index 1144473c..3afb6997 100644
--- a/tasks/rhel6stig/main.yml
+++ b/tasks/rhel6stig/main.yml
@@ -13,6 +13,13 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
+ - name: Install EPEL repository
+ yum:
+ name: epel-release
+ state: "{{ security_package_state }}"
+ when:
+ - ansible_pkg_mgr == 'yum'
+
 - include: apt.yml
 static: no
 when: ansible_pkg_mgr == 'apt'
diff --git a/tasks/rhel7stig/main.yml b/tasks/rhel7stig/main.yml
index 94cbb83c..37bf3c26 100644
--- a/tasks/rhel7stig/main.yml
+++ b/tasks/rhel7stig/main.yml
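Review bot: The `Install EPEL repository` task moved into `tasks/rhel6stig/main.yml` ignores both `security_epel_install_repository` and `security_enable_virus_scanner`, so on RHEL 6 the role still adds a third-party repository unconditionally whenever `ansible_pkg_mgr == 'yum'`, which contradicts the opt-out this same commit documents in `defaults/main.yml` and in the release note. At minimum the `when:` list should gain `- security_epel_install_repository | bool`; whether `- security_enable_virus_scanner | bool` belongs there as well depends on whether anything other than ClamAV in the RHEL 6 path is sourced from EPEL, which is not visible on this page. If EPEL genuinely has to be present unconditionally on RHEL 6, the defaults comment and the release note should say the variable only applies to RHEL 7 so deployers are not misled.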
@@ -65,6 +65,19 @@
 tags:
 - always
+# NOTE(mhayden): EPEL is only needed for the clamav packages. We should only
+# install EPEL if the deployer asked for clamav to be installed.
+- name: Install EPEL repository
+ yum:
+ name: epel-release
+ state: "{{ security_package_state }}"
+ when:
+ - ansible_pkg_mgr == 'yum'
+ - security_epel_install_repository | bool
+ - security_enable_virus_scanner | bool
+ tags:
+ - always
+
 # Package installations and removals must come first so that configuration
 # changes can be made later.
 - include: packages.yml
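Review bot: Installing `epel-release` enables the EPEL repository for every later yum transaction on the host, not only for the ClamAV packages the `NOTE(mhayden)` comment says it is needed for, so any package installed afterwards by this role or by anyone else on the system can be resolved from a third-party repository the deployer did not otherwise choose. If the ClamAV install in `packages.yml` (not visible here) can be given `enablerepo: epel`, the repo could be left disabled in `/etc/yum.repos.d/epel.repo` after `epel-release` lands and enabled only for that transaction, which keeps the widened trust surface to the packages that need it; failing that, the comment should at least state that EPEL stays enabled system-wide. The task also never reverts: `security_package_state` is documented as `present` or `latest` only, so turning `security_enable_virus_scanner` or `security_epel_install_repository` back to `no` leaves an already-installed `epel-release` in place, which is worth a sentence in the NOTE so operators do not assume the opt-out cleans up.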