From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 545F218F2FC for ; Mon, 28 Jul 2025 01:14:37 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=198.137.202.133 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1753665280; cv=none; b=KMCYXeExi2QiIzdsa8/GrgLnrAuFO6nCpWx4r2kmYnfdXDBFxaysAnaXbePqRcadpkg4/OElGGJJiB+0h2u4TD4CQyxoRze90r4agHQlff+EznYWUUbAkdYgqL4oichC3X8Vw+6hZhq620Z2IdC09+2MNmYazn1kXdB/COpnBo0= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1753665280; c=relaxed/simple; bh=wZtv82ReVl4T2fn1wlwRxUAp3obfHVm/T2VSYt8Fx40=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=D0+9ZYHunCRn9RhOzbqvYpz8x9TkWDiQVhSzKJS3or/pujcNywFtknxOWNU4QMGh2Xda3IfCZg2E5hHUcCQMAEe0SWoLnLQXh8dBPOQOCc2ddxMBHmEwMfZyHCXeibwZYNlVV8f8C8JkVxajW/r/EUKioH03pCFJWJYNElUkkmw= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=fail (p=quarantine dis=none) header.from=kernel.org; spf=none smtp.mailfrom=infradead.org; dkim=pass (2048-bit key) header.d=infradead.org header.i=@infradead.org header.b=4nMC0KRo; arc=none smtp.client-ip=198.137.202.133 Authentication-Results: smtp.subspace.kernel.org; dmarc=fail (p=quarantine dis=none) header.from=kernel.org Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=infradead.org Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=infradead.org header.i=@infradead.org header.b="4nMC0KRo" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=bombadil.20210309; h=Sender:Content-Transfer-Encoding: MIME-Version:References:In-Reply-To:Message-ID:Date:Subject:Cc:To:From: Reply-To:Content-Type:Content-ID:Content-Description; 
bh=wVWzXBxX/i0uPbfiX93ZdBAWF5UCEi3fUH+s9yz+fwM=; b=4nMC0KRokS2+gjFaPEfYXPq8e6 uvkcXzHSfmHy/PdVpC/CAFf/FKG6Ci9cd//nSKcO/exm/qKVPVkNIHOw343eQzP2wCdRkuU/Dqh4X PC5rFT5T1qtoAb046/tzMq0zzaR6tZARcD7BSPOz3WZN3DJsJg0bzQ/1efbc76qKEwBjrT69sAYPW fBRdIeDyFvZqC19yMelu55rHAWE9wItrZof65ztF+w9dWNSERDbELHUJ/GzkWIHPnKDkbLuAmh0n5 pKrUiBa1orFcdqM6oLHdWOcnCjQZZ5z3CvBqIV/lRYnNtJVsFEi2jD3zQGVb2skeYlB60zuTp+JBR geG1rRKQ==; Received: from mcgrof by bombadil.infradead.org with local (Exim 4.98.2 #2 (Red Hat Linux)) id 1ugCRo-0000000DPkb-1HQf; Mon, 28 Jul 2025 01:14:36 +0000 From: Luis Chamberlain To: Chuck Lever , Daniel Gomez , kdevops@lists.linux.dev Cc: Chuck Lever , Luis Chamberlain Subject: [PATCH v2 22/33] bootlinux: Harden update-grub/install.yml Date: Sun, 27 Jul 2025 18:14:22 -0700 Message-ID: <20250728011434.3197091-23-mcgrof@kernel.org> X-Mailer: git-send-email 2.49.0 In-Reply-To: <20250728011434.3197091-1-mcgrof@kernel.org> References: <20250728011434.3197091-1-mcgrof@kernel.org> Precedence: bulk X-Mailing-List: kdevops@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: Luis Chamberlain 
From: Chuck Lever After the kernel_release_file variable is set, ensure that subsequent tasks check whether the release file exists so they don't crap out. Address some ansible-lint complaints: - fqcn[action-core]: Use FQCN for builtin module actions (set_fact). - fqcn[action-core]: Use FQCN for builtin module actions (stat). - name[template]: Jinja templates should only be at the end of 'name' - command-instead-of-shell: Use shell only when shell functionality is required. - fqcn[action-core]: Use FQCN for builtin module actions (shell). - no-changed-when: Commands should not change things if nothing needs doing. - fqcn[action-core]: Use FQCN for builtin module actions (set_fact). - fqcn[action-core]: Use FQCN for builtin module actions (set_fact). To address "command-instead-of-shell", replace shell: cat {{ kernelrelease_file }}" with the Ansible slurp module to pull the kernel release name directly into a simple string variable. Signed-off-by: Chuck Lever Signed-off-by: Luis Chamberlain --- .../bootlinux/tasks/update-grub/install.yml | 83 ++++++++++++++----- 1 file changed, 64 insertions(+), 19 deletions(-) diff --git a/playbooks/roles/bootlinux/tasks/update-grub/install.yml b/playbooks/roles/bootlinux/tasks/update-grub/install.yml index 8402c09b..a10064ee 100644 --- a/playbooks/roles/bootlinux/tasks/update-grub/install.yml +++ b/playbooks/roles/bootlinux/tasks/update-grub/install.yml 
@@ -93,39 +93,76 @@ tags: [ 'uninstall-linux', 'manual-update-grub' ] import_tasks: update-grub/main.yml -- name: Set file used to extract KERNELRELEASE variable - set_fact: +- name: Set the pathname used to extract the kernel release + tags: + - vars + ansible.builtin.set_fact: kernelrelease_file: "{{ target_linux_dir_path }}/include/config/kernel.release" - tags: vars -- name: Check if {{ kernelrelease_file }} exists - stat: +- name: Stat {{ kernelrelease_file }} + tags: + - vars + ansible.builtin.stat: + get_checksum: false + get_mime: false path: "{{ kernelrelease_file }}" register: kernel_release_file - tags: vars -- name: Get Linux build KERNELRELEASE varible which is set in include/config/kernel.release - shell: cat {{ kernelrelease_file }} - register: kernelrelease - when: kernel_release_file.stat.exists +- name: Slurp {{ kernelrelease_file }} + tags: + - vars + ansible.builtin.slurp: + src: "{{ kernelrelease_file }}" + register: slurped_kernel_release + when: + - kernel_release_file.stat.exists + +- name: Set default kernelrelease if not determined + ansible.builtin.set_fact: + kernelrelease: "unknown" + when: + - kernelrelease is not defined -- name: Construct command line to determine default kernel ID - set_fact: +- name: Get the kernel release of the kernel to be installed + tags: + - vars + ansible.builtin.set_fact: + kernelrelease: "{{ slurped_kernel_release.content | b64decode | trim }}" + when: + - kernel_release_file.stat.exists + +- name: Construct the command line to determine the default boot entry + tags: + - saved + ansible.builtin.set_fact: determine_default_kernel_id: >- awk -F\' '/menuentry / {print $2}' /boot/grub/grub.cfg | awk '{print NR-1" ... 
"$0}' | - grep {{ kernelrelease.stdout }} | head -1 | awk '{print $1}' + grep {{ kernelrelease }} | head -1 | awk '{print $1}' when: - ansible_facts['os_family']|lower != 'redhat' or ansible_facts['distribution_major_version'] | int < 8 + - kernel_release_file is defined + - kernel_release_file.stat is defined + - kernel_release_file.stat.exists + - kernelrelease is defined + - kernelrelease != "unknown" + - ansible_os_family != "RedHat" or ansible_distribution_major_version | int < 8 -- name: Construct command line to determine default kernel ID for RHEL >= 8 - set_fact: +- name: Construct the command line to determine default boot entry for RHEL >= 8 + tags: + - saved + ansible.builtin.set_fact: determine_default_kernel_id: >- for f in $(ls -1 /boot/loader/entries/*.conf); do cat $f; - done | grep title | awk '{ gsub("title ", "", $0); print }' | grep '{{ kernelrelease.stdout }}'; + done | grep title | awk '{ gsub("title ", "", $0); print }' | grep '{{ kernelrelease }}'; when: - ansible_facts['os_family']|lower == 'redhat' and ansible_facts['distribution_major_version'] | int >= 8 + - kernel_release_file is defined + - kernel_release_file.stat is defined + - kernel_release_file.stat.exists + - kernelrelease is defined + - kernelrelease != "unknown" + - ansible_os_family == "RedHat" + - ansible_distribution_major_version | int >= 8 # If this fails then grub-set-default won't be run, and the assumption here # is either you do the work to enhance the heuristic or live happy with the @@ -143,6 +180,8 @@ register: grub_boot_number_cmd changed_when: false when: + - kernel_release_file is defined + - kernel_release_file.stat is defined - kernel_release_file.stat.exists - name: Obtain command to set default kernel to boot 
@@ -163,10 +202,13 @@ become_method: sudo command: "{{ grub_set_default_boot_kernel }} \"{{ target_boot_entry }}\"" vars: - target_boot_entry: "{{ grub_boot_number_cmd.stdout_lines.0 }}" + target_boot_entry: "{{ grub_boot_number_cmd.stdout_lines.0 if (grub_boot_number_cmd is defined and grub_boot_number_cmd.stdout_lines is defined) else '' }}" tags: [ 'saved' ] when: + - grub_boot_number_cmd is defined + - grub_boot_number_cmd.rc is defined - grub_boot_number_cmd.rc == 0 + - grub_boot_number_cmd.stdout is defined - grub_boot_number_cmd.stdout != "" - name: Itemize kernel and GRUB entry we just selected @@ -177,6 +219,9 @@ target_boot_entry: "{{ grub_boot_number_cmd.stdout_lines.0 }}" tags: [ 'saved' ] when: + - grub_boot_number_cmd is defined + - grub_boot_number_cmd.rc is defined - grub_boot_number_cmd.rc == 0 + - grub_boot_number_cmd.stdout is defined - grub_boot_number_cmd.stdout != "" -- 2.47.2
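Review bot: The inline fallback added to `target_boot_entry` is dead code: the task's `when` list already requires `grub_boot_number_cmd is defined` and `grub_boot_number_cmd.stdout != ""`, and a task-level var is templated lazily only when the action runs, so the `else ''` branch can never be taken and the line grows past 150 characters for nothing. Either keep the plain `target_boot_entry: "{{ grub_boot_number_cmd.stdout_lines.0 }}"` and rely on the guards, or apply the same fallback in the next hunk (@@ -177,6 +219,9), whose `target_boot_entry` line is left unchanged although it receives the identical guard set; as written the two tasks disagree. The unchanged `command:` key just above the `vars` block would seem to trip the same fqcn[action-core] rule this patch fixes elsewhere, so `ansible.builtin.command:` could be folded into the same change. The enclosing task begins above this hunk, so its `name` and `become` lines are not visible here.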