Skip to content

Resolve review findings: core_dumps sysctl, sshd changelog, tag vocabulary, example, php PATH#280

Merged
NavidSassan merged 5 commits into
mainfrom
fix/navid-review-feedback
Jun 9, 2026
Merged

Resolve review findings: core_dumps sysctl, sshd changelog, tag vocabulary, example, php PATH#280
NavidSassan merged 5 commits into
mainfrom
fix/navid-review-feedback

Conversation

@markuslf

@markuslf markuslf commented Jun 9, 2026

Copy link
Copy Markdown
Member

Addresses review feedback on recently merged commits. One commit per finding.

Findings addressed

  1. core_dumps: route fs.suid_dumpable through kernel_settings (169c23af)
    The role deployed its own /etc/sysctl.d file plus a sysctl --system
    handler. sysctl now goes through the dedicated kernel_settings role
    (injected via core_dumps__kernel_settings__sysctl__dependent_var, wired
    into core_dumps.yml and setup_basic.yml). The redundant
    core_dumps__sysctl_suid_dumpable knob was dropped.

  2. sshd hardening is a breaking change (613b739b)
    The hardened sshd defaults change existing installations on the next run,
    so the changelog entry moved from Changed to Breaking Changes, with
    remediation variables.

  3. Section tags made plural across the controlled vocabulary (95b016ff)
    :user/:database were singular while :certs/:containers/:networks/
    :modules/:plugins/:firewalls were plural. Standardized on plural
    (:users, :databases) across all roles, READMEs and CONTRIBUTING.

  4. example role: no user-facing comments in source (856fa7ba)
    Removed variable-semantics comments from roles/example/defaults/main.yml;
    the information lives in the README.

  5. php: env[PATH] fix missing on Debian/Ubuntu (8cddafb3)
    The php-fpm env[PATH] fix was Red Hat only. Applied the same fix to the
    Debian pool template (shared by Debian and Ubuntu); value matches the
    distro ENV_SUPATH, verified on Debian 13 and Ubuntu 24.04.

Notes

  • Finding 3 is a breaking change (tag renames); see the changelog.
  • setup_basic now pulls in kernel_settings, which requires the
    fedora.linux_system_roles collection on the controller.

Verification

yamllint clean; ansible-playbook --syntax-check on the touched playbooks;
php env[PATH] validated empirically in Debian 13 and Ubuntu 24.04 containers.

markuslf added 5 commits June 9, 2026 15:37
@markuslf
fix(roles/core_dumps): set fs.suid_dumpable via the kernel_settings role
169c23a 
Stop deploying an own /etc/sysctl.d file plus a sysctl --system handler.
The fs.suid_dumpable value is now injected into the kernel_settings role
via core_dumps__kernel_settings__sysctl__dependent_var, wired into both
core_dumps.yml and setup_basic.yml, so sysctl management stays in a single
place. Drop the redundant core_dumps__sysctl_suid_dumpable knob (the role
only ever disables core dumps); override via kernel_settings if needed.
@markuslf
docs(CHANGELOG): classify the sshd default hardening as a breaking ch…
613b739 
…ange

The hardened sshd defaults (X11/agent forwarding and TCP keepalives off,
lower MaxAuthTries/ClientAliveCountMax, VERBOSE log level) change the
behaviour of existing installations on the next run, so the entry belongs
under Breaking Changes, not Changed. Add the remediation variables needed
to restore the previous behaviour.
@markuslf
refactor(roles): make section tags plural across the controlled vocab…
95b016f 
…ulary

The controlled tag vocabulary was inconsistent in number: certs,
containers, networks, modules, plugins and firewalls were plural while
user and database were singular. Standardize on plural for count-noun
sections (Ansible's common convention): :user -> :users and
:database -> :databases across all roles and their READMEs, and align the
CONTRIBUTING vocabulary accordingly. Update the breaking-change entry to
describe the end state relative to the last release.
@markuslf
docs(roles/example): drop user-facing comments from defaults
856fa7b 
The two comments describing example__backup_target and
example__conf_tls_protocols documented user-facing variable semantics in
the source. That belongs in the README (where both are already covered);
comments in the reference role should explain patterns to developers, not
duplicate user documentation.
@markuslf
fix(roles/php): give php-fpm workers a defined PATH on Debian and Ubuntu
8cddafb 
The env[PATH] fix was applied only to the Red Hat pool template, but
php-fpm clears the worker environment (clear_env defaults to yes) on every
platform. Apply the same env[PATH] to the Debian pool template (shared by
Debian and Ubuntu). The value matches Debian's and Ubuntu's ENV_SUPATH,
verified on Debian 13 and Ubuntu 24.04.
@markuslf markuslf requested a review from NavidSassan June 9, 2026 13:45
@NavidSassan NavidSassan merged commit c68ee97 into main Jun 9, 2026
11 checks passed
@NavidSassan NavidSassan deleted the fix/navid-review-feedback branch June 9, 2026 14:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@NavidSassan NavidSassan Awaiting requested review from NavidSassan

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@markuslf @NavidSassan