Optimize evolinux-users #78
No reviewers
Labels
No labels
bug
duplicate
enhancement
help wanted
invalid
question
security
wontfix
No milestone
No project
No assignees
3 participants
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference: evolix/ansible-roles#78
Loading…
Reference in a new issue
No description provided.
Delete branch "simplify-evolinux-users"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Even a simple check can require more memory and time from an ansible role.
I moved around some tasks to turn 3 tasks * (length evolinux-users) into tasks that only execute once. I ignored some comments that made no sense to me, so I'll need some validation that the comments were indeed wrong.
I'm not sure why you assigned me.
I cannot review this code.
Maybe @jlecour can check this?
I didn't run tests yet, but the "sudo" part looks good to me. The sudoers template doesn't need to be run for each user so we'll save a bunch of executions.
I'm much more skeptical regarding the SSH part. The
verify AllowGroups directive
andverify AllowUsers directive
task seem to have disappeared. And the comment stating that the check needs to be run for each user might not be there by mistake. I vaguely remember that I've put it there intentionally.Could you clarify what kind of tests you've run to verify that there is no regression ?
I removed them from the loop after a lot of consideration.
This has not been extensively tested, but I believe my rational sound, the main thing I'm unsure about is testing on added_allow_user.changed. Perhaps there exists a better condition.
I'm fairly certain we could actually make this much faster and simpler by using map and join, but I'm not sure how we could make sure it does not overwrite manually added allow users.
Doing this would allow us to reduce the allow users and match users from 2*n tasks to 2 tasks.
OK, so I need to take a more global look to it, and not just your diff.
Thanks for your explanation.
Regarding the map/join, as you figured this is not possible because users are often added beyong evolinux users.
Map / join works if you're adding the statement though. See my two latest commits.
Further optimised the sudo tasks in the case of debian 9 or later, you only need to create the group once. I also inlined the jessie file as there was only one task in it.
I realise now that we are missing one case:
Servers with AllowGroups activated should also use Match Group instead of Match User. I do not believe we need as much stringent verification as with AllowGroups / AllowUsers, since multiple statements can coexist.
I made a fix to the Match User stuff, but the Match Group stuff is not supported yet.
I've meeting an error with map|join, for some reason it is not working. If somebody has time to check it out before me, here is the error:
The syntax for my join operation seems to be correct, but maybe I misunderstood where it could be used ?
I'm pretty sure this has been done elsewere and this PR is obsolete.
Pull request closed