From 7b8915099e79ec6c6d20e8ce046917a6358a67b9 Mon Sep 17 00:00:00 2001
From: Sebastian Gumprich
Date: Tue, 8 Aug 2023 08:20:31 +0200
Subject: [PATCH] remove nologin-file so we can test pam

see: https://github.com/dev-sec/ansible-collection-hardening/issues/690

Signed-off-by: Sebastian Gumprich
---
 alpine-ansible-latest/Dockerfile | 3 +++
 amazon2-ansible-latest/Dockerfile | 3 +++
 amazon2023-ansible-latest/Dockerfile | 3 +++
 arch-ansible-latest/Dockerfile | 3 +++
 centos7-ansible-latest/Dockerfile | 3 +++
 centos8-ansible-latest/Dockerfile | 3 +++
 centosstream8-ansible-latest/Dockerfile | 3 +++
 centosstream9-ansible-latest/Dockerfile | 3 +++
 debian10-ansible-latest/Dockerfile | 3 +++
 debian11-ansible-latest/Dockerfile | 3 +++
 debian12-ansible-latest/Dockerfile | 3 +++
 fedora37-ansible-latest/Dockerfile | 3 +++
 fedora38-ansible-latest/Dockerfile | 3 +++
 opensuse_tumbleweed-ansible-latest/Dockerfile | 3 +++
 openwrt-ansible-latest/Dockerfile | 3 +++
 oracle7-ansible-latest/Dockerfile | 3 +++
 rocky8-ansible-latest/Dockerfile | 3 +++
 rocky9-ansible-latest/Dockerfile | 12 +++--------
 ubuntu1804-ansible-latest/Dockerfile | 3 +++
 ubuntu2004-ansible-latest/Dockerfile | 3 +++
 ubuntu2204-ansible-latest/Dockerfile | 3 +++
 21 files changed, 63 insertions(+), 9 deletions(-)

diff --git a/alpine-ansible-latest/Dockerfile b/alpine-ansible-latest/Dockerfile
index dd80b5e..e85ad0b 100644
--- a/alpine-ansible-latest/Dockerfile
+++ b/alpine-ansible-latest/Dockerfile
@@ -7,4 +7,7 @@ RUN apk add --update ansible
 RUN mkdir -p /etc/ansible \
 && echo "[local]\nlocalhost ansible_connection=local" > /etc/ansible/hosts
 
+# delete file created by systemd that prevents login via ssh
+RUN rm -f /{var/run,etc,run}/nologin
+
 CMD [ "ansible-playbook", "--version" ]
diff --git a/amazon2-ansible-latest/Dockerfile b/amazon2-ansible-latest/Dockerfile
index 3716b12..8286a2d 100644
--- a/amazon2-ansible-latest/Dockerfile
+++ b/amazon2-ansible-latest/Dockerfile
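Review bot: `RUN rm -f /{var/run,etc,run}/nologin` depends on brace expansion, which Docker's default `/bin/sh -c` does not perform on Alpine (`/bin/sh` there is BusyBox ash, which as far as I know has no brace expansion), so the command tries to remove one literal path named `/{var/run,etc,run}/nologin`, `-f` silences the miss, and any real nologin file stays in place — the login test this commit is meant to unblock would still fail on this image. Write the paths out so the line is correct under any `sh`: `RUN rm -f /var/run/nologin /etc/nologin /run/nologin`. Since `/var/run` is normally a symlink to `/run`, listing both is harmless but redundant. An earlier `SHELL` instruction could change the interpreter, but the rest of this Dockerfile is outside the hunk.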
@@ -27,4 +27,7 @@ RUN set -xe \
 && usermod -aG ${DEPLOY_GROUP} ${ANSIBLE_USER} \
 && sed -i "/^%${SUDO_GROUP}/s/ALL\$/NOPASSWD:ALL/g" /etc/sudoers
 
+# delete file created by systemd that prevents login via ssh
+RUN rm -f /{var/run,etc,run}/nologin
+
 CMD [ "ansible-playbook", "--version" ]
diff --git a/amazon2023-ansible-latest/Dockerfile b/amazon2023-ansible-latest/Dockerfile
index 9a11be2..d75bb9a 100644
--- a/amazon2023-ansible-latest/Dockerfile
+++ b/amazon2023-ansible-latest/Dockerfile
@@ -35,5 +35,8 @@ RUN set -xe \
 && usermod -aG ${DEPLOY_GROUP} ${ANSIBLE_USER} \
 && sed -i "/^%${SUDO_GROUP}/s/ALL\$/NOPASSWD:ALL/g" /etc/sudoers
 
+# delete file created by systemd that prevents login via ssh
+RUN rm -f /{var/run,etc,run}/nologin
+
 VOLUME ["/sys/fs/cgroup"]
 CMD [ "ansible-playbook", "--version" ]
diff --git a/arch-ansible-latest/Dockerfile b/arch-ansible-latest/Dockerfile
index c852083..75a6e01 100644
--- a/arch-ansible-latest/Dockerfile
+++ b/arch-ansible-latest/Dockerfile
@@ -47,4 +47,7 @@ RUN set -xe \
 && usermod -aG ${DEPLOY_GROUP} ${ANSIBLE_USER} \
 && sed -i "s/^# \(%${SUDO_GROUP} ALL=(ALL:ALL) NOPASSWD: ALL\)/\\1/g" /etc/sudoers
 
+# delete file created by systemd that prevents login via ssh
+RUN rm -f /{var/run,etc,run}/nologin
+
 CMD [ "ansible-playbook", "--version" ]
diff --git a/centos7-ansible-latest/Dockerfile b/centos7-ansible-latest/Dockerfile
index 268e168..1e29b83 100644
--- a/centos7-ansible-latest/Dockerfile
+++ b/centos7-ansible-latest/Dockerfile
@@ -55,5 +55,8 @@ RUN set -xe \
 && usermod -aG ${DEPLOY_GROUP} ${ANSIBLE_USER} \
 && sed -i "/^%${SUDO_GROUP}/s/ALL\$/NOPASSWD:ALL/g" /etc/sudoers
 
+# delete file created by systemd that prevents login via ssh
+RUN rm -f /{var/run,etc,run}/nologin
+
 VOLUME ["/sys/fs/cgroup"]
 CMD [ "ansible-playbook", "--version" ]
diff --git a/centos8-ansible-latest/Dockerfile b/centos8-ansible-latest/Dockerfile
index 8e6982c..0fa18f4 100644
--- a/centos8-ansible-latest/Dockerfile
+++ b/centos8-ansible-latest/Dockerfile
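Review bot: The new `rm -f /{var/run,etc,run}/nologin` only works here because Amazon Linux installs bash as `/bin/sh`; the identical line is copied into images whose `sh` is dash or BusyBox ash, where the braces are taken literally. For a line duplicated across 21 Dockerfiles it is safer to spell the paths out, `RUN rm -f /var/run/nologin /etc/nologin /run/nologin`, than to rely on which shell each distro links to `sh`. The comment should also make clear this is a test-container concession, since `/etc/nologin` is a deliberate login lock on a real host: `# test image only: remove nologin markers so PAM/ssh logins can be exercised`.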
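Review bot: The deletion of `/run/nologin` happens in an image layer, but the `VOLUME ["/sys/fs/cgroup"]` on the next line suggests this container boots systemd, and systemd recreates `/run/nologin` at every boot via tmpfiles and only removes it when `systemd-user-sessions.service` runs — if that is how these images are started, the build-time `rm` has no effect on `/run/nologin` and enabling that unit is the actual fix. I would confirm with `ls -l /run/nologin` inside a booted container and record the result in the comment. Independently, `/{var/run,etc,run}` is bash brace expansion; it is fine under bash-as-sh but `rm -f /var/run/nologin /etc/nologin /run/nologin` is portable to the dash/ash images that get the same line.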
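Review bot: `rm -f /{var/run,etc,run}/nologin` is bash-only syntax that Arch's `/bin/sh` (bash) happens to accept, so the line is correct here but inconsistent with the non-bash images in this commit; `RUN rm -f /var/run/nologin /etc/nologin /run/nologin` would be correct everywhere. The comment could also name the issue it works around so a later cleanup does not drop the line as stray, e.g. `# dev-sec/ansible-collection-hardening#690: remove nologin markers so logins can be tested`.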
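Review bot: `/{var/run,etc,run}/nologin` expands correctly under CentOS's bash-as-sh, but `/var/run` is a symlink to `/run` on this distro, so the first and third paths name the same file and the braces buy nothing; `RUN rm -f /etc/nologin /run/nologin` (or the explicit three-path form used for the other images) is clearer and portable. With `VOLUME ["/sys/fs/cgroup"]` directly after, this image presumably boots systemd, which recreates `/run/nologin` at boot until `systemd-user-sessions.service` clears it, so verify the file is absent in a running container rather than only in the image.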
@@ -50,5 +50,8 @@ RUN set -xe \
 && usermod -aG ${DEPLOY_GROUP} ${ANSIBLE_USER} \
 && sed -i "/^%${SUDO_GROUP}/s/ALL\$/NOPASSWD:ALL/g" /etc/sudoers
 
+# delete file created by systemd that prevents login via ssh
+RUN rm -f /{var/run,etc,run}/nologin
+
 VOLUME ["/sys/fs/cgroup"]
 CMD [ "ansible-playbook", "--version" ]
diff --git a/centosstream8-ansible-latest/Dockerfile b/centosstream8-ansible-latest/Dockerfile
index 36d5a69..2613a3a 100644
--- a/centosstream8-ansible-latest/Dockerfile
+++ b/centosstream8-ansible-latest/Dockerfile
@@ -50,5 +50,8 @@ RUN set -xe \
 && usermod -aG ${DEPLOY_GROUP} ${ANSIBLE_USER} \
 && sed -i "/^%${SUDO_GROUP}/s/ALL\$/NOPASSWD:ALL/g" /etc/sudoers
 
+# delete file created by systemd that prevents login via ssh
+RUN rm -f /{var/run,etc,run}/nologin
+
 VOLUME ["/sys/fs/cgroup"]
 CMD [ "ansible-playbook", "--version" ]
diff --git a/centosstream9-ansible-latest/Dockerfile b/centosstream9-ansible-latest/Dockerfile
index b71984b..ab05f51 100644
--- a/centosstream9-ansible-latest/Dockerfile
+++ b/centosstream9-ansible-latest/Dockerfile
@@ -48,5 +48,8 @@ RUN set -xe \
 && usermod -aG ${DEPLOY_GROUP} ${ANSIBLE_USER} \
 && sed -i "/^%${SUDO_GROUP}/s/ALL\$/NOPASSWD:ALL/g" /etc/sudoers
 
+# delete file created by systemd that prevents login via ssh
+RUN rm -f /{var/run,etc,run}/nologin
+
 VOLUME ["/sys/fs/cgroup"]
 CMD [ "ansible-playbook", "--version" ]
diff --git a/debian10-ansible-latest/Dockerfile b/debian10-ansible-latest/Dockerfile
index dcc3e4e..18b1490 100644
--- a/debian10-ansible-latest/Dockerfile
+++ b/debian10-ansible-latest/Dockerfile
@@ -34,4 +34,7 @@ RUN set -xe \
 # Make sure systemd doesn't start agettys on tty[1-6].
 RUN rm -f /lib/systemd/system/multi-user.target.wants/getty.target
 
+# delete file created by systemd that prevents login via ssh
+RUN rm -f /{var/run,etc,run}/nologin
+
 CMD [ "ansible-playbook", "--version" ]
diff --git a/debian11-ansible-latest/Dockerfile b/debian11-ansible-latest/Dockerfile
index 9d81a58..e4af5ef 100644
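Review bot: Same `rm -f /{var/run,etc,run}/nologin` as in the other images; it works under bash-as-sh on CentOS, but the explicit `RUN rm -f /var/run/nologin /etc/nologin /run/nologin` is correct under any `sh` and keeps the duplicated line consistent across the repo. If the container boots systemd (the `VOLUME ["/sys/fs/cgroup"]` that follows suggests it does), the build-time removal of `/run/nologin` is undone by systemd's tmpfiles at boot, so check the running container as well as the image.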
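Review bot: The brace form in `rm -f /{var/run,etc,run}/nologin` works on this image only because `/bin/sh` is bash; prefer `RUN rm -f /var/run/nologin /etc/nologin /run/nologin` so the line copied into the Debian, Ubuntu, Alpine and OpenWrt Dockerfiles is correct there too. Consider a `# test image only` qualifier in the comment, because deleting `/etc/nologin` is the opposite of what the hardening role under test would do on a real host.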
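Review bot: `rm -f /{var/run,etc,run}/nologin` relies on bash being `/bin/sh`, which holds on CentOS Stream 9 but not on every image this line is pasted into; `RUN rm -f /var/run/nologin /etc/nologin /run/nologin` has no such dependency and reads the same. `/var/run` being a symlink to `/run`, two of the three paths are one file, which is harmless but worth a word in the comment so nobody "fixes" it later.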
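Review bot: On Debian `/bin/sh` is dash, which does not perform brace expansion, so `RUN rm -f /{var/run,etc,run}/nologin` removes a non-existent literal path and `-f` hides that — `/run/nologin` and `/etc/nologin` are left untouched and the PAM/ssh login test this commit targets stays blocked on this image. Use explicit paths: `RUN rm -f /var/run/nologin /etc/nologin /run/nologin`. The preceding `rm -f .../getty.target` shows this image also prunes systemd units; if `systemd-user-sessions.service` is disabled elsewhere in the file (outside this hunk), that is the unit that normally clears `/run/nologin` after boot and re-enabling it would be the durable fix.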
--- a/debian11-ansible-latest/Dockerfile
+++ b/debian11-ansible-latest/Dockerfile
@@ -31,4 +31,7 @@ RUN set -xe \
 && usermod -aG ${DEPLOY_GROUP} ${ANSIBLE_USER} \
 && sed -i "/^%${SUDO_GROUP}/s/ALL\$/NOPASSWD:ALL/g" /etc/sudoers
 
+# delete file created by systemd that prevents login via ssh
+RUN rm -f /{var/run,etc,run}/nologin
+
 CMD [ "ansible-playbook", "--version" ]
diff --git a/debian12-ansible-latest/Dockerfile b/debian12-ansible-latest/Dockerfile
index aea3dc5..dfd2e14 100644
--- a/debian12-ansible-latest/Dockerfile
+++ b/debian12-ansible-latest/Dockerfile
@@ -35,4 +35,7 @@ RUN set -xe \
 && usermod -aG ${DEPLOY_GROUP} ${ANSIBLE_USER} \
 && sed -i "/^%${SUDO_GROUP}/s/ALL\$/NOPASSWD:ALL/g" /etc/sudoers
 
+# delete file created by systemd that prevents login via ssh
+RUN rm -f /{var/run,etc,run}/nologin
+
 CMD [ "ansible-playbook", "--version" ]
diff --git a/fedora37-ansible-latest/Dockerfile b/fedora37-ansible-latest/Dockerfile
index 21b6913..066b06e 100644
--- a/fedora37-ansible-latest/Dockerfile
+++ b/fedora37-ansible-latest/Dockerfile
@@ -31,4 +31,7 @@ RUN set -xe \
 && usermod -aG ${DEPLOY_GROUP} ${ANSIBLE_USER} \
 && sed -i "/^%${SUDO_GROUP}/s/ALL\$/NOPASSWD:ALL/g" /etc/sudoers
 
+# delete file created by systemd that prevents login via ssh
+RUN rm -f /{var/run,etc,run}/nologin
+
 CMD [ "ansible-playbook", "--version" ]
diff --git a/fedora38-ansible-latest/Dockerfile b/fedora38-ansible-latest/Dockerfile
index 31bbfec..f361587 100644
--- a/fedora38-ansible-latest/Dockerfile
+++ b/fedora38-ansible-latest/Dockerfile
@@ -31,4 +31,7 @@ RUN set -xe \
 && usermod -aG ${DEPLOY_GROUP} ${ANSIBLE_USER} \
 && sed -i "/^%${SUDO_GROUP}/s/ALL\$/NOPASSWD:ALL/g" /etc/sudoers
 
+# delete file created by systemd that prevents login via ssh
+RUN rm -f /{var/run,etc,run}/nologin
+
 CMD [ "ansible-playbook", "--version" ]
diff --git a/opensuse_tumbleweed-ansible-latest/Dockerfile b/opensuse_tumbleweed-ansible-latest/Dockerfile
index 1e79557..4763429 100644
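Review bot: `RUN rm -f /{var/run,etc,run}/nologin` is a no-op on Debian 11 because Docker runs `RUN` through `/bin/sh -c` and Debian's `sh` is dash, which leaves `{var/run,etc,run}` as literal text; `-f` then hides the failed unlink, so the image still carries whatever nologin file blocked the login test. Replace it with `RUN rm -f /var/run/nologin /etc/nologin /run/nologin`. I would also verify the result in the built image with `ls -l /run/nologin /etc/nologin`, since the Dockerfile's `SHELL` setting, if any, is outside this hunk.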
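Review bot: Debian 12's `/bin/sh` is dash as well, so the brace pattern in `rm -f /{var/run,etc,run}/nologin` is not expanded and the `-f` masks the miss — this image will not actually lose its nologin file. Use the explicit `RUN rm -f /var/run/nologin /etc/nologin /run/nologin`. The comment `# delete file created by systemd ...` could also say which file(s) were observed on this image, so the next person can re-check rather than trust the list.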
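Review bot: On Fedora `/bin/sh` is bash, so `rm -f /{var/run,etc,run}/nologin` does expand here, but that makes the line correct by distro accident rather than by construction; `RUN rm -f /var/run/nologin /etc/nologin /run/nologin` behaves identically and is also correct in the dash/ash images that received the same text. Whether an earlier `SHELL` instruction applies cannot be seen from this hunk.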
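Review bot: Same point as for fedora37: the brace expansion in `rm -f /{var/run,etc,run}/nologin` works under bash-as-sh but is not POSIX `sh`, and the explicit `RUN rm -f /var/run/nologin /etc/nologin /run/nologin` is the portable spelling for a line shared by 21 images. Adding `test image only:` to the comment would flag that this deliberately undoes a login lock.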
--- a/opensuse_tumbleweed-ansible-latest/Dockerfile
+++ b/opensuse_tumbleweed-ansible-latest/Dockerfile
@@ -25,5 +25,8 @@ RUN set -xe \
 && usermod -aG ${DEPLOY_GROUP} ${ANSIBLE_USER} \
 && sed -i "s/^# \(%${SUDO_GROUP} ALL=(ALL:ALL) NOPASSWD: ALL\)/\\1/g" /etc/sudoers
 
+# delete file created by systemd that prevents login via ssh
+RUN rm -f /{var/run,etc,run}/nologin
+
 VOLUME ["/sys/fs/cgroup", "/run"]
 CMD [ "ansible-playbook", "--version" ]
diff --git a/openwrt-ansible-latest/Dockerfile b/openwrt-ansible-latest/Dockerfile
index 197bf85..acbf4de 100644
--- a/openwrt-ansible-latest/Dockerfile
+++ b/openwrt-ansible-latest/Dockerfile
@@ -31,4 +31,7 @@ RUN set -xe \
 RUN opkg remove --autoremove \
 python3-pip shadow-groupadd shadow-useradd shadow-usermod sed
 
+# delete file created by systemd that prevents login via ssh
+RUN rm -f /{var/run,etc,run}/nologin
+
 CMD [ "ansible-playbook", "--version" ]
diff --git a/oracle7-ansible-latest/Dockerfile b/oracle7-ansible-latest/Dockerfile
index ce2f30d..f639c0c 100644
--- a/oracle7-ansible-latest/Dockerfile
+++ b/oracle7-ansible-latest/Dockerfile
@@ -35,5 +35,8 @@ RUN set -xe \
 && usermod -aG ${DEPLOY_GROUP} ${ANSIBLE_USER} \
 && sed -i "/^%${SUDO_GROUP}/s/ALL\$/NOPASSWD:ALL/g" /etc/sudoers
 
+# delete file created by systemd that prevents login via ssh
+RUN rm -f /{var/run,etc,run}/nologin
+
 VOLUME ["/sys/fs/cgroup"]
 CMD [ "ansible-playbook", "--version" ]
diff --git a/rocky8-ansible-latest/Dockerfile b/rocky8-ansible-latest/Dockerfile
index 4ebd437..0618382 100644
--- a/rocky8-ansible-latest/Dockerfile
+++ b/rocky8-ansible-latest/Dockerfile
@@ -50,5 +50,8 @@ RUN set -xe \
 && usermod -aG ${DEPLOY_GROUP} ${ANSIBLE_USER} \
 && sed -i "/^%${SUDO_GROUP}/s/ALL\$/NOPASSWD:ALL/g" /etc/sudoers
 
+# delete file created by systemd that prevents login via ssh
+RUN rm -f /{var/run,etc,run}/nologin
+
 VOLUME ["/sys/fs/cgroup"]
 CMD [ "ansible-playbook", "--version" ]
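Review bot: The line after the new `RUN` declares `VOLUME ["/sys/fs/cgroup", "/run"]`, so at runtime `/run` is a volume (or, with a systemd-style `--tmpfs /run`, an empty tmpfs) and the build-time removal of `/run/nologin` and `/var/run/nologin` can only matter for what gets copied into a fresh volume; if systemd boots in this container it will recreate `/run/nologin` anyway until `systemd-user-sessions.service` runs. Only the `/etc/nologin` part of this deletion is durable in the image, so I would confirm inside a started container which file actually blocks the login and document that in the comment. The brace form works here because openSUSE's `/bin/sh` is bash, but `RUN rm -f /var/run/nologin /etc/nologin /run/nologin` is the portable spelling.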
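Review bot: OpenWrt's `/bin/sh` is BusyBox ash, which as far as I know does not do brace expansion, so `RUN rm -f /{var/run,etc,run}/nologin` removes nothing and `-f` hides that; if a nologin file exists on this image it is still there. Use `RUN rm -f /var/run/nologin /etc/nologin /run/nologin`. The comment `# delete file created by systemd ...` is also wrong for this image, which uses procd rather than systemd; something like `# remove any nologin marker so test logins are not blocked` fits all 21 files. The hunk also shows `sed` being removed by `opkg remove` just above, which does not affect this `rm` but is worth keeping in mind for any later shell-based cleanup here.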
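Review bot: `rm -f /{var/run,etc,run}/nologin` expands under Oracle Linux 7's bash-as-sh, and `/var/run` is a symlink to `/run` there, so two of the three targets are the same file; `RUN rm -f /etc/nologin /run/nologin` (or the explicit three-path form shared with the other images) is equivalent and does not depend on which shell backs `sh`. The `VOLUME ["/sys/fs/cgroup"]` below suggests systemd is booted in this container, in which case `/run/nologin` is recreated at boot by tmpfiles and the image-layer deletion is not what makes logins work — verify in a running container.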
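Review bot: Same line as elsewhere: the brace pattern in `rm -f /{var/run,etc,run}/nologin` is accepted because Rocky's `/bin/sh` is bash, but the explicit `RUN rm -f /var/run/nologin /etc/nologin /run/nologin` is correct under any `sh` and keeps all 21 Dockerfiles identical in behaviour. If this image boots systemd (implied by `VOLUME ["/sys/fs/cgroup"]`), check that `/run/nologin` is really gone after boot rather than only in the image layer.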
diff --git a/rocky9-ansible-latest/Dockerfile b/rocky9-ansible-latest/Dockerfile
index 337c7a8..7baf83a 100644
--- a/rocky9-ansible-latest/Dockerfile
+++ b/rocky9-ansible-latest/Dockerfile
@@ -17,15 +17,6 @@ RUN yum makecache --timer \
 python3-pip \
 && yum clean all
 
-RUN (cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ $i == systemd-tmpfiles-setup.service ] || rm -f $i; done); \
-rm -f /lib/systemd/system/multi-user.target.wants/*;\
-rm -f /etc/systemd/system/*.wants/*;\
-rm -f /lib/systemd/system/local-fs.target.wants/*; \
-rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
-rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
-rm -f /lib/systemd/system/basic.target.wants/*;\
-rm -f /lib/systemd/system/anaconda.target.wants/*;
-
 # upgrade pip because of the rust dependency error
 RUN pip3 install --upgrade pip
 
@@ -51,5 +42,8 @@ RUN set -xe \
 && usermod -aG ${DEPLOY_GROUP} ${ANSIBLE_USER} \
 && sed -i "/^%${SUDO_GROUP}/s/ALL\$/NOPASSWD:ALL/g" /etc/sudoers
 
+# delete file created by systemd that prevents login via ssh
+RUN rm -f /{var/run,etc,run}/nologin
+
 VOLUME ["/sys/fs/cgroup"]
 CMD [ "ansible-playbook", "--version" ]
diff --git a/ubuntu1804-ansible-latest/Dockerfile b/ubuntu1804-ansible-latest/Dockerfile
index a583b9f..d81f9f4 100644
--- a/ubuntu1804-ansible-latest/Dockerfile
+++ b/ubuntu1804-ansible-latest/Dockerfile
@@ -37,4 +37,7 @@ RUN set -xe \
 && usermod -aG ${DEPLOY_GROUP} ${ANSIBLE_USER} \
 && sed -i "/^%${SUDO_GROUP}/s/ALL\$/NOPASSWD:ALL/g" /etc/sudoers
 
+# delete file created by systemd that prevents login via ssh
+RUN rm -f /{var/run,etc,run}/nologin
+
 CMD [ "ansible-playbook", "--version" ]
diff --git a/ubuntu2004-ansible-latest/Dockerfile b/ubuntu2004-ansible-latest/Dockerfile
index 5692ab6..0873206 100644
--- a/ubuntu2004-ansible-latest/Dockerfile
+++ b/ubuntu2004-ansible-latest/Dockerfile
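Review bot: In this file the `rm -f /{var/run,etc,run}/nologin` is probably redundant with the first hunk, which stops pruning `multi-user.target.wants/*` and therefore lets `systemd-user-sessions.service` (the unit that deletes `/run/nologin` once boot completes) run again; if the container boots systemd, as `VOLUME ["/sys/fs/cgroup"]` suggests, that unit, not the image-layer `rm`, is what makes logins work, and the wholesale re-enable also brings back every other unit the old block removed. A comment tying the two together would save the next reader the archaeology: `# systemd-user-sessions.service clears /run/nologin at boot; /etc/nologin is removed here for test logins`. The brace form itself is fine under Rocky's bash-as-sh, but `RUN rm -f /var/run/nologin /etc/nologin /run/nologin` matches what the dash/ash images need.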
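Review bot: Ubuntu 18.04 runs `RUN` lines through dash, which has no brace expansion, so `RUN rm -f /{var/run,etc,run}/nologin` unlinks a single literal path and `-f` hides the failure — the nologin file this commit wants gone is still in the image. Write `RUN rm -f /var/run/nologin /etc/nologin /run/nologin` instead. A `SHELL` instruction earlier in the file could change this, but it is outside the hunk, so please check the built image with `ls -l /run/nologin /etc/nologin`.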
@@ -36,4 +36,7 @@ RUN set -xe \
 && usermod -aG ${DEPLOY_GROUP} ${ANSIBLE_USER} \
 && sed -i "/^%${SUDO_GROUP}/s/ALL\$/NOPASSWD:ALL/g" /etc/sudoers
 
+# delete file created by systemd that prevents login via ssh
+RUN rm -f /{var/run,etc,run}/nologin
+
 CMD [ "ansible-playbook", "--version" ]
diff --git a/ubuntu2204-ansible-latest/Dockerfile b/ubuntu2204-ansible-latest/Dockerfile
index f6df100..b66f660 100644
--- a/ubuntu2204-ansible-latest/Dockerfile
+++ b/ubuntu2204-ansible-latest/Dockerfile
@@ -37,4 +37,7 @@ RUN set -xe \
 && usermod -aG ${DEPLOY_GROUP} ${ANSIBLE_USER} \
 && sed -i "/^%${SUDO_GROUP}/s/ALL\$/NOPASSWD:ALL/g" /etc/sudoers
 
+# delete file created by systemd that prevents login via ssh
+RUN rm -f /{var/run,etc,run}/nologin
+
 CMD [ "ansible-playbook", "--version" ]
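Review bot: Ubuntu 20.04's `/bin/sh` is dash, so the braces in `RUN rm -f /{var/run,etc,run}/nologin` are passed literally and nothing is removed; with `-f` the build still succeeds, which makes the silent failure easy to miss. Use `RUN rm -f /var/run/nologin /etc/nologin /run/nologin`. Since `/var/run` is a symlink to `/run` on Ubuntu, `/etc/nologin /run/nologin` alone would also cover it.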
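Review bot: As on the other Ubuntu images, `rm -f /{var/run,etc,run}/nologin` is not expanded by dash, so this hunk does not actually remove the nologin file on 22.04; spell the paths out as `RUN rm -f /var/run/nologin /etc/nologin /run/nologin`. I would also reword the comment so it does not assert the file is systemd-created on every image: `# remove any nologin marker so PAM/ssh logins can be tested (test image only)`.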