base__ssh_listen_mesh_only binds sshd to the live wt0 IP only, with
ip_nonlocal_bind to beat the post-boot bind race and a fail-closed assert so an
unresolved address never silently listens on all interfaces. Molecule covers
the render + sysctl. Mesh-hardening 1/3 (ADR-016/021).
Environmental checkpoint applied: the molecule-debian13 container image lacks
procps (no sysctl binary). Added molecule/default/prepare.yml to install procps
and sysctls: {net.ipv4.ip_nonlocal_bind: "0"} to molecule.yml platform so the
ansible.posix.sysctl task can write and read back the value hermetically.
Sysctl file format is net.ipv4.ip_nonlocal_bind=1 (no spaces); verify.yml
grep pattern updated to match ansible.posix.sysctl's actual output.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
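As an added illustration of the pattern the commit message describes (not the base__ssh_listen_mesh_only role's own tasks, and not code from this commit): resolve the live wt0 IPv4 address, fail closed if it is missing, persist net.ipv4.ip_nonlocal_bind=1 via ansible.posix.sysctl, and render a ListenAddress-only sshd drop-in. The interface name and sysctl come from the commit; the variable names, file paths, service name and handler are assumptions.

```yaml
# Added example; variable names, drop-in path and sysctl file are placeholders.
# Assumes gathered facts and an sshd_config that Includes sshd_config.d/*.conf
# and carries no ListenAddress of its own (ListenAddress entries accumulate).
- name: Bind sshd to the wt0 mesh address only
  hosts: all
  become: true
  vars:
    mesh_iface: wt0
    sshd_dropin: /etc/ssh/sshd_config.d/10-mesh-only.conf   # assumed path
  tasks:
    - name: Resolve the live mesh IPv4 address (empty string if absent)
      ansible.builtin.set_fact:
        mesh_ip: "{{ ansible_facts.get(mesh_iface, {}).get('ipv4', {}).get('address', '') }}"

    # Fail closed: an unresolved address must never reach the template,
    # where an empty ListenAddress would leave sshd on every interface.
    - name: Refuse to continue without a resolved mesh address
      ansible.builtin.assert:
        that:
          - mesh_ip is ansible.builtin.match('^([0-9]{1,3}\.){3}[0-9]{1,3}$')
        fail_msg: "{{ mesh_iface }} has no IPv4 address; not rendering sshd ListenAddress"

    # Lets sshd bind the wt0 address even when the interface comes up after
    # sshd at boot; persisted as key=value with no spaces.
    - name: Allow binding to a not-yet-local address
      ansible.posix.sysctl:
        name: net.ipv4.ip_nonlocal_bind
        value: "1"
        sysctl_file: /etc/sysctl.d/90-ssh-mesh.conf   # assumed path
        state: present
        reload: true

    - name: Render the mesh-only ListenAddress drop-in
      ansible.builtin.copy:
        dest: "{{ sshd_dropin }}"
        owner: root
        group: root
        mode: "0644"
        content: |
          # Managed by Ansible: listen on the mesh interface only
          ListenAddress {{ mesh_ip }}:22
        validate: /usr/sbin/sshd -t -f %s
      notify: Restart sshd

  handlers:
    - name: Restart sshd
      ansible.builtin.service:
        name: ssh      # Debian unit name; adjust per distribution
        state: restarted
```

After a run, `ss -lntp | grep sshd` should show only the wt0 address on port 22, and `sysctl net.ipv4.ip_nonlocal_bind` should read 1.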
molecule/default/prepare.yml (11 lines, 255 B, YAML)
---
- name: Prepare
  hosts: all
  become: true
  gather_facts: false
  tasks:
    - name: Install procps so ansible.posix.sysctl can find the sysctl binary
      ansible.builtin.apt:
        name: procps
        state: present
        update_cache: true