19 changes: 19 additions & 0 deletions install-docker-rootless.yml
Expand Up @@ -56,6 +56,25 @@
become: true
tags: [docker-setup, packages]

# konstruktoid.hardening v4.4.0+ sets kernel.unprivileged_userns_clone=0 and
# user.max_user_namespaces=0 (STIG V-257816) in /usr/lib/sysctl.d/zz-main-hardening.conf,
# which breaks rootless Docker. Must run BEFORE the role so its restart handler can
# bring docker.service up. The "zzz-" prefix wins alphanumerically against the hardening file
# so the override persists across reboots.
- name: Override hardening sysctls to keep user namespaces enabled for rootless Docker
ansible.posix.sysctl:
name: "{{ item.name }}"
value: "{{ item.value }}"
sysctl_set: true
sysctl_file: /etc/sysctl.d/zzz-docker-rootless-userns.conf
state: present
reload: true
loop:
- { name: kernel.unprivileged_userns_clone, value: "1" }
- { name: user.max_user_namespaces, value: "28633" }
become: true
tags: [docker-setup, sysctl]

- name: Ensure Docker user exists before enabling lingering
ansible.builtin.user:
name: "{{ DOCKER_USER | default('dockeruser') }}"
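Review bot: The comment above the sysctl task covers boot-time precedence only; if the hardening role that runs afterwards reapplies its own file at runtime (for example with a `sysctl -p` on that file or a per-key `sysctl_set`), the live values of `kernel.unprivileged_userns_clone` and `user.max_user_namespaces` can be reverted to 0 until the next reboot, and nothing in this change detects that. A verification task placed after the role would turn a silent rootless-Docker failure into a clear play failure; a sketch is below. Two smaller points: `kernel.unprivileged_userns_clone` is a distribution-specific key, so `sysctl_set: true` will error on hosts whose kernel lacks it and a `when: ansible_facts['os_family'] == 'Debian'` guard is worth adding if the playbook targets anything else, and `value: "28633"` deserves a comment on where the number comes from, since any limit above the expected namespace count would do. The enclosing task list continues outside the hunk.
```yaml
# … unchanged: konstruktoid.hardening role invocation …
- name: Verify user-namespace sysctls are still enabled after hardening
  ansible.builtin.command: sysctl -n kernel.unprivileged_userns_clone user.max_user_namespaces
  register: userns_sysctl
  changed_when: false
  failed_when: "'0' in userns_sysctl.stdout_lines"
  become: true
  tags: [docker-setup, sysctl]
```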
2 changes: 1 addition & 1 deletion requirements-lint.yml
Expand Up @@ -24,7 +24,7 @@ collections:

roles:
- name: konstruktoid.hardening
version: 'v4.3.0'
version: 'v4.6.0'
src: https://github.com/konstruktoid/ansible-role-hardening.git
scm: git
- name: konstruktoid.docker_rootless
2 changes: 1 addition & 1 deletion setup-playbook.yml
Expand Up @@ -129,7 +129,7 @@
ansible.builtin.git:
repo: https://github.com/konstruktoid/ansible-role-hardening.git
dest: "{{ lookup('env', 'HOME') }}/.ansible/roles/konstruktoid.hardening"
version: '4da78c8723d7792dbce73ce5aea47d8144f4596f' # v4.3.0
version: '1c0a9f0954b88694281812167e799c6a4f45214f' # v4.6.0
delegate_to: localhost
run_once: true
tags: [hardening, setup, role-download]
2 changes: 1 addition & 1 deletion testing/requirements.yml
@@ -1,7 +1,7 @@
---
roles:
- name: konstruktoid.hardening
version: 'v4.3.0'
version: 'v4.6.0'
src: https://github.com/konstruktoid/ansible-role-hardening.git
scm: git
- name: konstruktoid.docker_rootless