ssh_hardening - ansible_pkg wrongly selects atomic_container as packagemanager for rpm_ostree systems

[millerthegorilla]

Description

Hi, when using ssh-hardening on a rpm_ostree system, the installation of openssh fails due to an underlying issue with the ansible_pkg module, which returns 'atomic_container' as the package manager for rpm-ostree systems, when that module only allows installation of containers and is deprecated. The correct module is rpm_ostree_pkg.
The ansible_pkg module exposes a configuration override (ansible_package_use) where one can specify the exact package manager used in those instances, as per the reply to my issue opened in ansible.
ansible/ansible#84820

ansible_package_use: '{{ ansible_facts.pkg_mgr if ansible_facts.pkg_mgr != "atomic_container" else "community.general.rpm_ostree_pkg" }}'

I can make a pull request to fix the underlying issue if necessary.

Reproduction steps

...
- hosts: "{{ hostvars['localhost']['remote_ip'] }}"
  remote_user: core
  become: yes
  roles:
    - role: devsec.hardening.ssh_hardening

Current Behavior

...
ssh_hardening fails when trying to install openssh as the atomic_container packagemanager is not capable of installing packages (it only install containers)

Expected Behavior

...
For ssh_hardening to continue and complete, including checking that openssh is installed and installing it if necessary

OS / Environment

Provide all relevant information below, e.g. target OS versions, network device firmware, etc.
ansible-playbook running on a fedora silverblue vm provisioning a coreos install on a raspberry pi.

Ansible Version

Paste verbatim output from "ansible --version" between quotes. This will be automatically formatted into code, so no need for backticks.
ansible [core 2.18.3]
  config file = /var/home/user/src/motioncore/ansible.cfg
  configured module search path = ['/var/home/user/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /var/home/user/src/motioncore/.motioncore_venv/lib64/python3.13/site-packages/ansible
  ansible collection location = /var/home/user/.ansible/collections:/usr/share/ansible/collections
  executable location = /var/home/user/src/motioncore/.motioncore_venv/bin/ansible
  python version = 3.13.2 (main, Feb  4 2025, 00:00:00) [GCC 14.2.1 20250110 (Red Hat 14.2.1-7)] (/var/home/user/src/motioncore/.motioncore_venv/bin/python)
  jinja version = 3.1.6
  libyaml = True

Collection Version

Paste version of the collection. This will be automatically formatted into code, so no need for backticks.
10.3.0

Additional information

...

[sdwilsh]

Another workaround is if the packages are already installed, you can set ansible_package_use: ansible.builtin.dnf for the host/group and dnf will realize they are already installed and carry on.

[millerthegorilla]

I ended up opening an issue against ansible_pkg which resulted in a pull request and code changes that allow ansible_package_use to function with custom action plugins. Its then relatively trivial to write a custom action plugin that installs the package and then reboots.

ansible/ansible#85021 (comment)