From machris...@apache.org
Subject airavata git commit: SELinux enabled PGA install
Date Sat, 15 Apr 2017 19:21:30 GMT
Repository: airavata
Updated Branches:
  refs/heads/master dca8e1431 -> dc24945af


SELinux enabled PGA install


Project: http://git-wip-us.apache.org/repos/asf/airavata/repo
Commit: http://git-wip-us.apache.org/repos/asf/airavata/commit/dc24945a
Tree: http://git-wip-us.apache.org/repos/asf/airavata/tree/dc24945a
Diff: http://git-wip-us.apache.org/repos/asf/airavata/diff/dc24945a

Branch: refs/heads/master
Commit: dc24945af0f8c91d3fa68fc1886bf60f4f5a583b
Parents: dca8e14
Author: Marcus Christie <machristie@apache.org>
Authored: Sat Apr 15 14:57:21 2017 -0400
Committer: Marcus Christie <machristie@apache.org>
Committed: Sat Apr 15 14:57:21 2017 -0400

----------------------------------------------------------------------
 dev-tools/ansible/roles/pga/handlers/main.yml |  4 +-
 dev-tools/ansible/roles/pga/tasks/main.yml    | 71 ++++++++++++++++------
 2 files changed, 53 insertions(+), 22 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/airavata/blob/dc24945a/dev-tools/ansible/roles/pga/handlers/main.yml
----------------------------------------------------------------------
diff --git a/dev-tools/ansible/roles/pga/handlers/main.yml b/dev-tools/ansible/roles/pga/handlers/main.yml
index ff941a9..202da40 100644
--- a/dev-tools/ansible/roles/pga/handlers/main.yml
+++ b/dev-tools/ansible/roles/pga/handlers/main.yml
@@ -25,9 +25,9 @@
   become: yes
 
 - name: start httpd
-  service: name={{ httpd_name[ansible_os_family] }} state=started
+  service: name={{ httpd_name[ansible_os_family] }} state=started enabled=yes
   become: yes
 
 - name: restart httpd
-  service: name={{ httpd_name[ansible_os_family] }} state=restarted
+  service: name={{ httpd_name[ansible_os_family] }} state=restarted enabled=yes
   become: yes
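Review bot: `enabled=yes` on the `start httpd` and `restart httpd` handlers only takes effect when some task notifies them, so a host whose httpd is already running and needs no restart never gets the unit enabled at boot. Service enablement is idempotent state and belongs in a regular task, e.g. `- name: enable httpd` / `service: name={{ httpd_name[ansible_os_family] }} enabled=true` / `become: yes`, leaving the handlers to only start or restart. `yes` is a YAML 1.1 boolean; `enabled: true` avoids the truthy ambiguity and matches the linter default.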

http://git-wip-us.apache.org/repos/asf/airavata/blob/dc24945a/dev-tools/ansible/roles/pga/tasks/main.yml
----------------------------------------------------------------------
diff --git a/dev-tools/ansible/roles/pga/tasks/main.yml b/dev-tools/ansible/roles/pga/tasks/main.yml
index dff3002..cb3bb7b 100644
--- a/dev-tools/ansible/roles/pga/tasks/main.yml
+++ b/dev-tools/ansible/roles/pga/tasks/main.yml
@@ -25,19 +25,10 @@
 
 - include: install_deps_{{ ansible_distribution }}_{{ ansible_distribution_major_version
}}.yml
 
-# - name: Check previous deployments
-#   stat: path="{{ doc_root_dir }}" get_md5=no get_checksum=no
-#   register: check
-
-# Why? if it's new, we just created this dir above...
-# if not, can just pull from the git repo in the next task...
-#- name: delete previous deployments 
-#  file: path="{{ doc_root_dir }}" state=absent
-
 - name: Git clone php gateway
-  git: 
+  git:
    repo: "{{ pga_repo }}"
-   dest: "{{ doc_root_dir }}" 
+   dest: "{{ doc_root_dir }}"
    version: "{{ git_branch }}"
    update: yes
    force: yes
@@ -47,17 +38,50 @@
   file: path="{{ user_data_dir }}" state=directory owner="{{user}}" group="{{group}}" mode=0777
recurse=yes
   become: yes
 
-# - name: Allow selinux outbound connection from web server
-  # command: setsebool -P httpd_can_network_connect 1
+# SELinux configuration
+- name: set selinux to enforcing
+  selinux: state=enforcing policy=targeted
+  become: yes
+  when: ansible_os_family == "RedHat"
+
+- name: set selinux context to allow read on public directory
+  sefcontext:
+    target: "{{ doc_root_dir }}/public(/.*)?"
+    setype: httpd_sys_content_t
+    state: present
+  become: yes
+  notify:
+    - restart httpd
+  when: ansible_os_family == "RedHat"
+
+- name: set selinux context to allow read/write on storage directory
+  sefcontext:
+    target: "{{ doc_root_dir }}/app/storage(/.*)?"
+    setype: httpd_sys_rw_content_t
+    state: present
+  become: yes
+  notify:
+    - restart httpd
+  when: ansible_os_family == "RedHat"
+
+- name: set selinux context to allow read/write on the user data directory
+  sefcontext:
+    target: "{{ user_data_dir }}(/.*)?"
+    setype: httpd_sys_rw_content_t
+    state: present
+  become: yes
+  notify:
+    - restart httpd
+  when: ansible_os_family == "RedHat"
 
-#SHOULD MAKE A PROFILE RATHER THAN DISABLING. SELINUX IS *GOOD*
-# going to permissive from enforcing doesn't require a reboot
-# permissive allows all, but still logs, allowing easy build
-# of a working profile.
-- name: set selinux permissive
-  selinux: state=permissive policy=default
+- name: allow httpd to connect out to the network
+  seboolean:
+    name: httpd_can_network_connect
+    state: yes
+    persistent: yes
   become: yes
-  register: selinux_disable
+  notify:
+    - restart httpd
   when: ansible_os_family == "RedHat"
 
 - name: Run composer update
@@ -85,6 +109,12 @@
   file: path="{{ doc_root_dir }}/app/storage" state=directory mode=0777 owner="{{user}}"
group="{{group}}" recurse=yes
   become: yes
 
+# For SELinux, need to apply file contexts, but I'm not sure why since the contexts were
created before the files/directories
+- name: run restorecon on those directories
+  command: restorecon -R {{ doc_root_dir }} {{ user_data_dir }}
+  become: yes
+  when: ansible_os_family == "RedHat"
+
 - name: Enable https and http service on public zone
   firewalld: service="{{ item }}" permanent=true state=enabled zone=public immediate=True
   with_items:
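Review bot: The comment above `run restorecon on those directories` can state the reason instead of the uncertainty: `sefcontext` only adds a rule to the policy's file-context database and never relabels files already on disk, and the git clone and composer tasks create files that inherit their parent's existing label, so a relabel is needed after they run. Suggested replacement: `# sefcontext only records label rules in the policy; files already on disk keep their` / `# current label until restorecon relabels them, so run it after the clone/composer tasks`. The `command: restorecon ...` task reports changed on every run; `changed_when: false`, or deciding from the output of `restorecon -Rv`, keeps the play idempotent. The templated paths on the `command` line are unquoted; `"{{ doc_root_dir }}" "{{ user_data_dir }}"` keeps each path a single argument if it contains spaces.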
@@ -110,4 +140,5 @@
   authorized_key:
     user: "{{user}}"
     key: "{{ gateway_data_store_ssh_public_key }}"
+  become: yes
   when: gateway_data_store_ssh_public_key != ""

