From cff7a0f1bc09bff3009fea560f057cc5c6a5d7a2 Mon Sep 17 00:00:00 2001
From: Mark Goddard
Date: Tue, 13 Mar 2018 19:29:33 +0000
Subject: [PATCH] Add disable_selinux_do_reboot variable
This allows the user to control whether hosts will be rebooted to apply an SELinux policy configuration change. We cannot do this in CI, where the Ansible control host is the host being configured.
Change-Id: I431ed26d907a534e2e99a8032152340d109fd49e
---
 .../roles/disable-selinux/defaults/main.yml | 3 +
 ansible/roles/disable-selinux/tasks/main.yml | 71 +++++++++----------
 2 files changed, 37 insertions(+), 37 deletions(-)
diff --git a/ansible/roles/disable-selinux/defaults/main.yml b/ansible/roles/disable-selinux/defaults/main.yml
index 979f3f93a..23fd5cd33 100644
--- a/ansible/roles/disable-selinux/defaults/main.yml
+++ b/ansible/roles/disable-selinux/defaults/main.yml
@@ -1,4 +1,7 @@
 ---
+# Whether to reboot to apply SELinux config changes.
+disable_selinux_do_reboot: true
+
 # Number of seconds to wait for hosts to become accessible via SSH after being
 # rebooted.
 disable_selinux_reboot_timeout:
diff --git a/ansible/roles/disable-selinux/tasks/main.yml b/ansible/roles/disable-selinux/tasks/main.yml
index 76ed64847..ce67f5c69 100644
--- a/ansible/roles/disable-selinux/tasks/main.yml
+++ b/ansible/roles/disable-selinux/tasks/main.yml
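Review bot: The comment on the new `disable_selinux_do_reboot` default only says that it controls the reboot; an operator setting it to false needs to be told what they then own, since the role's own task names say the reboot is what applies the SELinux change. Suggest expanding it to `# Whether to reboot to apply SELinux config changes. Set to false when the host` / `# being configured is the Ansible control host (e.g. CI); the new SELinux` / `# configuration then only takes effect once the host is rebooted by other means.` Note also that the neighbouring variable is named `disable_selinux_reboot_timeout`, not `disable_selinux_do_reboot_timeout`, so any task referencing the timeout must use the former spelling.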
@@ -13,45 +13,42 @@ register: selinux_result become: True -- name: Set a fact to determine whether we are running locally - set_fact: - is_local: "{{ lookup('pipe', 'hostname') in [ansible_hostname, ansible_nodename] }}" - when: selinux_result | changed +- block: + - name: Set a fact to determine whether we are running locally + set_fact: + is_local: "{{ lookup('pipe', 'hostname') in [ansible_hostname, ansible_nodename] }}" -# Any SSH connection errors cause ansible to fail the task. We therefore -# perform a manual SSH connection and allow the command to fail. -- name: Reboot the system to apply SELinux changes (remote) - local_action: - # Use -tt to force a pseudo tty. - module: > - command - ssh -tt {{ ansible_user }}@{{ ansible_host | default(inventory_hostname) }} - sudo shutdown -r now "Applying SELinux changes" - register: reboot_result - failed_when: - - reboot_result | failed - - "'closed by remote host' not in reboot_result.stderr" - when: - - selinux_result | changed - - not is_local | bool + # Any SSH connection errors cause ansible to fail the task. We therefore + # perform a manual SSH connection and allow the command to fail. + - name: Reboot the system to apply SELinux changes (remote) + local_action: + # Use -tt to force a pseudo tty. + module: > + command + ssh -tt {{ ansible_user }}@{{ ansible_host | default(inventory_hostname) }} + sudo shutdown -r now "Applying SELinux changes" + register: reboot_result + failed_when: + - reboot_result | failed + - "'closed by remote host' not in reboot_result.stderr" + when: not is_local | bool -- name: Reboot the system to apply SELinux changes (local) - command: shutdown -r now "Applying SELinux changes" - become: True - when: - - selinux_result | changed - - is_local | bool + - name: Reboot the system to apply SELinux changes (local) + command: shutdown -r now "Applying SELinux changes" + become: True + when: is_local | bool -# If we're running this locally we won't get here. 
-- name: Wait for the system to boot up (remote) - local_action: - module: wait_for - host: "{{ ansible_host | default(inventory_hostname) }}" - port: 22 - state: started - # Wait for 10 seconds before polling to ensure the node has shutdown. - delay: 10 - timeout: "{{ disable_selinux_reboot_timeout }}" + # If we're running this locally we won't get here. + - name: Wait for the system to boot up (remote) + local_action: + module: wait_for + host: "{{ ansible_host | default(inventory_hostname) }}" + port: 22 + state: started + # Wait for 10 seconds before polling to ensure the node has shutdown. + delay: 10 + timeout: "{{ disable_selinux_do_reboot_timeout }}" + when: not is_local | bool when: + - disable_selinux_do_reboot | bool - selinux_result | changed - - not is_local | bool
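Review bot: The rewritten "Wait for the system to boot up (remote)" task reads `disable_selinux_do_reboot_timeout`, but the only timeout variable the role defines (visible as context in the defaults hunk) is `disable_selinux_reboot_timeout`, so after a remote host is rebooted the `timeout:` line renders an undefined variable and the play fails on exactly the path the new flag is meant to keep working; change it back to `timeout: "{{ disable_selinux_reboot_timeout }}"`. Separately, when `disable_selinux_do_reboot` is false the whole block is skipped even though `selinux_result` reported a change, and nothing records that the new SELinux configuration is still pending a reboot, so a later play or operator may assume the running policy already matches the file. Consider a `debug` (or `fail` with an explicit opt-out) task outside the block, `when: selinux_result | changed and not disable_selinux_do_reboot | bool`, stating that a reboot is required before the SELinux configuration change takes effect. The `| changed` / `| failed` filters carried over into the block appear to be the forms deprecated from Ansible 2.5 in favour of `is changed` / `is failed`; worth switching while these tasks are being rewritten.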