Add disable_selinux_do_reboot variable

This allows the user to control whether hosts will be rebooted to apply
an SELinux policy configuration change. We cannot reboot in CI, where
the Ansible control host is the host being configured.

Change-Id: I431ed26d907a534e2e99a8032152340d109fd49e
Mark Goddard 2018-03-13 19:29:33 +00:00
parent bc5f3aba90
commit cff7a0f1bc
2 changed files with 37 additions and 37 deletions


@ -1,4 +1,7 @@
--- ---
# Whether to reboot to apply SELinux config changes.
disable_selinux_do_reboot: true
# Number of seconds to wait for hosts to become accessible via SSH after being # Number of seconds to wait for hosts to become accessible via SSH after being
# rebooted. # rebooted.
disable_selinux_reboot_timeout: disable_selinux_reboot_timeout:
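Review bot: The comment on the new `disable_selinux_do_reboot` default does not say what state a host is left in when the flag is false. Per the commit message the reboot is what applies the SELinux configuration change, so with the flag off the change stays pending until some later reboot, and an operator auditing the host would see the old mode still active. I would extend the comment to `# Whether to reboot to apply SELinux config changes. If false, the change only takes effect at the next reboot.`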


@ -13,14 +13,14 @@
register: selinux_result register: selinux_result
become: True become: True
- name: Set a fact to determine whether we are running locally - block:
- name: Set a fact to determine whether we are running locally
set_fact: set_fact:
is_local: "{{ lookup('pipe', 'hostname') in [ansible_hostname, ansible_nodename] }}" is_local: "{{ lookup('pipe', 'hostname') in [ansible_hostname, ansible_nodename] }}"
when: selinux_result | changed
# Any SSH connection errors cause ansible to fail the task. We therefore # Any SSH connection errors cause ansible to fail the task. We therefore
# perform a manual SSH connection and allow the command to fail. # perform a manual SSH connection and allow the command to fail.
- name: Reboot the system to apply SELinux changes (remote) - name: Reboot the system to apply SELinux changes (remote)
local_action: local_action:
# Use -tt to force a pseudo tty. # Use -tt to force a pseudo tty.
module: > module: >
@ -31,19 +31,15 @@
failed_when: failed_when:
- reboot_result | failed - reboot_result | failed
- "'closed by remote host' not in reboot_result.stderr" - "'closed by remote host' not in reboot_result.stderr"
when: when: not is_local | bool
- selinux_result | changed
- not is_local | bool
- name: Reboot the system to apply SELinux changes (local) - name: Reboot the system to apply SELinux changes (local)
command: shutdown -r now "Applying SELinux changes" command: shutdown -r now "Applying SELinux changes"
become: True become: True
when: when: is_local | bool
- selinux_result | changed
- is_local | bool
# If we're running this locally we won't get here. # If we're running this locally we won't get here.
- name: Wait for the system to boot up (remote) - name: Wait for the system to boot up (remote)
local_action: local_action:
module: wait_for module: wait_for
host: "{{ ansible_host | default(inventory_hostname) }}" host: "{{ ansible_host | default(inventory_hostname) }}"
@ -51,7 +47,8 @@
state: started state: started
# Wait for 10 seconds before polling to ensure the node has shutdown. # Wait for 10 seconds before polling to ensure the node has shutdown.
delay: 10 delay: 10
timeout: "{{ disable_selinux_reboot_timeout }}" timeout: "{{ disable_selinux_do_reboot_timeout }}"
when: not is_local | bool
when: when:
- disable_selinux_do_reboot | bool
- selinux_result | changed - selinux_result | changed
- not is_local | bool
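Review bot: The new `timeout` on the "Wait for the system to boot up (remote)" task reads `disable_selinux_do_reboot_timeout`, but the defaults file in this same commit still defines only `disable_selinux_reboot_timeout`. Unless the new name is defined somewhere outside this page, the task will fail on an undefined variable after the remote host has already been told to reboot, leaving the play aborted mid-change. The line should keep the existing name: `timeout: "{{ disable_selinux_reboot_timeout }}"`. As a style point, `selinux_result | changed` and `reboot_result | failed` use tests as filters; `selinux_result is changed` is the forward-compatible form. The task list starts before the first hunk, so the `register` that produces `selinux_result` is not visible here.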