Add disable_selinux_do_reboot variable
This allows the user to control whether hosts will be rebooted to apply an SELinux policy configuration change. We cannot do this in CI, where the Ansible control host is the host being configured. Change-Id: I431ed26d907a534e2e99a8032152340d109fd49e
parent
bc5f3aba90
commit
cff7a0f1bc
@ -1,4 +1,7 @@
|
|||||||
---
|
---
|
||||||
|
# Whether to reboot to apply SELinux config changes.
|
||||||
|
disable_selinux_do_reboot: true
|
||||||
|
|
||||||
# Number of seconds to wait for hosts to become accessible via SSH after being
|
# Number of seconds to wait for hosts to become accessible via SSH after being
|
||||||
# rebooted.
|
# rebooted.
|
||||||
disable_selinux_reboot_timeout:
|
disable_selinux_reboot_timeout:
|
||||||
|
@ -13,14 +13,14 @@
|
|||||||
register: selinux_result
|
register: selinux_result
|
||||||
become: True
|
become: True
|
||||||
|
|
||||||
- name: Set a fact to determine whether we are running locally
|
- block:
|
||||||
|
- name: Set a fact to determine whether we are running locally
|
||||||
set_fact:
|
set_fact:
|
||||||
is_local: "{{ lookup('pipe', 'hostname') in [ansible_hostname, ansible_nodename] }}"
|
is_local: "{{ lookup('pipe', 'hostname') in [ansible_hostname, ansible_nodename] }}"
|
||||||
when: selinux_result | changed
|
|
||||||
|
|
||||||
# Any SSH connection errors cause ansible to fail the task. We therefore
|
# Any SSH connection errors cause ansible to fail the task. We therefore
|
||||||
# perform a manual SSH connection and allow the command to fail.
|
# perform a manual SSH connection and allow the command to fail.
|
||||||
- name: Reboot the system to apply SELinux changes (remote)
|
- name: Reboot the system to apply SELinux changes (remote)
|
||||||
local_action:
|
local_action:
|
||||||
# Use -tt to force a pseudo tty.
|
# Use -tt to force a pseudo tty.
|
||||||
module: >
|
module: >
|
||||||
@ -31,19 +31,15 @@
|
|||||||
failed_when:
|
failed_when:
|
||||||
- reboot_result | failed
|
- reboot_result | failed
|
||||||
- "'closed by remote host' not in reboot_result.stderr"
|
- "'closed by remote host' not in reboot_result.stderr"
|
||||||
when:
|
when: not is_local | bool
|
||||||
- selinux_result | changed
|
|
||||||
- not is_local | bool
|
|
||||||
|
|
||||||
- name: Reboot the system to apply SELinux changes (local)
|
- name: Reboot the system to apply SELinux changes (local)
|
||||||
command: shutdown -r now "Applying SELinux changes"
|
command: shutdown -r now "Applying SELinux changes"
|
||||||
become: True
|
become: True
|
||||||
when:
|
when: is_local | bool
|
||||||
- selinux_result | changed
|
|
||||||
- is_local | bool
|
|
||||||
|
|
||||||
# If we're running this locally we won't get here.
|
# If we're running this locally we won't get here.
|
||||||
- name: Wait for the system to boot up (remote)
|
- name: Wait for the system to boot up (remote)
|
||||||
local_action:
|
local_action:
|
||||||
module: wait_for
|
module: wait_for
|
||||||
host: "{{ ansible_host | default(inventory_hostname) }}"
|
host: "{{ ansible_host | default(inventory_hostname) }}"
|
||||||
@ -51,7 +47,8 @@
|
|||||||
state: started
|
state: started
|
||||||
# Wait for 10 seconds before polling to ensure the node has shutdown.
|
# Wait for 10 seconds before polling to ensure the node has shutdown.
|
||||||
delay: 10
|
delay: 10
|
||||||
timeout: "{{ disable_selinux_reboot_timeout }}"
|
timeout: "{{ disable_selinux_do_reboot_timeout }}"
|
||||||
|
when: not is_local | bool
|
||||||
when:
|
when:
|
||||||
|
- disable_selinux_do_reboot | bool
|
||||||
- selinux_result | changed
|
- selinux_result | changed
|
||||||
- not is_local | bool
|
|
||||||
|
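Review bot: The `timeout` of the "Wait for the system to boot up (remote)" task in the last hunk now reads `disable_selinux_do_reboot_timeout`, but the defaults section of this same commit still defines `disable_selinux_reboot_timeout` and adds only `disable_selinux_do_reboot`, so the new name appears to be undefined (assuming the second printed copy of each line is the new side, as elsewhere on this page). On a remote host where the SELinux change triggers a reboot, the task would then fail on the undefined variable just after the host was told to reboot, aborting the play mid-change. The line should stay `timeout: "{{ disable_selinux_reboot_timeout }}"`. Separately, when `disable_selinux_do_reboot` is false the block is skipped silently, so the running SELinux mode can differ from the configured one until the next boot; a comment on the block's `when:` such as `# Skipping the reboot leaves the previous SELinux mode active until the next boot.` would make that explicit.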