32ca3e6909
This patch applies the RHEL 7 STIG security content from the openstack-ansible-security role to OpenStack-Ansible deployments by default. Implements: blueprint security-rhel7-stig Change-Id: I7981d73660adf877d91b63ca8387ec27e863c73c
138 lines
5.0 KiB
Bash
Executable File
138 lines
5.0 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
# Copyright 2014, Rackspace US, Inc.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
## Shell Opts ----------------------------------------------------------------
|
|
set -e -u
|
|
|
|
## Variables -----------------------------------------------------------------
|
|
DEPLOY_AIO=${DEPLOY_AIO:-false}
|
|
PLAYBOOK_LOGS=${PLAYBOOK_LOGS:-"/openstack/log/ansible_playbooks/"}
|
|
COMMAND_LOGS=${COMMAND_LOGS:-"/openstack/log/ansible_cmd_logs/"}
|
|
ORIG_ANSIBLE_LOG_PATH=${ANSIBLE_LOG_PATH:-"/openstack/log/ansible-logging/ansible.log"}
|
|
|
|
## Main ----------------------------------------------------------------------
|
|
function run_play_book_exit_message {
|
|
echo -e "\e[1;5;97m*** NOTICE ***\e[0m
|
|
|
|
The \"\e[1;31m${0}\e[0m\" script has exited. This script is no longer needed from now on.
|
|
If you need to re-run parts of the stack, adding new nodes to the environment,
|
|
or have encountered an error you will no longer need this application to
|
|
interact with the environment. All jobs should be executed out of the
|
|
\"\e[1;33m${PLAYBOOK_DIR}\e[0m\" directory using the \"\e[1;32mopenstack-ansible\e[0m\"
|
|
command line wrapper.
|
|
|
|
For more information about OpenStack-Ansible please review our documentation at:
|
|
\e[1;36mhttp://docs.openstack.org/developer/openstack-ansible\e[0m
|
|
|
|
Additionally if there's ever a need for information on common operational tasks please
|
|
see the following information:
|
|
\e[1;36mhttp://docs.openstack.org/developer/openstack-ansible/developer-docs/ops.html\e[0m
|
|
|
|
|
|
If you ever have any questions please join the community conversation on IRC at
|
|
#openstack-ansible on freenode.
|
|
"
|
|
}
|
|
|
|
function get_includes {
|
|
/opt/ansible-runtime/bin/python <<EOC
|
|
import yaml
|
|
with open("${1}") as f:
|
|
yaml_list = yaml.load(f.read())
|
|
for item in yaml_list:
|
|
_item = '---\n' + yaml.safe_dump([item], default_flow_style=False, width=1000)
|
|
print(repr(_item).strip("'").strip('"'))
|
|
EOC
|
|
}
|
|
|
|
function get_include_file {
|
|
/opt/ansible-runtime/bin/python <<EOC
|
|
import yaml
|
|
with open("${1}") as f:
|
|
yaml_list = yaml.load(f.read())
|
|
print(yaml_list[0]['include'])
|
|
EOC
|
|
}
|
|
|
|
function playbook_run {
|
|
|
|
# First we gather facts about the hosts to populate the fact cache.
|
|
# We can't gather the facts for all hosts yet because the containers
|
|
# aren't built yet.
|
|
ansible -m setup -a "gather_subset=network,hardware,virtual" hosts
|
|
|
|
# Iterate over lines in setup-everything
|
|
IFS=$'\n'
|
|
COUNTER=0
|
|
for root_include in $(get_includes setup-everything.yml); do
|
|
echo -e "${root_include}" > root-include-playbook.yml
|
|
root_include_file_name="$(get_include_file root-include-playbook.yml)"
|
|
|
|
# Once setup-hosts is complete, we should gather facts for everything
|
|
# (now including containers) so that the fact cache is complete for the
|
|
# remainder of the run.
|
|
if [[ "${root_include_file_name}" == "setup-infrastructure.yml" ]]; then
|
|
ansible -m setup -a "gather_subset=network,hardware,virtual" all
|
|
fi
|
|
for include in $(get_includes "${root_include_file_name}"); do
|
|
echo -e "${include}" > /tmp/include-playbook.yml
|
|
include_file_name="$(get_include_file /tmp/include-playbook.yml)"
|
|
include_playbook="include-playbook.yml-${include_file_name}"
|
|
mv /tmp/include-playbook.yml ${include_playbook}
|
|
echo "[Executing \"${include_file_name}\" playbook]"
|
|
# Set the playbook log path so that we can review specific execution later.
|
|
export ANSIBLE_LOG_PATH="${PLAYBOOK_LOGS}/${COUNTER}-${include_file_name}.txt"
|
|
let COUNTER=COUNTER+=1
|
|
if [[ "${DEPLOY_AIO}" = true ]]; then
|
|
install_bits "${include_playbook}"
|
|
fi
|
|
# Remove the generate playbook when done with it
|
|
rm "${include_playbook}"
|
|
done
|
|
# Remove the generate playbook when done with it
|
|
rm root-include-playbook.yml
|
|
done
|
|
cat ${PLAYBOOK_LOGS}/* >> "${ORIG_ANSIBLE_LOG_PATH}"
|
|
}
|
|
|
|
trap run_play_book_exit_message EXIT
|
|
|
|
info_block "Checking for required libraries." 2> /dev/null || source "$(dirname "${0}")/scripts-library.sh"
|
|
|
|
# Initiate the deployment
|
|
pushd "playbooks"
|
|
PLAYBOOK_DIR="$(pwd)"
|
|
|
|
# Create playbook log directory
|
|
mkdir -p "${PLAYBOOK_LOGS}"
|
|
mkdir -p "$(dirname ${ORIG_ANSIBLE_LOG_PATH})"
|
|
|
|
# Execute setup everything
|
|
playbook_run
|
|
|
|
if [[ "${DEPLOY_AIO}" = true ]]; then
|
|
# Log some data about the instance and the rest of the system
|
|
log_instance_info
|
|
|
|
# Log repo data
|
|
mkdir -p "${COMMAND_LOGS}/repo_data"
|
|
ansible 'repo_all[0]' -m raw \
|
|
-a 'find /var/www/repo/os-releases -type l' \
|
|
-t "${COMMAND_LOGS}/repo_data"
|
|
|
|
print_report
|
|
fi
|
|
popd
|