
Fixes bug 1605228, where if the user installs epel-release from the CentOS 7 default packages rather than from the latest RPM online packages, the latest epel-release from the RPM installs on top of it but does not provide newer packages. But that's not what you care about: the big change that comes with this bugfix is a refactoring of every playbook that uses EPEL so that they all call a single role, which both installs EPEL and sets up a handler to clean up EPEL when the set of roles is done. This unifies and cleans up what was previously two ways of installing EPEL and two ways of disabling it, duplicated across more than half a dozen roles, some of which used the epel_rpm variable and some of which did not. The resulting combined role still uses the rpm command and as such inherits some hackiness, in an effort to keep everything working as it was before, just with better organization. This has been tested with every playbook modified here against my own cloud. Don't consider this final, since trying to install every single one of these onto a single virtual undercloud generated lots of other problems, but none of them failed on EPEL or package-related issues. Change-Id: Ic592a97875a9ec783519f618260713277589c83e
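---
#
# Install/run nginx for browbeat
#
# Provisions nginx as the reverse proxy in front of Kibana, renders its
# configuration, and opens the two listener ports ({{ nginx_kibana_port }}
# and {{ elk_server_ssl_cert_port }}) in whichever host firewall is in use.
#
# Every task that touches packages, SELinux, nginx config, systemd units or
# firewall state runs with become: true.  The original file omitted it on
# several of them; combined with ignore_errors that let the play "succeed"
# while leaving the SELinux boolean unset, nginx not restarted and the
# firewall untouched when run as an unprivileged user.
#

- name: Install nginx, httpd-tools, httplib2, libsemanage-python
  yum:
    name: "{{ item }}"
    state: present
  become: true
  with_items:
    - nginx
    - httpd-tools
    - python-httplib2
    - libsemanage-python

# SELinux boolean for nginx: lets the reverse proxy open outbound
# connections (to Kibana).  Changing a boolean requires root.
- name: Apply SELinux boolean httpd_can_network_connect
  seboolean:
    name: httpd_can_network_connect
    state: true
    persistent: true
  become: true

# deploy kibana.conf with FQDN
- name: Setup nginx reverse proxy for kibana
  template:
    src: kibana.conf.j2
    dest: /etc/nginx/conf.d/kibana.conf
    owner: root
    group: root
    mode: "0644"
  become: true
  register: nginx_kibana_conf

# deploy basic nginx.conf vhost for the SSL certificate port
- name: Setup nginx TCP/{{ elk_server_ssl_cert_port }} vhost for SSL certificate
  template:
    src: nginx.conf.j2
    dest: /etc/nginx/nginx.conf
    owner: root
    group: root
    mode: "0644"
  become: true
  register: nginx_main_conf

# Restart only when one of the rendered configs actually changed.  The
# previous condition compared the registered result dict to 0, which is
# always true, so nginx was restarted on every run and nginx.conf changes
# were not considered at all.
- name: Restart nginx service when its configuration changed
  service:
    name: nginx
    state: restarted
  become: true
  when: nginx_kibana_conf.changed or nginx_main_conf.changed

- name: Ensure nginx is running and starts on boot
  service:
    name: nginx
    state: started
    enabled: true
  become: true

# we need TCP/{{ nginx_kibana_port }} and TCP/{{ elk_server_ssl_cert_port }} open
# determine firewall status and take action
# 1) use firewall-cmd if firewalld is utilized
# 2) insert iptables rule if iptables is used
# The firewalld state is probed once and reused for both ports.

- name: Determine if firewalld is in use
  shell: systemctl is-enabled firewalld.service | egrep -qv 'masked|disabled'
  ignore_errors: true
  register: firewalld_in_use
  no_log: true

- name: Determine if firewalld is active
  shell: systemctl is-active firewalld.service | grep -vq inactive
  ignore_errors: true
  register: firewalld_is_active
  no_log: true

# Firewalld
# --list-ports prints every open port on one line, so anchoring with "^"
# only ever matched the first one; match on a whole word instead.  The list
# is read from the same zone the rule is added to, and as root, since
# firewall-cmd is not allowed for unprivileged users by default.
- name: Determine which nginx ports are already open (firewalld)
  shell: firewall-cmd --zone=public --list-ports | grep -qw "{{ item }}/tcp"
  ignore_errors: true
  become: true
  register: firewalld_port_exists
  no_log: true
  with_items:
    - "{{ nginx_kibana_port }}"
    - "{{ elk_server_ssl_cert_port }}"

# add firewall rule via firewall-cmd, one permanent rule per missing port
- name: Add firewall rule for nginx ports (firewalld)
  command: firewall-cmd --zone=public --add-port={{ item.item }}/tcp --permanent
  with_items: "{{ firewalld_port_exists.results }}"
  ignore_errors: true
  become: true
  register: firewalld_ports_added
  when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and item.rc != 0

# Permanent rules are not live until firewalld is reloaded; do it once.
- name: Reload firewalld so the new permanent rules take effect
  command: firewall-cmd --reload
  ignore_errors: true
  become: true
  when: firewalld_ports_added.changed

# iptables-services
# /etc/sysconfig/iptables is root-only (0600), so the grep must run as root
# or it reports 0 matches and the rule is re-added on every run.
- name: check firewall rules for nginx ports (iptables-services)
  shell: grep "dport {{ item }} \-j ACCEPT" /etc/sysconfig/iptables | wc -l
  ignore_errors: true
  become: true
  register: iptables_port_exists
  no_log: true
  with_items:
    - "{{ nginx_kibana_port }}"
    - "{{ elk_server_ssl_cert_port }}"

# regexp matches the rule itself so the task is idempotent even if the
# count above was wrong; the old "^INPUT -i lo" pattern never matched
# (rules start with "-A INPUT").
- name: Add firewall rule for nginx ports (iptables-services)
  lineinfile:
    dest: /etc/sysconfig/iptables
    line: '-A INPUT -p tcp -m tcp --dport {{ item.item }} -j ACCEPT'
    regexp: '^-A INPUT -p tcp -m tcp --dport {{ item.item }} -j ACCEPT$'
    insertbefore: '-A INPUT -i lo -j ACCEPT'
    backup: true
  become: true
  with_items: "{{ iptables_port_exists.results }}"
  register: iptables_rules_added
  when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and item.stdout|int == 0

# Only reload the ruleset when a rule was actually inserted.
- name: Restart iptables-services for nginx ports (iptables-services)
  service:
    name: iptables
    state: restarted
  ignore_errors: true
  become: true
  when: iptables_rules_added.changed and firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0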