---
# tasklist for setting up fedmsg
# This is the base set of files needed for fedmsg

# Packages the rest of this role relies on: fedmsg itself plus the SELinux
# tooling used further down (semanage / semodule come from the
# policycoreutils / libsemanage python packages on these distros).
- name: install needed packages
  yum:
    name: "{{ item }}"
    state: present
  with_items:
  - fedmsg
  - libsemanage-python
  - python-psutil
  - policycoreutils-python  # This is in the kickstart now.  Here for old hosts.
  tags:
  - packages
  - fedmsg/base

# Only needed on el6: on el7 the fedmsg package creates this directory via
# systemd-tmpfiles.  The directory is group-writable with the setgid bit set
# (02775) so that files and sockets created inside inherit the fedmsg group.
# This is deliberate: the last tasks of this role add the nrpe user to the
# fedmsg group, which is what gives monitoring *write* access to a unix socket
# in here.  Anything else added to the fedmsg group gets the same access.
- name: create a /var/run/fedmsg dir with setgid for monitoring.
  file:
    dest: /var/run/fedmsg
    state: directory
    owner: fedmsg
    group: fedmsg
    mode: "02775"
  when: ansible_distribution_major_version|int == 6
  tags:
  - fedmsg/base

# Root-owned, world-readable directory holding the fedmsg.d/*.py config
# snippets installed by the template tasks below.
- name: setup /etc/fedmsg.d directory
  file:
    path: /etc/fedmsg.d
    state: directory
    owner: root
    group: root
    mode: "0755"
  tags:
  - config
  - fedmsg/base

# Any change to these files has to restart every service that reads them.
# Not every host runs the same set: some have an httpd that uses fedmsg, some
# run a fedmsg-hub, and so on.  The handlers in handlers/restart_services.yml
# only restart a service if it is actually installed, so we can notify all of
# them unconditionally.
#
# NOTE(review): these land world-readable (0644).  Fine for endpoint lists and
# logging config, but confirm that none of the templates (ssl.py in
# particular) embed key material or other secrets -- paths only is expected.
- name: setup basic /etc/fedmsg.d/ contents for internal hosts
  template:
    src: "{{ item }}.j2"
    dest: "/etc/fedmsg.d/{{ item }}"
    owner: root
    group: root
    mode: "0644"
  with_items:
  - ssl.py
  - endpoints.py
  - endpoints-anitya.py
  - endpoints-pagure.py
  - endpoints-fedocal.py
  - endpoints-elections.py
  - endpoints-fedbadges.py
  - endpoints-fmn-web.py
  - endpoints-fmn-backend.py
  - endpoints-hotness.py
  - endpoints-nuancier.py
  - endpoints-mailman.py
  - endpoints-summershum.py
  - endpoints-kerneltest.py
  - endpoints-fedimg.py
  - endpoints-github2fedmsg.py
  - endpoints-bugzilla2fedmsg.py
  - relay.py
  - pkgdb.py
  - logging.py
  - base.py
  when: "'persistent-cloud' not in group_names"
  tags:
  - config
  - fedmsgdconfig
  - fedmsg/base
  notify:
  - restart httpd
  - restart fedmsg-gateway
  - restart fedmsg-hub
  - restart fedmsg-irc
  - restart fedmsg-relay

# policy.py is rendered from group/host vars rather than being a fixed file,
# and gets the same conditional restarts as the other fedmsg.d snippets.
# NOTE(review): judging by the name this is the fedmsg message policy
# (who may sign what); treat the vars feeding it as security-relevant input
# and review changes to them accordingly.
- name: dynamically generate policy from group/host vars.
  template:
    src: "{{ item }}.j2"
    dest: "/etc/fedmsg.d/{{ item }}"
    owner: root
    group: root
    mode: "0644"
  with_items:
  - policy.py
  when: "'persistent-cloud' not in group_names"
  tags:
  - config
  - fedmsgdconfig
  - fedmsg/base
  notify:
  - restart httpd
  - restart fedmsg-gateway
  - restart fedmsg-hub
  - restart fedmsg-irc
  - restart fedmsg-relay

# Hosts in the persistent-cloud group get a reduced config: the single
# endpoints-external.py instead of the per-service endpoint files that the
# internal hosts receive, plus the common ssl/relay/logging/base snippets.
- name: setup basic /etc/fedmsg.d/ contents for cloud hosts
  template:
    src: "{{ item }}.j2"
    dest: "/etc/fedmsg.d/{{ item }}"
    owner: root
    group: root
    mode: "0644"
  with_items:
  - ssl.py
  - endpoints-external.py
  - relay.py
  - logging.py
  - base.py
  when: "'persistent-cloud' in group_names"
  tags:
  - config
  - fedmsgdconfig
  - fedmsg/base
  notify:
  - restart httpd
  - restart fedmsg-gateway
  - restart fedmsg-hub
  - restart fedmsg-irc
  - restart fedmsg-relay

# Directory for the fedmsg CA cert and the per-host service certs/keys.
# The directory itself is world-readable; the private keys placed in it are
# protected by their own file mode.
- name: setup /etc/pki/fedmsg directory
  file:
    path: /etc/pki/fedmsg
    state: directory
    owner: root
    group: root
    mode: "0755"
  tags:
  - config
  - fedmsg/base

# The CA certificate is public material, so 0644 is appropriate.
# NOTE(review): this is sourced from "{{ puppet_private }}/fedmsg-certs/keys"
# while the per-host certs and keys below come from
# "{{ private }}/files/fedmsg-certs/keys" -- confirm both variables resolve to
# the intended private repo and that the CA here is the one that signed them.
- name: install fedmsg ca.cert
  copy:
    src: "{{ puppet_private }}/fedmsg-certs/keys/ca.crt"
    dest: /etc/pki/fedmsg/ca.crt
    owner: root
    group: root
    mode: "0644"
  tags:
  - config
  - fedmsg/base

# One certificate per entry in fedmsg_certs.  The source file name is built
# from the entry's service name and the host's FQDN (fedmsg_fqdn overrides
# ansible_fqdn); dest ends in "/" so copy keeps that basename.  Certificates
# are public, hence 0644; ownership comes from the entry.
- name: fedmsg certs
  copy:
    src: "{{ private }}/files/fedmsg-certs/keys/{{item['service']}}-{{fedmsg_fqdn | default(ansible_fqdn)}}.crt"
    dest: /etc/pki/fedmsg/
    owner: "{{item['owner']}}"
    group: "{{item['group']}}"
    mode: "0644"
  with_items:
  - "{{ fedmsg_certs }}"
  when: fedmsg_certs != []
  tags:
  - config
  - fedmsg/base

# The matching private key for each fedmsg_certs entry.  0640: readable only
# by the owner and the group named in the entry, nothing for others.
# NOTE(review): that group is therefore the key's trust boundary.  It should
# be the service's own group; if an entry uses the shared fedmsg group, bear
# in mind this role also adds the nrpe user to that group.
- name: fedmsg keys
  copy:
    src: "{{ private }}/files/fedmsg-certs/keys/{{item['service']}}-{{fedmsg_fqdn | default(ansible_fqdn)}}.key"
    dest: /etc/pki/fedmsg/
    owner: "{{item['owner']}}"
    group: "{{item['group']}}"
    mode: "0640"
  with_items:
  - "{{ fedmsg_certs }}"
  when: fedmsg_certs != []
  tags:
  - config
  - fedmsg/base

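# Tasks for handling our custom selinux module.  No owner/mode is set on the
# directory or the .pp, so they get the defaults of the ansible run.
- name: ensure a directory exists for our custom selinux module
  file:
    dest: /usr/local/share/fedmsg
    state: directory
  tags:
  - fedmsg/base

- name: copy over our custom selinux module
  copy:
    src: selinux/fedmsg.pp
    dest: /usr/local/share/fedmsg/fedmsg.pp
  register: selinux_module
  tags:
  - fedmsg/base

# Ask semodule which modules are in the policy store, so the install step
# also runs when the .pp is unchanged on disk but the module is not loaded
# (an earlier `semodule -i` that failed, or a rebuilt policy store).  Gating
# on the copy result alone would never retry in that case.
- name: list the installed selinux modules
  command: semodule -l
  register: semodule_list
  always_run: true
  changed_when: false
  tags:
  - fedmsg/base

# Loading a custom policy module changes what the confined fedmsg processes
# may do; review the module source with the same care as the rest of this
# role.  The substring check would also be satisfied by another module whose
# name contains "fedmsg" -- acceptable here, tighten if such a module appears.
- name: install our custom selinux module
  command: semodule -i /usr/local/share/fedmsg/fedmsg.pp
  when: selinux_module|changed or semodule_list.stdout.find("fedmsg") == -1
  tags:
  - fedmsg/base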

# Label the TCP range that fedmsg endpoints commonly use under mod_wsgi as
# http_port_t, otherwise SELinux stops apache from binding there.  Note this
# widens what apache (and any other domain allowed to bind http_port_t) may
# listen on to all 101 ports in the range.  `semanage port -a` refuses a
# range that is already defined under any type, hence the read-only listing
# first; the substring check on "3000-3100" only recognises our own earlier
# definition, not an overlapping one made under a different name.
- name: check semanage ports
  command: semanage port -l
  register: semanageoutput
  always_run: true
  changed_when: false
  tags:
  - fedmsg/base

- name: set ports so httpd can bind to fedmsg endpoints
  command: semanage port -a -t http_port_t -p tcp 3000-3100
  when: semanageoutput.stdout.find("3000-3100") == -1
  tags:
  - fedmsg/base

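# The nrpe (monitoring) user only exists on some hosts.  Look it up with
# getent, which exits 0 when the account exists and non-zero otherwise,
# whatever source (local files or a directory service) provides it.  The
# previous check counted output lines and only matched exactly "1", so an
# account returned on more than one line silently skipped the group add.
- name: Check if the nrpe user exists
  command: /usr/bin/getent passwd nrpe
  register: nrpe_exists
  failed_when: false
  always_run: true
  changed_when: false
  tags:
  - fedmsg/base

# Membership of the fedmsg group is what gives nrpe write access to the unix
# socket under /var/run/fedmsg (see the setgid directory task near the top of
# this role).  append keeps nrpe's other group memberships intact.
- name: Add nrpe user to the fedmsg group if it exists
  user:
    name: nrpe
    groups: fedmsg
    append: true
  when: nrpe_exists.rc == 0
  tags:
  - fedmsg/base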