New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for custom ports #38
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fixed the two typos that I've made
README.md
Outdated
@@ -30,6 +27,9 @@ These are the variables that can be passed to the role: | |||
|`nbde_server_fetch_keys`| `no` | indicates whether we should fetch keys to the control node, in which case they will be placed in `nbde_server_keys_dir`. You **must** set `nbde_server_keys_dir` to use `nbde_server_fetch_keys`. | |||
|`nbde_server_deploy_keys`| `no` |indicates whether we should deploy the keys located in `nbde_server_keys_dir` directory to the remote hosts. You **must** set `nbde_server_keys_dir` to use `nbde_server_deploy_keys`. | |||
|`nbde_server_keys_dir`| | specifies a directory in the control node that contains keys to be deployed to the remote hosts. Keys located in the top level directory will be deployed to every remote host, while keys located within subdirectories named after the remote hosts -- as per the inventory -- will be deployed only to these specific hosts. `nbde_server_keys_dir` **must** be an absolute path. You need to set this to use either `nbde_server_fetch_keys` and/or `nbde_server_deploy_keys`. | |||
|`nbde_server_port`|`80`| setup custom port which will be enabled in SELinux and firewalld. | |||
|`nbde_server_zone`|`public`| change the default zone where the port should be opened. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is this the firewalld zone?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yes - this should be nbde_server_firewall_zone
tasks/tangd-custom-port.yml
Outdated
--- | ||
# This task tells SELinux for the port that we want the tangd service to use | ||
- name: Allow the custom port for tangd_port_t in SELinux | ||
community.general.seport: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
please use the selinux
system role - https://github.com/linux-system-roles/selinux
- name: Allow the custom port for tangd_port_t in SELinux
include_role:
name: linux-system-roles.selinux
vars:
selinux_ports:
- ports: "{{ nbde_server_port }}"
proto: tcp
setype: tangd_port_t
state: present
tasks/tangd-custom-port.yml
Outdated
# This tasks reload the daemons so the new changes take effect | ||
- name: Reload the daemons so the new changes take effect | ||
systemd: | ||
daemon_reload: yes |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This should be conditional i.e. when: __nbde_server_daemon_reload
- then one of the tasks above should set __nbde_server_daemon_reload
if the daemon needs to be reloaded
[citest commit:23c512f81404b0f071d4713af730df2eb9f3bab1] |
tasks/tangd-custom-port.yml
Outdated
path: /etc/systemd/system/tangd.socket.d/override.conf | ||
block: | | ||
[Socket] | ||
ListenStream={{ nbde_server_port }} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ListenStream
is a list, so if you just specify a port here, it will be like you are adding this new port to the list. You should first clear this list with an empty ListenStream=
line prior to setting the new port. Check out https://www.freedesktop.org/software/systemd/man/systemd.socket.html#Options for more info.
Also, it would be great if you could add a test to make sure the server is using the new port (and ideally make also sure we are not using in the old one)
Hello sorry for the delay I was on vacation. I've added the requested changes. The override file is taken from the rhel docs NBDE 10.3.6. If further changes are required please let me know. |
.cache/roles/nbde_server
Outdated
@@ -0,0 +1 @@ | |||
../.. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What is this?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
please remove this
tasks/tangd-custom-port.yml
Outdated
--- | ||
# This task tells SELinux for the port that we want the tangd service to use when distribution Fedora | ||
- name: Allow the custom port for tangd_port_t in SELinux | ||
ansible.builtin.import_role: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please don't use the FQCN ansible.builtin.import_role
form - please use import_role
tasks/tangd-custom-port.yml
Outdated
- { ports: '{{ nbde_server_port }}', proto: 'tcp', setype: 'tangd_port_t', state: 'present' } | ||
when: ansible_selinux.status == "enabled" and ansible_facts["distribution"] == "Fedora" | ||
|
||
# This task tells SELinux for the port that we want the tangd service to use when distribution RHEL |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You don't need this. In fact, you don't need the when: ansible_selinux.status == "enabled" and ansible_facts["distribution"] == "Fedora"
clause above.
The problem is that ansible_facts
will return the distribution on the managed host, but the roles will be looked up on the controller host. I think the logic you are hoping for is if the controller host is RedHat
, then use the rhel-system-roles.selinux role, but that will be much trickier to do.
And, to further complicate matters, if the user is using the Collection instead of the legacy role format, then the role name will be fedora.linux_system_roles.selinux
or redhat.rhel_system_roles.selinux
.
I think the best you can do here is to use import_role: name: selinux
and hope that role path and collection path/collection keyword are configured appropriately.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just use name: linux-system-roles.selinux
- we have tooling in the rhel rpm spec to change it to rhel-system-roles
and similar tooling when we build collections.
ping - any updates ? |
ping |
Sorry it took me a while to understand what you meant with the managed and controlled node thus the first commit. I've fixed that in the second one. |
[citest pending] |
2 similar comments
[citest pending] |
[citest pending] |
tasks/tangd-custom-port.yml
Outdated
|
||
# This task makes sure that we add the new port to firewalld | ||
- name: Ensure the desired port is added to firewalld | ||
firewalld: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
please use the https://github.com/linux-system-roles/firewall role for this instead of the firewalld module, similar to how you used the selinux role for the selinux settings.
ping |
@richm hope the role is fine now, sorry for the delay again ... I should edit my email settings to get notifications |
Signed-off-by: lessfoobar <lessfoobar@pm.me>
tasks/main-tang.yml
Outdated
@@ -26,6 +26,10 @@ | |||
when: (nbde_server_fetch_keys | bool) or (nbde_server_deploy_keys | bool) | |||
include_tasks: tang-key-management.yml | |||
|
|||
- name: Open port in firewalld | |||
when: (nbde_server_port != "80") or (nbde_server_firewall_zone != "public") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
(nbde_server_port | int != 80)
nbde_server_port
can be a string or an int - if nbde_server_port
is an int e.g. nbde_server_port: 80
then 80
is not equal to "80"
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've had so much problems with mode and always quoting it, so for me by default all numbers should be quoted. But sure I can fix that also.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've had so much problems with mode and always quoting it, so for me by default all numbers should be quoted. But sure I can fix that also.
If you want to keep everything a string, you can do that too:
(nbde_server_port | string != "80")
But in the examples you added, you are using int
instead of string
e.g. https://github.com/linux-system-roles/nbde_server/pull/38/files#diff-b335630551682c19a781afebcf4d07bf978fb1f8ac04c6bf87428ed5106870f5R37 , https://github.com/linux-system-roles/nbde_server/pull/38/files#diff-b335630551682c19a781afebcf4d07bf978fb1f8ac04c6bf87428ed5106870f5R124, etc.
So whatever you decide to do, please be consistent
tests/tests_tangd_custom_port.yml
Outdated
set -euo pipefail | ||
ss -tulpn | grep {{ nbde_server_port }} | awk -F' ' '{print $5}' | ||
register: __open_ports_output | ||
failed_when: __open_ports_output.stdout != "*:{{ nbde_server_port }}" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@sergio-correia, @lessfoobar, @richm, how must this right-hand side be exactly matched?
The test playbook tests_tangd_custom_port.yml
passes on rhel-8
and rhel-9
, but it fails on rhel-7
as follows:
TASK [check if port is open] ***************************************************
task path: /home/nhosoi/linux-system-roles/nbde_server/tests/tests_tangd_custom_port.yml:12
Friday 23 September 2022 15:52:49 -0700 (0:00:00.651) 0:00:40.444 ******
[WARNING]: conditional statements should not include jinja2 templating
delimiters such as {{ }} or {% %}. Found: __open_ports_output.stdout != "*:{{
nbde_server_port }}"
fatal: [/home/nhosoi/.cache/linux-system-roles/rhel-7.qcow2]: FAILED! => {
"changed": true,
"cmd": "set -euo pipefail\nss -tulpn | grep 7500 | awk -F' ' '{print $5}'",
"delta": "0:00:00.123563",
"end": "2022-09-23 18:52:49.938979",
"failed_when_result": true,
"rc": 0,
"start": "2022-09-23 18:52:49.815416"
}
STDOUT:
[::]:7500
Can we consider it is successful if the ports match?
Please note that rhel-7
is a supported platform both as a control and a managed node.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
failed_when: __open_ports_output.stdout != "*:{{ nbde_server_port }}" | |
failed_when: not __open_ports_output.stdout is search(':' ~ (nbde_server_port | string) ~ '$') |
Thanks, @richm. It passed the rhel-7 CI with a tiny change. The filter
@lessfoobar, could you please apply the change to |
tests/tests_tangd_custom_port.yml
Outdated
failed_when: __open_ports_output.stdout != "tcp" | ||
|
||
- name: check if port is opened in firewall | ||
shell: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
shell: | |
command: firewall-cmd --zone {{ nbde_server_firewall_zone }} --query-port {{ nbde_server_port }}/tcp | |
changed_when: false |
Then you don't need shell
, awk
, grep
, register
, failed_when
, etc.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yeah ... really not sure why I didn't went for the firewall-cmd command ... glad you found that out. Way more simpler than my solution.
register: __firewall_output | ||
failed_when: __firewall_output.stdout != "{{ nbde_server_port }}/tcp" | ||
|
||
- name: check if firewall zone is set |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think you need this check at all - the firewall-cmd --zone {{ nbde_server_firewall_zone }} --query-port {{ nbde_server_port }}/tcp
will check that the given zone exists and that the port is set in the given zone.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm
tests/tests_tangd_custom_port.yml
Outdated
set -euo pipefail | ||
ss -tulpn | grep {{ nbde_server_port }} | awk -F' ' '{print $5}' | ||
register: __open_ports_output | ||
failed_when: not __open_ports_output.stdout is search(':' ~ (nbde_server_port | string) ~ '$') |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
failed_when: not __open_ports_output.stdout is search(':' ~ (nbde_server_port | string) ~ '$') | |
failed_when: not __open_ports_output.stdout is | |
search(':' ~ (nbde_server_port | string) ~ '$') |
tests/tests_tangd_custom_port.yml
Outdated
failed_when: __open_ports_output.stdout != "tcp" | ||
|
||
- name: check if port is opened in firewall | ||
command: firewall-cmd --zone {{ nbde_server_firewall_zone }} --query-port {{ nbde_server_port }}/tcp |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
command: firewall-cmd --zone {{ nbde_server_firewall_zone }} --query-port {{ nbde_server_port }}/tcp | |
command: >- | |
firewall-cmd --zone {{ nbde_server_firewall_zone }} --query-port | |
{{ nbde_server_port }}/tcp |
Sorry about that - it may seem that these linters are pedantic, but they are the gatekeepers to being able to publish on Galaxy and Automation Hub |
- name: Create a directory if it does not exist | ||
file: | ||
path: /etc/systemd/system/tangd.socket.d | ||
state: directory |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This will already create the directory if it does not exist, no? There is no need to check/register in the previous task and run this conditionally here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fixed
tests/templates
Outdated
@@ -0,0 +1 @@ | |||
../../../templates |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This should be in tests/roles/linux-system-roles.nbde_server/
instead of tests/
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fixed
Signed-off-by: lessfoobar <lessfoobar@pm.me>
tasks/main-tang.yml
Outdated
@@ -26,6 +26,10 @@ | |||
when: (nbde_server_fetch_keys | bool) or (nbde_server_deploy_keys | bool) | |||
include_tasks: tang-key-management.yml | |||
|
|||
- name: Open port in firewalld | |||
when: (nbde_server_port != 80) or (nbde_server_firewall_zone != "public") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
when: (nbde_server_port != 80) or (nbde_server_firewall_zone != "public") | |
when: (nbde_server_port | int != 80) or (nbde_server_firewall_zone != "public") |
This should fix the error from the log:
ERROR: The following numeric operations found at runtime need int or float cast filters:
[nbde_server_port] [ne] [80] at tasks/main-tang.yml:29
the issue is that since nbde_server_port
is a public variable, there is no guarantee that the data type will be int
e.g. if the user does ansible-playbook -e nbde_server_port=80 ...
then the variable will be a string
data type and the comparison (nbde_server_port != 80)
will always fail. Using | int
to "cast" the type will ensure that the comparison is done correctly, and will also ensure that an error is generated if the data type cannot be cast to int
.
[citest] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm - the test failure appears to be unrelated - if there are no objections I'll merge this
to manage the custom ports implemented in "Add support for custom ports (linux-system-roles#38)" - Introduce nbde_server_manage_firewall to enable the firewall role to manage the nbde server port. - Introduce nbde_server_manage_selinux to enable the selinux role to manage the nbde server port.
to manage the custom ports implemented in "Add support for custom ports (linux-system-roles#38)" - Introduce nbde_server_manage_firewall to enable the firewall role to manage the nbde server port. - Introduce nbde_server_manage_selinux to enable the selinux role to manage the nbde server port. Signed-off-by: Noriko Hosoi <nhosoi@redhat.com>
to manage the custom ports implemented in "Add support for custom ports (linux-system-roles#38)" - If nbde_server_manage_firewall is set to true, use the firewall role to manage the nbde server port. - If nbde_server_manage_selinux is set to true, use the selinux role to manage the nbde server port. Signed-off-by: Noriko Hosoi <nhosoi@redhat.com>
[1.2.0] - 2022-11-01 -------------------- ### New Features - Add support for custom ports (linux-system-roles#38) - Introduce nbde_server_manage_firewall and nbde_server_manage_selinux to manage the custom ports implemented in "Add support for custom ports (linux-system-roles#38)" - If nbde_server_manage_firewall is set to true, use the firewall role to manage the nbde server port. - If nbde_server_manage_selinux is set to true, use the selinux role to manage the nbde server port. ### Bug Fixes - none ### Other Changes - none Signed-off-by: Rich Megginson <rmeggins@redhat.com>
[1.2.0] - 2022-11-01 -------------------- ### New Features - Add support for custom ports (#38) - Introduce nbde_server_manage_firewall and nbde_server_manage_selinux to manage the custom ports implemented in "Add support for custom ports (#38)" - If nbde_server_manage_firewall is set to true, use the firewall role to manage the nbde server port. - If nbde_server_manage_selinux is set to true, use the selinux role to manage the nbde server port. ### Bug Fixes - none ### Other Changes - none Signed-off-by: Rich Megginson <rmeggins@redhat.com> Signed-off-by: Rich Megginson <rmeggins@redhat.com>
No description provided.