Add support for custom ports #38
Changes from 6 commits
@@ -0,0 +1 @@ | ||
../.. | ||
@@ -0,0 +1,65 @@ | ||
--- | ||
We are changing the way we use system roles from other system roles - https://linux-system-roles.github.io/documentation/role-requirements.html The short answer is:

    collections:
      - fedora.linux_system_roles
    - name: Allow the custom port for tangd_port_t in SELinux
      import_role:
        name: fedora.linux_system_roles.selinux
      vars:
        ...
# This task tells SELinux for the port that we want the tangd service to use when distribution Fedora | ||
- name: Allow the custom port for tangd_port_t in SELinux | ||
ansible.builtin.import_role: | ||
Please don't use the FQCN
name: linux-system-roles.selinux | ||
vars: | ||
selinux_ports: | ||
- { ports: '{{ nbde_server_port }}', proto: 'tcp', setype: 'tangd_port_t', state: 'present' } | ||
when: ansible_selinux.status == "enabled" and ansible_facts["distribution"] == "Fedora" | ||
|
||
# This task tells SELinux for the port that we want the tangd service to use when distribution RHEL | ||
You don't need this. In fact, you don't need the The problem is that And, to further complicate matters, if the user is using the Collection instead of the legacy role format, then the role name will be I think the best you can do here is to use

Just use
- name: Allow the custom port for tangd_port_t in SELinux | ||
ansible.builtin.import_role: | ||
name: rhel-system-roles.selinux | ||
vars: | ||
selinux_ports: | ||
- { ports: '{{ nbde_server_port }}', proto: 'tcp', setype: 'tangd_port_t', state: 'present' } | ||
when: ansible_selinux.status == "enabled" and ansible_facts["distribution"] == "RedHat" | ||
|
||
# This block creates the override file for systemd with the new port that we have requested | ||
- name: Create override file | ||
block: | ||
# This task checks if the directory /etc/systemd/system/tangd.socket.d exist and registers the value in systemd__system__tangd_socket | ||
- name: Check if directory /etc/systemd/system/tangd.socket.d exist | ||
stat: | ||
path: /etc/systemd/system/tangd.socket.d | ||
register: systemd_system_tangd_socket | ||
|
||
# This tasks Create the /etc/systemd/system/tangd.socket.d directory if it does not exist | ||
- name: Create a directory if it does not exist | ||
file: | ||
path: /etc/systemd/system/tangd.socket.d | ||
state: directory | ||
This will already create the directory if it does not exist, no? There is no need to check/register in the previous task and run this conditionally here.

fixed
mode: '0755' | ||
when: systemd_system_tangd_socket.stat.exists | ||
We want to create the directory when it does not exist?

Oops ... you are correct. I've fixed the problems and I'm pushing it right now.
|
||
# This tasks creates the file with the port entry that we want tangd to listen to | ||
- name: Creates the file with the port entry that we want tangd to listen to | ||
Why use a
blockinfile: | ||
path: /etc/systemd/system/tangd.socket.d/override.conf | ||
block: | | ||
[Socket] | ||
ListenStream= | ||
ListenStream={{ nbde_server_port }} | ||
Also, it would be great if you could add a test to make sure the server is using the new port (and ideally also make sure we are not using the old one).
state: present | ||
create: yes | ||
mode: '0644' | ||
marker: "# {mark} ANSIBLE MANAGED BLOCK NBDE" | ||
register: __nbde_server_daemon_reload | ||
|
||
# This tasks reload the daemons so the new changes take effect | ||
- name: Reload the daemons so the new changes take effect | ||
systemd: | ||
daemon_reload: yes | ||
This should be conditional, i.e.
when: __nbde_server_daemon_reload.changed | ||
|
||
# This task makes sure that we add the new port to firewalld | ||
- name: Ensure the desired port is added to firewalld | ||
firewalld: | ||
Please use the https://github.com/linux-system-roles/firewall role for this instead of the firewalld module, similar to how you used the selinux role for the selinux settings.
port: "{{ nbde_server_port }}/tcp" | ||
zone: "{{ nbde_server_firewall_zone }}" | ||
state: enabled | ||
immediate: yes | ||
permanent: yes | ||
|
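Review bot: after the override.conf block is written and the `daemon_reload: yes` task runs, nothing restarts `tangd.socket`, so a socket unit that is already running keeps listening on its old port and the new `ListenStream={{ nbde_server_port }}` is never bound until the next reboot or a manual restart; add a `systemd` task with `name: tangd.socket` and `state: restarted` conditioned on `__nbde_server_daemon_reload.changed` (the same result the reload task already keys on), which is also what a test that checks the new port is in use and the old one is not would need in order to pass in a single run. Related: the firewalld task only enables `{{ nbde_server_port }}/tcp` and never removes the previously opened port, so changing the port leaves the old one open in the `{{ nbde_server_firewall_zone }}` zone; document that, or handle the old port when switching.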
What is this?

Please remove this