From 3b41466b79f130f66068825e3e06ae2b52430b5b Mon Sep 17 00:00:00 2001
From: Ibrahim Mkusa
Date: Tue, 3 Dec 2024 13:05:56 -0500
Subject: [PATCH] selinux policy exceptions(for rpm hosts) during install

---
 inventory/inventory | 4 +-
 playbooks/gitea/runners.yml | 2 +-
 .../github_runner/tasks/configure_runner.yml | 77 ++++++++++++++-----
 3 files changed, 59 insertions(+), 24 deletions(-)

diff --git a/inventory/inventory b/inventory/inventory
index d17b02b..67d1a5e 100644
--- a/inventory/inventory
+++ b/inventory/inventory
@@ -2,13 +2,13 @@
 localhost
 [dns]
-192.168.2.236
 [docker]
 docker0 ansible_user=ansible
 rhel0 ansible_user=ansible
+rhel1 ansible_user=ansible
-[aws]
+[aws]
 aws ansible_user=ubuntu
 [helm]
diff --git a/playbooks/gitea/runners.yml b/playbooks/gitea/runners.yml
index e1ba38a..cf55643 100644
--- a/playbooks/gitea/runners.yml
+++ b/playbooks/gitea/runners.yml
@@ -6,7 +6,7 @@
 vars:
 runner_version: "2.321.0"
 repository: https://github.com/iskm/maabara
- labels: "test"
+ labels: "test,ultramarines"
 user: ansible
 roles:
 - github_runner
diff --git a/roles/github_runner/tasks/configure_runner.yml b/roles/github_runner/tasks/configure_runner.yml
index 7adb505..5129952 100644
--- a/roles/github_runner/tasks/configure_runner.yml
+++ b/roles/github_runner/tasks/configure_runner.yml
@@ -1,6 +1,56 @@
 ---
+
+# temporary set selinux to permissive
+- name: put selinux in permissive mode, log avcs to create policies later
+ ansible.posix.selinux:
+ policy: targeted
+ state: permissive
+ become: true
+ when: ansible_os_family == "RedHat"
+
+- name: configuring action runner
+ block:
+ - name: configure action runner on machine
+ ansible.builtin.shell: >
+ ./config.sh --unattended --url {{repository}} --token {{token}} --replace
+ --name {{ansible_hostname}} --labels {{labels}}
+ args:
+ chdir: actions_runner
+ rescue:
+ - name: is an action runner already configured
+ ansible.builtin.debug:
+ msg: "{{ansible_failed_result}}"
+ - name: Skipping setup if runner already exists
+ when: "'already configured' in ansible_failed_result.stderr"
+ ansible.builtin.debug:
+ msg: "Action runner already running"
+
+- name: setup and start github action runner as a service
+ block:
+ - name: Installing github action as a service
+ ansible.builtin.shell: >
+ ./svc.sh install {{user}}
+ args:
+ chdir: actions_runner
+ become: true
+ rescue:
+ - name: Skipping setup if runner already exists
+ when: "'exists' in ansible_failed_result.stderr"
+ ansible.builtin.debug:
+ msg: "Action runner already running"
+
+
+- name: start the service
+ ansible.builtin.shell: >
+ ./svc.sh start
+ args:
+ chdir: actions_runner
+ become: true
+
 - name: add a policy to allow service to run with selinux
 ansible.builtin.shell: |
+ ausearch -c '(unsvc.sh)' --raw | audit2allow -M my-unsvcsh
+ semodule -X 300 -i my-unsvcsh.pp
 ausearch -c '.NET DebugPipe' --raw | audit2allow -M my-NETDebugPipe
 semodule -X 300 -i my-NETDebugPipe.pp
 ausearch -c 'runsvc.sh' --raw | audit2allow -M my-runsvcsh
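Review bot: Both new `rescue:` sections turn any config.sh or svc.sh failure into success, not just the already-configured case: when the stderr does not contain 'already configured' (or 'exists'), the conditional debug task is simply skipped, the rescue completes cleanly, and the play carries on with an unregistered runner. End each rescue with a re-raise such as `- ansible.builtin.fail: {msg: "{{ ansible_failed_result.stderr }}"}` guarded by `when: "'already configured' not in ansible_failed_result.stderr"` (and the `'exists'` counterpart in the service block). The first rescue also dumps the whole `ansible_failed_result`, whose `cmd` field carries the command line including the `--token {{token}}` argument given to config.sh, so the registration token lands in the play output; print only `ansible_failed_result.stderr` and set `no_log: true` on the config.sh task. The unquoted `{{repository}}`, `{{token}}` and `{{labels}}` interpolations in that shell command should also go through `| quote` so a value containing shell metacharacters cannot alter the command line.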
@@ -10,8 +60,6 @@
 ausearch -c 'node' --raw | audit2allow -M my-node
 semodule -X 300 -i my-node.pp
 setsebool -P domain_can_mmap_files 1
- ausearch -c '(unsvc.sh)' --raw | audit2allow -M my-unsvcsh
- semodule -X 300 -i my-unsvcsh.pp
 setsebool -P nis_enabled 1
 ausearch -c '.NET TP Worker' --raw | audit2allow -M my-NETTPWorker
 semodule -X 300 -i my-NETTPWorker.pp
@@ -21,26 +69,13 @@
 become: true
 when: ansible_os_family == "RedHat"
-- name: configure action runner on machine
- ansible.builtin.shell: >
- ./config.sh --unattended --url {{repository}} --token {{token}} --replace
- --name {{ansible_hostname}} --labels {{labels}}
- args:
- chdir: actions_runner
-
-- name: setup and start github action runner as a service
- ansible.builtin.shell: >
- ./svc.sh install {{user}}
- args:
- chdir: actions_runner
- become: true
-
-- name: start the service
- ansible.builtin.shell: >
- ./svc.sh start
- args:
- chdir: actions_runner
+# set selinux back to enforcing
+- name: put selinux back to enforcing mode
+ ansible.posix.selinux:
+ policy: targeted
+ state: enforcing
 become: true
+ when: ansible_os_family == "RedHat"
 - name: display status of service
 ansible.builtin.shell: >
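Review bot: The enforcing revert added in the second hunk here is a plain top-level task, so any failure in the tasks that sit between the permissive switch in the first hunk and this one (config.sh, svc.sh, the ausearch/audit2allow pipeline) aborts the play and leaves the RedHat host in permissive mode with nothing scheduled to restore it. Wrap the permissive switch, the runner tasks and the policy task in a single `block:` and move this `ansible.posix.selinux` task with `state: enforcing` into its `always:` section, keeping the `when: ansible_os_family == "RedHat"` guard, so the mode is restored on both success and failure. Because the preceding pipeline builds an allow module from every denial recorded for those process names while the host was permissive, the resulting policy is only as narrow as what ran in that window; a comment on the policy task such as `# generated .pp modules grant everything denied during the permissive window; review them before reusing on other hosts` would make that trade-off visible. The file continues past this hunk with the "display status of service" task.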