selinux policy exceptions(for rpm hosts) during install
This commit is contained in:
parent
7a62c14784
commit
3b41466b79
@ -2,11 +2,11 @@
|
|||||||
localhost
|
localhost
|
||||||
|
|
||||||
[dns]
|
[dns]
|
||||||
192.168.2.236
|
|
||||||
|
|
||||||
[docker]
|
[docker]
|
||||||
docker0 ansible_user=ansible
|
docker0 ansible_user=ansible
|
||||||
rhel0 ansible_user=ansible
|
rhel0 ansible_user=ansible
|
||||||
|
rhel1 ansible_user=ansible
|
||||||
|
|
||||||
[aws]
|
[aws]
|
||||||
aws ansible_user=ubuntu
|
aws ansible_user=ubuntu
|
||||||
|
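Review bot: Removing `192.168.2.236` leaves the `[dns]` group header with no hosts under it, so any play or limit that targets `dns` now matches nothing and is skipped without an error. Either drop the empty `[dns]` header or add the replacement host so the group's intent stays visible in the inventory. The new `rhel1 ansible_user=ansible` entry follows the existing pattern of the `[docker]` group and needs no change.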
@ -6,7 +6,7 @@
|
|||||||
vars:
|
vars:
|
||||||
runner_version: "2.321.0"
|
runner_version: "2.321.0"
|
||||||
repository: https://github.com/iskm/maabara
|
repository: https://github.com/iskm/maabara
|
||||||
labels: "test"
|
labels: "test,ultramarines"
|
||||||
user: ansible
|
user: ansible
|
||||||
roles:
|
roles:
|
||||||
- github_runner
|
- github_runner
|
||||||
|
@ -1,6 +1,56 @@
|
|||||||
---
|
---
|
||||||
|
|
||||||
|
# temporary set selinux to permissive
|
||||||
|
- name: put selinux in permissive mode, log avcs to create policies later
|
||||||
|
ansible.posix.selinux:
|
||||||
|
policy: targeted
|
||||||
|
state: permissive
|
||||||
|
become: true
|
||||||
|
when: ansible_os_family == "RedHat"
|
||||||
|
|
||||||
|
- name: configuring action runner
|
||||||
|
block:
|
||||||
|
- name: configure action runner on machine
|
||||||
|
ansible.builtin.shell: >
|
||||||
|
./config.sh --unattended --url {{repository}} --token {{token}} --replace
|
||||||
|
--name {{ansible_hostname}} --labels {{labels}}
|
||||||
|
args:
|
||||||
|
chdir: actions_runner
|
||||||
|
rescue:
|
||||||
|
- name: is an action runner already configured
|
||||||
|
ansible.builtin.debug:
|
||||||
|
msg: "{{ansible_failed_result}}"
|
||||||
|
- name: Skipping setup if runner already exists
|
||||||
|
when: "'already configured' in ansible_failed_result.stderr"
|
||||||
|
ansible.builtin.debug:
|
||||||
|
msg: "Action runner already running"
|
||||||
|
|
||||||
|
- name: setup and start github action runner as a service
|
||||||
|
block:
|
||||||
|
- name: Installing github action as a service
|
||||||
|
ansible.builtin.shell: >
|
||||||
|
./svc.sh install {{user}}
|
||||||
|
args:
|
||||||
|
chdir: actions_runner
|
||||||
|
become: true
|
||||||
|
rescue:
|
||||||
|
- name: Skipping setup if runner already exists
|
||||||
|
when: "'exists' in ansible_failed_result.stderr"
|
||||||
|
ansible.builtin.debug:
|
||||||
|
msg: "Action runner already running"
|
||||||
|
|
||||||
|
|
||||||
|
- name: start the service
|
||||||
|
ansible.builtin.shell: >
|
||||||
|
./svc.sh start
|
||||||
|
args:
|
||||||
|
chdir: actions_runner
|
||||||
|
become: true
|
||||||
|
|
||||||
- name: add a policy to allow service to run with selinux
|
- name: add a policy to allow service to run with selinux
|
||||||
ansible.builtin.shell: |
|
ansible.builtin.shell: |
|
||||||
|
ausearch -c '(unsvc.sh)' --raw | audit2allow -M my-unsvcsh
|
||||||
|
semodule -X 300 -i my-unsvcsh.pp
|
||||||
ausearch -c '.NET DebugPipe' --raw | audit2allow -M my-NETDebugPipe
|
ausearch -c '.NET DebugPipe' --raw | audit2allow -M my-NETDebugPipe
|
||||||
semodule -X 300 -i my-NETDebugPipe.pp
|
semodule -X 300 -i my-NETDebugPipe.pp
|
||||||
ausearch -c 'runsvc.sh' --raw | audit2allow -M my-runsvcsh
|
ausearch -c 'runsvc.sh' --raw | audit2allow -M my-runsvcsh
|
||||||
@ -10,8 +60,6 @@
|
|||||||
ausearch -c 'node' --raw | audit2allow -M my-node
|
ausearch -c 'node' --raw | audit2allow -M my-node
|
||||||
semodule -X 300 -i my-node.pp
|
semodule -X 300 -i my-node.pp
|
||||||
setsebool -P domain_can_mmap_files 1
|
setsebool -P domain_can_mmap_files 1
|
||||||
ausearch -c '(unsvc.sh)' --raw | audit2allow -M my-unsvcsh
|
|
||||||
semodule -X 300 -i my-unsvcsh.pp
|
|
||||||
setsebool -P nis_enabled 1
|
setsebool -P nis_enabled 1
|
||||||
ausearch -c '.NET TP Worker' --raw | audit2allow -M my-NETTPWorker
|
ausearch -c '.NET TP Worker' --raw | audit2allow -M my-NETTPWorker
|
||||||
semodule -X 300 -i my-NETTPWorker.pp
|
semodule -X 300 -i my-NETTPWorker.pp
|
||||||
@ -21,26 +69,13 @@
|
|||||||
become: true
|
become: true
|
||||||
when: ansible_os_family == "RedHat"
|
when: ansible_os_family == "RedHat"
|
||||||
|
|
||||||
- name: configure action runner on machine
|
# set selinux back to enforcing
|
||||||
ansible.builtin.shell: >
|
- name: put selinux back to enforcing mode
|
||||||
./config.sh --unattended --url {{repository}} --token {{token}} --replace
|
ansible.posix.selinux:
|
||||||
--name {{ansible_hostname}} --labels {{labels}}
|
policy: targeted
|
||||||
args:
|
state: enforcing
|
||||||
chdir: actions_runner
|
|
||||||
|
|
||||||
- name: setup and start github action runner as a service
|
|
||||||
ansible.builtin.shell: >
|
|
||||||
./svc.sh install {{user}}
|
|
||||||
args:
|
|
||||||
chdir: actions_runner
|
|
||||||
become: true
|
|
||||||
|
|
||||||
- name: start the service
|
|
||||||
ansible.builtin.shell: >
|
|
||||||
./svc.sh start
|
|
||||||
args:
|
|
||||||
chdir: actions_runner
|
|
||||||
become: true
|
become: true
|
||||||
|
when: ansible_os_family == "RedHat"
|
||||||
|
|
||||||
- name: display status of service
|
- name: display status of service
|
||||||
ansible.builtin.shell: >
|
ansible.builtin.shell: >
|
||||||
|
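Review bot: A failure in any task between `put selinux in permissive mode` and `put selinux back to enforcing mode` ends the play with the host left permissive, because the re-enforce task sits at the end of the task list and only runs on the success path; the `config.sh` and `svc.sh` blocks rescue only the "already configured"/"exists" cases, and the `add a policy to allow service to run with selinux` shell task has no rescue at all. Wrap the whole runner setup in a block whose `always:` section holds the enforcing task, as sketched below; the inner tasks keep their content and gain one indentation level. Two smaller points on the same section: `configure action runner on machine` interpolates `{{token}}` into a shell command line that can show up in verbose output and logs, so add `no_log: true` to that task; and the `ausearch -c … | audit2allow -M …` pipeline is not time-bounded, so the generated modules contain every recorded denial for those comm names, not only the ones from this install — bound the search (for example with `-ts`) or review the generated `.te` before `semodule -i`.

```yaml
- name: configure github action runner with selinux temporarily permissive
  block:
    - name: put selinux in permissive mode, log avcs to create policies later
      ansible.posix.selinux:
        policy: targeted
        state: permissive
      become: true
      when: ansible_os_family == "RedHat"
    # … unchanged (re-indented under block): configure action runner, service install/start, policy tasks …
  always:
    # runs whether the block above succeeded or failed, so the host never stays permissive
    - name: put selinux back to enforcing mode
      ansible.posix.selinux:
        policy: targeted
        state: enforcing
      become: true
      when: ansible_os_family == "RedHat"
```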