selinux policy exceptions(for rpm hosts) during install
This commit is contained in:
parent
7a62c14784
commit
3b41466b79
@ -2,13 +2,13 @@
|
||||
localhost
|
||||
|
||||
[dns]
|
||||
192.168.2.236
|
||||
|
||||
[docker]
|
||||
docker0 ansible_user=ansible
|
||||
rhel0 ansible_user=ansible
|
||||
rhel1 ansible_user=ansible
|
||||
|
||||
[aws]
|
||||
[aws]
|
||||
aws ansible_user=ubuntu
|
||||
|
||||
[helm]
|
||||
|
@ -6,7 +6,7 @@
|
||||
vars:
|
||||
runner_version: "2.321.0"
|
||||
repository: https://github.com/iskm/maabara
|
||||
labels: "test"
|
||||
labels: "test,ultramarines"
|
||||
user: ansible
|
||||
roles:
|
||||
- github_runner
|
||||
|
@ -1,6 +1,56 @@
|
||||
---
|
||||
|
||||
# temporary set selinux to permissive
|
||||
- name: put selinux in permissive mode, log avcs to create policies later
|
||||
ansible.posix.selinux:
|
||||
policy: targeted
|
||||
state: permissive
|
||||
become: true
|
||||
when: ansible_os_family == "RedHat"
|
||||
|
||||
- name: configuring action runner
|
||||
block:
|
||||
- name: configure action runner on machine
|
||||
ansible.builtin.shell: >
|
||||
./config.sh --unattended --url {{repository}} --token {{token}} --replace
|
||||
--name {{ansible_hostname}} --labels {{labels}}
|
||||
args:
|
||||
chdir: actions_runner
|
||||
rescue:
|
||||
- name: is an action runner already configured
|
||||
ansible.builtin.debug:
|
||||
msg: "{{ansible_failed_result}}"
|
||||
- name: Skipping setup if runner already exists
|
||||
when: "'already configured' in ansible_failed_result.stderr"
|
||||
ansible.builtin.debug:
|
||||
msg: "Action runner already running"
|
||||
|
||||
- name: setup and start github action runner as a service
|
||||
block:
|
||||
- name: Installing github action as a service
|
||||
ansible.builtin.shell: >
|
||||
./svc.sh install {{user}}
|
||||
args:
|
||||
chdir: actions_runner
|
||||
become: true
|
||||
rescue:
|
||||
- name: Skipping setup if runner already exists
|
||||
when: "'exists' in ansible_failed_result.stderr"
|
||||
ansible.builtin.debug:
|
||||
msg: "Action runner already running"
|
||||
|
||||
|
||||
- name: start the service
|
||||
ansible.builtin.shell: >
|
||||
./svc.sh start
|
||||
args:
|
||||
chdir: actions_runner
|
||||
become: true
|
||||
|
||||
- name: add a policy to allow service to run with selinux
|
||||
ansible.builtin.shell: |
|
||||
ausearch -c '(unsvc.sh)' --raw | audit2allow -M my-unsvcsh
|
||||
semodule -X 300 -i my-unsvcsh.pp
|
||||
ausearch -c '.NET DebugPipe' --raw | audit2allow -M my-NETDebugPipe
|
||||
semodule -X 300 -i my-NETDebugPipe.pp
|
||||
ausearch -c 'runsvc.sh' --raw | audit2allow -M my-runsvcsh
|
||||
@ -10,8 +60,6 @@
|
||||
ausearch -c 'node' --raw | audit2allow -M my-node
|
||||
semodule -X 300 -i my-node.pp
|
||||
setsebool -P domain_can_mmap_files 1
|
||||
ausearch -c '(unsvc.sh)' --raw | audit2allow -M my-unsvcsh
|
||||
semodule -X 300 -i my-unsvcsh.pp
|
||||
setsebool -P nis_enabled 1
|
||||
ausearch -c '.NET TP Worker' --raw | audit2allow -M my-NETTPWorker
|
||||
semodule -X 300 -i my-NETTPWorker.pp
|
||||
@ -21,26 +69,13 @@
|
||||
become: true
|
||||
when: ansible_os_family == "RedHat"
|
||||
|
||||
- name: configure action runner on machine
|
||||
ansible.builtin.shell: >
|
||||
./config.sh --unattended --url {{repository}} --token {{token}} --replace
|
||||
--name {{ansible_hostname}} --labels {{labels}}
|
||||
args:
|
||||
chdir: actions_runner
|
||||
|
||||
- name: setup and start github action runner as a service
|
||||
ansible.builtin.shell: >
|
||||
./svc.sh install {{user}}
|
||||
args:
|
||||
chdir: actions_runner
|
||||
become: true
|
||||
|
||||
- name: start the service
|
||||
ansible.builtin.shell: >
|
||||
./svc.sh start
|
||||
args:
|
||||
chdir: actions_runner
|
||||
# set selinux back to enforcing
|
||||
- name: put selinux back to enforcing mode
|
||||
ansible.posix.selinux:
|
||||
policy: targeted
|
||||
state: enforcing
|
||||
become: true
|
||||
when: ansible_os_family == "RedHat"
|
||||
|
||||
- name: display status of service
|
||||
ansible.builtin.shell: >
|
||||
|
Loading…
Reference in New Issue
Block a user