github_runner role works on redhat: selinux-fu

This commit is contained in:
Ibrahim Mkusa 2024-12-02 23:49:17 -05:00
parent 2dff4e3921
commit 7a62c14784
4 changed files with 25 additions and 0 deletions

View File

@ -6,6 +6,7 @@ localhost
[docker]
docker0 ansible_user=ansible
rhel0 ansible_user=ansible
[aws]
aws ansible_user=ubuntu

View File

@ -354,6 +354,7 @@ dnsmasq:
- 192.168.0.113 node4
- 192.168.0.114 node5
- 192.168.0.115 node6
- 192.168.0.103 rhel0
# -- Static DHCP config
staticDhcpEntries: []

View File

@ -1,4 +1,26 @@
---
- name: add a policy to allow service to run with selinux
ansible.builtin.shell: |
ausearch -c '.NET DebugPipe' --raw | audit2allow -M my-NETDebugPipe
semodule -X 300 -i my-NETDebugPipe.pp
ausearch -c 'runsvc.sh' --raw | audit2allow -M my-runsvcsh
semodule -X 300 -i my-runsvcsh.pp
ausearch -c 'Runner.Listener' --raw | audit2allow -M my-RunnerListener
semodule -i my-RunnerListener.pp
ausearch -c 'node' --raw | audit2allow -M my-node
semodule -X 300 -i my-node.pp
setsebool -P domain_can_mmap_files 1
ausearch -c '(unsvc.sh)' --raw | audit2allow -M my-unsvcsh
semodule -X 300 -i my-unsvcsh.pp
setsebool -P nis_enabled 1
ausearch -c '.NET TP Worker' --raw | audit2allow -M my-NETTPWorker
semodule -X 300 -i my-NETTPWorker.pp
restorecon -Rv /
args:
chdir: actions_runner
become: true
when: ansible_os_family == "RedHat"
- name: configure action runner on machine
ansible.builtin.shell: >
./config.sh --unattended --url {{repository}} --token {{token}} --replace

View File

@ -9,6 +9,7 @@
url: "https://github.com/actions/runner/releases/download/v{{runner_version}}/actions-runner-linux-x64-{{runner_version}}.tar.gz"
dest: "actions_runner/actions_runner.tar.gz"
mode: '0755'
timeout: 15
- name: unpack compressed actions_runner
ansible.builtin.unarchive: