From b3a24547ce9c0fa552712a5c34a348ecd96a3f1b Mon Sep 17 00:00:00 2001 From: Andrea Dell'Amico Date: Wed, 22 Jul 2015 18:24:50 +0200 Subject: [PATCH 01/26] library/roles/oracle-jdk: Install the extended security policy as a package. --- oracle-jdk/defaults/main.yml | 8 ++++-- oracle-jdk/files/jdk-7-US_export_policy.jar | Bin 2487 -> 0 bytes oracle-jdk/files/jdk-7-local_policy.jar | Bin 2500 -> 0 bytes oracle-jdk/files/jdk-8-US_export_policy.jar | Bin 3023 -> 0 bytes oracle-jdk/files/jdk-8-local_policy.jar | Bin 3035 -> 0 bytes oracle-jdk/tasks/main.yml | 30 +++++++++++--------- 6 files changed, 22 insertions(+), 16 deletions(-) delete mode 100644 oracle-jdk/files/jdk-7-US_export_policy.jar delete mode 100644 oracle-jdk/files/jdk-7-local_policy.jar delete mode 100644 oracle-jdk/files/jdk-8-US_export_policy.jar delete mode 100644 oracle-jdk/files/jdk-8-local_policy.jar diff --git a/oracle-jdk/defaults/main.yml b/oracle-jdk/defaults/main.yml index bb8d7bc6..ed327dec 100644 --- a/oracle-jdk/defaults/main.yml +++ b/oracle-jdk/defaults/main.yml @@ -6,8 +6,12 @@ jdk_version: - '{{ jdk_default }}' jdk_java_home: '/usr/lib/jvm/java-{{ jdk_default }}-oracle' jdk_pkg_state: installed -jdk_install_strong_encryption_policy: False +oracle_jdk_packages: + - 'oracle-java{{ jdk_default }}-installer' + - 'oracle-java{{ jdk_default }}-set-default' +jdk_install_strong_encryption_policy: True + # If we want a different oracle jdk set the following variables in the local playbook: +jdk_use_tarfile: False # jdk_java_home: /usr/lib/jvm/java-7-0-25 -# jdk_use_tarfile: True # jdk_tarfile: oracle-jdk-7.0.25.tar.gz 
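Review bot: `jdk_install_strong_encryption_policy` flips from `False` to `True` in this hunk with no comment, so every host that applies the role now gets the unlimited-strength JCE policy package by default, while the commit message presents this as a packaging change rather than a change of default. A one-line comment above the variable would make the intent explicit, e.g. `# True installs oracle-javaN-unlimited-jce-policy (unlimited-strength crypto); set to False to keep the JDK's default limited policy`. The explanatory comment `# If we want a different oracle jdk set the following variables ...` now has `jdk_use_tarfile: False` between it and the commented-out `jdk_java_home`/`jdk_tarfile` examples it describes; moving `jdk_use_tarfile: False` above that comment keeps the documented block together. Lower-case `true`/`false` would also match the canonical YAML form yamllint expects, although Ansible accepts both spellings.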
diff --git a/oracle-jdk/files/jdk-7-US_export_policy.jar b/oracle-jdk/files/jdk-7-US_export_policy.jar deleted file mode 100644 index 717321301e92b00fef35cf920e7a15f9ff5dce0c..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 2487 zcma)82{hDe8^<)blcj7aF0#9ZFeF#X(s0LECNq>wGlq;vVJu%-5d)5$0k1Ua*PHHp}nu^ z)`kJYsKg;z!*#~Ma+8j@>hv|f$@4Cazq)9?cFDMuUy54`*BlR(*h!zV?y`dM?{o&c zht1$fU7o#p3IR85V#q@Ds>$<;5y~o4j`yWMPl6OzaFa_PYOeG(x~tP$qR4sN$6Z$j zladId7zFrF=j-e4S!2}RGD994C$L$zjX6nglM4ao;$9v!Y06>cU&?wA|KA^4S{WFb zL9wQ)NaNcbmhhKqqQPswKb|;kqW8zGmSNL|mvj&k-SY6o0PW%1kyXP)H`t@%?D2aF zjU!%6J@Mq@I1hbngWt381Tbv+VF~GE@#PSHZy6rn`jBu{Babg}Pjud)cUZtM%cUluE*0pzAbeOGhAz+BH}CMhA) z#XxWy7$(07F^i54ALYz&D;f@HH?u0@;T+|LMjuTZ(%?-?72)vw%7K?RmY0{u!*f8s zIgh+V!0r08F@g=lWFy<5`((o~oH!p&-r2=+IG~LJLZ>akz>#?H7gZ@w&2(sVMz1 zFO%|2?GtrT&(5M8b}H59`Vt`!Q15w#c?<$m6BtEh%-91*>KE-Y=XR9f;~RSEc{}V& z3%5u4CnS8osU

foVs>b6;5Ym#Dz}o8@UgzkrMp?pQ25 zHpsYnSL(tN0APD8I}RERopG675()o!dFQ8C!5EMVc{qPHlYV?u2Q_GRt`A)0XXMab(+t@%juX*{yxUPB!k7OqYny-pInqw~azn3V z<~vUFcCO$mKH_gDf#HUywAd(@Wsm?bfYjarAiHAkO%R;+m7<3L!7}kO{H9$cgX!h1 znV=+E^w?^_?ud=$mLnWb#SD&Osd`I=GrZLby%(!Qojbl@OPL8*uG(3w&RyiU)Z7#e zI`_%Xh*8c_p*;bC+|k|^a`AOdi)^|2d)XO;eJ>$hLeb76)F^aY+;aQ_^_LOhf>mb7L zVxruD+{X!>+Z~|I=XJUv#fpy77a0N_8nuX}!leMDioBR*W!tEZXJQ;1bE-Xsov4f|3<{sMtmXy1Ib0&# zP8h?4nvtId`sP#LfEDY#2_14HBs52T8>nKp?&auEQ$zny4oyb}-w~_R;!Lka#`kNG zSJ#<~14}FT6Xvt#+iRHG38y|gUefd~-Tf*ht1EtGSg4~;8r;q#;_V&Klv$rzBH{5m z5rg%y%uqEwKSkQ5jlIR(V3gNiREI*|NP--Hdyew*;+)RvkUYA`-me?+L z5Nq*iQPK9h9+>4ueknWUU!j?3xkmc%ydy0g6QrG@^=-SQuQalUFO^ahtVJ}K{%nv6 zXh@c{GLO90RIYjUTtM33UH!Znqt}D?68x*NUrEEhPVX&B?!FhkfkbvM{J~h&ucvzd z70LKi{Z=5MdTCMoq>8G-$>vwdXKAA~n;H#^Ju`i=V$zh&I$PmmVw8M|pxENDTP91p zdi2eKL7SE6UaC$|{+|Te=iKaX7FpRflM74Ic58lHSl*2+)hdc|f8Dws%W$~3)sub3 z6@YAP(_Du;t%c{07W)(1k%LbAt&NQh@I9E-f7v+pHWm)t3xDg!U{TiB8%}tfkDE8v z8i{qf>)}rDR`qaqb8+<3i&E!nQsaR#GN!Vnbo3QoMZanQ7AfA2vC<`=FWs-w?GCB@ zYqmDY(C*J`a rSyJy)?1_0ebWgm))!7s806DDC|0X2@4&>as31qF`SXtU~@4fvEf0+{G 
diff --git a/oracle-jdk/files/jdk-7-local_policy.jar b/oracle-jdk/files/jdk-7-local_policy.jar deleted file mode 100644 index c34d0362d33e269e3869806fbdec2b20084a95d5..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 2500 zcma)8c{J2*8^$z~U0EhkOt#2aG9;8Gjb4T^S;{)Ys9{7|GL_;LqOoKP4MS3)V@j4J zK6?!@gT^*7mdFyxQfNrNnfIKx_`dgi=ewWtd(QLxabM4UU)S$E*MmX;c1ZH@bB6Ne zdSjj~A<0?Wz#YsqERhykHfBgm3%I?5rj3Qvom#;tZApvOi23AFxWXa0PoDXoF@i7R zdmQu8bN*fmmM0m7B^Tw%%^%dGo8%~7Qqu7*fmtU5O`lP1k>!lNsHp3~hU!E`!|5X+ z?EcSV`Udf1h6Y{k2I?*z7b=$f8h!B327Kg`BaXe{Clk8jovU4D&b0b4#9if+m%@=u zk=SM4LQg>NS&e#{3HrdJ4}qC$ZidI|xOFPGSNYcAp4)@iKbNN_v}BePL_0-*lOC z1{=99SI$JgRcEP+4LHX!qFdT*UlZL;ue1Vl|8XSEjomwtiLEgMAS&Lzy{mM7G>%RN72jYcI zzWm`Mx@ScwjF(Fa(rx824C*Q5)WTxcc%_P== zQ7S7i>x6_D7KrRe8Mr~SwxbAxSp4t=p)973NY*_tU*HcuoQj2tiV6;qCrHSP3kE}J zrW1)04Fe=|XJ$0%M3m<~QBM``Q|1Q%yt`uE@4+C44`Lb*7b=aQ`b=e%sLD`rx2(d^ zY?9kujGMDtYL+Wyl$7aLSfym(r$ zX&D^Ih7*-Z>}#OJuOe4Jd}wWLZEIjLg@lWd1yqX|4afFF2iJ$|O6gB@nx$YJ%EGtGp;$48)}H*<>T3pH+W}1`Lo1E z-Rf~V5ni04;%wm z-~BL3JT}t5>^t-shsB-qaAPsOyO{ovRw}7$vXQycOiW3+b&EuVH$;d{t2>8VP&XmQ zvjBkeuKP*w1o%h%_$)YP{`7{x9f?Fih0NMlc>#UBrgBP8X$qc@K1k}?G-B{=d$_#H z8XVfT7Wz=Zx3BR$$QJ^Pgf4-~5*e0oq8gqJR|}nZqWp>te04RO&xEv%gPJr~?1VR;)6~(MNOZv0RTXO{OwkHfN zJlPyPW6SnJ;L6bbEKJ$)+2W5PuMRRys-(T?-!aeEQqDTLA{Qo2#B6m}q{ELcT{B-T z=d08ofx#~7uS?zJr2Ct7WGA+^XNHy5 zU=J?a^j0irN~0+|!%}K7w}z(F)|EfA7SP|3Zdt63IVt;jnwIes<1QF9Fq5X-t2{qq z;7=D^c~NI{^Qo$rg2}2lU8fc`TReNi-fO0U;*{}Ns|Ho&`)PSDNff-O`Krq5qTTHz zKEPDI2>DJbRXAI;g%Z40TDtB)uaM-zHeOS=Y>BHZ}Ax^V$s*ar8R|E#7^#_Q^duq=m0*GrhB4 zaC>YfY}OaiwIk=dT}3j-H~TI*736j%e;JUZ*C{}0YpFO7tXsiENNsA+gRiM*Oo%O6 z)9Tn*=4SiQd-S>0lH=ldnb?a3A!k3$$Xng}sIjEgge)~y#AEKnPIUr@1D^&f1HOM>GF0q zM3<&=-6P)|NA4T3W&8E^4#z0hNIBJ&R4x@Q*sOXz*GV42b}Bu+i=tK8=w8gdM5wiy z$PqRl@>nhuv@VfnLR+scUGg6b|3r*j+TCp&UiE0HAI~Z}Ky0_BT7I%dwVeY3r}0UrrM4heo?9aolDnzq{A<3>6>`&-l)* z7cDYyySobT?D*}jKihbC0DmQOu3sKL?!<}T)`h#UJ(+9G=g#9iL;Nmd{4RNU`e_DS z^22*wJD$)k(xkl$IR9)+FT&jvsVWkX$J;)j6u)n9z}(GT 
z>>oeJs{Qi1?7-wJtE6W$Vh>X&lxm5W-*0Pe&aN+31$ShcXg7p`R)JhD&c}cAO5_yV z@K-y$e3CrB-x^z8n%mI!_@|c#3b7qwtEFv680CQdLilB4_7?w%uvIIr_5F@zj!phI z0>=oqLi{c2-->ZX{T*n|5AX|uEAiG;uB2Pp*X=Jzvp*;&-**idH&~l;4nIRP5?7AGoaZf)c|m! zIH_kdh!t4g_%igO8Thg>6k=(mU63ZbT|Xr|6!~>UD!I2VF6jX z$GM}7FXJ9BPm2h}ojWt>yzYF*AENmL?3EQ|Wx57%(kk_(%)j)Cic4=M)t!R(J5+n{ z6$dc|v+dl`NQ~&BI0-uuCFC9Sltr~f2|@(eczH?8s;HjHm+~0Lipyi%ar)Y|xLM8d zgf5x~dtR1v-C-vN!j_A zBA~o%?BN|j-OQ?+M_GtCHZ)<>9(L9HX^LET3f(5v1J|pC_m~=Ion4DznxFKYNIyXtR_FP>=OeFUeypaYVAgaACTrFc1u(snGASKw~TE*&3zwyjZ;=B%rw!d*yxp^U4g=c3R-(0 zzeAyJuJ94(vP#zsK~%nR|C4jBlhXXoxrHTI+0!+$uahveIIxwCP0IEH z1HZCIOK!=UVlemj8S8zrPWcL92xK`^43Uj-g83eX6+a4M$7gWU2JF+iOF|_jCEZ~U zS#CUh5X3D<)?0`NvemL{jAa^=LbNCqiBG|Y z_4vd)CFD39@kP^_ILB0kqrGD?-hnuc!}>h-dB~i+$eq4!A_uc#?lYH_F_$y3M)jE+ zTQm2W_VZwY<)5^GVb8iLSfFxO_XxsaJ#n|<2S%9EbKkz%uT$@BJdz3X>p9{1^)q6Jupn2BLqZ z5q@b~zK_8ig2RWI7|TU238Q(?FJ5(y$g@oq>;VO&__z!e!h*mv#3xbOKVQW`TJ?xv z@y!8jbqe;+OQv7YcBz}2P{?aybT8X$Jr;WVd3HDcM=1|DEC<)o7GHWSVSyWH3&Hgk za1k~u7oA+3vB}F8oMEVcF7Rq7ue<>KQ!#O;7^d*m zV?64S?oVx0ft&#Z2#P0xSlI5V`~om7fEF??GU^>27=NB6qO^~i-?+c(!QkWH=;1!$w&I$ShnSgc-Z{Mf|?GzdYV3#ep@rAehfKf zFRXhQp;@->(khqcTuq>;MX{V=?{kPzmruDct8)`)oSFw2+MFrPmQAs-ZTwAbbO0y+ zXHy;LeC3c7tQa=g6!Zqqwc;Idlh)x%r{SGd2|O}1Z`gKZx3KfImwlNW3~?h5H8i+9 zE-WZF>l7G}Hu1+?`539adOMfSg%jYm6wzlkE6rl`^4T6&Kfj%h;5lG`H87 z_AZA?Ea)#uG&Fw5(Qrz=)qe31`@Evz#VR69d{E`|Thryz!6DsL#cqdrL`=481az=b z;7ormYyI5SB@>o?&Jgxgh5GgEumC)m1#07QO?{dPY32gA@ld_SXc42VoUhn?AztE) zcZ9CLvd)%Ahg!mNf`i|B-JbRsDAu@r)5l9PclP3#cc!X(!@i%K_x^TbkqfW@sAx7u z<1G>0`94~a=~r3Z$~PQUsUBWF83z#`2GZ{qt>`q&E&;s{#9!2!tiSOkXKcXj<{YP$ zi?E$NMv}R!w@PPyD{Iyd&Wl#OGwN~BkBC(5B4J0>i0+L#A#XPN{rc54e01TSV&%Tp z0nHS$7>D_^8T0uP66nTbHG6l06_O`_$VpR9=)h_?2dmQ=Am}oknS!a zKEViUO9b*3%0Dnz0p;)Gb^W#uTIqDFA{%5oYc^LzQ%|ZL)85QLl=h9c&NkaZ$BuuX)zs}6&dry{L*4SVuKuMd2Q0Yx7_F1tzMf*;`yCuh6s7YUc+ z^BFgXc;EA59pR$1UdR#5aL8(tefVH&OC7#F>+7ZAMi0W}vb|BgwM#jddX03tCya&! 
zlDB1Cy@7)UJed=kDDf=3KW1+_Oz^7{93w=p&+19}3fcno*Cw4Sl#aWqh+VH(6t~MW zv;fyDOo>HTv%vPK*33<`QG!0fc*BH?{COX=rxqC35)^2r z-QD}moPF9jJ7}oJT=31DX=phC$I0Q6xrftNh(6rP{{me?m0K~zvuqGbH4L_=RNQ9zTb16-}^jhBoD6`00aU7o;Z;# z06R*IJwA?bfNNQwu+%;dKVfZ&uy=qSx5V|rZDV0#ypz8Qu&}Ap596*oh>D8%{Y10# zO@f=G;lgjrRBm*Xt9_hD*8lm@uoKn5xUL=)H}p*StOlCTYqq-b(U67bwIa*d5{9~B zPWrT_Fll(th}gS7s#Bucd))HIKN!3g?T`+QrBV`WA8Cz6;P9Yh0#-xT8ORybFJPNy z{xO@^$~oGLK58ZJ;jmm7k_8=;lu!M=dRfqkKI^|PwdDY|ZUS*Cc`V}cl)mZas8$%& z!vE;Nmg;N!ymGosjHxdsT*Z{oP*?6>xU~_L@nLWZ+-z$qxP0e&;|w1f$q#Z&Y`{;k z2@v4|0MOqlYWXjUZ0+C{CV@qs=20OZeX}FNyV@B*Sp#*=Se!y6@Ba8PdM_66pxCt&ZocdEOb^Fh~TdTY4IL1 zjTUkB<>^&71*MP+y)IYjamSVlXtX^t8Y3gx!!$AiiUU-g?F{{i2eONoq1INhTaD#~ zb%s?LbBog0!1FS*(Z(7PZ~dtvX##EC*Bq9DT$tB~un%kXp@<8G4v{s{5@T9!7O-%# z9RPW&I?gbTJDT-L4OuRBQSh+M)f5=%JVq4MS=$OBEFrZ)Cn; zSpL-z2~7sY1E|+lL)})>#xbzh*4h!& zi|XrUAdN`6*SOU^BqUaY!w_k9fnf&MAa4&D80c_$==1PEUaKh%3wIp47z`GrO#^*+ ztgpz#Z6=9kguu!Xd|wfX%9O9+z~oQxWd*IAdEI;Dc&od0-C4;`s8cEWy|3twDlf$Q)SMRSo6^F-krJsxH z^Y)2piinU|YpF`eF=Na)Yj&?(n!2+HVfrG|bIUq|6Bbcb<9SXWOMZXXn=(3AIn~}1 z>e!MMl;?NGaXiX^b>d*(T4?=gqsJ7ol+->+qg5$`Fd2~fbi+ad^F1ulhW zC(Ad9L>Bz~5I?Y7(NrO6UsA_F+pw1KMBzF_R#jU3C^RwzK1IKK@yM~$6vPu49j?TD zo>iHV_01IZIq4LM$+SegpvQI#zkmtyI?sT;WNv3%6}9hQNwWLgWseO0lw>Ej(hM)o z%FatlFCjCfgwK+Xno9=XDWwD!IR}2a+?szb8NZS&ujM7WO!d=}MK6`mzmy=M8~Cw{ zx6OWOVGBeA5G1FRrY9&IZ}0~IRcKiRoCU%-1K_do=65qHZ3{3ukI*SgMJstyF6O=w zKJ8a=wJfQ}Q}(Q?d$}v^*BM^*r8SLSkwYgtWrA&Q#RTg1QkNUunFsGbsLY=1iILAe z^FenraOTtHMLZuNpaJha?!T(u|KWuJB(-eS1C!r$>y4oax^j{?fp_h2Zrvzu!dbzL z6?M351^YxZ^Y=&(kL7DAuH#h(YF5X^uvQ)5(S_h9l1@THhLL z#bzo7RgopgSB)Vrsp21eqt0=={ML3fdQq8*i?}&-a`}KF#|NNMO zoaVG!a8Ty>t-T6-z+Qxmv7BP?F_B9B27CTO&6oBMnvrxmU1l(GIUZ4#{SC4r zeR)E4uTQ_V5!@6D1(Tq4D>;!tRJfp}6W-luk{@>*i*~{vatGSQ>FXEhH2s{cEaDqw z7NBpkihpXDGN0n&zf!w?WK=J~x|K=rQOTRu9`(I($f$nPU(r<^=pz!|htL65TmL$IRm=E2wu*1y-hioed(m)%XFW7#jbi;S6C%=g z{BVe$?V@x@^5(07HhEo~tAcl^S(N1YiT9_&ADHL%Ik8mpzM@d2-)ysDyf+D3cjq7N zM?8$Swz@rd52}`zTjRY^P-#?yAI`m-vlhLYRxm9SLmrTu+wu>fnlarM^2D1<>?XK4 
zw=MkWs}&7C0AQYfr@bAL+MNId0KD4?V5`)SNBV$B-yc-Zl*sKoXb{R zhA!#p?{}xKd6ef={5G8kIo*?Oh{_hQ7r({hZg*rBq2lLR`b~aZR-@=5nvS#_Jbb%lFUL*rb-ui4>;M>9vrmFITi#^Bc?6A-!2h;y6NfxOkp4Q1)c{rgG{9cpY@&VC=(Y`KO8w41`%ZPf_dDS3_sz zw&J-TRDlFr&&S%PB_54zW084QD%|bQBT971w}~MW*9kd7 zZ=P`p-C!nJrI^#KKiP;gmN)g*4TBS#LxPVV>FieE2!YTd_LPh5*M)z3HW#-TU^_|f z3{V^??5=;ym1yKP0w-wgOa!|T4zlO%pWlqV^xs-zCjv)*JNf14Z@cyg>{25d$p_?20@+U# Lo19~UoUi`@yDZ_Z diff --git a/oracle-jdk/tasks/main.yml b/oracle-jdk/tasks/main.yml index 127827c3..2ddc9648 100644 --- a/oracle-jdk/tasks/main.yml +++ b/oracle-jdk/tasks/main.yml 
@@ -15,33 +15,35 @@ tags: jdk - name: Install the latest version of Oracle JDK - apt: pkg=oracle-java{{ item }}-installer state={{ jdk_pkg_state }} force=yes + apt: pkg={{ item }} state={{ jdk_pkg_state }} force=yes + when: not jdk_use_tarfile + with_items: oracle_jdk_packages + tags: jdk + +- name: Install the extended security JCE Oracle JDK package + apt: pkg=oracle-java{{ item }}-unlimited-jce-policy state={{ jdk_pkg_state }} force=yes when: jdk_use_tarfile is not defined or not jdk_use_tarfile with_items: jdk_version + when: + - not jdk_use_tarfile + - jdk_install_strong_encryption_policy tags: jdk - name: Set the JDK default via update-alternatives apt: pkg=oracle-java{{ item }}-set-default state={{ jdk_pkg_state }} force=yes with_items: jdk_default - when: jdk_use_tarfile is not defined or not jdk_use_tarfile - notify: - Set the default Oracle JDK - when: jdk_default is defined + when: + - not jdk_use_tarfile + - jdk_default is defined + notify: Set the default Oracle JDK tags: jdk - name: Install a custom version of Oracle JDK from a tar file unarchive: src={{ jdk_tarfile }} dest={{ jdk_java_home_prefix }} - when: jdk_use_tarfile is defined and jdk_use_tarfile + when: jdk_use_tarfile tags: jdk - name: Set fact jdk_installed set_fact: jdk_installed=True - tags: [ 'jdk', 'jdk_security' ] + tags: jdk -- name: Install the strong encryption policy files - copy: src=jdk-{{ item.0 }}-{{ item.1 }} dest={{ jdk_java_home }}/jre/lib/security/{{ item.1}} mode=0444 owner=root group=root - with_nested: - - '{{ jdk_version }}' - - [ 'US_export_policy.jar', 'local_policy.jar' ] - when: jdk_install_strong_encryption_policy - tags: [ 'jdk', 'jdk_security' ] From 0df30e5cf7ac5915115ddd1395130c4bb856e4e3 Mon Sep 17 00:00:00 2001 
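Review bot: The new `Install the extended security JCE Oracle JDK package` task ends up with two `when:` keys: the old context line `when: jdk_use_tarfile is not defined or not jdk_use_tarfile` is left in place between `apt:` and `with_items: jdk_version`, and a second `when:` list is added after it. Duplicate mapping keys are invalid YAML; the loader Ansible used at the time keeps the last one silently and newer releases reject the file, so the leftover line should simply be deleted. `oracle-java{{ jdk_default }}-set-default` is now also listed in `oracle_jdk_packages`, so the separate `Set the JDK default via update-alternatives` task installs the same package a second time and one of the two is redundant. The `force=yes` retained on the new apt lines maps to apt-get's `--force-yes`, which also skips package authentication; if it is only there to get past the Oracle license prompt, a comment saying so would help the next reader decide whether it can go.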
From: Andrea Dell'Amico Date: Thu, 23 Jul 2015 19:32:54 +0200 Subject: [PATCH 02/26] library/roles: fixes to the fail2ban and iptables handlers. Remove some dependencies from the solr-tomcat-instance and tomcat-apache-requirements roles. They will need to be explicitly set. --- dnet_user_services_perms/tasks/main.yml | 17 ++++++++++++++--- fail2ban/handlers/main.yml | 2 ++ iptables/handlers/main.yml | 2 +- solr-tomcat-instance/defaults/main.yml | 3 +-- solr-tomcat-instance/meta/main.yml | 3 --- tomcat-apache-requirements/meta/main.yml | 10 +++++----- .../tasks/java-requirements.yml | 19 ++----------------- .../templates/tomcat-server.xml.j2 | 4 ++++ 8 files changed, 29 insertions(+), 31 deletions(-) delete mode 100644 solr-tomcat-instance/meta/main.yml diff --git a/dnet_user_services_perms/tasks/main.yml b/dnet_user_services_perms/tasks/main.yml index fad72845..cec4b533 100644 --- a/dnet_user_services_perms/tasks/main.yml +++ b/dnet_user_services_perms/tasks/main.yml @@ -38,6 +38,18 @@ with_items: dnet_log_directories tags: [ 'tomcat', 'dnet', 'users' ] +- name: Install additional packages, if needed + apt: pkg={{ item }} state=installed + with_items: dnet_additional_packages + when: dnet_additional_packages is defined + tags: ['dnet', 'pkgs'] + +- name: Install additional python modules, if needed + pip: name={{ item }} state=present + with_items: dnet_additional_python_modules + when: dnet_additional_python_modules is defined + tags: ['dnet', 'pkgs'] + # # Acls for the single tomcat instance # 
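Review bot: The new `Install additional python modules, if needed` task runs `pip: name={{ item }} state=present`, which pulls whatever version PyPI currently serves for each entry of `dnet_additional_python_modules` and records nothing about what was installed, so two runs of the same playbook can converge on different code. Since the list comes from the calling playbook, the least invasive fix is to document next to the variable that entries must be pinned, or to accept `{ name: ..., version: ... }` entries and pass `version={{ item.version }}` to the pip module. The matching apt task is fine as written because apt resolves against the host's configured, signed repositories.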
@@ -79,16 +91,15 @@ acl: name={{ item.0.instance_path }}/{{ item.1 }} entity={{ dnet_group }} etype=group permissions=rwx state=present when: tomcat_m_instances is defined with_nested: - - ' {{ tomcat_m_instances }}' + - '{{ tomcat_m_instances }}' - [ 'webapps', 'common', 'common/classes' ] tags: [ 'tomcat', 'dnet', 'users' ] - name: Set the default read/write permissions on the tomcat webapps and common/classes directories. multiple tomcat instances acl: name={{ item.0.instance_path }}/{{ item.1 }} entity={{ dnet_group }} etype=group permissions=rwx state=present default=yes - when: tomcat_m_instances is not defined when: tomcat_m_instances is defined with_nested: - - ' {{ tomcat_m_instances }}' + - '{{ tomcat_m_instances }}' - [ 'webapps', 'common', 'common/classes' ] tags: [ 'tomcat', 'dnet', 'users' ] diff --git a/fail2ban/handlers/main.yml b/fail2ban/handlers/main.yml index cdd2d5e8..a6b3c1a5 100644 --- a/fail2ban/handlers/main.yml +++ b/fail2ban/handlers/main.yml @@ -1,4 +1,6 @@ --- - name: Restart fail2ban service: name=fail2ban state=restarted enabled=yes + when: ( is_trusty ) or ( is_debian8 ) + diff --git a/iptables/handlers/main.yml b/iptables/handlers/main.yml index 44293ea7..150d2e9c 100644 --- a/iptables/handlers/main.yml +++ b/iptables/handlers/main.yml @@ -22,5 +22,5 @@ - name: Restart fail2ban service: name=fail2ban state=restarted enabled=yes - when: is_trusty + when: ( is_trusty ) or ( is_debian8 ) diff --git a/solr-tomcat-instance/defaults/main.yml b/solr-tomcat-instance/defaults/main.yml index 0fb55504..a3ec346a 100644 --- a/solr-tomcat-instance/defaults/main.yml +++ b/solr-tomcat-instance/defaults/main.yml @@ -1,7 +1,6 @@ --- # solr solr_http_port: 8983 -tomcat_http_port: '{{ solr_http_port }}' tomcat_load_additional_default_conf: True tomcat_version: 7 # solr needs a lot of time to start if it needs to rebuild its indices 
@@ -13,7 +12,7 @@ solr_config_name: hindex solr_shards: 1 solr_instance: '{{ solr_service }}' solr_log_level: INFO -solr_http_port_1: '{{ tomcat_http_port }}' +solr_http_port_1: '{{ solr_http_port }}' solr_zoo_port: 9983 solr_zoo_port_1: 9984 solr_zoo_port_2: 9985 diff --git a/solr-tomcat-instance/meta/main.yml b/solr-tomcat-instance/meta/main.yml deleted file mode 100644 index a30f4a7d..00000000 --- a/solr-tomcat-instance/meta/main.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -dependencies: - - role: '../../library/roles/tomcat-multiple-instances' diff --git a/tomcat-apache-requirements/meta/main.yml b/tomcat-apache-requirements/meta/main.yml index f3b1ad18..891b1941 100644 --- a/tomcat-apache-requirements/meta/main.yml +++ b/tomcat-apache-requirements/meta/main.yml @@ -1,8 +1,8 @@ --- -dependencies: - - role: '../../library/roles/oracle-jdk' - - role: '../../library/roles/apache' - - role: '../../library/roles/tomcat' - when: tomcat_m_instances is not defined +#dependencies: +# - role: '../../library/roles/oracle-jdk' +# - role: '../../library/roles/apache' +# - role: '../../library/roles/tomcat' +# when: tomcat_m_instances is not defined # - role: '../../library/roles/tomcat-multiple-instances' # when: tomcat_m_instances diff --git a/tomcat-apache-requirements/tasks/java-requirements.yml b/tomcat-apache-requirements/tasks/java-requirements.yml index c065d71a..5396df20 100644 --- a/tomcat-apache-requirements/tasks/java-requirements.yml +++ b/tomcat-apache-requirements/tasks/java-requirements.yml 
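Review bot: Commenting out every line of `tomcat-apache-requirements/meta/main.yml` leaves a file that parses to `null` and carries no hint of why the role no longer pulls in oracle-jdk, apache and tomcat; the commit message says callers must now set them explicitly, but nothing in the role says so. Either delete the file, as this commit does for `solr-tomcat-instance/meta/main.yml`, or keep `dependencies: []` with a comment such as `# No implicit dependencies: playbooks must include oracle-jdk, apache and tomcat (or tomcat-multiple-instances) themselves`.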
@@ -1,23 +1,8 @@ --- -- name: Install the apache proxy modules needed for tomcat - file: src=/etc/apache2/mods-available/{{ item }} dest=/etc/apache2/mods-enabled/{{ item }} state=link - with_items: - - proxy.load - - proxy_http.load - - proxy_ajp.load - notify: apache2 reload - tags: - - apache - - dnet - - name: Ensure that the jre/lib/endorsed exists file: dest={{ jdk_java_home }}/jre/lib/endorsed state=directory owner=root group=root mode=0755 - tags: - - apache - - dnet + tags: apache - name: Install the xercesImpl.jar needed by the dnet applications copy: src=xercesImpl.jar dest={{ jdk_java_home }}/jre/lib/endorsed/xercesImpl.jar owner=root group=root mode=0644 - tags: - - apache - - dnet + tags: apache diff --git a/tomcat-multiple-instances/templates/tomcat-server.xml.j2 b/tomcat-multiple-instances/templates/tomcat-server.xml.j2 index 0c8d6968..d4f70d3f 100644 --- a/tomcat-multiple-instances/templates/tomcat-server.xml.j2 +++ b/tomcat-multiple-instances/templates/tomcat-server.xml.j2 @@ -16,7 +16,11 @@ limitations under the License. --> +{% if item.shutdown_port == '-1' %} + +{% else %} + {% endif %} From c20347be10a0ecd420f5cd5f9f3de32024bc6fd1 Mon Sep 17 00:00:00 2001 From: Andrea Dell'Amico Date: Thu, 23 Jul 2015 22:05:06 +0200 Subject: [PATCH 03/26] library/roles/ubuntu-deb-general/defaults/main.yml: Install sudo. Not installed by default on debian. --- ubuntu-deb-general/defaults/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/ubuntu-deb-general/defaults/main.yml b/ubuntu-deb-general/defaults/main.yml index 8aefed53..ad574eec 100644 --- a/ubuntu-deb-general/defaults/main.yml +++ b/ubuntu-deb-general/defaults/main.yml @@ -23,6 +23,7 @@ common_packages: - tree - bind9-host - bash-completion + - sudo # Unattended upgrades unatt_allowed_origins: From b9f91eeb4c4df87029e02fe4c5e4b7b8388a3387 Mon Sep 17 00:00:00 2001 
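Review bot: This hunk drops the `Install the apache proxy modules needed for tomcat` task (the `proxy`, `proxy_http` and `proxy_ajp` symlinks and the `apache2 reload` notify) together with the `dnet` tag, but the commit message only mentions removing role dependencies. If the task moved into the apache role or elsewhere the message should say where; if it was removed on purpose, hosts that relied on this file to enable the proxy modules will stop getting them. Dropping the `dnet` tag also means `--tags dnet` no longer runs the endorsed-directory and xercesImpl.jar tasks, which deserves a line in the message as well. The tomcat-server.xml.j2 hunk of this commit appears truncated in this view (no XML between the Jinja `if`/`else`), so it is not reviewed here.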
From: Andrea Dell'Amico Date: Thu, 23 Jul 2015 22:55:24 +0200 Subject: [PATCH 04/26] library/roles/postfix-relay: All the actions are by default disabled. dnet-openaire: configure the puma development VM as a relay client. --- postfix-relay/defaults/main.yml | 6 ++++-- postfix-relay/tasks/main.yml | 5 ++++- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/postfix-relay/defaults/main.yml b/postfix-relay/defaults/main.yml index 15e1a0b3..3e716cab 100644 --- a/postfix-relay/defaults/main.yml +++ b/postfix-relay/defaults/main.yml @@ -1,3 +1,6 @@ +--- +# Set it to true when you want configure your machine to send email to a relay +postfix_relay_client: False postfix_biff: "no" postfix_append_dot_mydomain: "no" postfix_use_relay_host: True @@ -6,7 +9,7 @@ postfix_use_sasl_auth: True postfix_smtp_sasl_auth_enable: "yes" postfix_smtp_create_relay_user: True # See vars/isti-global.yml -postfix_relay_host: smtp-relay.research-infrastructures.eu +postfix_relay_host: smtp-relay.example.com postfix_relay_port: 587 postfix_default_destination_concurrency_limit: 20 #postfix_smtp_relay_user: smtp-user @@ -15,7 +18,6 @@ postfix_default_destination_concurrency_limit: 20 # The following options are used only whe postfix_relay_server is set to True postfix_relay_server: False -#postfix_mynetworks: '{{ network.nmis }}, hash:/etc/postfix/network_table' postfix_mynetworks: hash:/etc/postfix/network_table postfix_interfaces: all postfix_inet_protocols: all diff --git a/postfix-relay/tasks/main.yml b/postfix-relay/tasks/main.yml index c0a9445f..609f4e0f 100644 --- a/postfix-relay/tasks/main.yml +++ b/postfix-relay/tasks/main.yml @@ -1,6 +1,9 @@ --- - include: smtp-common-packages.yml + when: postfix_relay_client - include: smtp-sasl-auth.yml - when: postfix_use_sasl_auth + when: + - postfix_use_sasl_auth + - postfix_relay_client - include: postfix-relay-server.yml when: postfix_relay_server From 550d02fc4825a9d625a2380ad8637f083179eb15 Mon Sep 17 00:00:00 2001 
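Review bot: `smtp-common-packages.yml` is now included only `when: postfix_relay_client`, while `postfix-relay-server.yml` is still included on `postfix_relay_server` alone; if the server include relies on packages or configuration from the common file (its contents are outside this diff), a host with only `postfix_relay_server: True` will no longer get them. Either gate the common include on `postfix_relay_client or postfix_relay_server`, or state in the defaults comment that a relay server must also set `postfix_relay_client`. The new comment reads `when you want configure your machine`; `when you want to configure this machine to send mail through a relay` is clearer.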
From: Andrea Dell'Amico Date: Fri, 24 Jul 2015 12:00:37 +0200 Subject: [PATCH 05/26] library/roles/d4s_user_services_perms: Install a README file inside the gcube home directory. Set up acls so that the gcube user can read/write the tomcat options files. --- d4s_user_services_perms/README.md | 9 +++++++++ d4s_user_services_perms/defaults/main.yml | 4 ++++ d4s_user_services_perms/tasks/main.yml | 22 +++++++++++++++++++++ d4s_user_services_perms/templates/README.j2 | 8 ++++++++ 4 files changed, 43 insertions(+) create mode 100644 d4s_user_services_perms/templates/README.j2 diff --git a/d4s_user_services_perms/README.md b/d4s_user_services_perms/README.md index 7bf646d2..17649040 100644 --- a/d4s_user_services_perms/README.md +++ b/d4s_user_services_perms/README.md @@ -1,3 +1,12 @@ This role assumes that only one tomcat instance is defined and running on the system. Important note: the variable 'http_port' needs to be defined earlier in the calling playbook. + +What the role does: + +- Install the sudoers config that permits the tomcat user to restart +the service +- Install the script that allows the tomcat user to start and stop the +service without using the full path +- Install the README file that explains where the options files are +placed and how start/stop the service diff --git a/d4s_user_services_perms/defaults/main.yml b/d4s_user_services_perms/defaults/main.yml index aa65e71a..59d4a1b7 100644 --- a/d4s_user_services_perms/defaults/main.yml +++ b/d4s_user_services_perms/defaults/main.yml @@ -1,3 +1,7 @@ --- d4science_user: gcube d4science_user_home: '/home/{{ d4science_user }}' + +d4science_tomcat_options_files: + - '/etc/default/tomcat-instance-{{ item.0.http_port }}' + - '/etc/default/tomcat-instance-{{ item.0.http_port }}.local' diff --git a/d4s_user_services_perms/tasks/main.yml b/d4s_user_services_perms/tasks/main.yml index 687eae1f..58cd4891 100644 --- a/d4s_user_services_perms/tasks/main.yml +++ b/d4s_user_services_perms/tasks/main.yml 
@@ -9,3 +9,25 @@ - '{{ tomcat_m_instances }}' - [ 'startContainer.sh', 'stopContainer.sh' ] tags: [ 'tomcat', 'd4science', 'sudo' ] + +- name: Install the README file that explains where the options files are placed and how start/stop the service + template: src={{ item.1 }}.j2 dest={{ item.0.user_home }}/{{ item.1 }} owner={{ item.0.user }} group={{ item.0.user }} mode=0444 + with_nested: + - '{{ tomcat_m_instances }}' + - [ 'README' ] + tags: [ 'tomcat', 'd4science', 'd4s_readme' ] + +- name: Set the read/write permissions on the tomcat default options files + acl: name={{ item.1 }} entity={{ item.0.user }} etype=user permissions=rw state=present + with_nested: + - '{{ tomcat_m_instances }}' + - '{{ d4science_tomcat_options_files }}' + tags: [ 'tomcat', 'd4science', 'acl' ] + +- name: Set the default read/write permissions on the tomcat default options files + acl: name={{ item.1 }} entity={{ item.0.user }} etype=user permissions=rw state=present default=yes + with_nested: + - '{{ tomcat_m_instances }}' + - '{{ d4science_tomcat_options_files }}' + tags: [ 'tomcat', 'd4science', 'acl' ] + diff --git a/d4s_user_services_perms/templates/README.j2 b/d4s_user_services_perms/templates/README.j2 new file mode 100644 index 00000000..52448f5b --- /dev/null +++ b/d4s_user_services_perms/templates/README.j2 @@ -0,0 +1,8 @@ +The java options are set inside /etc/default/tomcat-instance-{{ item.0.http_port }} +The GHN environment variables are set inside /etc/default/tomcat-instance-{{ item.0.http_port }}.local + +The commands that start and stop the containers are: +/home/gcube/startContainer.sh +/home/gcube/stopContainer.sh + +The log files live inside /home/gcube/tomcat/logs (it's a symbolic link to {{ tomcat_m_instances_logdir_base }}/{{ item.0.http_port }}) From 29aab30b458f06cab6efa962dc500e393726b84e Mon Sep 17 00:00:00 2001 
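Review bot: The `Set the default read/write permissions on the tomcat default options files` task applies `default=yes` to `/etc/default/tomcat-instance-{{ item.0.http_port }}` and its `.local` twin, which are regular files; default ACLs exist only on directories, so setfacl rejects the call and the task fails wherever the files exist. The non-default task just above already grants `rw` to the user, so the `default=yes` task can simply be dropped. The README task loops `with_nested` over `tomcat_m_instances` and the one-element list `[ 'README' ]`; `with_items: tomcat_m_instances` with `src=README.j2 dest={{ item.user_home }}/README` does the same with less indirection.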
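Review bot: `README.j2` hardcodes `/home/gcube/startContainer.sh`, `/home/gcube/stopContainer.sh` and `/home/gcube/tomcat/logs`, while the task that renders it writes to `{{ item.0.user_home }}` and the role's defaults derive the home directory from `d4science_user`; a deployment that changes the user gets a README pointing at paths that do not exist. Use the same source of truth in the template, e.g. `{{ item.0.user_home }}/startContainer.sh`, and the same for the stop script and the logs line.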
From: Andrea Dell'Amico Date: Fri, 24 Jul 2015 12:46:24 +0200 Subject: [PATCH 06/26] library/roles/ubuntu-deb-general/tasks/packages.yml: use a specific tag to identify the task that installs the common packages library/roles/d4s_user_services_perms/tasks/main.yml: Fix the acl tasks --- d4s_user_services_perms/tasks/main.yml | 22 +++++++++++++--------- ubuntu-deb-general/tasks/packages.yml | 3 +-- 2 files changed, 14 insertions(+), 11 deletions(-) diff --git a/d4s_user_services_perms/tasks/main.yml b/d4s_user_services_perms/tasks/main.yml index 58cd4891..7505dc46 100644 --- a/d4s_user_services_perms/tasks/main.yml +++ b/d4s_user_services_perms/tasks/main.yml 
@@ -17,17 +17,21 @@ - [ 'README' ] tags: [ 'tomcat', 'd4science', 'd4s_readme' ] +# - name: Set the read/write permissions on the tomcat default options files +# acl: name={{ item.1 }} entity={{ item.0.user }} etype=user permissions=rw state=present +# with_nested: +# - '{{ tomcat_m_instances }}' +# - '{{ d4science_tomcat_options_files }}' +# tags: [ 'tomcat', 'd4science', 'acl' ] + - name: Set the read/write permissions on the tomcat default options files - acl: name={{ item.1 }} entity={{ item.0.user }} etype=user permissions=rw state=present - with_nested: - - '{{ tomcat_m_instances }}' - - '{{ d4science_tomcat_options_files }}' + acl: name=/etc/default/tomcat-instance-{{ item.http_port }} entity={{ item.user }} etype=user permissions=rw state=present + with_items: tomcat_m_instances tags: [ 'tomcat', 'd4science', 'acl' ] -- name: Set the default read/write permissions on the tomcat default options files - acl: name={{ item.1 }} entity={{ item.0.user }} etype=user permissions=rw state=present default=yes - with_nested: - - '{{ tomcat_m_instances }}' - - '{{ d4science_tomcat_options_files }}' +- name: Set the read/write permissions on the tomcat default local options files + acl: name=/etc/default/tomcat-instance-{{ item.http_port }}.local entity={{ item.user }} etype=user permissions=rw state=present + with_items: tomcat_m_instances tags: [ 'tomcat', 'd4science', 'acl' ] + diff --git a/ubuntu-deb-general/tasks/packages.yml b/ubuntu-deb-general/tasks/packages.yml index 952e29aa..52ff5ae5 100644 --- a/ubuntu-deb-general/tasks/packages.yml +++ b/ubuntu-deb-general/tasks/packages.yml @@ -76,8 +76,7 @@ apt: pkg={{ item }} state=installed when: has_apt with_items: common_packages - tags: - - packages + tags: [ 'packages', 'common_pkgs' ] - name: Install the ntp server apt: pkg=ntp state=installed From cd4ce10bcac9825f04e28040299ff4f6e3d26b2a Mon Sep 17 00:00:00 2001 
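Review bot: The six commented-out lines of the old `Set the read/write permissions` task are kept in the file in this hunk; the rewritten task below replaces them, so the dead block should be deleted rather than left as `#` lines, since git history already holds the old version. With the `with_nested` form gone, the `d4science_tomcat_options_files` default added in the previous commit appears to have no remaining consumer; if that is so, remove it from `defaults/main.yml` in the same change (that file is outside this diff). The two new tasks differ only in the `.local` suffix, so one task looping `with_nested` over `tomcat_m_instances` and `[ '', '.local' ]` would avoid repeating the acl line, though the explicit form is also readable.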
From: Andrea Dell'Amico Date: Tue, 28 Jul 2015 19:27:25 +0200 Subject: [PATCH 07/26] library/roles/ubuntu-deb-general: Various fixes --- fail2ban/tasks/main.yml | 6 +++--- ubuntu-deb-general/defaults/main.yml | 10 ++++++++++ ubuntu-deb-general/tasks/denyhost.yml | 12 ----------- .../tasks/install_external_ca_cert.yml | 7 ++++--- ubuntu-deb-general/tasks/main.yml | 5 ++--- ubuntu-deb-general/tasks/ntp.yml | 9 +++++++++ ubuntu-deb-general/tasks/packages.yml | 20 ++++++------------- 7 files changed, 34 insertions(+), 35 deletions(-) create mode 100644 ubuntu-deb-general/tasks/ntp.yml diff --git a/fail2ban/tasks/main.yml b/fail2ban/tasks/main.yml index 57488351..4cf02202 100644 --- a/fail2ban/tasks/main.yml +++ b/fail2ban/tasks/main.yml @@ -1,5 +1,5 @@ --- - include: fail2ban.yml - when: ( is_trusty ) or ( is_debian8 ) - - + when: + - is_trusty + - is_debian8 diff --git a/ubuntu-deb-general/defaults/main.yml b/ubuntu-deb-general/defaults/main.yml index ad574eec..5ebb13bc 100644 --- a/ubuntu-deb-general/defaults/main.yml +++ b/ubuntu-deb-general/defaults/main.yml @@ -5,6 +5,7 @@ use_apt_proxy: False apt_proxy_url: "http://apt.research-infrastructures.eu:9999" +pkg_state: installed common_packages: - acl - zile @@ -25,6 +26,11 @@ common_packages: - bash-completion - sudo +# Set this variable in your playbook +# additional_packages: +# - pkg1 +# - pkg2 + # Unattended upgrades unatt_allowed_origins: - '${distro_id}:${distro_codename}-security' @@ -82,6 +88,10 @@ configure_munin: False # Manage the root ssh keys manage_root_ssh_keys: False +install_external_ca_files: True +external_ca_dest_dir: /etc/ssl/certs +external_ca_list: + - { url: "https://security.fi.infn.it/CA/mgt/INFNCA.pem", dest_file: '{{ external_ca_dest_dir }}/infn-ca.pem' } # # debian/ubuntu distributions controllers # diff --git a/ubuntu-deb-general/tasks/denyhost.yml b/ubuntu-deb-general/tasks/denyhost.yml index 8c834d45..d3a92105 100644 --- a/ubuntu-deb-general/tasks/denyhost.yml 
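Review bot: Rewriting `when: ( is_trusty ) or ( is_debian8 )` as the list `when: - is_trusty - is_debian8` changes the logic: the entries of a `when` list are AND-ed, so `fail2ban.yml` is now included only on a host that is both Ubuntu trusty and Debian 8, i.e. never, and fail2ban silently stops being installed. Keep the boolean expression, `when: is_trusty or is_debian8`, as the `ubuntu-deb-general/tasks/main.yml` hunk in this same commit correctly does for the denyhost include. The fail2ban and iptables handlers still use the `or` form, so only this include is affected.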
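Review bot: `install_external_ca_files: True` makes every host that applies ubuntu-deb-general download and install the INFN CA by default, which adds a trust anchor to machines that may have nothing to do with that infrastructure; a default of `False` with the opt-in in the site vars would be safer, or at minimum a comment above the variable stating that a CA is being trusted system-wide. `external_ca_list` entries carry only `url` and `dest_file`, so the download is never checked against a known digest; adding a per-entry `sha256sum` field and passing it through as `sha256sum={{ item.sha256sum }}` on the `get_url` task pins the certificate content to what was reviewed.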
+++ b/ubuntu-deb-general/tasks/denyhost.yml @@ -3,33 +3,21 @@ apt: pkg={{ item }} state=installed with_items: - denyhosts - when: - - is_debian_7_or_older - - is_ubuntu_less_than_trusty tags: denyhosts - name: ensure CM can access the VMs action: | lineinfile name=/etc/hosts.allow regexp="sshd: 146.48.123.18$" line="sshd: 146.48.123.18" - when: - - is_debian_7_or_older - - is_ubuntu_less_than_trusty tags: denyhosts - name: ensure Monitoring can connect via ssh action: | lineinfile name=/etc/hosts.allow regexp="sshd: 146.48.123.23$" line="sshd: 146.48.123.23" - when: - - is_debian_7_or_older - - is_ubuntu_less_than_trusty tags: denyhosts - name: Set the treshold for root on the denyhosts config file lineinfile: | name=/etc/denyhosts.conf regexp="^DENY_THRESHOLD_ROOT = " line="DENY_THRESHOLD_ROOT = 5" - when: - - is_debian_7_or_older - - is_ubuntu_less_than_trusty notify: Restart denyhosts tags: denyhosts diff --git a/ubuntu-deb-general/tasks/install_external_ca_cert.yml b/ubuntu-deb-general/tasks/install_external_ca_cert.yml index b74e0354..c90d7752 100644 --- a/ubuntu-deb-general/tasks/install_external_ca_cert.yml +++ b/ubuntu-deb-general/tasks/install_external_ca_cert.yml @@ -1,6 +1,7 @@ --- - name: Install the INFN CA certificate - get_url: url=https://security.fi.infn.it/CA/mgt/INFNCA.pem dest=/etc/ssl/certs/infn-ca.pem - tags: - - ca + get_url: url={{ item.url }} dest={{ item.dest_file }} + with_items: external_ca_list + when: install_external_ca_files + tags: ca diff --git a/ubuntu-deb-general/tasks/main.yml b/ubuntu-deb-general/tasks/main.yml index 2ba84e34..36bdd54a 100644 --- a/ubuntu-deb-general/tasks/main.yml +++ b/ubuntu-deb-general/tasks/main.yml 
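Review bot: The task keeps the name `Install the INFN CA certificate` although it now loops over `external_ca_list`; `Install the external CA certificates` describes what actually runs. More importantly, a PEM written into `/etc/ssl/certs` by `get_url` is not found by OpenSSL's hashed lookup until the directory is rehashed, and on Debian/Ubuntu that directory is managed by `update-ca-certificates`, which rebuilds it from `/usr/local/share/ca-certificates/*.crt`; installing the file there and notifying a handler that runs `update-ca-certificates` makes the CA trusted rather than merely present on disk. Whether the consumers of this CA read `{{ item.dest_file }}` directly by path cannot be told from this diff; if they do, the name fix alone is enough.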
@@ -3,15 +3,14 @@ - include: resolvconf.yml when: install_resolvconf - include: packages.yml +- include: ntp.yml - include: remove-unneeded-pkgs.yml - include: manage-ipv6-status.yml when: is_not_debian_less_than_6 - include: disable-ipv6-old-servers.yml when: disable_ipv6 - include: denyhost.yml - when: - - is_debian_7_or_older - - is_ubuntu_less_than_trusty + when: is_debian_7_or_older or is_ubuntu_less_than_trusty - include: munin.yml when: configure_munin - include: pubkeys.yml diff --git a/ubuntu-deb-general/tasks/ntp.yml b/ubuntu-deb-general/tasks/ntp.yml new file mode 100644 index 00000000..46a6692c --- /dev/null +++ b/ubuntu-deb-general/tasks/ntp.yml @@ -0,0 +1,9 @@ +--- +- name: Install the ntp server + apt: pkg=ntp state={{ pkg_state }} + tags: [ 'packages', 'ntp' ] + +- name: Ensure that the ntp server is running + service: name=ntp state=started enabled=yes + tags: [ 'packages', 'ntp' ] + diff --git a/ubuntu-deb-general/tasks/packages.yml b/ubuntu-deb-general/tasks/packages.yml index 52ff5ae5..2b8241a4 100644 --- a/ubuntu-deb-general/tasks/packages.yml +++ b/ubuntu-deb-general/tasks/packages.yml @@ -69,24 +69,16 @@ apt: update_cache=yes when: update_apt_cache.changed ignore_errors: True - tags: - - packages + tags: packages - name: install common packages - apt: pkg={{ item }} state=installed + apt: pkg={{ item }} state={{ pkg_state }} when: has_apt with_items: common_packages tags: [ 'packages', 'common_pkgs' ] -- name: Install the ntp server - apt: pkg=ntp state=installed - tags: - - packages - - ntp - -- name: Ensure that the ntp server is running - service: name=ntp state=started - tags: - - packages - - ntp +- name: Install additional packages, if any + apt: pkg={{ item }} state={{ pkg_state }} + with_items: additional_packages + tags: [ 'packages', 'common_pkgs' ] From bee4f5f42073f31ff39e107d14162a279f824b0e Mon Sep 17 00:00:00 2001 
From: Andrea Dell'Amico Date: Fri, 31 Jul 2015 16:31:09 +0200 Subject: [PATCH 08/26] infrastructure-services: a playbook that configures an HVM and installs vagrant and virtualbox on it. --- ubuntu-deb-general/tasks/packages.yml | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/ubuntu-deb-general/tasks/packages.yml b/ubuntu-deb-general/tasks/packages.yml index 2b8241a4..9878ca49 100644 --- a/ubuntu-deb-general/tasks/packages.yml +++ b/ubuntu-deb-general/tasks/packages.yml 
@@ -28,42 +28,42 @@ apt_repository: repo='deb http://http.debian.net/debian-backports squeeze-backports main' state=present register: update_apt_cache when: is_debian6 - tags: - - squeeze-backports + tags: squeeze-backports - name: Install the squeeze-lts repository on debian 6 apt_repository: repo='deb http://http.debian.net/debian squeeze-lts main contrib non-free' state=present register: update_apt_cache when: is_debian6 - tags: - - squeeze-lts + tags: squeeze-lts - name: Install the backports repository on debian 7 apt_repository: repo='deb http://http.debian.net/debian wheezy-backports main' state=present register: update_apt_cache when: is_debian7 - tags: - - wheezy-backports + tags: wheezy-backports + +- name: Install the wheezy-lts repository on debian 7 + apt_repository: repo='deb http://http.debian.net/debian wheezy-lts main contrib non-free' state=present + register: update_apt_cache + when: is_debian7 + tags: wheeze-lts - name: Install the backports repository on debian 8 apt_repository: repo='deb http://http.debian.net/debian jessie-backports main' state=present register: update_apt_cache when: is_debian8 - tags: - - wheezy-backports + tags: jessie-backports - name: apt key for the internal ppa repository apt_key: url=http://ppa.research-infrastructures.eu/system/keys/system-archive.asc state=present when: is_ubuntu - tags: - - packages + tags: packages - name: setup system apt repository apt_repository: repo='deb http://ppa.research-infrastructures.eu/system stable main' register: update_apt_cache when: is_ubuntu - tags: - - packages + tags: packages - name: Update the apt cache apt: update_cache=yes @@ -80,5 +80,5 @@ - name: Install additional packages, if any apt: pkg={{ item }} state={{ pkg_state }} with_items: additional_packages - tags: [ 'packages', 'common_pkgs' ] + tags: [ 'packages', 'common_pkgs', 'additional_packages' ] From 72e03b7851b245142150c3e8923952763b551361 Mon Sep 17 00:00:00 2001 
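Review bot: The `apt key for the internal ppa repository` task retagged here still fetches the signing key over plain `http://ppa.research-infrastructures.eu/...`, so anyone on the path can substitute the key and every package served from that repository is then trusted on the host; fetch it over https, or ship the key in the role and install it with `apt_key: data="{{ lookup('file', 'system-archive.asc') }}" state=present`. The new wheezy-lts task is tagged `wheeze-lts`, which breaks the `squeeze-lts`/`wheezy-backports` naming and means `--tags wheezy-lts` skips it; change it to `tags: wheezy-lts`. The Debian mirror URLs are also http, but those repositories are verified against the Debian archive keyring, so that part is fine.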
From: Andrea Dell'Amico Date: Sat, 1 Aug 2015 12:57:03 +0200 Subject: [PATCH 09/26] library/roles/fail2ban: Fix the tests on the distributions versions, again. infrastructure-services/group_vars/images_provider/main.yml: Install the linux kernel headers, otherwise the virtualbox modules aren't compiled. --- fail2ban/tasks/main.yml | 4 +--- ubuntu-deb-general/tasks/main.yml | 4 +++- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/fail2ban/tasks/main.yml b/fail2ban/tasks/main.yml index 4cf02202..3990764e 100644 --- a/fail2ban/tasks/main.yml +++ b/fail2ban/tasks/main.yml @@ -1,5 +1,3 @@ --- - include: fail2ban.yml - when: - - is_trusty - - is_debian8 + when: ( is_trusty ) or ( is_debian8 ) diff --git a/ubuntu-deb-general/tasks/main.yml b/ubuntu-deb-general/tasks/main.yml index 36bdd54a..0c2d74d9 100644 --- a/ubuntu-deb-general/tasks/main.yml +++ b/ubuntu-deb-general/tasks/main.yml @@ -10,7 +10,9 @@ - include: disable-ipv6-old-servers.yml when: disable_ipv6 - include: denyhost.yml - when: is_debian_7_or_older or is_ubuntu_less_than_trusty + when: + - is_debian_7_or_older + - is_ubuntu_less_than_trusty - include: munin.yml when: configure_munin - include: pubkeys.yml From abf68e19e5c2daf98ccb494e2bcdf609b269cbe1 Mon Sep 17 00:00:00 2001 From: Andrea Dell'Amico Date: Wed, 5 Aug 2015 19:14:03 +0200 Subject: [PATCH 10/26] library/roles/mysql: Fix the backup script. Now it finds the installed databases in a sane way. library/roles/nginx: Option to activate the gzip compression. --- mediawiki/defaults/main.yml | 1 + mysql/defaults/main.yml | 1 + mysql/files/mysql-backup.sh | 39 ++++++++++++------------- mysql/templates/mysql_backup-default.j2 | 2 ++ nginx/defaults/main.yml | 8 +++++ nginx/tasks/nginx.yml | 23 ++++++++------- 6 files changed, 42 insertions(+), 32 deletions(-) diff --git a/mediawiki/defaults/main.yml b/mediawiki/defaults/main.yml index 26dc76c3..47b87079 100644 --- a/mediawiki/defaults/main.yml +++ b/mediawiki/defaults/main.yml 
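Review bot: Turning the denyhost include condition into a list makes it `is_debian_7_or_older AND is_ubuntu_less_than_trusty`, which no host can satisfy, so denyhosts is no longer installed on any of the older systems the include exists for (the fail2ban change in the same commit goes the other way, back to `or`). If the `or` form was dropped because the string-valued `is_*` variables do not evaluate inside a compound expression, test the facts directly: `when: (ansible_distribution == 'Debian' and ansible_distribution_major_version|int <= 7) or (ansible_distribution == 'Ubuntu' and ansible_distribution_version|version_compare('14.04', '<'))`. Whichever form is kept, a comment `# list items are ANDed, not ORed` above it would stop this from flip-flopping between commits.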
@@ -16,6 +16,7 @@ mw_php_prereq: - php5-mysqlnd - php-apc - php-pear + - php5-ldap - imagemagick # This choice is not recommended. The package has a poor list of dependencies. We do not want to deal with those diff --git a/mysql/defaults/main.yml b/mysql/defaults/main.yml index 21a3e9e6..cdea08a8 100644 --- a/mysql/defaults/main.yml +++ b/mysql/defaults/main.yml @@ -43,4 +43,5 @@ mysql_backup_logdir: '{{ mysql_log_dir }}' mysql_backup_logfile: '{{ mysql_backup_logdir }}/my_backup.log' mysql_backup_retain_copies: 15 mysql_backup_destdir: /var/lib/mysql-backup +mysql_backup_exclude_list: "performance_schema" diff --git a/mysql/files/mysql-backup.sh b/mysql/files/mysql-backup.sh index e08cbb74..463bebad 100644 --- a/mysql/files/mysql-backup.sh +++ b/mysql/files/mysql-backup.sh @@ -6,6 +6,8 @@ MY_BACKUP_USE_NAGIOS="False" MY_BACKUP_DIR=/var/lib/mysql-backup MY_DATA_DIR=/var/lib/mysql N_DAYS_TO_SPARE=7 +# Exclude list +EXCLUDE_LIST='performance_schema' if [ -f /etc/default/mysql_backup ] ; then . /etc/default/mysql_backup 
@@ -33,33 +35,28 @@ fi chmod 700 $MY_BACKUP_DIR LOCKFILE=$MY_DATA_DIR/.mysqldump.lock NAGIOS_LOG=$MY_BACKUP_DIR/.nagios-status -# Exclude list -EXCLUDE_LIST='performance_schema' if [ ! -f $LOCKFILE ] ; then touch $LOCKFILE if [ "${MY_BACKUP_USE_NAGIOS}" == "True" ] ; then > $NAGIOS_LOG fi - for db in $( /bin/ls -1 /var/lib/mysql/ | grep -v $EXCLUDE_LIST ) ; do - if [ -d /var/lib/mysql/$db ] ; then - #mysqldump -uroot -f --opt -p$MYSQLPASS $db > $MY_BACKUP_DIR/$db.sql 2> $MY_BACKUP_DIR/log/$db.log - mysqldump -f --opt $db > $MY_BACKUP_DIR/history/${db}.sql.${SAVE_TIME} 2> $MY_BACKUP_LOG_DIR/$db.log - DUMP_RESULT=$? - chmod 600 $MY_BACKUP_DIR/history/${db}.sql.${SAVE_TIME} - if [ "${MY_BACKUP_USE_NAGIOS}" == "True" ] ; then - if [ $DUMP_RESULT -ne 0 ] ; then - echo "$db:FAILED" >> $NAGIOS_LOG - RETVAL=$DUMP_RESULT - else - echo "$db:OK" >> $NAGIOS_LOG - fi - fi - pushd ${MY_BACKUP_DIR}/ >/dev/null 2>&1 - rm -f $db.sql - ln -s $MY_BACKUP_DIR/history/${db}.sql.${SAVE_TIME} ./$db.sql - popd >/dev/null 2>&1 - fi + for db in $( mysql -Bse "show databases;" | grep -v $EXCLUDE_LIST ) ; do + mysqldump -f --flush-privileges --opt $db > $MY_BACKUP_DIR/history/${db}.sql.${SAVE_TIME} 2> $MY_BACKUP_LOG_DIR/$db.log + DUMP_RESULT=$? + chmod 600 $MY_BACKUP_DIR/history/${db}.sql.${SAVE_TIME} + if [ "${MY_BACKUP_USE_NAGIOS}" == "True" ] ; then + if [ $DUMP_RESULT -ne 0 ] ; then + echo "$db:FAILED" >> $NAGIOS_LOG + RETVAL=$DUMP_RESULT + else + echo "$db:OK" >> $NAGIOS_LOG + fi + fi + pushd ${MY_BACKUP_DIR}/ >/dev/null 2>&1 + rm -f $db.sql + ln -s $MY_BACKUP_DIR/history/${db}.sql.${SAVE_TIME} ./$db.sql + popd >/dev/null 2>&1 done # Do a "flush-hosts" after the backup mysqladmin flush-hosts 2> $MY_BACKUP_LOG_DIR/flush-hosts.log diff --git a/mysql/templates/mysql_backup-default.j2 b/mysql/templates/mysql_backup-default.j2 index 3eccc710..b189f3d6 100644 --- a/mysql/templates/mysql_backup-default.j2 +++ b/mysql/templates/mysql_backup-default.j2 
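Review bot: `grep -v $EXCLUDE_LIST` is unquoted and unanchored: now that EXCLUDE_LIST comes from /etc/default/mysql_backup under a name that invites several databases, a second word becomes a filename argument to grep, and a single word is matched as a substring of any database name. Build an anchored alternation instead, `grep -vxE "${EXCLUDE_LIST// /|}"` (the script already depends on bash through pushd/popd). `show databases` also returns `information_schema`, which the old `ls /var/lib/mysql` loop never saw and which mysqldump may refuse to dump depending on the server version, so either add it to the default exclude list or expect a `FAILED` entry in the nagios status. The dump file is created under the process umask and only then `chmod 600`, so put `umask 077` before the loop so the dump is never readable by other users, even briefly.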
@@ -4,3 +4,5 @@ MY_BACKUP_LOG_FILE='{{ mysql_backup_logfile}}' N_DAYS_TO_SPARE='{{ mysql_backup_retain_copies }}' MY_BACKUP_DIR='{{ mysql_backup_destdir }}' MY_DATA_DIR='{{ mysql_data_dir }}' +# Exclude list +EXCLUDE_LIST='{{ mysql_backup_exclude_list }}' diff --git a/nginx/defaults/main.yml b/nginx/defaults/main.yml index 657faf3e..b6000f04 100644 --- a/nginx/defaults/main.yml +++ b/nginx/defaults/main.yml @@ -5,6 +5,14 @@ nginx_ldap_uri: "ldap://ldap.sub.research-infrastructures.eu" nginx_ldap_base_dn: "dc=research-infrastructures,dc=eu" nginx_enabled: "Yes" +nginx_enable_compression: True +nginx_gzip_vary: "on" +nginx_gzip_proxied: any +nginx_gzip_comp_level: 6 +nginx_gzip_buffers: 16 8k +nginx_gzip_http_version: 1.1 +nginx_gzip_types: "text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript" + nginx_proxy_buffering: "on" nginx_proxy_redirect: "off" nginx_proxy_buffer_size: 128k diff --git a/nginx/tasks/nginx.yml b/nginx/tasks/nginx.yml index cf62d3f3..f5df3143 100644 --- a/nginx/tasks/nginx.yml +++ b/nginx/tasks/nginx.yml 
@@ -4,25 +4,26 @@ with_items: - nginx-full when: not nginx_use_ldap_pam_auth - tags: - - nginx + tags: nginx - name: Install the nginx web server if we need ldap auth via pam apt: pkg={{ item }} state=installed - with_items: + with_items: - nginx-extras when: nginx_use_ldap_pam_auth - tags: - - nginx + tags: nginx - name: remove nginx default config file: dest=/etc/nginx/sites-enabled/default state=absent - notify: - Reload nginx - tags: - - nginx + notify: Reload nginx + tags: [ 'nginx', 'nginx_conf', 'nginx_virtualhost' ] + +- name: Install the gzip compression configuration if enabled + template: src=nginx-compression.conf.j2 dest=/etc/nginx/conf.d/compression.conf owner=root group=root mode=0444 + when: nginx_enable_compression + notify: Reload nginx + tags: [ 'nginx', 'nginx_conf' ] - name: Ensure that the webserver is running service: name=nginx state=started enabled={{ nginx_enabled }} - tags: - - nginx + tags: nginx From 5b3a972453dac618c8c634a79084c7083cee38b2 Mon Sep 17 00:00:00 2001 From: Andrea Dell'Amico Date: Wed, 5 Aug 2015 19:15:19 +0200 Subject: [PATCH 11/26] d4science-gcube/roles/mediawiki_setup: Fix the nginx virtualhost template to support the gcube mediawiki configuration --- nginx/templates/nginx-compression.conf.j2 | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 nginx/templates/nginx-compression.conf.j2 diff --git a/nginx/templates/nginx-compression.conf.j2 b/nginx/templates/nginx-compression.conf.j2 new file mode 100644 index 00000000..4a06955b --- /dev/null +++ b/nginx/templates/nginx-compression.conf.j2 @@ -0,0 +1,6 @@ +gzip_vary {{ nginx_gzip_vary }}; +gzip_proxied {{ nginx_gzip_proxied }}; +gzip_comp_level {{ nginx_gzip_comp_level }}; +gzip_buffers {{ nginx_gzip_buffers }}; +gzip_http_version {{ nginx_gzip_http_version }}; +gzip_types {{ nginx_gzip_types }}; From 954ee7c25a5bbe912fdea9a4450c0c741ae318ab Mon Sep 17 00:00:00 2001 
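Review bot: The new compression.conf never emits `gzip on;`, so whether `nginx_enable_compression: True` enables anything depends on the distribution's nginx.conf (Debian's ships with it on in the http block as far as I recall, but that is outside this role); add `gzip on;` as the first line of the template so the role is self-contained. Compressing `application/json`, `text/xml` and the other dynamic types (plus text/html, which nginx compresses by default) on an authenticated site opens it to BREACH-style compression side channels whenever a response reflects attacker-controlled input next to a secret such as a CSRF token, and `gzip_proxied any` extends that to every proxied application. Either default `nginx_enable_compression` to False with a comment explaining the trade-off, or limit the default `nginx_gzip_types` to static assets (`text/css application/javascript`) and let virtualhosts widen it.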
From: Andrea Dell'Amico Date: Thu, 6 Aug 2015 13:56:20 +0200 Subject: [PATCH 12/26] library/roles/ldap-client-config: Install a better configuration for the ldap clients. library/roles/ubuntu-deb-general: Install the additional CA certs correctly. --- ldap-client-config/defaults/main.yml | 6 ++--- ldap-client-config/tasks/main.yml | 26 +++++++------------ ldap-client-config/templates/ldap.conf-old.j2 | 11 ++++++++ ldap-client-config/templates/ldap.conf.j2 | 7 +++-- ubuntu-deb-general/defaults/main.yml | 10 ++++--- ubuntu-deb-general/handlers/main.yml | 4 +++ .../tasks/install_external_ca_cert.yml | 7 ++--- 7 files changed, 43 insertions(+), 28 deletions(-) create mode 100644 ldap-client-config/templates/ldap.conf-old.j2 diff --git a/ldap-client-config/defaults/main.yml b/ldap-client-config/defaults/main.yml index 048eaa20..8ed59077 100644 --- a/ldap-client-config/defaults/main.yml +++ b/ldap-client-config/defaults/main.yml @@ -1,4 +1,4 @@ --- -nemis_ldap_uri: "ldap://ldap.sub.research-infrastructures.eu" -nemis_ldap_base_dn: "dc=research-infrastructures,dc=eu" - +ldap_uri: "ldap://ldap.sub.research-infrastructures.eu" +ldap_base_dn: "dc=research-infrastructures,dc=eu" +ldap_tls_cacert: /etc/ssl/certs/ca-certificates.crt diff --git a/ldap-client-config/tasks/main.yml b/ldap-client-config/tasks/main.yml index 7f5d78bf..c4b4e76e 100644 --- a/ldap-client-config/tasks/main.yml +++ b/ldap-client-config/tasks/main.yml 
@@ -4,36 +4,30 @@ with_items: - ldapscripts - libpam-ldap - tags: - - ldap-client + tags: ldap-client - name: Write the ldap client configuration file - template: src=ldap.conf.j2 dest=/etc/ldap.conf mode=444 owner=root group=root + template: src=ldap.conf-old.j2 dest=/etc/ldap.conf mode=444 owner=root group=root when: is_ubuntu_less_than_trusty - tags: - - ldap-client + tags: ldap-client - name: Write the ldap client configuration file template: src=ldap.conf.j2 dest=/etc/ldap/ldap.conf mode=444 owner=root group=root when: is_trusty - tags: - - ldap-client + tags: ldap-client - name: set the ldapscripts.conf uri - action: configfile path=/etc/ldapscripts/ldapscripts.conf key=SERVER value='{{ nemis_ldap_uri }}' syntax=shell + action: configfile path=/etc/ldapscripts/ldapscripts.conf key=SERVER value='{{ ldap_uri }}' syntax=shell when: is_trusty - tags: - - ldap-client + tags: ldap-client - name: set the ldapscripts.conf bind dn - action: configfile path=/etc/ldapscripts/ldapscripts.conf key=BINDDN value='cn=admin,{{ nemis_ldap_base_dn }}' syntax=shell + action: configfile path=/etc/ldapscripts/ldapscripts.conf key=BINDDN value='cn=admin,{{ ldap_base_dn }}' syntax=shell when: is_trusty - tags: - - ldap-client + tags: ldap-client - name: set the ldapscripts.conf dn suffix - action: configfile path=/etc/ldapscripts/ldapscripts.conf key=SUFFIX value='{{ nemis_ldap_base_dn }}' syntax=shell + action: configfile path=/etc/ldapscripts/ldapscripts.conf key=SUFFIX value='{{ ldap_base_dn }}' syntax=shell when: is_trusty - tags: - - ldap-client + tags: ldap-client diff --git a/ldap-client-config/templates/ldap.conf-old.j2 b/ldap-client-config/templates/ldap.conf-old.j2 new file mode 100644 index 00000000..38754476 --- /dev/null +++ b/ldap-client-config/templates/ldap.conf-old.j2 
@@ -0,0 +1,11 @@ +# The distinguished name of the search base. +BASE {{ ldap_base_dn }} + +# Another way to specify your LDAP server is to provide an +URI {{ ldap_uri }} + +# The LDAP version to use (defaults to 3 +# if supported by client library) +ldap_version 3 + +nss_initgroups_ignoreusers avahi,backup,bin,daemon,games,gnats,irc,libuuid,list,lp,mail,man,messagebus,munin,news,nslcd,proxy,root,rstudio-server,sshd,sync,sys,syslog,uucp,www-data diff --git a/ldap-client-config/templates/ldap.conf.j2 b/ldap-client-config/templates/ldap.conf.j2 index 7a81eae4..ae1526d6 100644 --- a/ldap-client-config/templates/ldap.conf.j2 +++ b/ldap-client-config/templates/ldap.conf.j2 @@ -1,11 +1,14 @@ # The distinguished name of the search base. -BASE {{ nemis_ldap_base_dn }} +BASE {{ ldap_base_dn }} # Another way to specify your LDAP server is to provide an -URI {{ nemis_ldap_uri }} +URI {{ ldap_uri }} # The LDAP version to use (defaults to 3 # if supported by client library) ldap_version 3 nss_initgroups_ignoreusers avahi,backup,bin,daemon,games,gnats,irc,libuuid,list,lp,mail,man,messagebus,munin,news,nslcd,proxy,root,rstudio-server,sshd,sync,sys,syslog,uucp,www-data + +# TLS certificates (needed for GnuTLS) +TLS_CACERT {{ ldap_tls_cacert }} diff --git a/ubuntu-deb-general/defaults/main.yml b/ubuntu-deb-general/defaults/main.yml index 5ebb13bc..140e53c0 100644 --- a/ubuntu-deb-general/defaults/main.yml +++ b/ubuntu-deb-general/defaults/main.yml 
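Review bot: `TLS_CACERT {{ ldap_tls_cacert }}` only takes effect once a TLS session is negotiated, and the defaults hunk earlier in this commit still sets `ldap_uri` to plain `ldap://`, so with the role's defaults binds and passwords keep crossing the network in the clear and the new line changes nothing. Add `TLS_REQCERT demand` under it so that a server certificate which does not chain to the bundle fails the connection instead of being accepted, and say in the comment that the server must be reached over `ldaps://` or STARTTLS for either line to matter. The pam_ldap file added in the same commit (ldap.conf-old.j2) carries no `tls_cacertfile`/`tls_checkpeer` at all, so pre-trusty hosts are left to the library defaults even if `ldap_uri` is changed.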
@@ -88,10 +88,12 @@ configure_munin: False # Manage the root ssh keys manage_root_ssh_keys: False -install_external_ca_files: True -external_ca_dest_dir: /etc/ssl/certs -external_ca_list: - - { url: "https://security.fi.infn.it/CA/mgt/INFNCA.pem", dest_file: '{{ external_ca_dest_dir }}/infn-ca.pem' } +install_additional_ca_certs: False +additional_ca_dest_dir: /usr/local/share/ca-certificates +# IMPORTANT: the destination file extension must be .crt +#x509_additional_ca_certs: +# - { url: "https://security.fi.infn.it/CA/mgt/INFNCA.pem", dest_file: '{{ additional_ca_dest_dir }}/infn-ca.crt' } + # # debian/ubuntu distributions controllers # diff --git a/ubuntu-deb-general/handlers/main.yml b/ubuntu-deb-general/handlers/main.yml index cbb26546..fb906757 100644 --- a/ubuntu-deb-general/handlers/main.yml +++ b/ubuntu-deb-general/handlers/main.yml @@ -18,3 +18,7 @@ - name: Restart rsyslog service: name=rsyslog state=restarted +- name: Update the CA bundle list + shell: update-ca-certificates + tags: ca + diff --git a/ubuntu-deb-general/tasks/install_external_ca_cert.yml b/ubuntu-deb-general/tasks/install_external_ca_cert.yml index c90d7752..0be2a9e4 100644 --- a/ubuntu-deb-general/tasks/install_external_ca_cert.yml +++ b/ubuntu-deb-general/tasks/install_external_ca_cert.yml @@ -1,7 +1,8 @@ --- -- name: Install the INFN CA certificate +- name: Install the additional CA certificates get_url: url={{ item.url }} dest={{ item.dest_file }} - with_items: external_ca_list - when: install_external_ca_files + with_items: x509_additional_ca_certs + when: install_additional_ca_certs + notify: Update the CA bundle list tags: ca From 4b06f84618a9921250e0a101336346e89bff1039 Mon Sep 17 00:00:00 2001 
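Review bot: The new handler runs a single binary with no shell syntax, so `shell: update-ca-certificates` should be `command: update-ca-certificates`; `shell` adds nothing here and linters flag it. A one-line comment, `# rebuilds the bundle from the .crt files under /usr/local/share/ca-certificates`, would tie the handler to the `.crt` requirement stated in the defaults hunk above.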
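Review bot: The task downloads a certificate authority and hands it to update-ca-certificates with no integrity check, so whoever can answer for the URL (note the CA being installed is by definition not yet trusted, so the https connection alone does not vouch for it) can add a trust anchor to every host; pin each entry, e.g. `get_url: url={{ item.url }} dest={{ item.dest_file }} sha256sum={{ item.sha256 }} owner=root group=root mode=0644` with the digest recorded next to the URL in `x509_additional_ca_certs` (`checksum=sha256:...` on Ansible 2), or ship the PEM in files/ and use `copy`. As far as I recall Ansible 1.x expands `with_items` before it evaluates `when`, and `x509_additional_ca_certs` is commented out in defaults, so hosts that keep `install_additional_ca_certs: False` still fail on the undefined variable; add `x509_additional_ca_certs: []` to defaults or guard with `when: install_additional_ca_certs and x509_additional_ca_certs is defined`, as the `additional_packages` task later on this page does.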
From: Andrea Dell'Amico Date: Fri, 7 Aug 2015 11:25:06 +0200 Subject: [PATCH 13/26] library/roles: Try and fix the fail2ban conditionals, again. xen/host_vars/dlib28x.dom0.research-infrastructures.eu: add dlib28x.dom0.research-infrastructures.eu --- fail2ban/defaults/main.yml | 6 ++---- fail2ban/handlers/main.yml | 2 +- fail2ban/tasks/main.yml | 2 +- iptables/handlers/main.yml | 2 +- ubuntu-deb-general/defaults/main.yml | 2 ++ ubuntu-deb-general/tasks/packages.yml | 1 + 6 files changed, 8 insertions(+), 7 deletions(-) diff --git a/fail2ban/defaults/main.yml b/fail2ban/defaults/main.yml index 655a7fe0..b5e01294 100644 --- a/fail2ban/defaults/main.yml +++ b/fail2ban/defaults/main.yml @@ -2,16 +2,14 @@ # Fail2ban # Needed by the fail2ban template -cm_ip: 146.48.123.18 -monitoring_ip: 146.48.123.23 # ban time in seconds. 86400 == 1 day f2b_ban_time: 86400 f2b_findtime: 600 f2b_maxretry: 5 f2b_default_backend: auto f2b_usedns: warn -f2b_dest_email: sysadmin@research-infrastructures.eu -f2b_sender_email: denyhosts@research-infrastructures.eu +f2b_dest_email: 'sysadmin@{{ domain_name }}' +f2b_sender_email: 'denyhosts@{{ domain_name }}' f2b_default_banaction: iptables-multiport # Default action: ban. Not send email f2b_default_action: action_ diff --git a/fail2ban/handlers/main.yml b/fail2ban/handlers/main.yml index a6b3c1a5..5423011a 100644 --- a/fail2ban/handlers/main.yml +++ b/fail2ban/handlers/main.yml @@ -1,6 +1,6 @@ --- - name: Restart fail2ban service: name=fail2ban state=restarted enabled=yes - when: ( is_trusty ) or ( is_debian8 ) + when: has_fail2ban diff --git a/fail2ban/tasks/main.yml b/fail2ban/tasks/main.yml index 3990764e..33aa9aeb 100644 --- a/fail2ban/tasks/main.yml +++ b/fail2ban/tasks/main.yml @@ -1,3 +1,3 @@ --- - include: fail2ban.yml - when: ( is_trusty ) or ( is_debian8 ) + when: has_fail2ban diff --git a/iptables/handlers/main.yml b/iptables/handlers/main.yml index 150d2e9c..72895169 100644 --- a/iptables/handlers/main.yml 
+++ b/iptables/handlers/main.yml @@ -22,5 +22,5 @@ - name: Restart fail2ban service: name=fail2ban state=restarted enabled=yes - when: ( is_trusty ) or ( is_debian8 ) + when: has_fail2ban diff --git a/ubuntu-deb-general/defaults/main.yml b/ubuntu-deb-general/defaults/main.yml index 140e53c0..b79b4b71 100644 --- a/ubuntu-deb-general/defaults/main.yml +++ b/ubuntu-deb-general/defaults/main.yml @@ -103,6 +103,8 @@ has_htop: "'{{ ansible_distribution }}' == 'Ubuntu' and ({{ ansible_distribution has_apt: "('{{ ansible_distribution }}' == 'Debian' or '{{ ansible_distribution }}' == 'Ubuntu') and '{{ ansible_distribution_version }}' != 'lenny/sid' and '{{ ansible_lsb['major_release'] }}' >= 5" +has_fail2ban: "(('{{ ansible_distribution }}' == 'Ubuntu') and ({{ ansible_distribution_major_version }} >= 14)) or (('{{ ansible_distribution }}' == 'Debian') and ({{ ansible_lsb['major_release'] }} >= 8))" + is_debian: "'{{ ansible_distribution }}' == 'Debian'" is_debian8: "'{{ ansible_distribution_release }}' == 'jessie'" is_debian7: "'{{ ansible_distribution_release }}' == 'wheezy'" diff --git a/ubuntu-deb-general/tasks/packages.yml b/ubuntu-deb-general/tasks/packages.yml index 9878ca49..85fe4d07 100644 --- a/ubuntu-deb-general/tasks/packages.yml +++ b/ubuntu-deb-general/tasks/packages.yml @@ -80,5 +80,6 @@ - name: Install additional packages, if any apt: pkg={{ item }} state={{ pkg_state }} with_items: additional_packages + when: additional_packages is defined tags: [ 'packages', 'common_pkgs', 'additional_packages' ] From 0ab5593d7d73e6f1a5831106ef48490555853845 Mon Sep 17 00:00:00 2001 From: Andrea Dell'Amico Date: Fri, 7 Aug 2015 18:20:09 +0200 Subject: [PATCH 14/26] library/roles/nagios, xen: Various fixes to add debian 8 compatibility. --- fail2ban/templates/jail.local.j2 | 2 +- nagios/tasks/dell-omsa.yml | 33 ++++++++++++++++++-------------- nagios/tasks/hardware-checks.yml | 1 + 3 files changed, 21 insertions(+), 15 deletions(-) 
diff --git a/fail2ban/templates/jail.local.j2 b/fail2ban/templates/jail.local.j2 index 6cf14ac0..65c9e4f8 100644 --- a/fail2ban/templates/jail.local.j2 +++ b/fail2ban/templates/jail.local.j2 @@ -18,7 +18,7 @@ # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not # ban a host which matches an address in this list. Several addresses can be # defined using space separator. -ignoreip = 127.0.0.1/8 {{ cm_ip }} {{ monitoring_ip }} +ignoreip = 127.0.0.1/8 {% if cm_ip is defined %}{{ cm_ip }}{% endif %} {% if monitoring_ip is defined %}{{ monitoring_ip }}{% endif %} # "bantime" is the number of seconds that a host is banned. bantime = {{ f2b_ban_time }} diff --git a/nagios/tasks/dell-omsa.yml b/nagios/tasks/dell-omsa.yml index 594d32e8..8dddf23f 100644 --- a/nagios/tasks/dell-omsa.yml +++ b/nagios/tasks/dell-omsa.yml @@ -7,14 +7,28 @@ register: update_apt_cache tags: [ 'dell', 'nagios' ] +- name: Install the NeMIS internal repository apt key + apt_key: url=http://ppa.research-infrastructures.eu/system/keys/system-archive.asc state=present + tags: [ 'dell', 'nagios' ] + - name: research infrastructures system repository on debian copy: src={{ item }} dest=/etc/apt/sources.list.d/{{ item }} with_items: - research-infrastructures.eu.system.list - when: is_debian6 + when: is_debian register: update_apt_cache tags: [ 'dell', 'nagios' ] +- name: Update apt cache + apt: update_cache=yes + when: ( update_apt_cache | changed ) + tags: [ 'dell', 'nagios' ] + +#- action: apt_key id=1285491434D8786F state=present +- name: Install the Dell OMSA repository apt key + apt_key: keyserver=pool.sks-keyservers.net id=1285491434D8786F + tags: [ 'dell', 'nagios' ] + - name: Install the Dell apt repository template: src={{ item }}.j2 dest=/etc/apt/sources.list.d/{{ item }} with_items: 
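Review bot: Both repository keys are installed in a way that cannot be verified: the NeMIS key comes from plain `http://ppa.research-infrastructures.eu/...`, and the Dell key is pulled from `pool.sks-keyservers.net` by its 64-bit id `1285491434D8786F`, a pool anyone can upload to where a matching key id proves nothing about who made the key; once either key is in the apt keyring, every package signed with a substitute is trusted on the host. Ship both keys in the role and install them with `apt_key: data="{{ lookup('file', 'dell-omsa.asc') }}" state=present`, or at minimum fetch them over https and pin the full fingerprint. The widening from `when: is_debian6` to `when: is_debian` on the repository list looks intended but deserves a word in the commit message or a comment, since it now affects every Debian host running this role.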
@@ -23,18 +37,9 @@ register: update_apt_cache tags: [ 'dell', 'nagios' ] -- name: Install the NeMIS internal repository apt key - apt_key: url=http://ppa.research-infrastructures.eu/system/keys/system-archive.asc state=present - tags: [ 'dell', 'nagios' ] - -#- action: apt_key id=1285491434D8786F state=present -- name: Install the Dell OMSA repository apt key - apt_key: keyserver=pool.sks-keyservers.net id=1285491434D8786F - tags: [ 'dell', 'nagios' ] - - name: Update apt cache apt: update_cache=yes - when: update_apt_cache.changed + when: ( update_apt_cache | changed ) tags: [ 'dell', 'nagios' ] - name: Install the Dell OMSA packages dependencies @@ -42,7 +47,7 @@ with_items: nagios_dell_omsa_deps tags: [ 'dell', 'nagios' ] -- name: Install the Dell OMSA packages dependencies +- name: Install other Dell OMSA packages dependencies apt: pkg={{ item }} state=installed with_items: - python-requests @@ -75,8 +80,8 @@ when: ( libssl_legacy | changed ) tags: [ 'dell', 'nagios' ] -- name: Install the Dell OMSA packages - apt: pkg={{ item }} state=installed force=yes +- name: Install the main Dell OMSA package + apt: pkg={{ item }} state={{ nagios_dell_omsa_pkg_state }} force=yes with_items: - syscfg when: is_not_debian6 diff --git a/nagios/tasks/hardware-checks.yml b/nagios/tasks/hardware-checks.yml index 26d921fc..29df2b57 100644 --- a/nagios/tasks/hardware-checks.yml +++ b/nagios/tasks/hardware-checks.yml @@ -25,6 +25,7 @@ - name: Ensure that the smart server is enabled and running service: name=smartmontools state=started enabled=yes + when: not is_debian8 tags: - nagios-hw - nagios From e816d11be12a80f68b102d5c4d7eab7d198240f6 Mon Sep 17 00:00:00 2001 From: Andrea Dell'Amico Date: Fri, 7 Aug 2015 19:12:03 +0200 Subject: [PATCH 15/26] library/roles/nagios/defaults/main.yml: Explicitly install a Dell OMSA package that's not listed as a dependency but it's required. --- nagios/defaults/main.yml | 1 + 1 file changed, 1 insertion(+) 
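Review bot: The renamed syscfg task keeps `force=yes`, which Ansible's apt module passes on as `--force-yes`, i.e. apt installs the package even when it is unauthenticated or needs a downgrade, so the Dell repository key installed a few tasks earlier is effectively bypassed for this package; drop it (`apt: pkg={{ item }} state={{ nagios_dell_omsa_pkg_state }}`) and, if it really is needed to override a held or conflicting version, say which in a comment. `nagios_dell_omsa_pkg_state` is not defined in any of the nagios defaults hunks on this page, so unless an inventory or a later commit sets it the task fails on an undefined variable; add `nagios_dell_omsa_pkg_state: installed` to nagios/defaults/main.yml.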
diff --git a/nagios/defaults/main.yml b/nagios/defaults/main.yml index c7307d5e..5b92f7be 100644 --- a/nagios/defaults/main.yml +++ b/nagios/defaults/main.yml @@ -61,6 +61,7 @@ nagios_dell_omsa_pkgs: - srvadmin-base - srvadmin-idrac - srvadmin-storageservices + - srvadmin-omcommon # We need a more recent version of the check_openmanage executable nagios_dell_standalone_checks: From 372d856260598b9420f9b8835ec61d056edc90ad Mon Sep 17 00:00:00 2001 From: Andrea Dell'Amico Date: Tue, 11 Aug 2015 18:12:41 +0200 Subject: [PATCH 16/26] xen: add two nodes to the ganeti cluster. Try to fix the xm/xl mess. --- nagios/defaults/main.yml | 2 ++ ubuntu-deb-general/tasks/packages.yml | 26 ++++++++++++++------------ 2 files changed, 16 insertions(+), 12 deletions(-) diff --git a/nagios/defaults/main.yml b/nagios/defaults/main.yml index 5b92f7be..9a7ec645 100644 --- a/nagios/defaults/main.yml +++ b/nagios/defaults/main.yml @@ -67,3 +67,5 @@ nagios_dell_omsa_pkgs: nagios_dell_standalone_checks: - check_dell_warranty.py - check_openmanage + +nagios_openmanage_additional_opts: '' diff --git a/ubuntu-deb-general/tasks/packages.yml b/ubuntu-deb-general/tasks/packages.yml index 85fe4d07..005214a2 100644 --- a/ubuntu-deb-general/tasks/packages.yml +++ b/ubuntu-deb-general/tasks/packages.yml 
@@ -30,30 +30,32 @@ when: is_debian6 tags: squeeze-backports -- name: Install the squeeze-lts repository on debian 6 - apt_repository: repo='deb http://http.debian.net/debian squeeze-lts main contrib non-free' state=present - register: update_apt_cache - when: is_debian6 - tags: squeeze-lts - - name: Install the backports repository on debian 7 apt_repository: repo='deb http://http.debian.net/debian wheezy-backports main' state=present register: update_apt_cache when: is_debian7 tags: wheezy-backports -- name: Install the wheezy-lts repository on debian 7 - apt_repository: repo='deb http://http.debian.net/debian wheezy-lts main contrib non-free' state=present - register: update_apt_cache - when: is_debian7 - tags: wheeze-lts - - name: Install the backports repository on debian 8 apt_repository: repo='deb http://http.debian.net/debian jessie-backports main' state=present register: update_apt_cache when: is_debian8 tags: jessie-backports +# Debian 7 “Wheezy” from February 2016 to May 2018 +# Debian 8 “Jessie“ from May 2018 to April/May 2020 +- name: Install the squeeze-lts repository on debian 6 + apt_repository: repo='deb http://http.debian.net/debian squeeze-lts main contrib non-free' state=present + register: update_apt_cache + when: is_debian6 + tags: squeeze-lts + +# - name: Install the wheezy-lts repository on debian 7 +# apt_repository: repo='deb http://http.debian.net/debian wheezy-lts main contrib non-free' state=present +# register: update_apt_cache +# when: is_debian7 +# tags: wheeze-lts + - name: apt key for the internal ppa repository apt_key: url=http://ppa.research-infrastructures.eu/system/keys/system-archive.asc state=present when: is_ubuntu From a7c764d959f838069a9202fb276958c58519625f Mon Sep 17 00:00:00 2001 
From: Andrea Dell'Amico Date: Wed, 12 Aug 2015 15:20:12 +0200 Subject: [PATCH 17/26] xen: Fix the ganeti playbook. Install xenmap, do not install fprobe --- ubuntu-deb-general/tasks/main.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/ubuntu-deb-general/tasks/main.yml b/ubuntu-deb-general/tasks/main.yml index 0c2d74d9..93cb5832 100644 --- a/ubuntu-deb-general/tasks/main.yml +++ b/ubuntu-deb-general/tasks/main.yml @@ -10,9 +10,7 @@ - include: disable-ipv6-old-servers.yml when: disable_ipv6 - include: denyhost.yml - when: - - is_debian_7_or_older - - is_ubuntu_less_than_trusty + when: ( is_debian_7_or_older ) or ( is_ubuntu_less_than_trusty ) - include: munin.yml when: configure_munin - include: pubkeys.yml From 91b75f4697ebd69e8493c0b8a7f32c65e9b50bc2 Mon Sep 17 00:00:00 2001 From: Andrea Dell'Amico Date: Wed, 12 Aug 2015 18:35:41 +0200 Subject: [PATCH 18/26] san, xen: monitor the presence of the gmond process. --- ganglia/tasks/main.yml | 25 +++++++++---------------- 1 file changed, 9 insertions(+), 16 deletions(-) diff --git a/ganglia/tasks/main.yml b/ganglia/tasks/main.yml index b4873dd7..d1976cdb 100644 --- a/ganglia/tasks/main.yml +++ b/ganglia/tasks/main.yml @@ -12,18 +12,16 @@ with_items: - ganglia-modules-linux - ganglia-monitor-python - notify: - Restart ganglia monitor - when: is_trusty_or_debian7 + notify: Restart ganglia monitor + when: ( is_trusty_or_debian7 ) or ( is_debian8 ) tags: - monitoring - ganglia - name: Distribute the ganglia configuration file for Ubuntu >= 12.04 template: src=gmond.j2 dest=/etc/ganglia/gmond.conf owner=root group=root mode=444 - when: is_not_ubuntu_less_than_precise - notify: - Restart ganglia monitor + when: ( is_not_ubuntu_less_than_precise ) or ( is_debian8 ) + notify: Restart ganglia monitor tags: - monitoring - ganglia 
@@ -31,8 +29,7 @@ - name: Distribute the ganglia configuration file for Debian 7 template: src=gmond.j2 dest=/etc/ganglia/gmond.conf owner=root group=root mode=444 when: is_debian7 - notify: - Restart ganglia monitor + notify: Restart ganglia monitor tags: - monitoring - ganglia @@ -40,8 +37,7 @@ - name: Distribute the ganglia configuration file for Ubuntu < 12.04 and >= 10.04 and Debian 6 template: src=gmond-3.1.j2 dest=/etc/ganglia/gmond.conf owner=root group=root mode=444 when: is_ubuntu_between_10_04_and_11_04_and_is_debian_6 - notify: - Restart ganglia monitor + notify: Restart ganglia monitor tags: - monitoring - ganglia @@ -50,8 +46,7 @@ template: src=gmond-2.5.j2 dest=/etc/gmond.conf owner=root group=root mode=444 when: - is_ubuntu_between_8_and_9_and_is_debian_4 - notify: - Restart ganglia monitor + notify: Restart ganglia monitor tags: - monitoring - ganglia @@ -60,8 +55,7 @@ template: src=gmond-2.5.j2 dest=/etc/gmond.conf owner=root group=root mode=444 when: - is_broken_hardy_lts - notify: - Restart ganglia monitor + notify: Restart ganglia monitor tags: - monitoring - ganglia @@ -82,8 +76,7 @@ - name: Setup the ganglia configuration for python modules copy: src=modpython.conf dest=/etc/ganglia/conf.d/modpython.conf owner=root group=root mode=0644 - notify: - - Restart ganglia monitor + notify: Restart ganglia monitor when: is_precise tags: - monitoring From fb2fcc6084dfeff1305b2ea25105ee927e666815 Mon Sep 17 00:00:00 2001 From: Andrea Dell'Amico Date: Wed, 12 Aug 2015 19:36:38 +0200 Subject: [PATCH 19/26] library/roles: Basic role to install vagrant from the vagrant site. --- vagrant/defaults/main.yml | 10 ++++++++++ vagrant/tasks/main.yml | 15 +++++++++++++++ 2 files changed, 25 insertions(+) create mode 100644 vagrant/defaults/main.yml create mode 100644 vagrant/tasks/main.yml diff --git a/vagrant/defaults/main.yml b/vagrant/defaults/main.yml new file mode 100644 index 00000000..630b0cbb --- /dev/null +++ b/vagrant/defaults/main.yml 
@@ -0,0 +1,10 @@ +--- +vagrant_install: False +vagrant_package_from_site: False +vagrant_site_version: 1.7.4 +vagrant_url: 'https://dl.bintray.com/mitchellh/vagrant/vagrant_{{ vagrant_site_version }}_x86_64.deb' + +vagrant_package_list: + - 'linux-headers-{{ ansible_kernel }}' + - vagrant + - virtualbox diff --git a/vagrant/tasks/main.yml b/vagrant/tasks/main.yml new file mode 100644 index 00000000..82e6624d --- /dev/null +++ b/vagrant/tasks/main.yml @@ -0,0 +1,15 @@ +--- +- name: Install the vagrant packages and requirements + apt: name={{ item }} state={{ pkg_state }} + with_items: vagrant_package_list + tags: vagrant + +- name: Get the package from the vagrant site + get_url: url='{{ vagrant_url }}' dest=/opt/vagrant_{{ vagrant_site_version }}_x86_64.deb + when: vagrant_package_from_site + tags: vagrant + +- name: Install the package from the vagrant site + apt: deb=/opt/vagrant_{{ vagrant_site_version }}_x86_64.deb + when: vagrant_package_from_site + tags: vagrant From eeac0b7c6de44397388b4dba0262898309490ff4 Mon Sep 17 00:00:00 2001 From: Andrea Dell'Amico Date: Wed, 12 Aug 2015 19:54:14 +0200 Subject: [PATCH 20/26] library: Try to fix the denyhosts contidionals again. --- ubuntu-deb-general/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ubuntu-deb-general/defaults/main.yml b/ubuntu-deb-general/defaults/main.yml index b79b4b71..87895154 100644 --- a/ubuntu-deb-general/defaults/main.yml +++ b/ubuntu-deb-general/defaults/main.yml 
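Review bot: `vagrant_install: False` is added to the defaults but nothing in vagrant/tasks/main.yml tests it, so merely listing the role installs the kernel headers, vagrant and virtualbox on the host; either gate the three tasks with `when: vagrant_install` or drop the variable. The downloaded .deb is handed to `apt: deb=` (a root install) with no integrity check; `get_url` accepts `sha256sum=`, and since `vagrant_site_version` is pinned the digest is stable, so add `sha256sum={{ vagrant_deb_sha256 }}` with a matching defaults entry. `pkg_state` is not defined in this role's defaults, so the apt task silently depends on a variable from elsewhere; that should at least be documented in defaults/main.yml.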
@@ -112,8 +112,8 @@ is_debian6: "('{{ ansible_distribution }}' == 'Debian' and {{ ansible_lsb['major is_debian5: "'{{ ansible_distribution }}' == 'Debian' and '{{ ansible_distribution_version }}' != 'lenny/sid' and {{ ansible_lsb['major_release'] }} == 5" is_debian4: "'{{ ansible_distribution }}' == 'Debian' and '{{ ansible_distribution_version }}' != 'lenny/sid' and {{ ansible_lsb['major_release'] }} == 4" is_not_debian6: "'{{ ansible_distribution }}' == 'Debian' and '{{ ansible_distribution_version }}' != 'lenny/sid' and {{ ansible_lsb['major_release'] }} != 6" -is_debian_7_or_older: "'{{ ansible_distribution }}' == 'Debian' and '{{ ansible_distribution_version }}' != 'lenny/sid' and {{ ansible_distribution_major_version }} <= 7" -is_debian_less_than6: "'{{ ansible_distribution }}' == 'Debian' and '{{ ansible_distribution_version }}' != 'lenny/sid' and {{ ansible_lsb['major_release'] }} < 6" +is_debian_7_or_older: "'{{ ansible_distribution }}' == 'Debian' and {{ ansible_distribution_major_version }} <= 7" +is_debian_less_than6: "'{{ ansible_distribution }}' == 'Debian' and '{{ ansible_distribution_version }}' != 'lenny/sid' and {{ ansible_distribution_major_version }} < 6" is_not_debian_less_than_6: "('{{ ansible_distribution }}' != 'Debian') or (('{{ ansible_distribution }}' == 'Debian' or '{{ ansible_distribution }}' == 'Ubuntu') and '{{ ansible_distribution_version }}' != 'lenny/sid' and {{ ansible_lsb['major_release'] }} >= 6)" is_hardy: "'{{ ansible_distribution_release }}' == 'hardy'" From 45e8cb392c2ee48de435c5d0d2f5b1c103c197f5 Mon Sep 17 00:00:00 2001 From: Andrea Dell'Amico Date: Wed, 12 Aug 2015 19:58:42 +0200 Subject: [PATCH 21/26] library/roles/ubuntu-deb-general/tasks/main.yml: Execute the denyhosts part twice, with two different sets of conditionals (sigh) --- ubuntu-deb-general/tasks/main.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
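Review bot: The new `is_debian_7_or_older` drops the `!= 'lenny/sid'` guard while `is_debian_less_than6` on the next line keeps it, so the two flags no longer classify a testing/sid host the same way; if `ansible_distribution_major_version` is not numeric on such a host (worth verifying on one), the rendered `<value> <= 7` either errors or evaluates in an unintended way, and this flag is what decides whether denyhosts gets installed. Keeping the guard on both lines keeps them consistent. More generally, these flags splice host-reported facts into a string that `when:` later re-evaluates as a Jinja expression, so a managed host influences part of an expression the controller evaluates; a comment such as `# Facts are embedded in an evaluated expression: do not extend this pattern` would warn maintainers.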
diff --git a/ubuntu-deb-general/tasks/main.yml b/ubuntu-deb-general/tasks/main.yml index 93cb5832..ade07398 100644 --- a/ubuntu-deb-general/tasks/main.yml +++ b/ubuntu-deb-general/tasks/main.yml @@ -10,7 +10,9 @@ - include: disable-ipv6-old-servers.yml when: disable_ipv6 - include: denyhost.yml - when: ( is_debian_7_or_older ) or ( is_ubuntu_less_than_trusty ) + when: is_debian_7_or_older +- include: denyhost.yml + when: is_ubuntu_less_than_trusty - include: munin.yml when: configure_munin - include: pubkeys.yml From 2390e8d31f0dd27da6d4b2472c3997cba2ac28d2 Mon Sep 17 00:00:00 2001 From: Andrea Dell'Amico Date: Wed, 12 Aug 2015 22:16:09 +0200 Subject: [PATCH 22/26] library/roles/vagrant: Also install virtualbox from the virtualbox.org repository. --- vagrant/defaults/main.yml | 5 +++-- vagrant/tasks/main.yml | 25 ++++++++++++++++++------- 2 files changed, 21 insertions(+), 9 deletions(-) diff --git a/vagrant/defaults/main.yml b/vagrant/defaults/main.yml index 630b0cbb..9bbd268c 100644 --- a/vagrant/defaults/main.yml +++ b/vagrant/defaults/main.yml @@ -3,8 +3,9 @@ vagrant_install: False vagrant_package_from_site: False vagrant_site_version: 1.7.4 vagrant_url: 'https://dl.bintray.com/mitchellh/vagrant/vagrant_{{ vagrant_site_version }}_x86_64.deb' +virtualbox_version: 5.0 vagrant_package_list: - 'linux-headers-{{ ansible_kernel }}' - - vagrant - - virtualbox + - 'virtualbox-{{ virtualbox_version }}' + diff --git a/vagrant/tasks/main.yml b/vagrant/tasks/main.yml index 82e6624d..24cf35ba 100644 --- a/vagrant/tasks/main.yml +++ b/vagrant/tasks/main.yml 
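Review bot: The two consecutive `- include: denyhost.yml` entries read like a copy-paste mistake to anyone who has not followed this file's history, yet they are presumably the workaround for the `or` form that patch 17 tried and patch 20 could not make work. A comment above them would prevent someone from "cleaning it up" back into a single include, e.g. `# Included twice on purpose: the is_* flags are templated expression strings, so "a or b" is always truthy`.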
@@ -1,15 +1,26 @@
 ---
-- name: Install the vagrant packages and requirements
- apt: name={{ item }} state={{ pkg_state }}
- with_items: vagrant_package_list
- tags: vagrant
-
 - name: Get the package from the vagrant site
 get_url: url='{{ vagrant_url }}' dest=/opt/vagrant_{{ vagrant_site_version }}_x86_64.deb
 when: vagrant_package_from_site
- tags: vagrant
+ tags: [ 'vagrant', 'virtualbox' ]
+
+- name: Install the virtualbox repository key
+ apt_key: url=https://www.virtualbox.org/download/oracle_vbox.asc state=present
+ when: vagrant_package_from_site
+ tags: [ 'vagrant', 'virtualbox' ]
+
+- name: Install the virtualbox repository
+ apt_repository: repo='deb http://download.virtualbox.org/virtualbox/debian {{ ansible_distribution_release }} contrib' state=present update_cache=yes
+ when: vagrant_package_from_site
+ tags: [ 'vagrant', 'virtualbox' ]
+
+- name: Install the virtualbox package and vagrant requirements
+ apt: name={{ item }} state={{ pkg_state }}
+ with_items: vagrant_package_list
+ tags: [ 'vagrant', 'virtualbox' ]
 
 - name: Install the package from the vagrant site
 apt: deb=/opt/vagrant_{{ vagrant_site_version }}_x86_64.deb
 when: vagrant_package_from_site
- tags: vagrant
+ tags: [ 'vagrant', 'virtualbox' ]
+
From 226da8cd0fce284c3dbecb40d37c36ab7cd0d636 Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Mon, 24 Aug 2015 15:56:46 +0200
Subject: [PATCH 23/26] library/roles/tomcat: special treatment for the server.xml file: use a dedicated variable to decide if install it or not. d4science-gcube/group_vars/mediawiki/all.yml: change the d4science (imarine) wiki database name.
---
 mysql/tasks/manage_my_db.yml | 9 ++------
 tomcat-multiple-instances/defaults/main.yml | 2 +-
 tomcat/defaults/main.yml | 1 +
 tomcat/tasks/tomcat-pkgs.yml | 2 +-
 4 files changed, 5 insertions(+), 9 deletions(-)
diff --git a/mysql/tasks/manage_my_db.yml b/mysql/tasks/manage_my_db.yml
index f70bcab3..dfbd6e4a 100644
--- a/mysql/tasks/manage_my_db.yml
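Review bot: With the defaults (`vagrant_package_from_site: False`) the apt_key and apt_repository tasks are skipped but "Install the virtualbox package and vagrant requirements" still runs, and its list now names `virtualbox-{{ virtualbox_version }}`, which as far as this hunk shows is only expected from the repository the skipped task configures, so the unconditional task fails; gate it with the same `when: vagrant_package_from_site` or make the repository tasks unconditional. The repository key is fetched by URL without pinning its fingerprint, so `apt_key` trusts whatever the download returns; add `id=` with the expected fingerprint, which also makes the plain `http://` repo line acceptable since apt then verifies signatures against a known key. The .deb fetched by get_url is still installed by `apt: deb=` with no checksum, so `sha256sum=` on the get_url task is still missing.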
+++ b/mysql/tasks/manage_my_db.yml @@ -5,9 +5,7 @@ when: - mysql_db_data is defined - item.name is defined - tags: - - mysql - - mysql_db + tags: [ 'mysql', 'mysql_db' ] - name: Add a user for the databases mysql_user: name={{ item.0.user }} password={{ item.0.pwd }} host={{ item.1 }} priv={{ item.0.name }}.*:"{{ item.0.user_grant }}" state=present @@ -17,7 +15,4 @@ when: - mysql_db_data is defined - item.0.name is defined - tags: - - mysql - - mysql_db - + tags: [ 'mysql', 'mysql_db' ] diff --git a/tomcat-multiple-instances/defaults/main.yml b/tomcat-multiple-instances/defaults/main.yml index 49cbba47..2c1958c6 100644 --- a/tomcat-multiple-instances/defaults/main.yml +++ b/tomcat-multiple-instances/defaults/main.yml 
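Review bot: "Add a user for the databases" passes `password={{ item.0.pwd }}` through a loop, and Ansible echoes every loop item in the task result, so the database passwords appear in the play output and in whatever captures it; add `no_log: True` to that task (and to the create-db task if `mysql_db_data` carries credentials). The hunk only restyles the `tags:` lines, so this applies to the unchanged task, whose loop directive sits outside the visible hunk.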
@@ -49,5 +49,5 @@ tomcat_m_jmx_localhost_only: False # This is only an example. Insert a line for each tomcat instance. 'app_contexts' can be used to automatically configure apache or nginx virtualhost http/ajp proxy # #tomcat_m_instances: -# - { http_enabled: True, http_port: '8180', http_address: '0.0.0.0', ajp_enabled: False, ajp_port: '8109', ajp_address: '127.0.0.1', restart_timeout: '{{ tomcat_m_restart_timeout }}', shutdown_port: '8105', java_home: '{{ jdk_java_home }}', user: '{{ tomcat_m_default_user }}', user_home: '{{ tomcat_m_instances_base_path }}', user_shell: '{{ tomcat_m_default_user_shell }}', instance_path: '{{ tomcat_m_instances_base_path }}/8180', max_threads: '{{ tomcat_m_max_threads }}', autodeploy: '{{ tomcat_m_webapps_autodeploy }}', unpack: '{{ tomcat_m_webapps_unpack }}',default_conf: True, java_opts: '{{ tomcat_m_java_opts }}', java_gc_opts: '{{ tomcat_m_java_gc_opts }}', other_java_opts: '{{ tomcat_m_other_java_opts }}', jmx_enabled: '{{ tomcat_m_jmx_enabled }}', jmx_auth_enabled: '{{ tomcat_m_jmx_auth_enabled }}', jmx_auth_dir: '{{ tomcat_m_instances_base_path }}/8180/conf', jmx_port: '8182', jmx_monitorpass: '{{ set_in_a_vault_file }}', jmx_controlpass: '{{ set_in_a_vault_file }}', remote_debugging: '{{ tomcat_m_enable_remote_debugging }}', remote_debugging_port: '8100', access_log_enabled: True, log_rotation_freq: daily, log_retain: 30, allowed_hosts: [ 'xxx.xxx.xxx.xxx/32', 'yyy.yyy.yyy.yyy/32' ], app_contexts: [ 'app1', 'app2' ] } +# - { http_enabled: True, http_port: '8180', http_address: '0.0.0.0', ajp_enabled: False, ajp_port: '8109', ajp_address: '127.0.0.1', restart_timeout: '{{ tomcat_m_restart_timeout }}', shutdown_port: '8105', java_home: '{{ jdk_java_home }}', user: '{{ tomcat_m_default_user }}', user_home: '{{ tomcat_m_instances_base_path }}', user_shell: '{{ tomcat_m_default_user_shell }}', instance_path: '{{ tomcat_m_instances_base_path }}/8180', max_threads: '{{ tomcat_m_max_threads }}', autodeploy: '{{ 
tomcat_m_webapps_autodeploy }}', unpack: '{{ tomcat_m_webapps_unpack }}', install_server_xml: True, default_conf: True, java_opts: '{{ tomcat_m_java_opts }}', java_gc_opts: '{{ tomcat_m_java_gc_opts }}', other_java_opts: '{{ tomcat_m_other_java_opts }}', jmx_enabled: '{{ tomcat_m_jmx_enabled }}', jmx_auth_enabled: '{{ tomcat_m_jmx_auth_enabled }}', jmx_auth_dir: '{{ tomcat_m_instances_base_path }}/8180/conf', jmx_port: '8182', jmx_monitorpass: '{{ set_in_a_vault_file }}', jmx_controlpass: '{{ set_in_a_vault_file }}', remote_debugging: '{{ tomcat_m_enable_remote_debugging }}', remote_debugging_port: '8100', access_log_enabled: True, log_rotation_freq: daily, log_retain: 30, allowed_hosts: [ 'xxx.xxx.xxx.xxx/32', 'yyy.yyy.yyy.yyy/32' ], app_contexts: [ 'app1', 'app2' ] } diff --git a/tomcat/defaults/main.yml b/tomcat/defaults/main.yml index a876f054..0b271416 100644 --- a/tomcat/defaults/main.yml +++ b/tomcat/defaults/main.yml @@ -16,6 +16,7 @@ tomcat_java_opts: "-Xms{{ tomcat_min_heap_size }} -Xmx{{ tomcat_heap_size }} -XX tomcat_java_gc_opts: "-XX:+UseConcMarkSweepGC" #tomcat_other_java_opts: "-Djsse.enableSNIExtension=false" tomcat_other_java_opts: "" +tomcat_install_server_xml: True tomcat_install_default_conf: True tomcat_load_additional_default_conf: True tomcat_http_enabled: True diff --git a/tomcat/tasks/tomcat-pkgs.yml b/tomcat/tasks/tomcat-pkgs.yml index b7817854..45896f21 100644 --- a/tomcat/tasks/tomcat-pkgs.yml +++ b/tomcat/tasks/tomcat-pkgs.yml @@ -17,7 +17,7 @@ - name: Configure tomcat server.xml template: src=tomcat-server.xml.j2 dest={{ tomcat_conf_dir }}/server.xml - when: tomcat_install_default_conf + when: tomcat_install_server_xml notify: tomcat restart tags: tomcat From fdf0ba0472f682bf79fcf6246737c027bd5ff48f Mon Sep 17 00:00:00 2001 From: "claudio.atzori" Date: Wed, 26 Aug 2015 15:48:07 +0200 Subject: [PATCH 24/26] added user giorgos.alexiou --- ssh-keys/defaults/main.yml | 1 + 1 file changed, 1 insertion(+) 
diff --git a/ssh-keys/defaults/main.yml b/ssh-keys/defaults/main.yml index 44e78abb..33e264af 100644 --- a/ssh-keys/defaults/main.yml +++ b/ssh-keys/defaults/main.yml @@ -36,6 +36,7 @@ lucia_vadicamo: ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAgEAqR/WChJL0M/EOQ1Jg7x7H5dmgb9j sahar_vahdati_old: ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIB38nRuOy6g0UEkYLZ5v+VGQIbZAFjylEtbmZJAN3OMm+wcgoCTIBvytZ6Ajp8ZTT1tTqo2rsAVb8O5pv08Qaunl5VBfvEUyqNdYX9SY1kB5PzKtBZBbkkUI4AE7BNJKKuki0nYvOHP5p07FdobC2OjILGxci4zn37X+CGEykNrXQ== rsa-key-20150605 sahar_vahdati: ssh-dss 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 dsa-key-20150709 christoph_lange: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAvFxHqgmIkBfdyxRCMGhj2R+Bj05EBB7DlBrlKy6eM3K3EnPP+0dlMW+KhGwcu5sHFjyPtdngEO8AX1TQCUgifhd9++fBVAfUfKU5+dUqqyFFeQjQMqbf7pzWCJ9JjQ5tk1If9IzgBe/50ro0SCqIbod3FogSe4RZqQV1P0znxaHt4ngJSRYnRK+6gniMuT+SlcKgjDM8v8RP4ELWvE0ibduUGoyCEzmmroXgymcL7tpqHTdfo8o3mbcwqRGmCHEplQttFG57PwkJlcQvhKuJHo/Sgcyx2WuEFL/vZMFnuXhaNFg7I1UIO9bNwsLjsbnR9FEK9rjwwl8dKQHDh5R1zQ== clange@BACH +giorgos_alexiou: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC41bHkxohyGdSI0gtTMhZmTTUgiFStUT2VTee7CEQ6YUtik/mFbe3JzZJxuxbmRNnxY3s9x5EwCiNbMZKQ19b8d+lBoiytxIiXGpj44waE8z8qVfdks8SWJ7KwIoB7Gjoi6SH2BT9mvXhnU8DWm3Y4NkPRG76y/CqlG0gOyJdMLUUvP1lZupnHApYSBTKZ3r+wPWJnqAzQH1Kl1MG2xk57ULPkgthQ/mkW4EsNo+NfqgQs1konJCWBkK5t8L5awU/U4jlyGgfDmjk5x2qsDMMHCZ25onsXWXsxHdeVLjCxb0MfoXh13ld1wuwR7UbHcTDopyZNKLJZMrC6YSoHx0M/ user@Macintosh.local # Use the list when you want to give access to non root users ssh_users_list: From 20ad4bcf6e300c61bbd752849d24a8c45bbe90d9 Mon Sep 17 00:00:00 2001 
From: Andrea Dell'Amico Date: Thu, 27 Aug 2015 17:14:27 +0200 Subject: [PATCH 25/26] library/roles/dnet_user_services_perms: The role now permits to deal with services other than tomcat. dnet-openaire/virtuoso.yml: Use the dnet_user_services_perms to set up ACLs and sudo. library/roles/ssh-keys/defaults/main.yml: All the keys have been moved to library/vars/isti-global.yml. --- dnet_user_services_perms/README.md | 2 +- dnet_user_services_perms/defaults/main.yml | 12 ++ .../tasks/dnet-additional-packages.yml | 13 ++ .../tasks/dnet-data-dirs.yml | 30 +++++ .../tasks/dnet-groups.yml | 25 ++++ .../tasks/dnet-tomcat-acls.yml | 68 ++++++++++ .../tasks/dnet-users-data-dirs.yml | 17 +++ dnet_user_services_perms/tasks/main.yml | 126 ++---------------- .../tasks/sudo-config.yml | 5 + .../templates/dnet-sudoers.j2 | 2 +- ssh-keys/defaults/main.yml | 37 ----- 11 files changed, 181 insertions(+), 156 deletions(-) create mode 100644 dnet_user_services_perms/tasks/dnet-additional-packages.yml create mode 100644 dnet_user_services_perms/tasks/dnet-data-dirs.yml create mode 100644 dnet_user_services_perms/tasks/dnet-groups.yml create mode 100644 dnet_user_services_perms/tasks/dnet-tomcat-acls.yml create mode 100644 dnet_user_services_perms/tasks/dnet-users-data-dirs.yml create mode 100644 dnet_user_services_perms/tasks/sudo-config.yml diff --git a/dnet_user_services_perms/README.md b/dnet_user_services_perms/README.md index 7c16a155..8cd98a17 100644 --- a/dnet_user_services_perms/README.md +++ b/dnet_user_services_perms/README.md @@ -1,3 +1,3 @@ This role sets acls that permit unprivileged users to: - write inside a list of directories -- restart the tomcat instances +- restart the tomcat instances (default). Or manage other services. diff --git a/dnet_user_services_perms/defaults/main.yml b/dnet_user_services_perms/defaults/main.yml index c5769562..86970e34 100644 --- a/dnet_user_services_perms/defaults/main.yml +++ b/dnet_user_services_perms/defaults/main.yml 
@@ -1,6 +1,8 @@ --- +dnet_standard_installation: True dnet_user: tomcat7 dnet_group: dnet +dnet_sudoers_group: dnetsu dnet_data_directories: - /var/lib/dnet @@ -8,3 +10,13 @@ dnet_data_directories: dnet_log_directories: - /var/log/dnet - /var/log/dnet/search + +# Define the following if you want some directories readable and writable by the dnet group but outside the dnet app data dirs +#dnet_users_data_directories: +# - { name: '/data/1', create: 'True' } +# - { name: '/data/2', create: 'False' } + +# Define the following array when you want to add commands to the sudoers file +#dnet_sudo_commands: +# - /etc/init.d/virtuoso-opensource-7 +# - /sbin/reboot diff --git a/dnet_user_services_perms/tasks/dnet-additional-packages.yml b/dnet_user_services_perms/tasks/dnet-additional-packages.yml new file mode 100644 index 00000000..980005e4 --- /dev/null +++ b/dnet_user_services_perms/tasks/dnet-additional-packages.yml @@ -0,0 +1,13 @@ +--- +- name: Install additional packages, if needed + apt: pkg={{ item }} state=installed + with_items: dnet_additional_packages + when: dnet_additional_packages is defined + tags: ['dnet', 'pkgs'] + +- name: Install additional python modules, if needed + pip: name={{ item }} state=present + with_items: dnet_additional_python_modules + when: dnet_additional_python_modules is defined + tags: ['dnet', 'pkgs'] + diff --git a/dnet_user_services_perms/tasks/dnet-data-dirs.yml b/dnet_user_services_perms/tasks/dnet-data-dirs.yml new file mode 100644 index 00000000..b896164a --- /dev/null +++ b/dnet_user_services_perms/tasks/dnet-data-dirs.yml 
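Review bot: "Install additional python modules, if needed" runs `pip: name={{ item }} state=present` as root with no `version=` or index pinning, so anything listed in `dnet_additional_python_modules` resolves to whatever PyPI serves at run time and its setup code executes with root privileges; accept `{ name: ..., version: ... }` entries (`pip: name={{ item.name }} version={{ item.version }}`) or document that only pinned specifiers are expected. The apt task in the same file is fine since it relies on the distribution's signed repositories. In the defaults hunk, the `dnet_sudo_commands` example (`/sbin/reboot`) is inserted verbatim into a NOPASSWD sudoers line, so the comment there should say that entries must be absolute paths and that no argument restriction is applied.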
@@ -0,0 +1,30 @@
+---
+- name: Create the dnet data dirs
+ file: name={{ item }} state=directory owner={{ dnet_user }} group={{ dnet_group }} mode=0750
+ with_items: dnet_data_directories
+ tags: [ 'tomcat', 'dnet', 'users' ]
+
+- name: Create the dnet log dirs
+ file: name={{ item }} state=directory owner={{ tomcat_user }} group={{ dnet_group }} mode=0750
+ with_items: dnet_log_directories
+ tags: [ 'tomcat', 'dnet', 'users' ]
+
+- name: Set the read/write permissions on the dnet data dirs
+ acl: name={{ item }} entity={{ dnet_group }} etype=group permissions=rwx state=present
+ with_items: dnet_data_directories
+ tags: [ 'tomcat', 'dnet', 'users' ]
+
+- name: Set the default read/write permissions on the dnet data dirs
+ acl: name={{ item }} entity={{ dnet_group }} etype=group permissions=rwx state=present default=yes
+ with_items: dnet_data_directories
+ tags: [ 'tomcat', 'dnet', 'users' ]
+
+- name: Set the read permissions on the dnet log dirs
+ acl: name={{ item }} entity={{ dnet_group }} etype=group permissions=rx state=present
+ with_items: dnet_log_directories
+ tags: [ 'tomcat', 'dnet', 'users' ]
+
+- name: Set the default read permissions on the dnet log dirs
+ acl: name={{ item }} entity={{ dnet_group }} etype=group permissions=rx state=present default=yes
+ with_items: dnet_log_directories
+ tags: [ 'tomcat', 'dnet', 'users' ]
diff --git a/dnet_user_services_perms/tasks/dnet-groups.yml b/dnet_user_services_perms/tasks/dnet-groups.yml
new file mode 100644
index 00000000..d04599e3
--- /dev/null
+++ b/dnet_user_services_perms/tasks/dnet-groups.yml
@@ -0,0 +1,25 @@
+---
+- name: Add the dnet groups, if it does not exist already
+ group: name={{ item }} state=present
+ with_items:
+ - '{{ dnet_group }}'
+ - '{{ dnet_sudoers_group }}'
+ tags: [ 'dnet', 'users' ]
+
+- name: Add all the users to the dnet group
+ user: name={{ item.login }} groups={{ dnet_group }}, append=yes
+ with_items: users_system_users
+ tags: [ 'dnet', 'users' ]
+
+- name: Add selected users to the dnet sudoers group
+ user: name={{ item.login }} groups={{ dnet_sudoers_group }}, append=yes
+ with_items: users_system_users
+ when: item.dnet_sudoers_user
+ tags: [ 'dnet', 'users' ]
+
+- name: Remove selected users to the dnet sudoers group
+ user: name={{ item.login }} groups={{ dnet_group }}
+ with_items: users_system_users
+ when: not item.dnet_sudoers_user
+ tags: [ 'dnet', 'users' ]
+
diff --git a/dnet_user_services_perms/tasks/dnet-tomcat-acls.yml b/dnet_user_services_perms/tasks/dnet-tomcat-acls.yml
new file mode 100644
index 00000000..e0b1a3e7
--- /dev/null
+++ b/dnet_user_services_perms/tasks/dnet-tomcat-acls.yml
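Review bot: "Remove selected users to the dnet sudoers group" calls the user module with `groups={{ dnet_group }}` and no `append=yes`, which sets the account's supplementary groups to exactly `dnet`: it does drop `dnetsu`, but it also strips every other supplementary group (sudo, adm, ...) the account had, on every run. The user module has no "remove from one group" operation, so the removal needs either the full intended group list or an explicit `gpasswd -d {{ item.login }} {{ dnet_sudoers_group }}` guarded by a membership check. In the two add tasks the trailing comma in `groups={{ dnet_group }},` hands the module an empty group name, which may be rejected or ignored depending on the Ansible version, and the conditions should tolerate entries that omit the key: `when: item.dnet_sudoers_user is defined and item.dnet_sudoers_user` and `when: item.dnet_sudoers_user is not defined or not item.dnet_sudoers_user`, so that an unset flag means "not a sudoer".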
@@ -0,0 +1,68 @@ +--- + +# +# Acls for the single tomcat instance +# +# Note: the default is a default only. We need two commands to add acl effectively on the root dir and set the default +- name: Set the read/write permissions on the tomcat webapps and common/classes directories. single tomcat instance + acl: name={{ item }} entity={{ dnet_group }} etype=group permissions=rwx state=present + when: tomcat_m_instances is not defined + with_items: + - [ '{{ tomcat_webapps_dir }}', '{{ tomcat_common_classes_dir }}', '{{ tomcat_common_dir }}' ] + tags: [ 'tomcat', 'dnet', 'users' ] + +- name: Set the default read/write permissions on the tomcat webapps and common/classes directories. single tomcat instance + acl: name={{ item }} entity={{ dnet_group }} etype=group permissions=rwx state=present default=yes + when: tomcat_m_instances is not defined + with_items: + - [ '{{ tomcat_webapps_dir }}', '{{ tomcat_common_classes_dir }}', '{{ tomcat_common_dir }}' ] + tags: [ 'tomcat', 'dnet', 'users' ] + +# Note: the default is a default only. We need two commands to add acl effectively on the root dir and set the default +- name: Set the read permissions on the tomcat log directory. single tomcat instance + acl: name={{ item }} entity={{ dnet_group }} etype=group permissions=rx state=present + when: tomcat_m_instances is not defined + with_items: + - [ '{{ tomcat_logdir }}' ] + tags: [ 'tomcat', 'dnet', 'users' ] + +- name: Set the default read permissions on the tomcat log directory. single tomcat instance + acl: name={{ item }} entity={{ dnet_group }} etype=group permissions=rx state=present default=yes + when: tomcat_m_instances is not defined + with_items: + - [ '{{ tomcat_logdir }}' ] + tags: [ 'tomcat', 'dnet', 'users' ] + +# +# Same steps, but when we are using multiple tomcat instances +# +# Note: the default is a default only. 
We need two commands to add acl effectively on the root dir and set the default +- name: Set the read/write permissions on the tomcat webapps and common/classes directories. multiple tomcat instances + acl: name={{ item.0.instance_path }}/{{ item.1 }} entity={{ dnet_group }} etype=group permissions=rwx state=present + when: tomcat_m_instances is defined + with_nested: + - '{{ tomcat_m_instances }}' + - [ 'webapps', 'common', 'common/classes' ] + tags: [ 'tomcat', 'dnet', 'users' ] + +- name: Set the default read/write permissions on the tomcat webapps and common/classes directories. multiple tomcat instances + acl: name={{ item.0.instance_path }}/{{ item.1 }} entity={{ dnet_group }} etype=group permissions=rwx state=present default=yes + when: tomcat_m_instances is defined + with_nested: + - '{{ tomcat_m_instances }}' + - [ 'webapps', 'common', 'common/classes' ] + tags: [ 'tomcat', 'dnet', 'users' ] + +# Note: the default is a default only. We need two commands to add acl effectively on the root dir and set the default +- name: Set the read permissions on the tomcat log directory. multiple tomcat instances + acl: name={{ tomcat_m_instances_logdir_base }}/{{ item.http_port }} entity={{ dnet_group }} etype=group permissions=rx state=present + when: tomcat_m_instances is defined + with_items: tomcat_m_instances + tags: [ 'tomcat', 'dnet', 'users' ] + +- name: Set the default read permissions on the tomcat log directory. multiple tomcat instances + acl: name={{ tomcat_m_instances_logdir_base }}/{{ item.http_port }} entity={{ dnet_group }} etype=group permissions=rx state=present default=yes + when: tomcat_m_instances is defined + with_items: tomcat_m_instances + tags: [ 'tomcat', 'dnet', 'users' ] + diff --git a/dnet_user_services_perms/tasks/dnet-users-data-dirs.yml b/dnet_user_services_perms/tasks/dnet-users-data-dirs.yml new file mode 100644 index 00000000..90f03a27 --- /dev/null +++ b/dnet_user_services_perms/tasks/dnet-users-data-dirs.yml 
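Review bot: The rwx group ACL plus the matching default ACL on `webapps`, `common` and `common/classes` (in both the single- and multi-instance branches) let every member of `dnet_group` drop a WAR or class file that Tomcat loads and runs as the tomcat user, so membership in that group amounts to code execution as the service account; the README, which only says the role lets users "write inside a list of directories", should state this. A header comment in this file would help as well, e.g. `# NOTE: write access to webapps/ and common/classes/ is code execution as the tomcat user; keep dnet_group membership tight`. The multi-instance log ACL derives the directory from `{{ item.http_port }}`, presumably the naming convention of the tomcat-multiple-instances role; a comment pointing at that convention would make the coupling visible.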
@@ -0,0 +1,17 @@
+---
+- name: Create the users dnet data dirs
+ file: name={{ item.name }} state=directory owner=root group={{ dnet_group }} mode=0750
+ with_items: dnet_users_data_directories
+ when: item.create
+ tags: [ 'dnet', 'users' ]
+
+- name: Set the read/write permissions on the users dnet data dirs
+ acl: name={{ item.name }} entity={{ dnet_group }} etype=group permissions=rwx state=present
+ with_items: dnet_users_data_directories
+ tags: [ 'dnet', 'users' ]
+
+- name: Set the default read/write permissions on the users dnet data dirs
+ acl: name={{ item.name }} entity={{ dnet_group }} etype=group permissions=rwx state=present default=yes
+ with_items: dnet_users_data_directories
+ tags: [ 'dnet', 'users' ]
+
diff --git a/dnet_user_services_perms/tasks/main.yml b/dnet_user_services_perms/tasks/main.yml
index cec4b533..da095841 100644
--- a/dnet_user_services_perms/tasks/main.yml
+++ b/dnet_user_services_perms/tasks/main.yml
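Review bot: `when: item.create` does not behave the way the defaults example suggests: the example writes `create: 'True'` / `create: 'False'` as quoted strings, and a non-empty string is truthy in the Jinja conditional, so a directory marked `create: 'False'` is created anyway; use `when: item.create | bool` (and unquoted booleans in the example). When `create` really is false the two acl tasks still run against `{{ item.name }}` and fail if the path does not exist, so they should either carry the same condition or the file should document that `create: False` means the directory must already exist.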
@@ -1,118 +1,10 @@ --- -- name: Add the all the users to the dnet group - user: name={{ item.login }} groups={{ dnet_group }} - with_items: users_system_users - tags: [ 'dnet', 'users' ] - -- name: Install the sudoers config that permits the dnet users to restart tomcat - template: src=dnet-sudoers.j2 dest=/etc/sudoers.d/dnet-group owner=root group=root mode=0440 - tags: [ 'tomcat', 'dnet', 'sudo', 'users' ] - -- name: Create the dnet data dirs - file: name={{ item }} state=directory owner={{ dnet_user }} group={{ dnet_group }} mode=0750 - with_items: dnet_data_directories - tags: [ 'tomcat', 'dnet', 'users' ] - -- name: Create the dnet log dirs - file: name={{ item }} state=directory owner={{ tomcat_user }} group={{ dnet_group }} mode=0750 - with_items: dnet_log_directories - tags: [ 'tomcat', 'dnet', 'users' ] - -- name: Set the read/write permissions on the dnet data dirs - acl: name={{ item }} entity={{ dnet_group }} etype=group permissions=rwx state=present - with_items: dnet_data_directories - tags: [ 'tomcat', 'dnet', 'users' ] - -- name: Set the default read/write permissions on the dnet data dirs - acl: name={{ item }} entity={{ dnet_group }} etype=group permissions=rwx state=present default=yes - with_items: dnet_data_directories - tags: [ 'tomcat', 'dnet', 'users' ] - -- name: Set the read permissions on the dnet log dirs - acl: name={{ item }} entity={{ dnet_group }} etype=group permissions=rx state=present - with_items: dnet_log_directories - tags: [ 'tomcat', 'dnet', 'users' ] - -- name: Set the default read permissions on the dnet log dirs - acl: name={{ item }} entity={{ dnet_group }} etype=group permissions=rx state=present default=yes - with_items: dnet_log_directories - tags: [ 'tomcat', 'dnet', 'users' ] - -- name: Install additional packages, if needed - apt: pkg={{ item }} state=installed - with_items: dnet_additional_packages - when: dnet_additional_packages is defined - tags: ['dnet', 'pkgs'] - -- name: Install additional python modules, if 
needed - pip: name={{ item }} state=present - with_items: dnet_additional_python_modules - when: dnet_additional_python_modules is defined - tags: ['dnet', 'pkgs'] - -# -# Acls for the single tomcat instance -# -# Note: the default is a default only. We need two commands to add acl effectively on the root dir and set the default -- name: Set the read/write permissions on the tomcat webapps and common/classes directories. single tomcat instance - acl: name={{ item }} entity={{ dnet_group }} etype=group permissions=rwx state=present - when: tomcat_m_instances is not defined - with_items: - - [ '{{ tomcat_webapps_dir }}', '{{ tomcat_common_classes_dir }}', '{{ tomcat_common_dir }}' ] - tags: [ 'tomcat', 'dnet', 'users' ] - -- name: Set the default read/write permissions on the tomcat webapps and common/classes directories. single tomcat instance - acl: name={{ item }} entity={{ dnet_group }} etype=group permissions=rwx state=present default=yes - when: tomcat_m_instances is not defined - with_items: - - [ '{{ tomcat_webapps_dir }}', '{{ tomcat_common_classes_dir }}', '{{ tomcat_common_dir }}' ] - tags: [ 'tomcat', 'dnet', 'users' ] - -# Note: the default is a default only. We need two commands to add acl effectively on the root dir and set the default -- name: Set the read permissions on the tomcat log directory. single tomcat instance - acl: name={{ item }} entity={{ dnet_group }} etype=group permissions=rx state=present - when: tomcat_m_instances is not defined - with_items: - - [ '{{ tomcat_logdir }}' ] - tags: [ 'tomcat', 'dnet', 'users' ] - -- name: Set the default read permissions on the tomcat log directory. single tomcat instance - acl: name={{ item }} entity={{ dnet_group }} etype=group permissions=rx state=present default=yes - when: tomcat_m_instances is not defined - with_items: - - [ '{{ tomcat_logdir }}' ] - tags: [ 'tomcat', 'dnet', 'users' ] - -# -# Same steps, but when we are using multiple tomcat instances -# -# Note: the default is a default only. 
We need two commands to add acl effectively on the root dir and set the default -- name: Set the read/write permissions on the tomcat webapps and common/classes directories. multiple tomcat instances - acl: name={{ item.0.instance_path }}/{{ item.1 }} entity={{ dnet_group }} etype=group permissions=rwx state=present - when: tomcat_m_instances is defined - with_nested: - - '{{ tomcat_m_instances }}' - - [ 'webapps', 'common', 'common/classes' ] - tags: [ 'tomcat', 'dnet', 'users' ] - -- name: Set the default read/write permissions on the tomcat webapps and common/classes directories. multiple tomcat instances - acl: name={{ item.0.instance_path }}/{{ item.1 }} entity={{ dnet_group }} etype=group permissions=rwx state=present default=yes - when: tomcat_m_instances is defined - with_nested: - - '{{ tomcat_m_instances }}' - - [ 'webapps', 'common', 'common/classes' ] - tags: [ 'tomcat', 'dnet', 'users' ] - -# Note: the default is a default only. We need two commands to add acl effectively on the root dir and set the default -- name: Set the read permissions on the tomcat log directory. multiple tomcat instances - acl: name={{ tomcat_m_instances_logdir_base }}/{{ item.http_port }} entity={{ dnet_group }} etype=group permissions=rx state=present - when: tomcat_m_instances is defined - with_items: tomcat_m_instances - tags: [ 'tomcat', 'dnet', 'users' ] - -- name: Set the default read permissions on the tomcat log directory. 
multiple tomcat instances - acl: name={{ tomcat_m_instances_logdir_base }}/{{ item.http_port }} entity={{ dnet_group }} etype=group permissions=rx state=present default=yes - when: tomcat_m_instances is defined - with_items: tomcat_m_instances - tags: [ 'tomcat', 'dnet', 'users' ] - +- include: dnet-groups.yml +- include: sudo-config.yml +- include: dnet-data-dirs.yml + when: dnet_standard_installation +- include: dnet-users-data-dirs.yml + when: dnet_users_data_directories is defined +- include: dnet-additional-packages.yml +- include: dnet-tomcat-acls.yml + when: dnet_standard_installation diff --git a/dnet_user_services_perms/tasks/sudo-config.yml b/dnet_user_services_perms/tasks/sudo-config.yml new file mode 100644 index 00000000..efcb2c75 --- /dev/null +++ b/dnet_user_services_perms/tasks/sudo-config.yml @@ -0,0 +1,5 @@ +--- +- name: Install the sudoers config that permits the dnet users to execute some privileged commands + template: src=dnet-sudoers.j2 dest=/etc/sudoers.d/dnet-group owner=root group=root mode=0440 + tags: [ 'tomcat', 'dnet', 'sudo', 'users' ] + diff --git a/dnet_user_services_perms/templates/dnet-sudoers.j2 b/dnet_user_services_perms/templates/dnet-sudoers.j2 index d37971d0..34bd9498 100644 --- a/dnet_user_services_perms/templates/dnet-sudoers.j2 +++ b/dnet_user_services_perms/templates/dnet-sudoers.j2 @@ -1,3 +1,3 @@ -%{{ dnet_group }} ALL=(ALL) NOPASSWD: /etc/init.d/tomcat7, /etc/init.d/tomcat-instance-* +%{{ dnet_sudoers_group }} ALL=(ALL) NOPASSWD: {% if tomcat_m_instances is defined %}/etc/init.d/tomcat7, /etc/init.d/tomcat-instance-*{% endif %}{% if dnet_sudo_commands is defined %}{% for cmd in dnet_sudo_commands %}{{ cmd }}{% if not loop.last %},{% endif %}{% endfor %}{% endif %} diff --git a/ssh-keys/defaults/main.yml b/ssh-keys/defaults/main.yml index 33e264af..e3d2ec8a 100644 --- a/ssh-keys/defaults/main.yml +++ b/ssh-keys/defaults/main.yml 
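Review bot: The rendered template is written straight into /etc/sudoers.d/dnet-group without validation; a syntax error in that file makes sudo refuse every command for every user on the host, not only the dnet group, so add `validate='/usr/sbin/visudo -cf %s'` to the template task. The task still carries the 'tomcat' tag although, per the README change, the role is now service-agnostic.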
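Review bot: When both `tomcat_m_instances` and `dnet_sudo_commands` are defined the rendered line reads `... /etc/init.d/tomcat-instance-*/etc/init.d/virtuoso-opensource-7` with no separator between the two groups, and when neither is defined it ends in `NOPASSWD: ` with an empty command list; either way the file does not parse, which breaks sudo for the whole host. Building the command list first and joining it handles both cases, and emitting no line at all when the list is empty is the safe default. Note also that the previous template granted the tomcat commands unconditionally while the new one ties them to `tomcat_m_instances is defined`, i.e. to the multi-instance setup, so the default single `tomcat7` installation (`dnet_standard_installation: True`) loses its restart permission; if that is unintended, key the tomcat entries on `dnet_standard_installation` instead.
```jinja
{% set dnet_cmds = dnet_sudo_commands | default([]) %}
{% if tomcat_m_instances is defined %}{% set dnet_cmds = ['/etc/init.d/tomcat7', '/etc/init.d/tomcat-instance-*'] + dnet_cmds %}{% endif %}
{% if dnet_cmds %}
%{{ dnet_sudoers_group }} ALL=(ALL) NOPASSWD: {{ dnet_cmds | join(', ') }}
{% endif %}
```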
@@ -1,42 +1,5 @@ --- manage_root_ssh_keys: True -# -# Example: -# user_ssh_key: [ '{{ sandro_labruzzo }}','{{ michele_artini }}', '{{ claudio_atzori }}' ] -# -cm_pubkey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDJN8XR/N4p6FfymWJy7mwR3vbUboC4P+7CgZalflhK5iH0P7c24/zZDY9Y5QIq58IViY7napqZuRkNHnHcvm9mxtSxQ16qe03NulABN5V/ljgR0sQAWz8pwv68LDpR9uBSCbXDdDCUUlS+zOxCHA6s7O7PSFavX4An1Vd/mjwoeR4eLRQXNcKsK2Pu/BZ3TCLmWyi2otnxFiJ8IoKW1CvjxKWmt5BvAvys0dfsdnTSVz9yiUMwN5Oj8cw/jhKqadnkvqTGfGl1ELm9L2V7hT6LM0cIom9oRsQf+JJ6loBe3UUZGaAhY2jmARmZdX3qV9Wh+UtxaWMEAXB9mf/2cK9f jenkins@cm -ci_pubkey: ssh-dss AAAAB3NzaC1kc3MAAACBAPwK/P1MAOksk1vT8YQd4/d9apwx2Npbs1ynNq3jZloDClbR9bOyNQ41SA5HcSHvgRYHTDySw2nCDWew+FB5VqoEqmTecpy7MoPYyxOuRByx26LwgBIt7f3Dj1hrepwiWtrvY16dw7SYEs6+Bm8VGXRmlvGPORzuyP8plagI2641AAAAFQCknhxNYiauoYAfjcx1LONccKwjZQAAAIAJ097QfL/ehWEiaEI710t8wksckio1fhS9zLckNDyBaqMYYBQUSru/orWy6hkoF1hpCiRuhyKj5HyzIZmHRk0oPg6F6Kiq/9AKZAxH/mKD5Dsw0FVANQMuOq5DH2O3NYxlBEh/8tEqSg3BoNsv563i48FJ1DJeOd8/Ldi4tBcxswAAAIBu/R99IT3aOYkoC9z5I7qg0nL5duth4gMsJRJZbwoTtdY4ABF94GBHeb8RlQ+o7dxiUyBp0P5ME0p9Mc0OsTZPsLzYsnZfpzPIWmlNGaPPQExKFhpXkAwJ0zuDAatf9Tc7eT7bhf/vDsZXS4GKJ4HtRIVb6z5jvjq9Y27/HNC/6Q== jenkins@ci -claudio_atzori: ssh-dss AAAAB3NzaC1kc3MAAACBAPMUiX2cCrDItmblQgA2sRZ5SixdDvwmVG0yPk67wb2oZF8MCGCGwwt9eWI8EecMKIevoWF63pn8poUveqvnRRFfGCjly8Rl6cNM3QZRmc5hjU3HcG/eFDCs92+vGdYfN/UV1qi2xIKU8204VfpnpWfsPlBqion/mR/kfLgCD0RTAAAAFQD6xPbDfMl0mkPGNL591eYHlKbtwQAAAIBJjhez8Gy8WGMJdcd/0B8rgEuHhDA9SQTknc/V88OMMthe3T5dWwwesT0DU4fPbn9Be6QWU+SNrBESmB64UpreCeodvh9pnfe0xerYWMplELlHM1yRtCCDQp2iDXK/oRTZne3IX8+OPx1OSKkWzQAVls4PV92CDSS8h1B9yvutiAAAAIAd8tasvTEmFpjaqszB6gkCdTlRHuVshRdrvAE8NBg9n0EzN3GdIyzJMmMAtTb0oJZZ3KGnKZic/gGGbqEY48PMbd9/WpWTf8SJz1ccpt3EQMbvLBJUwsJQ8ObBYhVe3SIwucwsZguIiPNdHIje+g1fc1DQHd5ALt3ljAYCPW+Yug== claudio@claudio-desktop -michele_artini: ssh-dss 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 michele@pc-artini -andrea_dellamico: ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABAQDZ9n6B+J5S7NPnwjejPC2WrvcRzC07WPnAoQ7ZHZ0Mv9JakyWItswzI3Drz/zI0mCamyuye+9dWz9v/ZRwUfBobVyXuptRaZIwxlMC/KsTZofpp3RHOBTteZ4/VM0VhEeiOHu+GuzNE0fRB2gsusWeMMae2cq4TjVAOMcQmJX496L703Smc14gFrP8y/P9jbC5HquuVnPR29PsW4mHidPmjdKkO7QmDfFAj44pEUGeInYOJe708C03NCpsjHw8AVdAJ6Pf16EOdDH+z8D6CByVO3s8UT0HJ85BRoIy6254/hmYLzyd/eRnCXHS/dke+ivrlA3XxG4+DmqjuJR/Jpfx adellam@semovente -sandro_labruzzo: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+PFOSF+U9pvWTH/9TYZer3oDvTU2q6wVPs0dvgYc9Ak1Wdzmq4Dj9nyeLBW3G1i5ddqFrr/QSjIroX2/y8Z8Dq+OZLRpBhSyLF9bV0jKbytJJYhkzIJHgE/ITTdbNQVZstjPZ0D4c/0lrbMwiiwsKWRqphmvMKFmgkO4M4w1qm8B3UYPHF3lZfw+vm+rgVv+FiOltgsRm+LU0IszeiiOd1WgPWUVYixFnNUVzDkXRDatO5//M1XMHM/PoontgnsCP2j9kxIptYgguiNZUIeMUFljw3SbV84NrVUSpL6/fzmvsEv05rkRT0+P8oPYIhxO1alKr99H9ADg7pU36rWaN sandro@sandro-pc -hadoop_test_cluster: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDi7O89HLqa3HMEkmCVF6/V/IWw8G8eaKWOOzDsLtQAFFti9rWHckyCSxNhtYuuiGLhn5Mad0E7JaguexU5j+Rm9Vu30ducF6DefJsOqQ5TfQhzN60w5f+y59BqWDSHBBawEhfuS2B5qj9iL76w8ZgMsqS+6WXiT792F9DoelYfKBODQi8/AE5C93iQiYyyFIrvy37KUfvBlzjSkNNHb5A36PlHmQBZD3WhROaZfjUfXifFzOSs9bERazttXG8HeElt7zbE40OSse2HG3y34gB+TvGIYbd3scQUiL5dEWt4cDSDBrEU6b1rG04uZgkscxCFwTDxPrHUVXS0ou03N4nr Hadoop test -tommaso_piccioli: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAzcHuDU7PgJwz34AsVG0E2+ZRx17ZKW1uDEGABNk3Z60/c9LTwWKPj6kcIRy6RzFJI5X+IgPJnYouXVmJsIWjVL8IRk8fP1ffJC6Fyf6H7+fCxu/Wwed5OoOCvKeZ0bEmJ1tlXFM6+EnxKqLCvz3fsNy8e4WKMnpS1hT8K6YB7PMjt60S3wOaxds1Lv4NmmgnfGM5uZFYrZCx1/GJCzNSh7AEEEUIVQ1B8xmXbet7whNiwDmiOnXSlt38dkIYT8kNMuRCj/r9wPr7FmoUCOFzUVXTcnuYagKyURrZ8QDyHbK6XQLYXgvCz/lWoErGFbDqpmBHHyvKSeLPxYfJpWJ70w== tom@tom -backup_agent: ssh-dss 
AAAAB3NzaC1kc3MAAACBANBn5i7oJd12+GAeDVSAiPqCxcCDzWe41g3Vy/LhbYKwG0smPNJRfvyf7lKWkgolJfMJZrk7bBVhJoApkV7vkFkrSPueyRC+/ohjafpOsmxRYiOaSrDZ2c9TbGFVZTh23pUXoDPp2Z0N8l471b9Mx/nqgtflCV+IVICcDZbUhcCTAAAAFQC+fmfljTFllCMKsgrSJcQAtiIT/QAAAIEAvrsLfmQzHQjt4G5FhcPVbvP87KUsDh0xksCfMRP6bQBz/3mcnt7V5/MLll/CZMiOWjRK3ww9zCYHprUwQtAZSllFWiGUKw1tDvf1ZQGESYP/vvWwcpPZpVsRHlhRtuMsQchSRxw03yYOqEEa2akWzQlvaZ4CWWym931mZg6zY4AAAACAG/l8dU/QEMK1JP3rDV0kZYvcxjUC9Mxw5ScTyVqVnxDL75ssX9HiQamsiTk0dYNyl8qkB38FfkB4LhEb8FkHs4toN+nTNPPlLqhpYMs+anwyNy32LnXAVP02VJ2+3exwGe0b5vtIFpj+j8s7YZMHN5x6d4xhZ9oq5M2pJN6M48E= root@dlibbackup -monja_dariva: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuQJvgDc8lQB+EArajGPEirRuYxGcInfiM3uRS0P5Dhqch6cuNdMFFjCoQVFL2Dvs7QNSRm8mvnPLWOCYLEFPBdXlA63w+n3VWoVOs0lUgQM77/axetd/K8BCkJlcA/exvVxLtzc5k8hN1k3OJY/Npi2Xa4WyEMV6t7+vYK3MXPjFBy4Y/aLWZvHcCn0zUbeB8T8PJ2S8taCIOMzemUzjGs3c0f4y6oaJx1gPw31PCahkaVS4ZLSt+0y3DRaGiXjyzgbQPf1whBOT4SSiX3SgdMvxA/Fzz2sSAn9PNfKq+/vygn7qDB79qzBhOXs36dPuwmsqggxIZasGUT/YfRp5Cw== monja@pc-monja -andrea_manzi: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAoCquwjgvRQXrHJ7sjY7/mFv0hEev4dljYKYz3Rf9r1rExQ6zku4tCvLkwmc+1U4ui2GCMQ70Hp1BbVdU01WVdAb6ESLAqk4m2NFiNxSsxerEyyOgnCvTA+Pcb1beVHgEm1/IA+6MgVPg71nE2OETpaoDNBGn+AmCdLqC67lXM9KlEaoLFFGY8ZbwJifWdidH/fk3rQojnGhxnFOidVu8QeV+b5kNTyVA2CUbCZCFZANIs/ZrDOmP5nmtA35vkIRU0OV6iBeJmcYsMwXmh8kiR6KoKVcH7gMMxTpBr/wjvdak7BeiZirP9poKE7XBiyHeatqQgEUOALsolkCYk8YJUw== andrea.manzi@shell.research-infrastructures.eu -antonis_lempesis: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA8nr14q0s/8V9Nv3bz7xCk9FwKbtN21qx33PDTUS/NjwHX/AQIE1ZFbepPOnzLuPy8LUtzrEI+cEMDjn37CLiZWjnZkPOaIV7ELUBvwIk6JBe6iXSq93atYJWxQQsPuc1uoAFWLayxExMRl+P0UQCP7pQmTg4v8U4VflCp0LLBglgBl5glIiw2fLAfc+JawefWGnp92djuvqii8zm5nUmgJ+5DjbSD0rMO+vYXme5ig6v6b2YFG0cUHiNk8evM6M+OWmtz1uzP6kfQ4SjCNpzib6Rub8hgPlkJH/z4S+7lF1e6uwohQyicwu6hfTfIL+IRRCrNTGtzcDmk405/nIETQ== antonislebesis@ekton.lan -alessia_bardi: ssh-rsa 
AAAAB3NzaC1yc2EAAAABIwAAAQEAvfQoH4uRROhIUY5VTthAiY0Ga0cbg3smsT366C4Nd3TtU5ciBterRQv0YkvdQ4zS+e3D47PFRAuEyJEAJMp9+odhmjT6WPLhMYmE42b0qk+WC4uXG7V2rTX+wNvX4HaVHnlPai/6Of85rZ1AKbeMB2LLKMvj0n1HovVg6VbLUfrrxfkcTfgE27mukoRQy4RuZjQRjdJ1o7g4geA05CrFjDOriqwl4WDXWUNSkx2MwtOZ58ZLAVu84ce+RYvzxHC/wZptOx6U35fsoAaK7NPIiwbRbSbQqlAMnQauCLYTvfFKFkqY2JXp9q6lSsW4S5VnEeJjWvO/e7rxOmdbxGzx9w== lexis@lexis02 -andrea_mannocci: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCtTV2pjWXgTmX5h9J7VtQbYZ2NoQyZmLKl5gHvBKcX4pgBNYR+OA0620l3I3bTLPzqx93y6N/GIi2ewutyk7n2a5qFAIZxhrQYR5rSQn07apTDSh9CKyAyy6baM/jQmZN4ba6ObHIFdtIPHyY0Z/2ni6ohWXuOPIC+me+/x4R6P5s7y6x4IoMOGcEtn+puJ1gAdMBhkn7IqMAbdMj3WbsBjDAJ2lT8Dbyet8fkW4TENxd0teRW9jGeSP8rtuapnAF6rgcvPn/gk3/0wnBsXjtlBe5VEJTsNXY50RoB+PdkLgT4h6613v2WtR6ZoCEVNLXbsJ2BabrCmntyEEJVdbMJ andrea@pc-andrea -marek_horst: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA0tbauAEn91q209ek50lv6jeBGsYy+N25XPVE9e173L3oW/NR1DuIXdn/zpHy5sLKpWk2nLkGJxNBdAFlKKxDKzRRZ7aX8qB490o5H4GTGgdxIQtp8x66CvIjMyM4kYLExVb4WVV7yMxCxuClMk6/m0vo3h77VzL08e3uyLoa5FZ3RPbOFb6QvnH4QEoFp/6Hos9mJF2bY/w2DqUrUVgUeAO9k9uilqhv+rwHdsq20g9OXHNlWOOtNtrWq0pn1FU1jCooZsbqLeBcEGlvD/I1FxqLi7x5llpNVfHTmEHoczTmuo0sqAGmSxHWnz3C4KtVTHVqxLS6hSUp55j6DQwPnw== -eri_katsari: ssh-dss AAAAB3NzaC1kc3MAAACBALsZPjtXRreOknW7KAoBCiJ/QqFfHjz2JD0hTl/MQOPTNfn8532F1tpQDqMKz0H1XIljJas7EvrVDMNDO7iX5CbTmfLh2ds8ssPQ/LwH8ArNfsWaWyELVWJExXA9Xizcb8PApWScUEeRgP22ZTgnHYSX7zCQGhSn1Kb4vQ3H8MxbAAAAFQC8PJWnks+PWgqtO7Gb8SOV8oP3YQAAAIEArfQ69en2ZHku2T4FONfhjFLy7AKpq6Rh40KCGTSgowtbyyYVk0aRupqMlVolYwlbeY+/o21EFb1+Wy9nFDNsu1uY/1mESdLs256rRy6VJx8/VvuYg4r7TdSqypOa0QsqzCbExwZR4witez5yMQKZji8kmRKWKRsByFVk2OR0IxkAAACARQlw/skGy5wfkWd41YqsoDhfMLVNLAS2dKnUkLdifUKjymcSHC2WrYq2LfxVxrd9CFFp/yurlQ01v/818GX7nE9zBiRhhFS944Lk05CmInmcDt/J2iGq65bA/7iem9EhXkU+5Up1uYFgdubPEL7Za+Pk+Z9NMdqqjtco9Q0A6v8= eri@eri-duffy -marko_mikulicic: ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABAQCYNjCquDDIpGqJgr8DTkRd0Y1ngmrq+FFMb+UnALdm3I1Uch07Z+TAkcrkpr9RdyTjP3mNIUUyI18Z6NgUC2TR4x7wVA9eV0uGWP8BiocXWPjVhQJhtDkXldkP93ylyYlLJ4VQ+xGinKdg7ZA4KTpG6rnjL999AA4W0utj5B8Dj0l/wvp96ONq1ZOTzOc3h0t9NGVQLbXstNakQkPcb5E2hyt4QOOahpZ6TG2is460G5yEgV3xHT/VRJQn0OjKeHnXlDwXs53qwjeNrESMEv4wD2qufgAXKbPGK7+3GReE8VkkhwnEY1/ET4LaTyqg6eIp0mIiScDvBV0/UCNX8c49 mkm -jochen_schirrwagen: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAqVJeLtXaqseUP3cHSIQw+6Piv6s0PmezFbj34oqcN81/JlzmTtpOd8GBX6N8Weo40HbKhlghOl08+3WP2fW3eg9vaST6xCy8BvzLcqb8LPBSlTXa8imAK9AWkR4peFi1zYpIciZpkAwaFtfpdSR/zJip2s61EgWhinUPHs/0PzCCM32P4Yc0qYygb+htv4AthZWChEbHSY7eNrXIOOvyQtUSbpGJ78VCEdlKuy+ehhTxlMOBxcKca1PSWU3jSmzkSxnUotr2IXiRK1bUVZYpXXd7K89EZfPpb3DG1z8UBf9n0obLdI0yvaka8z8l1KxbwuAhN9MyzHITALbniYIHOw== jochen@jochen-laptop ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAo5A+f0wdqoXCGEFBpePV892cq9MswIgK9vmDJ22TdHKQrN5h1sIHeXjxO3vnaktb62evFqZw1kueA0dwQhEA+Kvpc5qN1s+GfIxs4PbNjiNWNVgwrfGK11vlW/LP2GgbfZ7pl+Gxj6Qu65/A2eMf4c9ZjAOnHck6RQSttrfIjR0kLpqEB3o2x8s89vu/P5PG7mN+IsfW9Ow/612m+8ZG84qnVAo36lK9mgEFUToozIHfON14uC8VGTnsN9ff9S98GJkW8Ga3ha9voPwkp794LBHZlQj01Pwm4ZOx+tdOfTNXx06szjswacWXsW4zaTyH9MZP9LumubGG7eOse0y0bw== jochen@jochen-desktop ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAo5A+f0wdqoXCGEFBpePV892cq9MswIgK9vmDJ22TdHKQrN5h1sIHeXjxO3vnaktb62evFqZw1kueA0dwQhEA+Kvpc5qN1s+GfIxs4PbNjiNWNVgwrfGK11vlW/LP2GgbfZ7pl+Gxj6Qu65/A2eMf4c9ZjAOnHck6RQSttrfIjR0kLpqEB3o2x8s89vu/P5PG7mN+IsfW9Ow/612m+8ZG84qnVAo36lK9mgEFUToozIHfON14uC8VGTnsN9ff9S98GJkW8Ga3ha9voPwkp794LBHZlQj01Pwm4ZOx+tdOfTNXx06szjswacWXsW4zaTyH9MZP9LumubGG7eOse0y0bw== jochen@jochen-desktop -old_nikon_gasparis: ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABAQCpwiKTTbiaRtuloEgvTRwjDjzrYSjUOUfjZ/o7FlfvtkApA09bSbbtVpMid60TYzf2tK1ie0Y0rCnaQ0wiaSQFqGkw47VsewBOpyJC+pWXz6GLMMJUEY6viDSuUDbn7ADJqak4YscVi2vZCSwWwslA+jBqWimDdE+8hIKNqQQA3klZ1zp84HayUdJY4jt3nbpQkOpVUdE/1cggVdq523hF2u+mjyR3ctILVyyPArxPInYILZxhaS8AvX8ZPADIE5Ki0zowC2UsvbZZzauJzJQ/KuK1tvZVD2AaEg+06Kj1RWWxIlYgXpO+XYGoYEViPMHUdf1h+zt+t6UxXshWPeWd nikonas@di.uoa.gr -nikon_gasparis: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3b+t/2RQjw8d07zV30tD0qysEFNTeeAsFqazdrvPa+bbm6wZ75Gkka4+wWmVZdd56gIh4yx4L4avnnzeQfUTREgrhNmlHRPdVB5rpJNa/3bQ+J/O3SpyRcGawPKNJWlhwCWaILag0lm3O+4ukuzN2WXFxHGyiiz0FLPXS7Yps2k3OZVHPx7GhGkr+K26c3oELR/yTCCgQxrZwMpy9xOLhXgPZRlzj4Y/KQBgRojbhhrFmmKe3k7g8u2Kb/oSDl5+kSOWzV7qrvHkHDUc2K1bp+lrG6L8QNLivZzOVQ/VeBBGGRhSL5D2JdC4T7+q89dsmPQM6Zu3lWBKQk/Jw/1gZ nikonas@mpagasas-I2 -roberto_cirillo: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAvkwppFE+K5MjKqtkGJN63wkcwaqZG4HkgPqMSWrXmCfDPJ3FxjDHV9aQRJYVKZObc9+SsFc9IYXwB2A8FI0XwPkCH2hfFKDVNO4TktO/SrM+4tXbEfEDWX/PduBQLootYaMEVj++p2+s/mxVnxTAMzsR4txC9tkWR4JO4VJ2cpZfM8po4p1wA4YteW6Oiv0PqUEsLtPtBHGuCgovo8WS+qxcxpeBBnewEssgis2dzDSqx5HUmaOETAxxEHflapHWQLum0JjvXsG5jlf9jL44XJPkcHXAYk3gnhtyM0moJpUya+GX7+ttfWWvwxs0tYNDXNMRn91r1hMLWmas4D+T/Q== rcirillo@rcirillo-cnr -fabio_sinibaldi: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEArNhKFcJ6T08sn7kTTLf+rO9HEvgOvqfhv5HQ2sRf2tFYfjfCb0zHKnMkgW+sy5gMU10Lyx1r7juXCvqRC955uIM97m1B1Xc6sVqASVKuGPhCKfhxEaMAyBcWFdE+HYbCOPYVN+JMrcwWfbblwiZTtK1OCqaEUvDDI7cFeU68noXwggEp46T48eqMUdi541D9Y+BVx9HYAo6OCQz0+6eXwxJL+tpRcAAXIMMWv362CYHoOgIU45R7xVSMLY1k/HLrcEAblwxEaSpduCH5cWUXZE/56IyxpvP44BxZkVhNdqJLmg4hxBQWhoMNYiTZxbLay3W2TwBCM111cAtUx4M/jQ== fabio@pc-fabio -gianpaolo_coro: ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAkLUsStIPUVZVWiHyiI2poDnB70CjOJttbFLc5hBd6ViomiFil9u9q5Q0M1JBFFSv8Yfl1Rmc9zOh/52lJolxPGn8r22uGgDHVv71IJ04nS5KaRGIbv2WoZbYBc85oyZk5Fv/emY9Ace/t8icgDl5xJddeLfK6rTU64MZ7NGycIc= coro@coro-PC -katerina_iatropoulou_old: ssh-rsa 
AAAAB3NzaC1yc2EAAAABIwAAAIEA29WTITAKDhIE4lYt41hEtL3TnE+bIrlZAdAzSKySHOXPI8Q1vxanvprnL8BU0okgfZJDx3qxcTWLbwpcdWvGbO2SIA8JSKl2viQqfYDc5VtWFd4xo5z9y5BRrNDOOel+XAZjamx8lv8c44Au0ACV+jCAhnzwJA4Iso1KuNsuj2M= kiatrop@rudie -katerina_iatropoulou: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC/gQ8huY5CSl7cGPiNE8OdNvlE4A0lXe08gSiEKIYVh9qz57ALoZLSP3To4cKIhfmFssSAewu/0A0IX9llOGlsOVkC4aGOlO03l0mAiVS7bVQd+5S51Gh+ijWsJjSg4bLoRINn1NkNNZ8J8GK2+vBGqxB25LcG6giRdPs2/jb5UHd9tqqrPdO/rJWV4OrTDkevYb2qfnubuvZgrf+C9bD1l0Xnklr2zY0R6RCkSpmVhQfwpXU0KGb9pW7oJS897XB7GCawKfufOdmYqyjG3o9nMi5+cIVNKfhT14wSv6D1FUQIIQnzJPE22SBmWIzkS4ovGP2cRObVTcIRwO5U4H8x kiatrop@rudie -farah_karim: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzKSQSk3ntKGUW2Cy8lt/44BTK2+UxMM4W2XO4CrcwgUxxlgIfpL4UjyuSKIygRdU/lL/4xHJdRNzA7PSEiHnBhIeLiF9QWw1mO2GVdJ4/1G5J/XEZ3sL7zyEdwwks7FsnT4U9PO9drNDZ1AmIK8eDKtX9EJcOFflulOknbIHjIq29gXcXbrhQaV3rNHS8vGDkv3fkpJT9Wi8BEUMeMFYsa3k3pc3nPysCQR+xsVJ1Ht+1gpU71W7fACaI1ltYaCToPAJasU19Tz6xE3edl9/Dz6HIL5FcVNSbLFEiyQhd5oL1ITCXJOwzyqobrUUdRK/30iIBRRFW00AIGQCDV0S3 hadoop@karim-ThinkPad-S1-Yoga -luca_frosini: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDlTQulSJFayTJyOOecgsct35u7uvVQGX/Da11UZVxvJzw2sQKOMSCMBBGF9zUlcMoP/qvF425jVMM71S8kamCcqgSN528fp9W/Nhw7s15NbCE3H9tJ3B+u5ESOYsRfgogeTIyL26aIY/2rke0DoKDIMU3YlOtN/1ipt5cY9uV3ootxTM126y2WChICGo0h77M/Ta1pIccUE0XbuaA1HwlJBkfDzQ2kh5tkaC7mjeETstOQzpEoPFoVr0qwSPz1Y6l8uiedpDZejrq64Z2zRcSxjEQ1wuA9r8uO7TJQttUKK8m/dHMe6q3WAiFc9sOYe4tf/GEmziB8VloMTNCPJQiz lucafrosini@pc-frosini -francesco_mangiacrapa: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDa0NzwaCcauxAFlsupU2xG2eff9nzep9bnb8pISbX2lk+K4yoJvJOAz9W9klJtpPX/IUJx18YR4jjDNcdiYWNh4Y+5jKT2EhSPNkj7Vw2MhA/ZeOrfHx7JNtL8gdxa8XxYB0ZoZqutRppmaRwWmGGwdVh0wyUzWR/v0OT01IuQGYVneLKIjUtx+BcWGsosWISaOQzVbv9iTFbSwgjbkKFHzHasxwKsrK4t1wvbzuxwhVC+5/VKghBJWN219m/PO+itww/fSes0KpI5X/7q8jrYzUgYwrKwt290U41Fx8syDQ6101YnRzMXZRyZwuVNh2S7WosGWebg5nPS4IjKho/F francesco-mangiacrapa@ubuntu-francesco-i24 -lucia_vadicamo: ssh-rsa 
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 lucia.vadicamo@isti.cnr.it -sahar_vahdati_old: ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIB38nRuOy6g0UEkYLZ5v+VGQIbZAFjylEtbmZJAN3OMm+wcgoCTIBvytZ6Ajp8ZTT1tTqo2rsAVb8O5pv08Qaunl5VBfvEUyqNdYX9SY1kB5PzKtBZBbkkUI4AE7BNJKKuki0nYvOHP5p07FdobC2OjILGxci4zn37X+CGEykNrXQ== rsa-key-20150605 -sahar_vahdati: ssh-dss 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 dsa-key-20150709 -christoph_lange: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAvFxHqgmIkBfdyxRCMGhj2R+Bj05EBB7DlBrlKy6eM3K3EnPP+0dlMW+KhGwcu5sHFjyPtdngEO8AX1TQCUgifhd9++fBVAfUfKU5+dUqqyFFeQjQMqbf7pzWCJ9JjQ5tk1If9IzgBe/50ro0SCqIbod3FogSe4RZqQV1P0znxaHt4ngJSRYnRK+6gniMuT+SlcKgjDM8v8RP4ELWvE0ibduUGoyCEzmmroXgymcL7tpqHTdfo8o3mbcwqRGmCHEplQttFG57PwkJlcQvhKuJHo/Sgcyx2WuEFL/vZMFnuXhaNFg7I1UIO9bNwsLjsbnR9FEK9rjwwl8dKQHDh5R1zQ== clange@BACH -giorgos_alexiou: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC41bHkxohyGdSI0gtTMhZmTTUgiFStUT2VTee7CEQ6YUtik/mFbe3JzZJxuxbmRNnxY3s9x5EwCiNbMZKQ19b8d+lBoiytxIiXGpj44waE8z8qVfdks8SWJ7KwIoB7Gjoi6SH2BT9mvXhnU8DWm3Y4NkPRG76y/CqlG0gOyJdMLUUvP1lZupnHApYSBTKZ3r+wPWJnqAzQH1Kl1MG2xk57ULPkgthQ/mkW4EsNo+NfqgQs1konJCWBkK5t8L5awU/U4jlyGgfDmjk5x2qsDMMHCZ25onsXWXsxHdeVLjCxb0MfoXh13ld1wuwR7UbHcTDopyZNKLJZMrC6YSoHx0M/ user@Macintosh.local # Use the list when you want to give access to non root users ssh_users_list: From 29f67d04bb0fb6773eb1b2458d0f262d63302bd1 Mon Sep 17 00:00:00 2001 From: Andrea Dell'Amico Date: Fri, 28 Aug 2015 20:06:40 +0200 Subject: [PATCH 26/26] library/roles/dnet_user_services_perms: Manage the case of existing files inside the directories where we set ACLs. --- dnet_user_services_perms/defaults/main.yml | 5 +++-- .../tasks/dnet-users-data-dirs.yml | 14 +++++++++++--- 2 files changed, 14 insertions(+), 5 deletions(-) diff --git a/dnet_user_services_perms/defaults/main.yml b/dnet_user_services_perms/defaults/main.yml index 86970e34..48288740 100644 --- a/dnet_user_services_perms/defaults/main.yml +++ b/dnet_user_services_perms/defaults/main.yml 
@@ -13,8 +13,9 @@ dnet_log_directories:
 # Define the following if you want some directories readable and writable by the dnet group but outside the dnet app data dirs
 #dnet_users_data_directories:
-# - { name: '/data/1', create: 'True' }
-# - { name: '/data/2', create: 'False' }
+# - { name: '/data/1', create: True }
+# - { name: '/data/2', create: False, file: False }
+# - { name: '/data/bah', create: False, file: True }
 
 # Define the following array when you want to add commands to the sudoers file
 #dnet_sudo_commands:
diff --git a/dnet_user_services_perms/tasks/dnet-users-data-dirs.yml b/dnet_user_services_perms/tasks/dnet-users-data-dirs.yml
index 90f03a27..ea97b2e8 100644
--- a/dnet_user_services_perms/tasks/dnet-users-data-dirs.yml
+++ b/dnet_user_services_perms/tasks/dnet-users-data-dirs.yml
@@ -2,16 +2,24 @@
 - name: Create the users dnet data dirs
   file: name={{ item.name }} state=directory owner=root group={{ dnet_group }} mode=0750
   with_items: dnet_users_data_directories
-  when: item.create
+  when: item.create and not item.file
   tags: [ 'dnet', 'users' ]
 
-- name: Set the read/write permissions on the users dnet data dirs
+- name: Set the read/write/access permissions on the users dnet data dirs
   acl: name={{ item.name }} entity={{ dnet_group }} etype=group permissions=rwx state=present
   with_items: dnet_users_data_directories
+  when: not item.file
   tags: [ 'dnet', 'users' ]
 
-- name: Set the default read/write permissions on the users dnet data dirs
+- name: Set the default read/write/access permissions on the users dnet data dirs
   acl: name={{ item.name }} entity={{ dnet_group }} etype=group permissions=rwx state=present default=yes
   with_items: dnet_users_data_directories
+  when: not item.file
+  tags: [ 'dnet', 'users' ]
+
+- name: Set the read/write permissions on pre-existing files inside the users dnet data dirs
+  acl: name={{ item.name }} entity={{ dnet_group }} etype=group permissions=rw state=present
+  with_items: dnet_users_data_directories
+  when: item.file
   tags: [ 'dnet', 'users' ]
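Review bot: `when: item.create and not item.file` and the three `item.file` conditions below it dereference `file` on every entry, but the key is optional in the documented shape — the `{ name: '/data/1', create: True }` example in this patch's defaults/main.yml omits it — so such an entry fails the `when` evaluation on an undefined attribute instead of being treated as a directory. Use `item.file | default(False)` in all four conditions, e.g. `when: item.create and not (item.file | default(False))` for the first task and `when: item.file | default(False)` for the last. The last task's name speaks of "pre-existing files inside the users dnet data dirs", yet its `acl` targets `item.name` itself, so a `file: True` entry must name the file, not its directory, and nothing in the hunk touches files already inside a directory entry; the name or a comment above the task should state that, e.g. `# name is the file itself when file is True; files already inside directory entries are left alone`.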