library/roles/dnet_user_services_perms: Manage more directories. Logs in /var/log/dnet

library/roles/iptables/templates/iptables-rules.v6.j2: Fix the reject options library/roles/tomcat: Install a catalina.properties that matches the one used by the multiple instances role library/roles/tomcat/templates/tomcat-server.xml.j2: Do not generate a random password when the shutdown port is disabled
2015-07-16 13:25:02 +02:00 · 2015-07-16 13:25:02 +02:00 · 10441129fc
parent d9d908e1a2
commit 10441129fc
9 changed files with 282 additions and 46 deletions
--- a/dnet_user_services_perms/defaults/main.yml
+++ b/dnet_user_services_perms/defaults/main.yml
@ -4,3 +4,7 @@ dnet_group: dnet

 dnet_data_directories:
  - /var/lib/dnet
+
+dnet_log_directories:
+  - /var/log/dnet
+  - /var/log/dnet/search  
--- a/dnet_user_services_perms/tasks/main.yml
+++ b/dnet_user_services_perms/tasks/main.yml
@ -13,18 +13,95 @@
  with_items: dnet_data_directories
  tags: [ 'tomcat', 'dnet', 'users' ]

-# Note: the default is a default only. We need two commands to add acl effectively on the root dir and set the default
- name: Set the read/write permissions on the tomcat webapps and common/classes directories and on a set of dnet data dirs
+- name: Create the dnet log dirs
+  file: name={{ item }} state=directory owner={{ tomcat_user }} group={{ dnet_group }} mode=0750
+  with_items: dnet_log_directories
+  tags: [ 'tomcat', 'dnet', 'users' ]
+
+- name: Set the read/write permissions on the dnet data dirs
  acl: name={{ item }} entity={{ dnet_group }} etype=group permissions=rwx state=present
-  with_items:
-#    - [ '{{ tomcat_webapps_dir }}', '{{ tomcat_common_classes_dir }}', '{{ dnet_data_directories }}' ]
-    - [ '{{ tomcat_webapps_dir }}', '{{ tomcat_common_classes_dir }}' ]
+  with_items: dnet_data_directories
  tags: [ 'tomcat', 'dnet', 'users' ]

- name: Set the default read/write permissions on the tomcat webapps and common/classes directories and on a set of dnet data dirs
+- name: Set the default read/write permissions on the dnet data dirs
  acl: name={{ item }} entity={{ dnet_group }} etype=group permissions=rwx state=present default=yes
-  with_items:
-#    - [ '{{ tomcat_webapps_dir }}', '{{ tomcat_common_classes_dir }}', '{{ dnet_data_directories }}' ]
-    - [ '{{ tomcat_webapps_dir }}', '{{ tomcat_common_classes_dir }}' ]
+  with_items: dnet_data_directories
+  tags: [ 'tomcat', 'dnet', 'users' ]
+
+- name: Set the read permissions on the dnet log dirs
+  acl: name={{ item }} entity={{ dnet_group }} etype=group permissions=rx state=present
+  with_items: dnet_log_directories
+  tags: [ 'tomcat', 'dnet', 'users' ]
+
+- name: Set the default read permissions on the dnet log dirs
+  acl: name={{ item }} entity={{ dnet_group }} etype=group permissions=rx state=present default=yes
+  with_items: dnet_log_directories
+  tags: [ 'tomcat', 'dnet', 'users' ]
+
+#
+# Acls for the single tomcat instance
+#
+# Note: the default is a default only. We need two commands to add acl effectively on the root dir and set the default
+- name: Set the read/write permissions on the tomcat webapps and common/classes directories. single tomcat instance
+  acl: name={{ item }} entity={{ dnet_group }} etype=group permissions=rwx state=present
+  when: tomcat_m_instances is not defined
+  with_items:
+    - [ '{{ tomcat_webapps_dir }}', '{{ tomcat_common_classes_dir }}', '{{ tomcat_common_dir }}' ]
+  tags: [ 'tomcat', 'dnet', 'users' ]
+
+- name: Set the default read/write permissions on the tomcat webapps and common/classes directories. single tomcat instance
+  acl: name={{ item }} entity={{ dnet_group }} etype=group permissions=rwx state=present default=yes
+  when: tomcat_m_instances is not defined
+  with_items:
+    - [ '{{ tomcat_webapps_dir }}', '{{ tomcat_common_classes_dir }}', '{{ tomcat_common_dir }}' ]
+  tags: [ 'tomcat', 'dnet', 'users' ]
+
+# Note: the default is a default only. We need two commands to add acl effectively on the root dir and set the default
+- name: Set the read permissions on the tomcat log directory. single tomcat instance
+  acl: name={{ item }} entity={{ dnet_group }} etype=group permissions=rx state=present
+  when: tomcat_m_instances is not defined
+  with_items:
+    - [ '{{ tomcat_logdir }}' ]
+  tags: [ 'tomcat', 'dnet', 'users' ]
+
+- name: Set the default read permissions on the tomcat log directory. single tomcat instance
+  acl: name={{ item }} entity={{ dnet_group }} etype=group permissions=rx state=present default=yes
+  when: tomcat_m_instances is not defined
+  with_items:
+    - [ '{{ tomcat_logdir }}' ]
+  tags: [ 'tomcat', 'dnet', 'users' ]
+
+#
+# Same steps, but when we are using multiple tomcat instances
+#
+# Note: the default is a default only. We need two commands to add acl effectively on the root dir and set the default
+- name: Set the read/write permissions on the tomcat webapps and common/classes directories. multiple tomcat instances
+  acl: name={{ item.0.instance_path }}/{{ item.1 }} entity={{ dnet_group }} etype=group permissions=rwx state=present
+  when: tomcat_m_instances is defined
+  with_nested:
+    - ' {{ tomcat_m_instances }}'
+    - [ 'webapps', 'common', 'common/classes' ]
+  tags: [ 'tomcat', 'dnet', 'users' ]
+
+- name: Set the default read/write permissions on the tomcat webapps and common/classes directories. multiple tomcat instances
+  acl: name={{ item.0.instance_path }}/{{ item.1 }} entity={{ dnet_group }} etype=group permissions=rwx state=present default=yes
+  when: tomcat_m_instances is not defined
+  when: tomcat_m_instances is defined
+  with_nested:
+    - ' {{ tomcat_m_instances }}'
+    - [ 'webapps', 'common', 'common/classes' ]
+  tags: [ 'tomcat', 'dnet', 'users' ]
+
+# Note: the default is a default only. We need two commands to add acl effectively on the root dir and set the default
+- name: Set the read permissions on the tomcat log directory. multiple tomcat instances
+  acl: name={{ tomcat_m_instances_logdir_base }}/{{ item.http_port }} entity={{ dnet_group }} etype=group permissions=rx state=present
+  when: tomcat_m_instances is defined
+  with_items: tomcat_m_instances
+  tags: [ 'tomcat', 'dnet', 'users' ]
+
+- name: Set the default read permissions on the tomcat log directory. multiple tomcat instances
+  acl: name={{ tomcat_m_instances_logdir_base }}/{{ item.http_port }} entity={{ dnet_group }} etype=group permissions=rx state=present default=yes
+  when: tomcat_m_instances is defined
+  with_items: tomcat_m_instances
  tags: [ 'tomcat', 'dnet', 'users' ]

--- a/iptables/templates/iptables-rules.v6.j2
+++ b/iptables/templates/iptables-rules.v6.j2
@ -3,8 +3,8 @@
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
 {% if iptables_default_policy == 'REJECT' %}
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -j REJECT --reject-with icmp6-addr-unreachable
+-A FORWARD -j REJECT --reject-with icmp6-addr-unreachable
 {% else %}
 -A INPUT -j {{ iptables_default_policy }}
 -A FORWARD -j {{ iptables_default_policy }}
--- a/openldap-server/defaults/main.yml
+++ b/openldap-server/defaults/main.yml
@ -11,6 +11,18 @@ openldap_slapd_tcp_port: 389
 openldap_slapd_ssl_port: 636
 openldap_slapd_ssl_only: False

+# Set slapd_admin_pwd in a vault file
+slapd_debconf_params:
+  - { question: 'slapd/password1', value: '{{ slapd_admin_pwd }}', vtype: 'password' }
+  - { question: 'slapd/password2', value: '{{ slapd_admin_pwd }}', vtype: 'password' }
+  - { question: 'slapd/internal/adminpw', value: '{{ slapd_admin_pwd }}', vtype: 'password' }
+  - { question: 'slapd/no_configuration', value: 'false', vtype: 'boolean' }
+  - { question: 'shared/organization', value: 'Organization', vtype: 'text' }
+  - { question: 'slapd/purge_database', value: 'false', vtype: 'boolean' }
+  - { question: 'slapd/allow_ldap_v2', value: 'true', vtype: 'boolean' }
+  - { question: 'slapd/backend', value: 'HDB', vtype: 'select' }
+  - { question: 'slapd/domain', value: 'DNS Domain Name', vtype: 'text' }
+
 # openldap_allowed_clients:
 #   - ip/32
 #   - net/24
--- a/tomcat-multiple-instances/files/catalina.properties
+++ b/tomcat-multiple-instances/files/catalina.properties
@ -87,13 +87,15 @@ shared.loader=${catalina.base}/shared/classes,${catalina.base}/shared/*.jar
 # - Apple JDK JARs
 tomcat.util.scan.DefaultJarScanner.jarsToSkip=\
 bootstrap.jar,commons-daemon.jar,tomcat-juli.jar,\
-annotations-api.jar,el-api.jar,jsp-api.jar,servlet-api.jar,\
+annotations-api.jar,el-api.jar,jsp-api.jar,servlet-api.jar,websocket-api.jar,\
 catalina.jar,catalina-ant.jar,catalina-ha.jar,catalina-tribes.jar,\
 jasper.jar,jasper-el.jar,ecj-*.jar,\
 tomcat-api.jar,tomcat-util.jar,tomcat-coyote.jar,tomcat-dbcp.jar,\
+tomcat-jni.jar,tomcat-spdy.jar,\
 tomcat-i18n-en.jar,tomcat-i18n-es.jar,tomcat-i18n-fr.jar,tomcat-i18n-ja.jar,\
 tomcat-juli-adapters.jar,catalina-jmx-remote.jar,catalina-ws.jar,\
 tomcat-jdbc.jar,\
+tools.jar,\
 commons-beanutils*.jar,commons-codec*.jar,commons-collections*.jar,\
 commons-dbcp*.jar,commons-digester*.jar,commons-fileupload*.jar,\
 commons-httpclient*.jar,commons-io*.jar,commons-lang*.jar,commons-logging*.jar,\
@ -101,15 +103,22 @@ commons-math*.jar,commons-pool*.jar,\
 jstl.jar,\
 geronimo-spec-jaxrpc*.jar,wsdl4j*.jar,\
 ant.jar,ant-junit*.jar,aspectj*.jar,jmx.jar,h2*.jar,hibernate*.jar,httpclient*.jar,\
-jmx-tools.jar,jta*.jar,log4j*.jar,mail*.jar,slf4j*.jar,\
+jmx-tools.jar,jta*.jar,log4j.jar,log4j-1*.jar,mail*.jar,slf4j*.jar,\
 xercesImpl.jar,xmlParserAPIs.jar,xml-apis.jar,\
-dnsns.jar,ldapsec.jar,localedata.jar,sunjce_provider.jar,sunmscapi.jar,\
-sunpkcs11.jar,jhall.jar,tools.jar,\
-sunec.jar,zipfs.jar,\
-apple_provider.jar,AppleScriptEngine.jar,CoreAudio.jar,dns_sd.jar,\
-j3daudio.jar,j3dcore.jar,j3dutils.jar,jai_core.jar,jai_codec.jar,\
-mlibwrapper_jai.jar,MRJToolkit.jar,vecmath.jar,\
-junit.jar,junit-*.jar,ant-launcher.jar
+junit.jar,junit-*.jar,hamcrest*.jar,org.hamcrest*.jar,ant-launcher.jar,\
+cobertura-*.jar,asm-*.jar,dom4j-*.jar,icu4j-*.jar,jaxen-*.jar,jdom-*.jar,\
+jetty-*.jar,oro-*.jar,servlet-api-*.jar,tagsoup-*.jar,xmlParserAPIs-*.jar,\
+xom-*.jar
+
+# Additional JARs (over and above the default JARs listed above) to skip when
+# scanning for Servlet 3.0 pluggability features. These features include web
+# fragments, annotations, SCIs and classes that match @HandlesTypes. The list
+# must be a comma separated list of JAR file names.
+org.apache.catalina.startup.ContextConfig.jarsToSkip=
+
+# Additional JARs (over and above the default JARs listed above) to skip when
+# scanning for TLDs. The list must be a comma separated list of JAR file names.
+org.apache.catalina.startup.TldConfig.jarsToSkip=tomcat7-websocket.jar

 #
 # String cache configuration.
--- a/tomcat/defaults/main.yml
+++ b/tomcat/defaults/main.yml
@ -2,6 +2,11 @@
 tomcat_version: 7
 tomcat_pkg_state: installed
 tomcat_service_enabled: True
+tomcat_pkgs:
+  - tomcat'{{ tomcat_version }}'
+  - libtomcat'{{ tomcat_version }}'-java
+  - tomcat'{{ tomcat_version }}'-common
+  - libapr1
 tomcat_user: tomcat7
 tomcat_max_threads: 200
 tomcat_min_heap_size: 2048m
@ -31,6 +36,7 @@ tomcat_catalina_home_dir: '/usr/share/tomcat{{ tomcat_version }}'
 tomcat_catalina_base_dir: '/var/lib/tomcat{{ tomcat_version }}'
 tomcat_conf_dir: '/etc/tomcat{{ tomcat_version }}'
 tomcat_webapps_dir: '{{ tomcat_catalina_base_dir }}/webapps'
+tomcat_common_dir: '{{ tomcat_catalina_base_dir }}/common/'
 tomcat_common_classes_dir: '{{ tomcat_catalina_base_dir }}/common/classes'
 tomcat_tmp_dir: '{{ tomcat_catalina_base_dir }}/tmp/tomcat'

--- a/tomcat/files/catalina.properties
+++ b/tomcat/files/catalina.properties
@ -0,0 +1,131 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#
+# List of comma-separated packages that start with or equal this string
+# will cause a security exception to be thrown when
+# passed to checkPackageAccess unless the
+# corresponding RuntimePermission ("accessClassInPackage."+package) has
+# been granted.
+package.access=sun.,org.apache.catalina.,org.apache.coyote.,org.apache.tomcat.,org.apache.jasper.
+#
+# List of comma-separated packages that start with or equal this string
+# will cause a security exception to be thrown when
+# passed to checkPackageDefinition unless the
+# corresponding RuntimePermission ("defineClassInPackage."+package) has
+# been granted.
+#
+# by default, no packages are restricted for definition, and none of
+# the class loaders supplied with the JDK call checkPackageDefinition.
+#
+package.definition=sun.,java.,org.apache.catalina.,org.apache.coyote.,org.apache.tomcat.,org.apache.jasper.
+
+#
+#
+# List of comma-separated paths defining the contents of the "common"
+# classloader. Prefixes should be used to define what is the repository type.
+# Path may be relative to the CATALINA_HOME or CATALINA_BASE path or absolute.
+# If left as blank,the JVM system loader will be used as Catalina's "common"
+# loader.
+# Examples:
+#     "foo": Add this folder as a class repository
+#     "foo/*.jar": Add all the JARs of the specified folder as class
+#                  repositories
+#     "foo/bar.jar": Add bar.jar as a class repository
+common.loader=${catalina.base}/lib,${catalina.base}/lib/*.jar,${catalina.home}/lib,${catalina.home}/lib/*.jar,${catalina.home}/common/classes,${catalina.home}/common/*.jar,${catalina.base}/common/classes,${catalina.base}/common/*.jar
+
+#
+# List of comma-separated paths defining the contents of the "server"
+# classloader. Prefixes should be used to define what is the repository type.
+# Path may be relative to the CATALINA_HOME or CATALINA_BASE path or absolute.
+# If left as blank, the "common" loader will be used as Catalina's "server"
+# loader.
+# Examples:
+#     "foo": Add this folder as a class repository
+#     "foo/*.jar": Add all the JARs of the specified folder as class
+#                  repositories
+#     "foo/bar.jar": Add bar.jar as a class repository
+server.loader=${catalina.home}/server/classes,${catalina.home}/server/*.jar,${catalina.base}/server/classes,${catalina.base}/server/*.jar
+
+#
+# List of comma-separated paths defining the contents of the "shared"
+# classloader. Prefixes should be used to define what is the repository type.
+# Path may be relative to the CATALINA_BASE path or absolute. If left as blank,
+# the "common" loader will be used as Catalina's "shared" loader.
+# Examples:
+#     "foo": Add this folder as a class repository
+#     "foo/*.jar": Add all the JARs of the specified folder as class
+#                  repositories
+#     "foo/bar.jar": Add bar.jar as a class repository
+# Please note that for single jars, e.g. bar.jar, you need the URL form
+# starting with file:.
+shared.loader=${catalina.home}/shared/classes,${catalina.home}/shared/*.jar,${catalina.base}/shared/classes,${catalina.base}/shared/*.jar
+
+# List of JAR files that should not be scanned using the JarScanner
+# functionality. This is typically used to scan JARs for configuration
+# information. JARs that do not contain such information may be excluded from
+# the scan to speed up the scanning process. This is the default list. JARs on
+# this list are excluded from all scans. Scan specific lists (to exclude JARs
+# from individual scans) follow this. The list must be a comma separated list of
+# JAR file names.
+# The JARs listed below include:
+# - Tomcat Bootstrap JARs
+# - Tomcat API JARs
+# - Catalina JARs
+# - Jasper JARs
+# - Tomcat JARs
+# - Common non-Tomcat JARs
+# - Test JARs (JUnit, Cobertura and dependencies)
+tomcat.util.scan.DefaultJarScanner.jarsToSkip=\
+bootstrap.jar,commons-daemon.jar,tomcat-juli.jar,\
+annotations-api.jar,el-api.jar,jsp-api.jar,servlet-api.jar,websocket-api.jar,\
+catalina.jar,catalina-ant.jar,catalina-ha.jar,catalina-tribes.jar,\
+jasper.jar,jasper-el.jar,ecj-*.jar,\
+tomcat-api.jar,tomcat-util.jar,tomcat-coyote.jar,tomcat-dbcp.jar,\
+tomcat-jni.jar,tomcat-spdy.jar,\
+tomcat-i18n-en.jar,tomcat-i18n-es.jar,tomcat-i18n-fr.jar,tomcat-i18n-ja.jar,\
+tomcat-juli-adapters.jar,catalina-jmx-remote.jar,catalina-ws.jar,\
+tomcat-jdbc.jar,\
+tools.jar,\
+commons-beanutils*.jar,commons-codec*.jar,commons-collections*.jar,\
+commons-dbcp*.jar,commons-digester*.jar,commons-fileupload*.jar,\
+commons-httpclient*.jar,commons-io*.jar,commons-lang*.jar,commons-logging*.jar,\
+commons-math*.jar,commons-pool*.jar,\
+jstl.jar,\
+geronimo-spec-jaxrpc*.jar,wsdl4j*.jar,\
+ant.jar,ant-junit*.jar,aspectj*.jar,jmx.jar,h2*.jar,hibernate*.jar,httpclient*.jar,\
+jmx-tools.jar,jta*.jar,log4j.jar,log4j-1*.jar,mail*.jar,slf4j*.jar,\
+xercesImpl.jar,xmlParserAPIs.jar,xml-apis.jar,\
+junit.jar,junit-*.jar,hamcrest*.jar,org.hamcrest*.jar,ant-launcher.jar,\
+cobertura-*.jar,asm-*.jar,dom4j-*.jar,icu4j-*.jar,jaxen-*.jar,jdom-*.jar,\
+jetty-*.jar,oro-*.jar,servlet-api-*.jar,tagsoup-*.jar,xmlParserAPIs-*.jar,\
+xom-*.jar
+
+# Additional JARs (over and above the default JARs listed above) to skip when
+# scanning for Servlet 3.0 pluggability features. These features include web
+# fragments, annotations, SCIs and classes that match @HandlesTypes. The list
+# must be a comma separated list of JAR file names.
+org.apache.catalina.startup.ContextConfig.jarsToSkip=
+
+# Additional JARs (over and above the default JARs listed above) to skip when
+# scanning for TLDs. The list must be a comma separated list of JAR file names.
+org.apache.catalina.startup.TldConfig.jarsToSkip=tomcat7-websocket.jar
+
+#
+# String cache configuration.
+tomcat.util.buf.StringCache.byte.enabled=true
+#tomcat.util.buf.StringCache.char.enabled=true
+#tomcat.util.buf.StringCache.trainThreshold=500000
+#tomcat.util.buf.StringCache.cacheSize=5000
--- a/tomcat/tasks/tomcat-pkgs.yml
+++ b/tomcat/tasks/tomcat-pkgs.yml
@ -1,38 +1,31 @@
 ---
 - name: Install the tomcat packages
  apt: pkg={{ item }} state={{ tomcat_pkg_state }}
-  with_items:
-    - tomcat'{{ tomcat_version }}'
-    - libtomcat'{{ tomcat_version }}'-java
-    - tomcat'{{ tomcat_version }}'-common
-    - libapr1
-  tags:
-    - tomcat
+  with_items: tomcat_pkgs
+  tags: tomcat

 - name: Create the tomcat tmp directory
  file: dest={{ tomcat_tmp_dir }} state=directory owner={{ tomcat_user }} group={{ tomcat_user }}
-  notify:
-    tomcat restart
-  tags:
-    - tomcat
+  notify: tomcat restart
+  tags: tomcat
  
 - name: Configure tomcat defaults
  template: src=tomcat-default.j2 dest=/etc/default/tomcat{{ tomcat_version }}
-  when:
-    - tomcat_install_default_conf is defined and tomcat_install_default_conf
-  notify:
-    tomcat restart
-  tags:
-    - tomcat
+  when: tomcat_install_default_conf
+  notify: tomcat restart
+  tags: tomcat

 - name: Configure tomcat server.xml
  template: src=tomcat-server.xml.j2 dest={{ tomcat_conf_dir }}/server.xml
-  when:
-    - tomcat_install_default_conf is defined and tomcat_install_default_conf
-  notify:
-    tomcat restart
-  tags:
-    - tomcat
+  when: tomcat_install_default_conf
+  notify: tomcat restart
+  tags: tomcat
+
+- name: Install a slightly modified catalina.properties
+  copy: src=catalina.properties dest={{ tomcat_conf_dir }}/catalina.properties owner=root group={{ tomcat_user }} mode=0644
+  when: tomcat_install_default_conf
+  notify: tomcat restart
+  tags: tomcat

 - name: Create some directories that the package do not creates itself
  file: dest={{ tomcat_catalina_home_dir }}/{{ item }} state=directory owner={{ tomcat_user }} group={{ tomcat_user }} mode=0755
@ -40,5 +33,4 @@
    - common/classes
    - server/classes
    - shared/classes
-  tags:
-    - tomcat
+  tags: tomcat
--- a/tomcat/templates/tomcat-server.xml.j2
+++ b/tomcat/templates/tomcat-server.xml.j2
@ -18,8 +18,13 @@
 <!-- Note:  A "Server" is not itself a "Container", so you may not
     define subcomponents such as "Valves" at this level.
     Documentation at /docs/config/server.html
- -->
+     -->
+{% if tomcat_shutdown_port == -1 %}
+<Server port="{{ tomcat_shutdown_port }}"
+        shutdown="TOMCAT_SHUTDOWN_DISABLED">
+{% else %}
 <Server port="{{ tomcat_shutdown_port }}" shutdown="{{ tomcat_shutdown_pwd }}">
+ {% endif %}
  <!-- Security listener. Documentation at /docs/config/listeners.html
  <Listener className="org.apache.catalina.security.SecurityListener" />
  -->