cff7a0f1bc
This allows the user to control whether hosts will be rebooted to apply an SELinux policy configuration change. We cannot do this in CI, where the Ansible control host is the host being configured. Change-Id: I431ed26d907a534e2e99a8032152340d109fd49e
55 lines
1.7 KiB
YAML
55 lines
1.7 KiB
YAML
---
|
|
- name: Ensure required packages are installed
|
|
yum:
|
|
name: "{{ item }}"
|
|
state: installed
|
|
become: True
|
|
with_items:
|
|
- libselinux-python
|
|
|
|
- name: Ensure SELinux is disabled
|
|
selinux:
|
|
state: disabled
|
|
register: selinux_result
|
|
become: True
|
|
|
|
- block:
|
|
- name: Set a fact to determine whether we are running locally
|
|
set_fact:
|
|
is_local: "{{ lookup('pipe', 'hostname') in [ansible_hostname, ansible_nodename] }}"
|
|
|
|
# Any SSH connection errors cause ansible to fail the task. We therefore
|
|
# perform a manual SSH connection and allow the command to fail.
|
|
- name: Reboot the system to apply SELinux changes (remote)
|
|
local_action:
|
|
# Use -tt to force a pseudo tty.
|
|
module: >
|
|
command
|
|
ssh -tt {{ ansible_user }}@{{ ansible_host | default(inventory_hostname) }}
|
|
sudo shutdown -r now "Applying SELinux changes"
|
|
register: reboot_result
|
|
failed_when:
|
|
- reboot_result | failed
|
|
- "'closed by remote host' not in reboot_result.stderr"
|
|
when: not is_local | bool
|
|
|
|
- name: Reboot the system to apply SELinux changes (local)
|
|
command: shutdown -r now "Applying SELinux changes"
|
|
become: True
|
|
when: is_local | bool
|
|
|
|
# If we're running this locally we won't get here.
|
|
- name: Wait for the system to boot up (remote)
|
|
local_action:
|
|
module: wait_for
|
|
host: "{{ ansible_host | default(inventory_hostname) }}"
|
|
port: 22
|
|
state: started
|
|
# Wait for 10 seconds before polling to ensure the node has shutdown.
|
|
delay: 10
|
|
timeout: "{{ disable_selinux_do_reboot_timeout }}"
|
|
when: not is_local | bool
|
|
when:
|
|
- disable_selinux_do_reboot | bool
|
|
- selinux_result | changed
|