*** Wartungsfenster jeden ersten Mittwoch vormittag im Monat ***

Skip to content
Snippets Groups Projects
Normal view History Permalink
setup_host.yml 4.43 KiB
Newer Older
Wimmer, Elias's avatar
Initial commit
Wimmer, Elias committed
1 2 3 
- name: Update the /etc/hosts file with node name
  lineinfile:
    dest: "/etc/hosts"
Wimmer, Elias's avatar
first working version  
Wimmer, Elias committed
4 5 
    regexp: ".*\t{{ hostvars[item]['inventory_hostname']}}"
    line: "{{ hostvars[item]['ansible_host'] }}\t{{ hostvars[item]['inventory_hostname']}}"
Wimmer, Elias's avatar
Initial commit
Wimmer, Elias committed
6 7 
    state: present
    backup: yes
Wimmer, Elias's avatar
first working version  
Wimmer, Elias committed
8 
  loop: "{{ groups['all'] }}"
Wimmer, Elias's avatar
Initial commit
Wimmer, Elias committed
9
Lahmer, Thomas's avatar
merged some tasks from glance for setup_host.yaml  
Lahmer, Thomas committed
10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 
- name: disable firewalld
  ansible.builtin.systemd:
    name: "firewalld"
    enabled: no
    masked: no
    state: stopped
  ignore_errors: True #this command is not idempotent it seems

- name: enable nftables
  ansible.builtin.systemd:
    name: "nftables"
    enabled: yes
    state: started
    masked: no

- name: add kernel params
  template:
    src: kernel_params.conf.j2
    dest: /etc/sysctl.d/rke2_kernel_params.conf
  register: kernel_params

- name: load kernel params
  shell: sysctl --system
  when: kernel_params.changed

- name: add group - etcd 
  group:
    name: etcd
    state: present

- name: add user - etcd
  user:
    name: etcd
    group: etcd
entlein's avatar
try to remove the rocky user if it exists  
entlein committed
45 46 47 48 49 50 51 
- name: remove rocky user at uid 1000
  user:
    name: rocky
    state: absent 
    remove: yes
  ignore_errors: True
Lahmer, Thomas's avatar
Download of cacerts and update-ca-trust  
Lahmer, Thomas committed
52 53 54 55 56 57 58 59 60 
- name: Download root CA
  get_url:
    url: https://curl.se/ca/cacert.pem
    dest: /etc/ssl/certs

- name: Update CA trust
  shell: update-ca-trust
entlein's avatar
since the cloud init is consistently ignored, lets put this into ansible  
entlein committed
61 62 63 64 65 66 
- name: Resize the disks if volume was expanded (experimental)
  shell: |
    /usr/bin/growpart /dev/vda 2 
    /usr/sbin/pvresize -y -q /dev/vda2 
    /usr/sbin/lvresize -y -q -r -l +100%FREE /dev/mapper/*root
entlein's avatar
now I ll totally disable it, not just put it into permissive mode, its annoying me too much  
entlein committed
67 
- name: Disable SELinux
entlein's avatar
trying to properly relabel the seftype of the /etc/certs dir  
entlein committed
68 
  selinux:
entlein's avatar
until statement in wait condition was incorrect  
entlein committed
69 70 
    policy: targeted
    state: permissive
entlein's avatar
adding iptables exception SE Linux policies  
entlein committed
71
entlein's avatar
using a kubectl rollout restart instead of the dodgy wait condition  
entlein committed
72 73 74 75 
- name: Copy SELinux Policies
  template:
    src: ../selinux/my-openstack.te
    dest: /etc/selinux/targeted/policy/my-openstack.te
entlein's avatar
now I ll totally disable it, not just put it into permissive mode, its annoying me too much  
entlein committed
76 
  when: ( 'control-plane' in group_names )
entlein's avatar
using a kubectl rollout restart instead of the dodgy wait condition  
entlein committed
77 78 79 80 81 82 

- name: Build SELinux exception module & allow openstack CCM to mount the /etc/ssl/certs files
  shell: |
    checkmodule -M -m -o /etc/selinux/targeted/policy/my-openstack.mod /etc/selinux/targeted/policy/my-openstack.te
    semodule_package -o /etc/selinux/targeted/policy/my-openstack.pp -m /etc/selinux/targeted/policy/my-openstack.mod
    semodule -i /etc/selinux/targeted/policy/my-openstack.pp
entlein's avatar
now I ll totally disable it, not just put it into permissive mode, its annoying me too much  
entlein committed
83 
  when: ( 'control-plane' in group_names )
entlein's avatar
adding SELinux stuff such that Openstack cloud controller can boot while SELinux is set to enforced  
entlein committed
84
Lahmer, Thomas's avatar
adjusted selinux policies  
Lahmer, Thomas committed
85 86 87 88 89 90 
- name: Copy SELinux Policies (kube-apiserver)
  template:
    src: ../selinux/my-kube-apiserver.te
    dest: /etc/selinux/targeted/policy/my-kube-apiserver.te
  when: ( 'control-plane' in group_names )
Lahmer, Thomas's avatar
loading of added selinux policies  
Lahmer, Thomas committed
91 92 93 94 95 96 97 
- name: Build SELinux exception module (kube-apiserver)
  shell: |
    checkmodule -M -m -o /etc/selinux/targeted/policy/my-kube-apiserver.mod /etc/selinux/targeted/policy/my-kube-apiserver.te
    semodule_package -o /etc/selinux/targeted/policy/my-kube-apiserver.pp -m /etc/selinux/targeted/policy/my-kube-apiserver.mod
    semodule -i /etc/selinux/targeted/policy/my-kube-apiserver.pp
  when: ( 'control-plane' in group_names )
Lahmer, Thomas's avatar
adjusted selinux policies  
Lahmer, Thomas committed
98 99 100 101 102 103 
- name: Copy SELinux Policies (prometheus/node_exporter)
  template:
    src: ../selinux/my-prometheus_master.te
    dest: /etc/selinux/targeted/policy/my-prometheus.te
  when: ( 'control-plane' in group_names )
Lahmer, Thomas's avatar
loading of added selinux policies  
Lahmer, Thomas committed
104 105 106 107 108 109 110 111 112 113 114 115 116 
- name: Copy SELinux Policies (prometheus/node_exporter) on agents
  template:
    src: ../selinux/my-prometheus_agent.te
    dest: /etc/selinux/targeted/policy/my-prometheus.te
  when: ( 'control-plane' not in group_names )


- name: Build SELinux exception module (prometheus/node_exporter)
  shell: |
    checkmodule -M -m -o /etc/selinux/targeted/policy/my-prometheus.mod /etc/selinux/targeted/policy/my-prometheus.te
    semodule_package -o /etc/selinux/targeted/policy/my-prometheus.pp -m /etc/selinux/targeted/policy/my-prometheus.mod
    semodule -i /etc/selinux/targeted/policy/my-prometheus.pp
Lahmer, Thomas's avatar
adjusted selinux policies  
Lahmer, Thomas committed
117 118 119 120 121 122 
- name: Copy SELinux Policies (hubble) on agents
  template:
    src: ../selinux/my-hubble.te
    dest: /etc/selinux/targeted/policy/my-hubble.te
  when: ( 'control-plane' not in group_names )
Lahmer, Thomas's avatar
loading of added selinux policies  
Lahmer, Thomas committed
123 124 125 126 127 
- name: Build SELinux exception module (hubble)
  shell: |
    checkmodule -M -m -o /etc/selinux/targeted/policy/my-hubble.mod /etc/selinux/targeted/policy/my-hubble.te
    semodule_package -o /etc/selinux/targeted/policy/my-hubble.pp -m /etc/selinux/targeted/policy/my-hubble.mod
    semodule -i /etc/selinux/targeted/policy/my-hubble.pp
Lahmer, Thomas's avatar
adjusted selinux policies  
Lahmer, Thomas committed
128 129 130 
  when: ( 'control-plane' not in group_names )
Wimmer, Elias's avatar
Initial commit
Wimmer, Elias committed
131 132 133 134 135 136 137 138 139 140 
- name: Ensure /var/lib/rancher/rke2/server/manifests
  file:
    path: /var/lib/rancher/rke2/server/manifests
    state: directory
    recurse: yes

- name: Ensure /etc/rancher/rke2
  file:
    path: /etc/rancher/rke2
    state: directory
Wimmer, Elias's avatar
first working version  
Wimmer, Elias committed
141 
    recurse: yes
entlein's avatar
upgrading packages and kernel, manually tested only at this point  
entlein committed
142
entlein's avatar
reverting most of the ansible logic to pre-selinux and hoping my policy exception is now corect  
entlein committed
143 144 145 146 147 
- name: Enable SELinux
  selinux:
    policy: targeted
    state: enforcing

[ 18.Mar 15h : 3,685 users | 903 groups | 4,951 projects ]