Add SELinux policy writing workshop (#1329)
This contains Ansible playbooks that provide the files needed to run
SELinux policy writing workshop.
Co-authored-by: Lukas Vrabec <lvrabec@redhat.com>
New file |
| | |
| | | # Simple example |
| | | |
| | | A simple deplyoment creating a bastion host and two worker nodes. It can't get simpler ... |
| | | |
| | | ### Environment variables |
| | | |
| | | Deployment is controlled by two configuration files: |
| | | |
| | | * env_vars.yml |
| | | * sample_vars.yml |
| | | |
| | | `env_vars.yml` defines all configuration parameters that COULD be modified, whereas `sample_vars.yml` is a *template* for all environment specific values that HAVE to be changed. |
| | | |
| | | Start by creating a copy of `sample_vars.yml` and rename it (e.g. `my_sample_vars.yml`). Then modifiy all parameters to match your environment. |
| | | |
| | | #### Secrets |
| | | |
| | | Some deployments need **secrets** e.g. your AWS credentials or API tokens. |
| | | |
| | | DO NOT add these to git ! |
| | | |
| | | Instead create a file called e.g. `./ansible/my_secret_vars.yml` and store all secrets etc. there. This file can also be reused for other deplyoments. |
| | | |
| | | NOTE: |
| | | |
| | | Both `my_sample_vars.yml` `my_secret.vars.yml` are in the `.gitignore` configuration which SHOULD protect you from adding them to git! |
| | | |
| | | ### Run the Ansible playbooks |
| | | |
| | | Run follwoing commands from the `./ansible` folder: |
| | | |
| | | #### Install |
| | | |
| | | ```shell |
| | | ansible-playbook main.yml -e @configs/simple-example/my_sample_vars.yml -e @my_secret_vars.yml |
| | | ``` |
| | | |
| | | #### Uninstall |
| | | |
| | | ```shell |
| | | ansible-playbook destroy.yml -e @configs/simple-example/my_sample_vars.yml -e @my_secret_vars.yml |
| | | ``` |
New file |
| | |
| | | --- |
| | | - name: Build inventory |
| | | hosts: localhost |
| | | connection: local |
| | | gather_facts: False |
| | | become: no |
| | | tasks: |
| | | - when: cloud_provider == 'ec2' |
| | | block: |
| | | - name: Run infra-ec2-create-inventory Role |
| | | include_role: |
| | | name: infra-ec2-create-inventory |
| | | |
| | | - name: Run Common SSH Config Generator Role |
| | | include_role: |
| | | name: infra-common-ssh-config-generate |
| | | when: "'bastions' in groups" |
| | | |
| | | - name: Set ssh config |
| | | hosts: all |
| | | gather_facts: false |
| | | become: no |
| | | tasks: |
| | | - name: Set facts for remote access |
| | | set_fact: |
| | | ansible_ssh_extra_args: >- |
| | | {{ ansible_ssh_extra_args|d() }} |
| | | -F {{hostvars.localhost.output_dir}}/{{ env_type }}_{{ guid }}_ssh_conf |
| | | |
| | | - name: Unsubscribe systems |
| | | hosts: all |
| | | become: true |
| | | gather_facts: false |
| | | ignore_errors: true |
| | | tasks: |
| | | - shell: "subscription-manager unsubscribe --all" |
| | | |
| | | - name: Import default destroy playbook |
| | | import_playbook: ../../cloud_providers/{{cloud_provider}}_destroy_env.yml |
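Review bot: The "Unsubscribe systems" play runs `subscription-manager unsubscribe --all` through the `shell` module although the command uses no shell features, and the play-level `ignore_errors: true` means a failed run is never surfaced, so a torn-down host can keep its entitlement attached without anyone noticing. I would switch to `command: subscription-manager unsubscribe --all` with `register: unsub` and `failed_when: false`, then `debug` the result when `unsub.rc != 0`, so the play stays tolerant but the failure is visible in the run output. Note that `unsubscribe --all` only detaches subscriptions; if the common role registers the hosts, an `unregister` step before the instances are destroyed is presumably also wanted — verify against how registration is done.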
New file |
| | |
| | | |
| | | bastion_instance_type: |
| | | ec2: "t2.medium" |
| | | azure: Standard_A2_V2 |
| | | |
| | | bastion_instance_image: RHEL75 |
| | | |
| | | node_instance_type: |
| | | ec2: "t2.medium" |
| | | azure: Standard_A2_V2 |
| | | |
| | | node_instance_image: RHEL75 |
| | | |
| | | # How many do you want for each instance type |
| | | node_instance_count: 0 |
| | | |
| | | # Environment Instances |
| | | instances: |
| | | - name: "bastion" |
| | | count: 1 |
| | | unique: true |
| | | public_dns: true |
| | | dns_loadbalancer: false |
| | | image: "{{ bastion_instance_image }}" |
| | | flavor: |
| | | ec2: "t2.medium" |
| | | azure: Standard_A2_V2 |
| | | tags: |
| | | - key: "AnsibleGroup" |
| | | value: "bastions" |
| | | - key: "ostype" |
| | | value: "linux" |
| | | - key: "instance_filter" |
| | | value: "{{ env_type }}-{{ email }}" |
| | | volumes: |
| | | - name: '/dev/sda1' |
| | | size: 20 |
| | | security_groups: |
| | | - "BastionSG" |
| | | |
| | | - name: "node" |
| | | count: "{{node_instance_count}}" |
| | | public_dns: true |
| | | dns_loadbalancer: false |
| | | image: "{{ node_instance_image }}" |
| | | flavor: |
| | | ec2: "t2.medium" |
| | | azure: Standard_A2_V2 |
| | | tags: |
| | | - key: "AnsibleGroup" |
| | | value: "nodes" |
| | | - key: "ostype" |
| | | value: "linux" |
| | | - key: "instance_filter" |
| | | value: "{{ env_type }}-{{ email }}" |
| | | |
| | | |
| | | # DNS settings for environmnet |
| | | subdomain_base_short: "{{ guid }}" |
| | | subdomain_base_suffix: ".example.opentlc.com" |
| | | subdomain_base: "{{subdomain_base_short}}{{subdomain_base_suffix}}" |
| | | |
| | | zone_internal_dns: "{{guid}}.internal." |
| | | chomped_zone_internal_dns: "{{guid}}.internal" |
| | | |
| | | # Stuff that only GPTE cares about: |
| | | install_ipa_client: false |
| | | |
| | | |
| | | repo_method: file |
| | | repo_version: "3.10" |
| | | # Do you want to run a full yum update |
| | | update_packages: false |
| | | common_packages: |
| | | - python |
| | | - unzip |
| | | - bash-completion |
| | | - tmux |
| | | - wget |
| | | - git |
| | | - vim-enhanced |
| | | - at |
| | | |
| | | rhel_repos: |
| | | - rhel-7-server-rpms |
| | | - rhel-7-server-extras-rpms |
| | | - epel-release-latest-7 |
| | | |
| | | ###V2WORK, these should just be set as default listed in the documentation |
| | | install_bastion: true |
| | | install_common: true |
| | | ## SB Don't set software_to_deploy from here, always use extra vars (-e) or "none" will be used |
| | | #software_to_deploy: none |
| | | |
| | | |
| | | ## guid is the deployment unique identifier, it will be appended to all tags, |
| | | ## files and anything that identifies this environment from another. |
| | | # Using GUID is required, if it is not passed in the command line or uncommented |
| | | # here the deployment will fail |
| | | #guid: defaultguid |
| | | |
| | | |
| | | |
| | | ###V2WORK, these should just be set as default listed in the documentation |
| | | # This is where the ssh_config file will be created, this file is used to |
| | | # define the communication method to all the hosts in the deployment |
| | | deploy_local_ssh_config_location: "{{output_dir}}/" |
| | | |
| | | |
| | | ### If you want a Key Pair name created and injected into the hosts, |
| | | # set `set_env_authorized_key` to true and set the keyname in `env_authorized_key` |
| | | # you can use the key used to create the environment or use your own self generated key |
| | | # if you set "use_own_key" to false your PRIVATE key will be copied to the bastion. (This is {{key_name}}) |
| | | |
| | | ###V2WORK, these should just be set as default listed in the documentation |
| | | use_own_key: true |
| | | env_authorized_key: "{{guid}}key" |
| | | set_env_authorized_key: true |
| | | |
| | | ################################################################################ |
| | | ################################################################################ |
| | | ### AWS EC2 Specific Variables |
| | | ################################################################################ |
| | | ################################################################################ |
| | | |
| | | ### Route 53 Zone ID (AWS) |
| | | # This is the Route53 HostedZoneId where you will create your Public DNS entries |
| | | # This only needs to be defined if your CF template uses route53 |
| | | HostedZoneId: Z3IHLWJZOU9SRT |
| | | # The region to be used, if not specified by -e in the command line |
| | | aws_region: ap-southeast-2 |
| | | # The key that is used to connect to the AWS instance initially, it should |
| | | # exist in your aws account and the private key should exist on the local machine |
| | | # you are provisioning from. |
| | | #key_name: "default_key_name" |
| | | |
| | | ###V2WORK THIS SHOULD MOVE INTO THE ROLE |
| | | # This var is used to identify stack (cloudformation, azure resourcegroup, ...) |
| | | project_tag: "{{ env_type }}-{{ guid }}" |
| | | |
| | | ################################################################################ |
| | | ################################################################################ |
| | | ### Azure Specific Variables |
| | | ################################################################################ |
| | | ################################################################################ |
| | | # Create a dedicated resourceGroup for this deployment |
| | | az_destroy_method: resource_group |
| | | az_resource_group: "{{ project_tag }}" |
| | | |
| | | # you can operate differently: if you share on resourceGroup for all you deployments, |
| | | # you can specify a different resourceGroup and method: |
| | | #az_destroy_method: deployment |
| | | #az_resource_group: my-shared-resource-group |
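Review bot: The `node` instance definition has no `security_groups` entry while `bastion` is pinned to `BastionSG`, yet both carry `public_dns: true`, so the worker nodes end up in whatever group the cloud-provider role applies by default, which is presumably not what a bastion-fronted layout intends. I would give nodes an explicit group (for example `security_groups: - "NodeSG"`, or whichever group the provider templates define) and set `public_dns: false` on them unless they must be reachable directly. Separately, `bastion_instance_type` and `node_instance_type` are defined at the top but never referenced: each `flavor:` block repeats `t2.medium`/`Standard_A2_V2` literally, so changing the variables has no effect; `flavor: "{{ bastion_instance_type }}"` and `flavor: "{{ node_instance_type }}"` would make them live (the template indexes `flavor` by `cloud_provider`, which both dicts support). The `HostedZoneId` default is a real-looking zone id; leaving it commented out like `key_name` would force each deployer to supply their own instead of silently writing records into a shared zone.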
New file |
| | |
| | | { |
| | | "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", |
| | | "contentVersion": "1.0.0.0", |
| | | "parameters" : { |
| | | "guid": { |
| | | "type" : "string", |
| | | "minLength" : 3, |
| | | "metadata" : { |
| | | "description" : "GUID of the environment" |
| | | } |
| | | }, |
| | | "DNSZone": { |
| | | "type" : "string", |
| | | "minLength" : 3, |
| | | "metadata" : { |
| | | "description" : "dns zone of the environment, to update or create" |
| | | } |
| | | }, |
| | | "adminUsername" : { |
| | | "type" : "string", |
| | | "minLength" : 1, |
| | | "defaultValue" : "azure", |
| | | "metadata" : { |
| | | "description" : "User name for the Virtual Machine." |
| | | } |
| | | }, |
| | | "sshKeyData" : { |
| | | "type" : "securestring", |
| | | "metadata" : { |
| | | "description" : "SSH RSA public key file as a string." |
| | | } |
| | | }, |
| | | "vmSize" : { |
| | | "type" : "string", |
| | | "defaultValue" : "Basic_A2", |
| | | "allowedValues" : [ |
| | | "Basic_A2", |
| | | "Standard_A2", |
| | | "Standard_A3", |
| | | "Standard_A4", |
| | | "Standard_A5", |
| | | "Standard_A6", |
| | | "Standard_A7", |
| | | "Standard_A8", |
| | | "Standard_A9", |
| | | "Standard_A10", |
| | | "Standard_A11", |
| | | "Standard_D2", |
| | | "Standard_D3", |
| | | "Standard_D4", |
| | | "Standard_D11", |
| | | "Standard_D12", |
| | | "Standard_D13", |
| | | "Standard_D14", |
| | | "Standard_D2_v2", |
| | | "Standard_D3_v2", |
| | | "Standard_D4_v2", |
| | | "Standard_D5_v2", |
| | | "Standard_D11_v2", |
| | | "Standard_D12_v2", |
| | | "Standard_D13_v2", |
| | | "Standard_D14_v2", |
| | | "Standard_G1", |
| | | "Standard_G2", |
| | | "Standard_G3", |
| | | "Standard_G4", |
| | | "Standard_G5", |
| | | "Standard_DS2", |
| | | "Standard_DS3", |
| | | "Standard_DS4", |
| | | "Standard_DS11", |
| | | "Standard_DS12", |
| | | "Standard_DS13", |
| | | "Standard_DS14", |
| | | "Standard_DS2_v2", |
| | | "Standard_DS3_v2", |
| | | "Standard_DS4_v2", |
| | | "Standard_DS5_v2", |
| | | "Standard_DS11_v2", |
| | | "Standard_DS12_v2", |
| | | "Standard_DS13_v2", |
| | | "Standard_DS14_v2", |
| | | "Standard_GS1", |
| | | "Standard_GS2", |
| | | "Standard_GS3", |
| | | "Standard_GS4", |
| | | "Standard_GS5" |
| | | ], |
| | | "metadata" : { |
| | | "description" : "The size of the each Node Virtual Machine." |
| | | } |
| | | } |
| | | }, |
| | | "variables" : { |
| | | "subzone": "[concat('{{guid}}.',parameters('DNSZone'))]", |
| | | "location" : "[resourceGroup().location]", |
| | | "virtualNetworkName" : "[concat('VNet', parameters('guid'))]", |
| | | "addressPrefix" : "10.0.0.0/16", |
| | | "vnetId" : "[resourceId('Microsoft.Network/virtualNetworks', variables('virtualNetworkName'))]", |
| | | "rhel" : { |
| | | "publisher" : "Redhat", |
| | | "offer" : "RHEL", |
| | | "sku" : "7-RAW", |
| | | "version" : "latest" |
| | | }, |
| | | "tenantId" : "[subscription().tenantId]", |
| | | "apiVersion" : "2015-06-15", |
| | | "apiVersionCompute" : "2015-06-15", |
| | | "apiVersionNetwork" : "2016-03-30", |
| | | "tmApiVersion" : "2015-11-01", |
| | | "apiVersionStorage" : "2015-06-15", |
| | | "apiVersionLinkTemplate" : "2015-01-01", |
| | | "nicName" : "OneVmNic", |
| | | "publicIPAddressType" : "Dynamic", |
| | | "subnetRef" : "[concat(variables('vnetID'),'/subnets/',variables('virtualNetworkName'))]", |
| | | "sshKeyPath" : "[concat('/home/',parameters('adminUsername'),'/.ssh/authorized_keys')]", |
| | | "sQuote" : "\"", |
| | | "vmStorageAccountContainerName": "vhds", |
| | | "storageAccountType": "Standard_LRS", |
| | | "vhdStorageType" : "Premium_LRS", |
| | | "storageAccountName": "[concat('vsts8',uniquestring(parameters('guid')))]" |
| | | }, |
| | | "resources": [ |
| | | { |
| | | "type": "Microsoft.Storage/storageAccounts", |
| | | "name": "[variables('StorageAccountName')]", |
| | | "apiVersion": "2016-01-01", |
| | | "location": "[resourceGroup().location]", |
| | | "sku": { |
| | | "name": "[variables('storageAccountType')]" |
| | | }, |
| | | "kind": "Storage", |
| | | "properties": { |
| | | } |
| | | }, |
| | | {% for instance in instances %} |
| | | |
| | | {% if instance['dns_loadbalancer']|d(false)|bool and not instance['unique']|d(false)|bool %} |
| | | { |
| | | "type": "Microsoft.Network/dnszones/a", |
| | | "name": "[concat(variables('subzone'), '/', '{{instance['name']}}')]", |
| | | "apiVersion": "2016-04-01", |
| | | "dependsOn": [ |
| | | {% for c in range(1,(instance['count'] |int)+1) %} |
| | | {% if instance['unique']|d(false)|bool %} |
| | | {% set instancename = instance['name'] %} |
| | | {% else %} |
| | | {% set instancename = instance['name'] + (loop.index|string) %} |
| | | {% endif %} |
| | | "[resourceId('Microsoft.Network/publicIPAddresses/', '{{instancename}}-PublicIP')]", |
| | | {% endfor %} |
| | | "[resourceId('Microsoft.Network/dnsZones/', variables('subzone'))]", |
| | | ], |
| | | "properties": { |
| | | "TTL": 3600, |
| | | "ARecords": [ |
| | | { |
| | | {% for c in range(1,(instance['count'] |int)+1) %} |
| | | {% if instance['unique']|d(false)|bool %} |
| | | {% set instancename = instance['name'] %} |
| | | {% else %} |
| | | {% set instancename = instance['name'] + (loop.index|string) %} |
| | | {% endif %} |
| | | "ipv4Address": "[reference('{{instancename}}-PublicIP').ipAddress]" |
| | | {% endfor %} |
| | | } |
| | | ] |
| | | } |
| | | }, |
| | | {% endif %} |
| | | |
| | | |
| | | {% for c in range(1,(instance['count'] |int)+1) %} |
| | | |
| | | {% if instance['unique']|d(false)|bool %} |
| | | {% set instancename = instance['name'] %} |
| | | {% else %} |
| | | {% set instancename = instance['name'] + (loop.index|string) %} |
| | | {% endif %} |
| | | |
| | | {% if instance['public_dns']|d(false)|bool %} |
| | | { |
| | | "type": "Microsoft.Network/dnszones/a", |
| | | "name": "[concat(variables('subzone'), '/', '{{instancename}}')]", |
| | | "apiVersion": "2016-04-01", |
| | | "dependsOn": [ |
| | | "[resourceId('Microsoft.Network/publicIPAddresses/', '{{instancename}}-PublicIP')]", |
| | | "[resourceId('Microsoft.Network/dnsZones/', variables('subzone'))]", |
| | | ], |
| | | "properties": { |
| | | "TTL": 3600, |
| | | "ARecords": [ |
| | | { |
| | | "ipv4Address": "[reference('{{instancename}}-PublicIP').ipAddress]" |
| | | } |
| | | ] |
| | | } |
| | | }, |
| | | { |
| | | "apiVersion" : "2017-04-01", |
| | | "type" : "Microsoft.Network/publicIPAddresses", |
| | | "name" : "{{instancename}}-PublicIP", |
| | | "location" : "[resourceGroup().location]", |
| | | "properties" : { |
| | | "publicIPAllocationMethod" : "Static", |
| | | "dnsSettings" : { |
| | | "domainNameLabel" : "{{instancename}}-{{guid}}" |
| | | } |
| | | } |
| | | }, |
| | | { |
| | | "apiVersion" : "2017-04-01", |
| | | "type" : "Microsoft.Network/networkInterfaces", |
| | | "name" : "{{instancename}}-Interface", |
| | | "location" : "[resourceGroup().location]", |
| | | "dependsOn" : [ |
| | | "[resourceId('Microsoft.Network/publicIPAddresses/', '{{instancename}}-PublicIP')]", |
| | | "[resourceId('Microsoft.Network/virtualNetworks/', variables('virtualNetworkName'))]" |
| | | ], |
| | | "properties" : { |
| | | "ipConfigurations" : [ |
| | | { |
| | | "name" : "ipconfig1", |
| | | "properties" : { |
| | | "privateIPAllocationMethod" : "Dynamic", |
| | | "publicIPAddress" : { |
| | | "id" : "[resourceId('Microsoft.Network/publicIPAddresses','{{instancename}}-PublicIP')]" |
| | | }, |
| | | "subnet" : { |
| | | "id" : "[variables('subnetRef')]" |
| | | } |
| | | } |
| | | } |
| | | ] |
| | | } |
| | | }, |
| | | {% endif %} |
| | | { |
| | | "apiVersion" : "2017-03-30", |
| | | "type" : "Microsoft.Compute/virtualMachines", |
| | | "name" : "{{instancename}}", |
| | | "location" : "[resourceGroup().location]", |
| | | "dependsOn" : [ |
| | | "[resourceId('Microsoft.Network/networkInterfaces/', '{{instancename}}-Interface')]" |
| | | ], |
| | | "tags": { |
| | | "Name": "{{instancename}}", |
| | | "internaldns": "{{instancename}}.{{chomped_zone_internal_dns}}", |
| | | "owner": "{{ email | default('unknownuser') }}", |
| | | "Project": "{{project_tag}}", |
| | | {% for tag in instance['tags'] %} |
| | | "{{tag['key']}}": "{{tag['value']}}", |
| | | {% endfor %} |
| | | "{{project_tag}}": "{{ instance['name'] }}" |
| | | }, |
| | | "properties" : { |
| | | "hardwareProfile" : { |
| | | "vmSize" : "{{instance['flavor'][cloud_provider]}}" |
| | | }, |
| | | "osProfile" : { |
| | | "computerName" : "{{instancename}}", |
| | | "adminUsername" : "[parameters('adminUsername')]", |
| | | "linuxConfiguration" : { |
| | | "disablePasswordAuthentication" : "true", |
| | | "ssh" : { |
| | | "publicKeys" : [ |
| | | { |
| | | "path" : "[variables('sshKeyPath')]", |
| | | "keyData" : "[parameters('sshKeyData')]" |
| | | } |
| | | ] |
| | | } |
| | | } |
| | | }, |
| | | "storageProfile" : { |
| | | "imageReference" : "[variables('rhel')]", |
| | | "osDisk" : { |
| | | "caching" : "ReadWrite", |
| | | "name" : "{{instancename}}-osdisk", |
| | | "createOption" : "FromImage", |
| | | "diskSizeGB" : "{{instance['rootfs_size']|d('50')}}" |
| | | }, |
| | | "dataDisks" : [ |
| | | {% for vol in instance['volumes']|default([]) %} |
| | | { |
| | | "caching" : "None", |
| | | "createOption" : "Empty", |
| | | "lun" : "{{loop.index}}", |
| | | "name": "{{instancename}}-{{vol['device_name']}}", |
| | | "diskSizeGB" : "{{vol['volume_size']}}" |
| | | }, |
| | | {% endfor %} |
| | | ] |
| | | }, |
| | | "networkProfile" : { |
| | | "networkInterfaces" : [ |
| | | { |
| | | "id" : "[resourceId('Microsoft.Network/networkInterfaces','{{instancename}}-Interface')]" |
| | | } |
| | | ] |
| | | }, |
| | | "diagnosticsProfile" : { |
| | | "bootDiagnostics" : { |
| | | "enabled" : "false", |
| | | "storageUri" : "[concat(reference(concat('Microsoft.Storage/storageAccounts/', variables('storageAccountName')), '2016-01-01').primaryEndpoints.blob)]" |
| | | } |
| | | } |
| | | } |
| | | }, |
| | | {% endfor %} |
| | | {% endfor %} |
| | | { |
| | | "name": "[variables('subzone')]", |
| | | "type": "Microsoft.Network/dnsZones", |
| | | "apiVersion": "2017-09-01", |
| | | "location" : "global", |
| | | }, |
| | | { |
| | | "apiVersion": "2017-05-10", |
| | | "name": "nestedTemplate", |
| | | "type": "Microsoft.Resources/deployments", |
| | | "resourceGroup": "dns", |
| | | "properties": { |
| | | "mode": "Incremental", |
| | | "template": { |
| | | "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", |
| | | "contentVersion": "1.0.0.0", |
| | | "parameters": {}, |
| | | "variables": {}, |
| | | "resources": [ |
| | | ] |
| | | }, |
| | | "parameters": {} |
| | | } |
| | | }, |
| | | { |
| | | "apiVersion" : "[variables('apiVersion')]", |
| | | "type" : "Microsoft.Network/virtualNetworks", |
| | | "name" : "[variables('virtualNetworkName')]", |
| | | "location" : "[variables('location')]", |
| | | "tags" : { |
| | | "displayName" : "VirtualNetwork" |
| | | }, |
| | | "properties" : { |
| | | "addressSpace" : { |
| | | "addressPrefixes" : [ |
| | | "[variables('addressPrefix')]" |
| | | ] |
| | | }, |
| | | "subnets" : [ |
| | | { |
| | | "name" : "[variables('virtualNetworkName')]", |
| | | "properties" : { |
| | | "addressPrefix" : "[variables('addressPrefix')]" |
| | | } |
| | | } |
| | | ] |
| | | } |
| | | }, |
| | | { |
| | | "type" : "Microsoft.Network/networkSecurityGroups", |
| | | "name" : "[concat(resourceGroup().name, 'nsg')]", |
| | | "tags" : { |
| | | "displayName" : "NetworkSecurityGroup" |
| | | }, |
| | | "apiVersion" : "[variables('apiVersion')]", |
| | | "location" : "[resourceGroup().location]", |
| | | "properties" : { |
| | | "securityRules" : [ |
| | | { |
| | | "name" : "default-allow-openshift-router-https", |
| | | "properties" : { |
| | | "protocol" : "Tcp", |
| | | "sourcePortRange" : "*", |
| | | "destinationPortRange" : "443", |
| | | "sourceAddressPrefix" : "*", |
| | | "destinationAddressPrefix" : "*", |
| | | "access" : "Allow", |
| | | "priority" : 2000, |
| | | "direction" : "Inbound" |
| | | } |
| | | }, |
| | | { |
| | | "name" : "default-allow-openshift-router-http\n", |
| | | "properties" : { |
| | | "protocol" : "Tcp", |
| | | "sourcePortRange" : "*", |
| | | "destinationPortRange" : "80", |
| | | "sourceAddressPrefix" : "*", |
| | | "destinationAddressPrefix" : "*", |
| | | "access" : "Allow", |
| | | "priority" : 2001, |
| | | "direction" : "Inbound" |
| | | } |
| | | }, |
| | | { |
| | | "name" : "default-allow-openshift-master", |
| | | "properties" : { |
| | | "protocol" : "Tcp", |
| | | "sourcePortRange" : "*", |
| | | "destinationPortRange" : "8443", |
| | | "sourceAddressPrefix" : "*", |
| | | "destinationAddressPrefix" : "*", |
| | | "access" : "Allow", |
| | | "priority" : 2002, |
| | | "direction" : "Inbound" |
| | | } |
| | | }, |
| | | { |
| | | "name" : "default-allow-ssh", |
| | | "properties" : { |
| | | "protocol" : "Tcp", |
| | | "sourcePortRange" : "*", |
| | | "destinationPortRange" : "22", |
| | | "sourceAddressPrefix" : "*", |
| | | "destinationAddressPrefix" : "*", |
| | | "access" : "Allow", |
| | | "priority" : 2003, |
| | | "direction" : "Inbound" |
| | | } |
| | | } |
| | | ] |
| | | } |
| | | } |
| | | ], |
| | | "outputs" : { |
| | | } |
| | | } |
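Review bot: The `networkSecurityGroups` resource opens 22, 80, 443 and 8443 inbound from `"sourceAddressPrefix" : "*"`, and as far as this template shows it is never attached to anything — the subnet under `virtualNetworks` has only `addressPrefix` and the NIC has only `ipConfigurations`, with no `networkSecurityGroup` reference on either — so the VMs are either unfiltered or, once attached, world-open on SSH. I would restrict the SSH rule's `sourceAddressPrefix` to an operator-supplied CIDR parameter and attach the group to the subnet with `"networkSecurityGroup": { "id": "[resourceId('Microsoft.Network/networkSecurityGroups', concat(resourceGroup().name, 'nsg'))]" }`; the 80/443/8443 "openshift-router"/"openshift-master" rules look carried over from another config and can be dropped for an SELinux workshop. Also, the second rule's name is `"default-allow-openshift-router-http\n"` with a literal newline, and the `subzone` variable is built from the Jinja `{{guid}}` while every other reference uses `parameters('guid')`, so a mismatch between the two values would silently create the zone under a different name.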
New file |
| | |
| | | [all:vars] |
| | | ########################################################################### |
| | | ### Ansible Vars |
| | | ########################################################################### |
| | | timeout=60 |
| | | ansible_become=yes |
| | | ansible_user={{remote_user}} |
| | | ansible_ssh_private_key_file="~/.ssh/{{guid}}key.pem" |
| | | ansible_ssh_common_args="-o StrictHostKeyChecking=no" |
| | | |
| | | [nodes] |
| | | ## These are the frontends |
| | | {% for host in groups['nodes']|d([]) %} |
| | | node{{loop.index}}.{{chomped_zone_internal_dns}} ansible_ssh_host=frontend{{loop.index}}.{{subdomain_base}} |
| | | {% endfor %} |
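Review bot: `ansible_ssh_common_args="-o StrictHostKeyChecking=no"` in `[all:vars]` disables host-key verification for every host in the inventory, so a spoofed bastion or node is accepted silently while `ansible_ssh_private_key_file` hands it the deployment key. Since the hosts are freshly provisioned, `-o StrictHostKeyChecking=accept-new` (OpenSSH 7.6+) records the key on first contact and rejects later changes, or `-o UserKnownHostsFile=` can point at a file the inventory role populates from the provider's console output. Separately, the `[nodes]` entries resolve to `frontend{{loop.index}}.{{subdomain_base}}` while the instance is named `node` in env_vars, so unless the inventory role creates `frontend` records these `ansible_ssh_host` names will not exist — `node{{loop.index}}.{{subdomain_base}}` looks like the intended target; please verify against the DNS records the provider role actually creates.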
New file |
| | |
| | | [rhel-7-server-rpms] |
| | | name=Red Hat Enterprise Linux 7 |
| | | baseurl={{own_repo_path}}/rhel-7-server-rpms |
| | | enabled=1 |
| | | gpgcheck=0 |
| | | |
| | | [rhel-7-server-rh-common-rpms] |
| | | name=Red Hat Enterprise Linux 7 Common |
| | | baseurl={{own_repo_path}}/rhel-7-server-rh-common-rpms |
| | | enabled=1 |
| | | gpgcheck=0 |
| | | |
| | | [rhel-7-server-extras-rpms] |
| | | name=Red Hat Enterprise Linux 7 Extras |
| | | baseurl={{own_repo_path}}/rhel-7-server-extras-rpms |
| | | enabled=1 |
| | | gpgcheck=0 |
| | | |
| | | [rhel-7-server-optional-rpms] |
| | | name=Red Hat Enterprise Linux 7 Optional |
| | | baseurl={{own_repo_path}}/rhel-7-server-optional-rpms |
| | | enabled=1 |
| | | gpgcheck=0 |
| | | |
| | | [epel] |
| | | name=Extra Packages for Enterprise Linux 7 - $basearch |
| | | baseurl=http://download.fedoraproject.org/pub/epel/7/$basearch |
| | | mirrorlist=http://mirrors.fedoraproject.org/metalink?repo=epel-7&arch=$basearch |
| | | failovermethod=priority |
| | | enabled=1 |
| | | gpgcheck=0 |
| | | #gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7 |
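Review bot: Every section in this template sets `gpgcheck=0`, and the EPEL section pulls from `http://` `baseurl` and `mirrorlist` URLs, so packages installed by the common role and the workshop play (including `cockpit-ws`, which is then started as a network service) are fetched unauthenticated over plaintext. Signature checking should stay on: `gpgcheck=1` in each section, the `gpgkey=` line uncommented for EPEL (the `file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7` path only exists once `epel-release` is installed, so an `https://` key URL may be needed instead), and `https://` for the EPEL `baseurl` and `mirrorlist`. For the `own_repo_path` sections the key depends on how that mirror is built, but disabling verification there as well means a compromised or spoofed internal mirror goes straight to root on every host.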
New file |
| | |
| | | |
| | | - name: Step 002 Post Infrastructure |
| | | hosts: localhost |
| | | gather_facts: false |
| | | become: false |
| | | tasks: |
| | | - debug: |
| | | msg: "Step 002 Post Infrastructure" |
New file |
| | |
| | | |
| | | - name: Step 005 Post Software |
| | | hosts: localhost |
| | | gather_facts: false |
| | | become: false |
| | | tasks: |
| | | - debug: |
| | | msg: "Step 005 Post Software" |
| | | |
| | | - name: PostSoftware flight-check |
| | | hosts: localhost |
| | | connection: local |
| | | gather_facts: false |
| | | become: false |
| | | tags: |
| | | - post_flight_check |
| | | tasks: |
| | | - debug: |
| | | msg: "Post-Software checks completed successfully" |
New file |
| | |
| | | |
| | | - name: Step 000 Pre Infrastructure |
| | | hosts: localhost |
| | | gather_facts: false |
| | | become: false |
| | | tasks: |
| | | - debug: |
| | | msg: "Step 000 Pre Infrastructure" |
New file |
| | |
| | | |
| | | - name: Step 003 Pre Software |
| | | hosts: localhost |
| | | gather_facts: false |
| | | become: false |
| | | tasks: |
| | | - debug: |
| | | msg: "Step 003 Pre Software" |
| | | |
| | | - import_role: |
| | | name: infra-local-create-ssh_key |
| | | when: set_env_authorized_key | bool |
| | | |
| | | |
| | | - name: Configure all hosts with Repositories, Common Files and Set environment key |
| | | hosts: |
| | | - all:!windows |
| | | become: true |
| | | gather_facts: False |
| | | tags: |
| | | - common_tasks |
| | | roles: |
| | | - role: set-repositories |
| | | when: repo_method is defined |
| | | |
| | | - role: common |
| | | when: install_common | bool |
| | | |
| | | - role: set_env_authorized_key |
| | | when: set_env_authorized_key | bool |
| | | |
| | | - name: Configuring Bastion Hosts |
| | | hosts: bastions |
| | | become: true |
| | | gather_facts: False |
| | | roles: |
| | | - role: bastion |
| | | when: install_bastion | bool |
| | | tags: |
| | | - bastion_tasks |
| | | |
| | | - name: PreSoftware flight-check |
| | | hosts: localhost |
| | | connection: local |
| | | gather_facts: false |
| | | become: false |
| | | tags: |
| | | - presoftware_flight_check |
| | | tasks: |
| | | - debug: |
| | | msg: "Pre-Software checks completed successfully" |
New file |
| | |
| | | --- |
| | | # Sample configuration file. |
| | | # Make a copy (e.g. my_sample_vars.yml) and change the settings to match your environment. |
| | | # |
| | | # Usage: |
| | | # |
| | | # ansible-playbook main.yml -e @configs/simple-example/my_sample_vars.yml -e @my_secret_vars.yml |
| | | # |
| | | # To destroy your deployment: |
| | | # |
| | | # ansible-playbook destroy.yml -e @configs/simple-example/my_sample_vars.yml -e @my_secret_vars.yml |
| | | # |
| | | |
| | | env_type: simple-example # Name of config to deploy |
| | | output_dir: /tmp/workdir # Writable working scratch directory |
| | | node_instance_count: 2 # Number of nodes to deploy |
| | | email: name@example.com # User info for notifications |
| | | |
| | | guid: guid02 # Unique string used in FQDN |
| | | subdomain_base_suffix: .example.opentlc.com # Your domain used in FQDN |
| | | |
| | | # Path to yum repos |
| | | own_repo_path: http://admin.example.com/repos/version |
| | | |
| | | # Cloud specfic settings - example given here for AWS |
| | | |
| | | cloud_provider: ec2 # Which AgnosticD Cloud Provider to use |
| | | aws_region: us-east-1 # AWS Region to deploy in |
| | | HostedZoneId: Z3IHLWJZOU9SRT # You will need to change this |
| | | |
| | | key_name: ocpkey # Keyname must exist in AWS |
| | | |
| | | # DANGER ZONE |
| | | # |
| | | # AWS Credentials. These are required (don't sync them to your fork!!) |
| | | # aws_access_key_id: |
| | | # aws_secret_access_key: |
| | | # Create a file e.g. agnosticd/ansible/my_secret_vars.yml and put all your keys etc into it. |
| | | # |
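Review bot: `own_repo_path: http://admin.example.com/repos/version` is a plaintext URL, and because the repo template it feeds disables `gpgcheck`, every host installs whatever that endpoint (or anyone on the path to it) serves; the sample should use `https://` so deployers do not copy the insecure form. `guid: guid02` is also a poor sample default given the env_vars comment that the guid must be unique per deployment — it feeds DNS names, the key name and the stack tag, so two people running the sample unchanged collide; a placeholder such as `guid: CHANGEME` would force a choice. The `HostedZoneId` line already says "You will need to change this"; the same note belongs on `guid` and `key_name`.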
New file |
| | |
| | | --- |
| | | - name: Step 004 Environment specific Software |
| | | hosts: localhost |
| | | gather_facts: False |
| | | become: false |
| | | tasks: |
| | | - debug: |
| | | msg: "Software tasks Started" |
| | | |
| | | |
| | | - name: Deploy Roles if infra_workloads defined |
| | | hosts: |
| | | - nodes |
| | | gather_facts: false |
| | | run_once: false |
| | | become: yes |
| | | tags: |
| | | - infra_workloads |
| | | tasks: |
| | | - name: apply infra workloads roles on nodes |
| | | when: |
| | | - infra_workloads|d("")|length > 0 |
| | | block: |
| | | - name: Apply role "{{ workload_loop_var }}" on nodes |
| | | include_role: |
| | | name: "{{ workload_loop_var }}" |
| | | vars: |
| | | ACTION: "provision" |
| | | loop: "{{ infra_workloads.split(',')|list }}" |
| | | loop_control: |
| | | loop_var: workload_loop_var |
| | | |
| | | - name: Configure bastion for SELinux workshop |
| | | hosts: all |
| | | gather_facts: false |
| | | become: true |
| | | vars: |
| | | avc: | |
| | | '---- |
| | | time->Mon Nov 17 01:45:36 2008 |
| | | type=AVC msg=audit(1226882736.442:86): avc: denied { getattr } for pid=2427 comm="httpd" path="/var/www/html/file1" dev=dm-0 ino=284133 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file |
| | | type=SYSCALL msg=audit(1226882736.442:86): arch=40000003 syscall=196 success=no exit=-13 a0=b9a1e198 a1=bfc2921c a2=54dff4 a3=2008171 items=0 ppid=2425 pid=2427 auid=502 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)' |
| | | |
| | | tasks: |
| | | - name: Install all needed packages |
| | | package: |
| | | state: present |
| | | name: |
| | | - selinux-policy-devel |
| | | - ansible |
| | | - policycoreutils |
| | | - policycoreutils-python-utils |
| | | - audit |
| | | - git |
| | | - setools-console |
| | | - selinux-policy-doc |
| | | - policycoreutils-newrole |
| | | - setroubleshoot-server |
| | | - make |
| | | - gcc-c++ |
| | | - rpm-build |
| | | - libcurl-devel |
| | | - cockpit |
| | | - cockpit-dashboard |
| | | - cockpit-shell |
| | | - cockpit-system |
| | | - cockpit-ws |
| | | - subscription-manager-cockpit |
| | | - cockpit-composer |
| | | - cockpit-session-recording |
| | | - cockpit-machines |
| | | - cockpit-packagekit |
| | | - cockpit-podman |
| | | - cockpit-storaged |
| | | |
| | | - name: Ensure cockpit is started |
| | | systemd: |
| | | name: "cockpit.socket" |
| | | state: "started" |
| | | enabled: true |
| | | daemon_reload: true |
| | | |
| | | - name: Enable SELinux |
| | | selinux: |
| | | policy: targeted |
| | | state: enforcing |
| | | |
| | | - name: Create testaudit file |
| | | copy: |
| | | mode: '0644' |
| | | owner: root |
| | | dest: /root/testaudit |
| | | content: "{{ avc }}" |
| | | |
| | | - name: Copy testaudit also to user dir |
| | | copy: |
| | | src: /root/testaudit |
| | | dest: /home/ec2-user |
| | | owner: ec2-user |
| | | group: ec2-user |
| | | mode: '0644' |
| | | force: true |
| | | remote_src: yes |
| | | |
| | | - name: Create .vimrc in user home dir |
| | | copy: |
| | | content: "" |
| | | dest: /home/ec2-user/.vimrc |
| | | owner: ec2-user |
| | | group: ec2-user |
| | | mode: '0644' |
| | | force: no |
| | | |
| | | - name: Software flight-check |
| | | hosts: localhost |
| | | connection: local |
| | | gather_facts: false |
| | | become: false |
| | | tags: |
| | | - post_flight_check |
| | | tasks: |
| | | - debug: |
| | | msg: "Software checks completed successfully" |
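Review bot: The play named "Configure bastion for SELinux workshop" runs with `hosts: all`, so the cockpit packages, `cockpit.socket` and the `/root/testaudit` fixture land on every node as well as the bastion; `hosts: bastions` matches both the play name and the group set in env_vars. The user-directory tasks hard-code `/home/ec2-user` and `owner: ec2-user`, which breaks on the Azure path where `adminUsername` defaults to `azure` — the inventory template already relies on `remote_user`, so `dest: /home/{{ remote_user }}` and `owner: "{{ remote_user }}"` keep the play provider-neutral. Starting `cockpit.socket` exposes the web console on a host with `public_dns: true`; that is acceptable for a workshop only if the bastion security group limits the cockpit port (9090 by default) to the attendees' source ranges, which I cannot see here. Also note the `avc` block scalar keeps the leading `'----` and trailing `'` quote characters verbatim, so `/root/testaudit` will contain stray apostrophes around the audit lines — drop them from the block.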
New file |
| | |
| | | = selinux-policy role |
| | | |
New file |
| | |
| | | --- |
| | | - name: Install all needed packages |
| | | block: |
| | | package: |
| | | state: present |
| | | name: |
| | | - selinux-policy-devel |
| | | - ansible |
| | | - policycoreutils |
| | | - policycoreutils-python-utils |
| | | - audit |
| | | - git |
| | | - setools-console |
| | | - selinux-policy-doc |
| | | - policycoreutils-newrole |
| | | - setroubleshoot-server |
| | | - make |
| | | - gcc-c++ |
| | | - rpm-build |
| | | - libcurl-devel |
| | | - cockpit |
| | | - cockpit-dashboard |
| | | - cockpit-shell |
| | | - cockpit-system |
| | | - cockpit-ws |
| | | - subscription-manager-cockpit |
| | | - cockpit-composer |
| | | - cockpit-session-recording |
| | | - cockpit-machines |
| | | - cockpit-packagekit |
| | | - cockpit-podman |
| | | - cockpit-storaged |
| | | check_mode: yes |
| | | |
| | | - name: Ensure cockpit is started |
| | | systemd: |
| | | name: "cockpit.socket" |
| | | state: "started" |
| | | enabled: true |
| | | daemon_reload: true |
| | | check_mode: yes |
| | | |
| | | - name: Check if SELinux is in Enforcing state |
| | | selinux: |
| | | policy: targeted |
| | | state: enforcing |
| | | check_mode: yes |
| | | |
| | | - name: Check if testaudit file exists |
| | | stat: |
| | | path: /root/testaudit |
| | | |