From 4adb8dff9de53404d0dd6a736d2e9c7af56c25bb Mon Sep 17 00:00:00 2001
From: Dominic Robinson <65237317+drobinson-moj@users.noreply.github.com>
Date: Tue, 10 Oct 2023 12:25:20 +0100
Subject: [PATCH] DSOS-2233: add epel role (#361)

* add epel role
* fix
* use role for installing epel
* use role for installing epel
* use role for installing epel
* ansible-script fix
* add ansible-script for testing
* Commit changes made by code formatters
---------
Co-authored-by: github-actions[bot]
---
 .../group_vars/server_type_base_rhel610.yml | 1 +
 .../group_vars/server_type_base_rhel79.yml | 1 +
 .../group_vars/server_type_base_rhel85.yml | 1 +
 ansible/group_vars/server_type_nomis_db.yml | 1 +
 ansible/group_vars/server_type_nomis_web.yml | 1 +
 ansible/group_vars/server_type_nomis_xtag.yml | 1 +
 ansible/roles/ansible-script/files/ansible.sh | 1 +
 ansible/roles/collectd/meta/main.yml | 1 +
 .../roles/collectd/tasks/collectd_install.yml | 83 +----------------
 ansible/roles/epel/README.md | 3 +
 ansible/roles/epel/defaults/main.yml | 3 +
 ansible/roles/epel/tasks/install-from-rpm.yml | 92 +++++++++++++++++++
 ansible/roles/epel/tasks/main.yml | 20 ++++
 .../secretsmanager-passwords/meta/main.yml | 1 +
 .../secretsmanager-passwords/tasks/main.yml | 1 -
 ansible/roles/ssm-passwords/meta/main.yml | 3 +
 ansible/roles/ssm-passwords/tasks/main.yml | 1 -
 17 files changed, 132 insertions(+), 83 deletions(-)
 create mode 100644 ansible/roles/epel/README.md
 create mode 100644 ansible/roles/epel/defaults/main.yml
 create mode 100644 ansible/roles/epel/tasks/install-from-rpm.yml
 create mode 100644 ansible/roles/epel/tasks/main.yml
 create mode 100644 ansible/roles/ssm-passwords/meta/main.yml
diff --git a/ansible/group_vars/server_type_base_rhel610.yml b/ansible/group_vars/server_type_base_rhel610.yml
index 050e62459..ffa6d73cf 100644
--- a/ansible/group_vars/server_type_base_rhel610.yml
+++ b/ansible/group_vars/server_type_base_rhel610.yml
@@ -7,5 +7,6 @@ server_type_roles_list: - domain-search - amazon-cloudwatch-agent - autoscale-group-hooks-state + - ansible-script roles_list: "{{ (ami_roles_list | default([]) | difference(server_type_roles_list | default([]))) + (server_type_roles_list | default([])) }}" diff --git a/ansible/group_vars/server_type_base_rhel79.yml b/ansible/group_vars/server_type_base_rhel79.yml index d3e91fefd..17a7a1e5e 100644 --- a/ansible/group_vars/server_type_base_rhel79.yml +++ b/ansible/group_vars/server_type_base_rhel79.yml @@ -6,6 +6,7 @@ server_type_roles_list: - set-ec2-hostname - domain-search - amazon-cloudwatch-agent + - ansible-script - autoscale-group-hooks-state roles_list: "{{ (ami_roles_list | default([]) | difference(server_type_roles_list | default([]))) + (server_type_roles_list | default([])) }}" diff --git a/ansible/group_vars/server_type_base_rhel85.yml b/ansible/group_vars/server_type_base_rhel85.yml index 4fb28c147..da2abfbe4 100644 --- a/ansible/group_vars/server_type_base_rhel85.yml +++ b/ansible/group_vars/server_type_base_rhel85.yml @@ -7,6 +7,7 @@ server_type_roles_list: - set-ec2-hostname - domain-search - amazon-cloudwatch-agent + - ansible-script - autoscale-group-hooks-state roles_list: "{{ (ami_roles_list | default([]) | difference(server_type_roles_list | default([]))) + (server_type_roles_list | default([])) }}" diff --git a/ansible/group_vars/server_type_nomis_db.yml b/ansible/group_vars/server_type_nomis_db.yml index d5602d19b..a91f74e23 100644 --- a/ansible/group_vars/server_type_nomis_db.yml +++ b/ansible/group_vars/server_type_nomis_db.yml @@ -5,6 +5,7 @@ server_type_roles_list: - get-ec2-facts - set-ec2-hostname - domain-search + - ansible-script - oracle-11g - oracle-secure-backup - oracle-db-backup diff --git a/ansible/group_vars/server_type_nomis_web.yml b/ansible/group_vars/server_type_nomis_web.yml index f0260504d..b384fcda5 100644 --- a/ansible/group_vars/server_type_nomis_web.yml 
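Review bot: `ansible-script` is appended after `autoscale-group-hooks-state` in server_type_base_rhel610.yml, whereas the rhel79, rhel85, nomis_db, nomis_web and nomis_xtag hunks in this commit insert it before `autoscale-group-hooks-state` (or before the application roles). If roles in `server_type_roles_list` run in list order and `autoscale-group-hooks-state` is meant to be the last step, the RHEL6 hosts are the one place the new role runs after the hook state is recorded; I cannot tell from here whether that is deliberate. Moving the entry one position up, `  - ansible-script` before `  - autoscale-group-hooks-state`, would make the six files agree.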
+++ b/ansible/group_vars/server_type_nomis_web.yml @@ -5,6 +5,7 @@ server_type_roles_list: - autoscale-group-hooks - set-ec2-hostname - domain-search + - ansible-script - nomis-weblogic - nomis-release-deployment - collectd-service-metrics diff --git a/ansible/group_vars/server_type_nomis_xtag.yml b/ansible/group_vars/server_type_nomis_xtag.yml index 3dcd782bc..15e8d091c 100644 --- a/ansible/group_vars/server_type_nomis_xtag.yml +++ b/ansible/group_vars/server_type_nomis_xtag.yml @@ -6,6 +6,7 @@ server_type_roles_list: - autoscale-group-hooks - set-ec2-hostname - domain-search + - ansible-script - nomis-xtag-weblogic - collectd-service-metrics - autoscale-group-hooks-state diff --git a/ansible/roles/ansible-script/files/ansible.sh b/ansible/roles/ansible-script/files/ansible.sh index 2500f758e..3fdb96fb6 100755 --- a/ansible/roles/ansible-script/files/ansible.sh +++ b/ansible/roles/ansible-script/files/ansible.sh @@ -51,6 +51,7 @@ run_ansible() { else cd $ansible_dir/${ansible_repo} git pull + git checkout "$branch" fi cd $ansible_dir diff --git a/ansible/roles/collectd/meta/main.yml b/ansible/roles/collectd/meta/main.yml index 4ff987c1c..6b6318525 100644 --- a/ansible/roles/collectd/meta/main.yml +++ b/ansible/roles/collectd/meta/main.yml @@ -1,3 +1,4 @@ --- dependencies: - role: get-ec2-facts + - role: epel diff --git a/ansible/roles/collectd/tasks/collectd_install.yml b/ansible/roles/collectd/tasks/collectd_install.yml index 5c74aa38a..2c5704c2c 100644 --- a/ansible/roles/collectd/tasks/collectd_install.yml +++ b/ansible/roles/collectd/tasks/collectd_install.yml 
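Review bot: `git checkout "$branch"` is added after `git pull`, so when a local `$branch` already exists from an earlier run it is switched to without being refreshed; the pull only updates whatever branch the clone currently has checked out. Reversing the two lines, `git checkout "$branch"` followed by `git pull`, updates the branch that is actually going to run, and the unquoted `cd $ansible_dir/${ansible_repo}` on the context line above would benefit from the same quoting used for `$branch`. `run_ansible` starts and ends outside the hunk, so I cannot see whether `set -e` is in effect; if it is not, a misspelt `$branch` fails the checkout silently and the previously checked-out code runs instead.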
@@ -1,84 +1,5 @@ --- -- name: is collectd installed +- name: Install collectd ansible.builtin.yum: - list: collectd + name: "collectd" state: present - register: collectd_installed_state - check_mode: no - changed_when: false - ignore_errors: true - -- name: set fact for collectd installed or not - set_fact: - collectd_installed: "{{ collectd_installed_state.results is defined and collectd_installed_state.results | length > 0 and 'installed' in collectd_installed_state.results[0].yumstate }}" - -- name: debug collectd_installed - ansible.builtin.debug: - msg: "{{ collectd_installed }}" - -- name: Ensure the EPEL repository is available on Rhel 6 - block: - - name: Ensure the EPEL repository is available on Rhel 6 - ansible.builtin.package: - name: epel-release - state: installed - register: epel_release_installed - ignore_errors: true - - - name: Add epel-release to repolist on Rhel 6 - ansible.builtin.shell: | - wget https://dl.fedoraproject.org/pub/archive/epel/6/x86_64/epel-release-6-8.noarch.rpm - yum install -y epel-release-6-8.noarch.rpm - when: epel_release_installed is failed - ignore_errors: true # role to be re-run without failing - - # using shell as yum module doesn't run on Rhel6 due to old python version - - name: Install collectd agent - ansible.builtin.shell: | - yum install -y collectd - # block - when: (ansible_distribution_major_version == '6') and (not collectd_installed) - -- name: Ensure the EPEL repository is available on Rhel 7 - block: - - name: Ensure the EPEL repository is available - ansible.builtin.package: - name: epel-release - state: installed - register: epel_release_installed - ignore_errors: true - - - name: Add epel-release to repolist - ansible.builtin.shell: | - yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm - when: epel_release_installed is failed - ignore_errors: true - - - name: install collectd from epel-release - ansible.builtin.package: - name: collectd - state: installed - # block - 
when: (ansible_distribution_major_version == '7') and (not collectd_installed) - -- name: Ensure the EPEL repository is available on Rhel 8 - block: - - name: Ensure the EPEL repository is available on Rhel 8 - ansible.builtin.package: - name: epel-release - state: installed - register: epel_release_installed - ignore_errors: true - - - name: Add epel-release to repolist on Rhel 8 - ansible.builtin.shell: | - wget https://dl.fedoraproject.org/pub/archive/epel/8.5/Everything/x86_64/Packages/e/epel-release-8-15.el8.noarch.rpm - yum install -y epel-release-8-15.el8.noarch.rpm - when: epel_release_installed is failed - - - name: Install collectd agent - ansible.builtin.dnf: - name: collectd - state: installed - # block - when: ansible_distribution_major_version >= "8" and not collectd_installed diff --git a/ansible/roles/epel/README.md b/ansible/roles/epel/README.md new file mode 100644 index 000000000..fbb1649a9 --- /dev/null +++ b/ansible/roles/epel/README.md @@ -0,0 +1,3 @@ +Enable epel repo + +I've seen occasional 403 errors on the URLs hence the option to download from S3. diff --git a/ansible/roles/epel/defaults/main.yml b/ansible/roles/epel/defaults/main.yml new file mode 100644 index 000000000..2393c5309 --- /dev/null +++ b/ansible/roles/epel/defaults/main.yml @@ -0,0 +1,3 @@ +--- +artefacts_s3_bucket_name: mod-platform-image-artefact-bucket20230203091453221500000001 +artefacts_s3_bucket_path: hmpps/epel diff --git a/ansible/roles/epel/tasks/install-from-rpm.yml b/ansible/roles/epel/tasks/install-from-rpm.yml new file mode 100644 index 000000000..56a4b5850 --- /dev/null +++ b/ansible/roles/epel/tasks/install-from-rpm.yml 
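Review bot: The rewritten task installs collectd with `ansible.builtin.yum` unconditionally, but the removed RHEL6 block carried the comment `using shell as yum module doesn't run on Rhel6 due to old python version`, and server_type_base_rhel610.yml is still a live group in this same commit. If that limitation still holds, collectd installation now fails on the RHEL6 hosts that the old shell fallback covered; I cannot verify the Python constraint from here. Either keep a shell fallback gated on `when: ansible_distribution_major_version == '6'`, or add a comment above the task recording that the yum module has been confirmed to work on the RHEL6 image so the next reader does not reintroduce the workaround.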
@@ -0,0 +1,92 @@ +--- +- name: Set RHEL6 epel facts + set_fact: + epel_rpm_filename: epel-release-6-8.noarch.rpm + epel_rpm_url: https://dl.fedoraproject.org/pub/archive/epel/6/x86_64/epel-release-6-8.noarch.rpm + epel_gpg_key_filename: RPM-GPG-KEY-EPEL-6.txt + epel_gpg_key_url: https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-6.txt + when: ansible_distribution_major_version == '6' + +- name: Set RHEL7+ epel facts + set_fact: + epel_rpm_filename: "epel-release-latest-{{ ansible_distribution_major_version }}.noarch.rpm" + epel_rpm_url: "https://dl.fedoraproject.org/pub/epel/epel-release-latest-{{ ansible_distribution_major_version }}.noarch.rpm" + epel_gpg_key_filename: "RPM-GPG-KEY-EPEL-{{ ansible_distribution_major_version }}.txt" + epel_gpg_key_url: "https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-{{ ansible_distribution_major_version }}.txt" + when: ansible_distribution_major_version in ['7', '8', '9'] + +- name: Fail if unexpected OS + fail: + msg: "Unsupported OS {{ ansible_distribution }} {{ ansible_distribution_major_version }}" + when: ansible_distribution_major_version not in ['6', '7', '8', '9'] + +- name: Get SELinux state + ansible.builtin.shell: getenforce || true + changed_when: false + check_mode: false + register: epel_selinux_mode + +# The fedoraproject URL sometimes gives 403s so safer to use S3 method +- name: Install from S3 + block: + - name: Create rpm directory + ansible.builtin.file: + path: "/root/epel" + state: directory + + - name: Copy from S3 + amazon.aws.aws_s3: + bucket: "{{ artefacts_s3_bucket_name }}" + object: "{{ artefacts_s3_bucket_path }}/{{ item }}" + dest: "/root/epel/{{ item }}" + mode: get + overwrite: latest + loop: + - "{{ epel_rpm_filename }}" + - "{{ epel_gpg_key_filename }}" + + - name: Temporarily set SELinux state to Permissive + ansible.builtin.shell: setenforce Permissive + when: epel_selinux_mode.stdout|lower == "enforcing" + + - name: Import rpm key from S3 + ansible.builtin.rpm_key: + state: present 
+ key: "/root/epel/{{ epel_gpg_key_filename }}" + + - name: Install epel RPM from S3 + ansible.builtin.yum: + state: present + name: "/root/epel/{{ epel_rpm_filename }}" + + always: + - name: Restore SELinux state to Enforcing + ansible.builtin.shell: setenforce Enforcing + when: epel_selinux_mode.stdout|lower == "enforcing" + + # block + when: artefacts_s3_bucket_name is defined + +- name: Install from URL + block: + - name: Set SELinux state to Permissive + ansible.builtin.shell: setenforce Permissive + when: epel_selinux_mode.stdout|lower == "enforcing" + + - name: Import rpm key from URL + ansible.builtin.rpm_key: + state: present + key: "{{ epel_gpg_key_url }}" + + - name: Install epel RPM from URL + ansible.builtin.yum: + state: present + name: "{{ epel_rpm_url }}" + + always: + - name: Restore SELinux state to Enforcing + ansible.builtin.shell: setenforce Enforcing + when: epel_selinux_mode.stdout|lower == "enforcing" + + # block + when: artefacts_s3_bucket_name is not defined diff --git a/ansible/roles/epel/tasks/main.yml b/ansible/roles/epel/tasks/main.yml new file mode 100644 index 000000000..743dc388a --- /dev/null +++ b/ansible/roles/epel/tasks/main.yml @@ -0,0 +1,20 @@ +--- +# try the easy way first +- name: Add EPEL repository + ansible.builtin.yum: + name: epel-release + state: present + ignore_errors: yes + register: epel_yum + tags: + - amibuild + - ec2provision + - ec2patch + +# otherwise install from RPM +- import_tasks: install-from-rpm.yml + tags: + - amibuild + - ec2provision + - ec2patch + when: ansible_distribution in ['RedHat', 'OracleLinux'] and epel_yum is failed diff --git a/ansible/roles/secretsmanager-passwords/meta/main.yml b/ansible/roles/secretsmanager-passwords/meta/main.yml index eaef83a42..3df25ad8c 100644 --- a/ansible/roles/secretsmanager-passwords/meta/main.yml +++ b/ansible/roles/secretsmanager-passwords/meta/main.yml @@ -1,3 +1,4 @@ --- dependencies: - role: get-modernisation-platform-facts + - role: epel 
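Review bot: The `Install from URL` block is unreachable: its guard `when: artefacts_s3_bucket_name is not defined` can never be true because defaults/main.yml (the earlier hunk in this commit) always defines `artefacts_s3_bucket_name`, so the fallback the README describes is dead code. A switch that can actually be unset would make it work, e.g. a default `epel_install_from_s3: true` with the two blocks gated on `when: epel_install_from_s3` and `when: not epel_install_from_s3`. Separately, `setenforce Permissive` leaves the host permissive until the `always` task runs, so a play interrupted between the two leaves SELinux relaxed until reboot; a comment above each `Temporarily set SELinux state to Permissive` task stating why the RPM install needs it would help, and `ansible.builtin.command` is the better fit for both `setenforce` calls since no shell features are used.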
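Review bot: `ignore_errors: yes` in the `Add EPEL repository` task uses a YAML 1.1 boolean spelling while install-from-rpm.yml in the same role writes `changed_when: false` and `check_mode: false`; `ignore_errors: true` keeps the role consistent and yamllint-clean. The distribution check `ansible_distribution in ['RedHat', 'OracleLinux']` on the `import_tasks` line is also the only gate, so on any other distribution where the first yum task fails the role ends quietly and the `Fail if unexpected OS` task in install-from-rpm.yml never runs. If that silent outcome is intended, a comment on the import such as `# other distributions: fall through without failing if epel-release is not installable` would record it.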
diff --git a/ansible/roles/secretsmanager-passwords/tasks/main.yml b/ansible/roles/secretsmanager-passwords/tasks/main.yml index 0f90ad0ff..58a8a538e 100644 --- a/ansible/roles/secretsmanager-passwords/tasks/main.yml +++ b/ansible/roles/secretsmanager-passwords/tasks/main.yml @@ -13,7 +13,6 @@ ansible.builtin.yum: name: "jq" state: present - enablerepo: "epel" # Using the cli instead of native ansible as we need to assume a role # to access secrets in other accounts diff --git a/ansible/roles/ssm-passwords/meta/main.yml b/ansible/roles/ssm-passwords/meta/main.yml new file mode 100644 index 000000000..c6a68df09 --- /dev/null +++ b/ansible/roles/ssm-passwords/meta/main.yml @@ -0,0 +1,3 @@ +--- +dependencies: + - role: epel diff --git a/ansible/roles/ssm-passwords/tasks/main.yml b/ansible/roles/ssm-passwords/tasks/main.yml index cae07a8ba..c2b24f1e9 100644 --- a/ansible/roles/ssm-passwords/tasks/main.yml +++ b/ansible/roles/ssm-passwords/tasks/main.yml @@ -8,7 +8,6 @@ ansible.builtin.yum: name: "jq" state: present - enablerepo: "epel" - name: Get SSM Parameters set_fact:
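Review bot: Dropping `enablerepo: "epel"` from the jq install makes the task depend on the epel repo being enabled in the host's repo configuration after the new `epel` meta dependency runs, rather than enabling it for this one transaction; the same removal appears in ansible/roles/ssm-passwords/tasks/main.yml. The epel-release package normally ships its main repo enabled, but on an image where it has been disabled the task would now fail to find `jq` where it previously succeeded. Keeping `enablerepo: "epel"` alongside the dependency costs nothing and keeps the install self-describing.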