From cff7a0f1bc09bff3009fea560f057cc5c6a5d7a2 Mon Sep 17 00:00:00 2001
From: Mark Goddard <mark@stackhpc.com>
Date: Tue, 13 Mar 2018 19:29:33 +0000
Subject: [PATCH] Add disable_selinux_do_reboot variable

This allows the user to control whether hosts will be rebooted to apply
an SELinux policy configuration change. We cannot do this in CI, where
the Ansible control host is the host being configured.

Change-Id: I431ed26d907a534e2e99a8032152340d109fd49e
---
 .../roles/disable-selinux/defaults/main.yml   |  3 +
 ansible/roles/disable-selinux/tasks/main.yml  | 71 +++++++++----------
 2 files changed, 37 insertions(+), 37 deletions(-)

diff --git a/ansible/roles/disable-selinux/defaults/main.yml b/ansible/roles/disable-selinux/defaults/main.yml
index 979f3f93..23fd5cd3 100644
--- a/ansible/roles/disable-selinux/defaults/main.yml
+++ b/ansible/roles/disable-selinux/defaults/main.yml
@@ -1,4 +1,7 @@
 ---
+# Whether to reboot to apply SELinux config changes.
+disable_selinux_do_reboot: true
+
 # Number of seconds to wait for hosts to become accessible via SSH after being
 # rebooted.
 disable_selinux_reboot_timeout:
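Review bot: The comment on `disable_selinux_do_reboot` does not say what state a host is left in when the reboot is skipped. Judging by the commit message, the SELinux configuration change is written but only takes effect at the next boot, so a host with this set to false keeps running in its previous SELinux mode while the play reports success. I would extend the comment, for example `# If false, the SELinux change is written but not applied until the host is next rebooted.`, so operators who reuse the CI setting elsewhere know a reboot is still pending.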
diff --git a/ansible/roles/disable-selinux/tasks/main.yml b/ansible/roles/disable-selinux/tasks/main.yml
index 76ed6484..ce67f5c6 100644
--- a/ansible/roles/disable-selinux/tasks/main.yml
+++ b/ansible/roles/disable-selinux/tasks/main.yml
@@ -13,45 +13,42 @@
   register: selinux_result
   become: True
 
-- name: Set a fact to determine whether we are running locally
-  set_fact:
-    is_local: "{{ lookup('pipe', 'hostname') in [ansible_hostname, ansible_nodename] }}"
-  when: selinux_result | changed
+- block:
+    - name: Set a fact to determine whether we are running locally
+      set_fact:
+        is_local: "{{ lookup('pipe', 'hostname') in [ansible_hostname, ansible_nodename] }}"
 
-# Any SSH connection errors cause ansible to fail the task. We therefore
-# perform a manual SSH connection and allow the command to fail.
-- name: Reboot the system to apply SELinux changes (remote)
-  local_action:
-    # Use -tt to force a pseudo tty.
-    module: >
-      command
-      ssh -tt {{ ansible_user }}@{{ ansible_host | default(inventory_hostname) }}
-      sudo shutdown -r now "Applying SELinux changes"
-  register: reboot_result
-  failed_when:
-    - reboot_result | failed
-    - "'closed by remote host' not in reboot_result.stderr"
-  when:
-    - selinux_result | changed
-    - not is_local | bool
+    # Any SSH connection errors cause ansible to fail the task. We therefore
+    # perform a manual SSH connection and allow the command to fail.
+    - name: Reboot the system to apply SELinux changes (remote)
+      local_action:
+        # Use -tt to force a pseudo tty.
+        module: >
+          command
+          ssh -tt {{ ansible_user }}@{{ ansible_host | default(inventory_hostname) }}
+          sudo shutdown -r now "Applying SELinux changes"
+      register: reboot_result
+      failed_when:
+        - reboot_result | failed
+        - "'closed by remote host' not in reboot_result.stderr"
+      when: not is_local | bool
 
-- name: Reboot the system to apply SELinux changes (local)
-  command: shutdown -r now "Applying SELinux changes"
-  become: True
-  when:
-    - selinux_result | changed
-    - is_local | bool
+    - name: Reboot the system to apply SELinux changes (local)
+      command: shutdown -r now "Applying SELinux changes"
+      become: True
+      when: is_local | bool
 
-# If we're running this locally we won't get here.
-- name: Wait for the system to boot up (remote)
-  local_action:
-    module: wait_for
-    host: "{{ ansible_host | default(inventory_hostname) }}"
-    port: 22
-    state: started
-    # Wait for 10 seconds before polling to ensure the node has shutdown.
-    delay: 10
-    timeout: "{{ disable_selinux_reboot_timeout }}"
+    # If we're running this locally we won't get here.
+    - name: Wait for the system to boot up (remote)
+      local_action:
+        module: wait_for
+        host: "{{ ansible_host | default(inventory_hostname) }}"
+        port: 22
+        state: started
+        # Wait for 10 seconds before polling to ensure the node has shutdown.
+        delay: 10
+        timeout: "{{ disable_selinux_do_reboot_timeout }}"
+      when: not is_local | bool
   when:
+    - disable_selinux_do_reboot | bool
     - selinux_result | changed
-    - not is_local | bool
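Review bot: The "Wait for the system to boot up (remote)" task now reads `disable_selinux_do_reboot_timeout`, but the defaults file in this same patch still defines `disable_selinux_reboot_timeout`. The new name looks like an accidental rename and would be undefined on the remote path unless it is set somewhere outside this patch. The line should stay `timeout: "{{ disable_selinux_reboot_timeout }}"`. The error would only surface after the remote host has already been told to reboot, and CI, which per the commit message cannot reboot, would presumably never reach this task. The task that registers `selinux_result` starts above the hunk.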
-- 
GitLab