From aca74d05ae0391558adb8c7c827bda54abcc8c09 Mon Sep 17 00:00:00 2001
From: jeff
Date: Wed, 14 Mar 2018 11:40:56 +0100
Subject: [PATCH 1/5] Add 'ca_trust_dir' variable to allow Custom CA sharing between host and containers

---
 installer/inventory | 6 ++++++
 installer/local_docker/templates/docker-compose.yml.j2 | 8 +++++++-
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/installer/inventory b/installer/inventory
index c181516ae4..65c24b1211 100644
--- a/installer/inventory
+++ b/installer/inventory
@@ -95,3 +95,9 @@ pg_port=5432
 # AWX project data folder. If you need access to the location where AWX stores the projects
 # it manages from the docker host, you can set this to turn it into a volume for the container.
 #project_data_dir=/var/lib/awx/projects
+
+# CA Trust directory. If you need to provide custom CA certificates, supplying
+# this variable causes this directory on the host to be bind mounted over
+# /etc/pki/ca-trust in the awx_task and awx_web containers.
+# NOTE: only obeyed in local_docker install
+#ca_trust_dir=/etc/pki/ca-trust
\ No newline at end of file
diff --git a/installer/local_docker/templates/docker-compose.yml.j2 b/installer/local_docker/templates/docker-compose.yml.j2
index 4535937477..85ac70f9c3 100644
--- a/installer/local_docker/templates/docker-compose.yml.j2
+++ b/installer/local_docker/templates/docker-compose.yml.j2
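Review bot: The new comment block in the inventory hunk tells the operator the directory is bind-mounted over /etc/pki/ca-trust, but not that the mount is read-only and replaces the containers' own trust directory wholesale, which is the detail that decides whether a half-populated host directory silently breaks TLS verification inside awx_task and awx_web. The compose template added by this same patch mounts it with `:ro`, so the documentation can state that as a guarantee. Suggest adding after the NOTE line: `# The mount is read-only and replaces the container's /etc/pki/ca-trust entirely, so the host directory must contain the complete trust layout the image expects (presumably the extracted bundle, e.g. as maintained by update-ca-trust), not just the extra certificate files.` Since the variable is documented as "only obeyed in local_docker install", it would also help to say explicitly that the Kubernetes and OpenShift paths ignore it rather than fail.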
@@ -15,10 +15,16 @@ services:
 hostname: awxweb
 user: root
 restart: unless-stopped
- {% if project_data_dir is defined %}
+ {% if (project_data_dir is defined) or (ca_trust_dir is defined) %}
 volumes:
+ {% endif %}
+ {% if project_data_dir is defined %}
 - "{{ project_data_dir +':/var/lib/awx/projects:rw' }}"
 {% endif %}
+ {% endif %}
+ {% if ca_trust_dir is defined %}
+ - "{{ ca_trust_dir +':/etc/pki/ca-trust:ro' }}"
+ {% endif %}
 {% if (awx_container_search_domains is defined) and (',' in awx_container_search_domains) -%}
 {% set awx_container_search_domains_list = awx_container_search_domains.split(',') %}
 dns_search:
From f9f91ecf8140855e79df8dd81bfd1d95bad4b440 Mon Sep 17 00:00:00 2001
From: jeff
Date: Wed, 14 Mar 2018 11:41:10 +0100
Subject: [PATCH 2/5] Add ca_trust_dir to task image

---
 installer/local_docker/templates/docker-compose.yml.j2 | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/installer/local_docker/templates/docker-compose.yml.j2 b/installer/local_docker/templates/docker-compose.yml.j2
index 85ac70f9c3..dbedd11e6e 100644
--- a/installer/local_docker/templates/docker-compose.yml.j2
+++ b/installer/local_docker/templates/docker-compose.yml.j2
@@ -75,10 +75,16 @@ services:
 hostname: awx
 user: root
 restart: unless-stopped
- {% if project_data_dir is defined %}
+ {% if (project_data_dir is defined) or (ca_trust_dir is defined) %}
 volumes:
+ {% endif %}
+ {% if project_data_dir is defined %}
 - "{{ project_data_dir +':/var/lib/awx/projects:rw' }}"
 {% endif %}
+ {% endif %}
+ {% if ca_trust_dir is defined %}
+ - "{{ ca_trust_dir +':/etc/pki/ca-trust:ro' }}"
+ {% endif %}
 {% if (awx_container_search_domains is defined) and (',' in awx_container_search_domains) -%}
 {% set awx_container_search_domains_list = awx_container_search_domains.split(',') %}
 dns_search:
From 4fa0d2406a2c1a575b25280ae825b49f4291ddc9 Mon Sep 17 00:00:00 2001
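Review bot: `ca_trust_dir` is spliced into the compose volume spec as-is, in the awx_web hunk here and again in the awx_task hunk of PATCH 2/5, with no requirement that it be an absolute path; compose treats a left-hand side that does not start with `/` or `.` as a named volume, so a relative or mistyped value would mount an empty volume over `/etc/pki/ca-trust` and every TLS verification in that container would then fail with nothing pointing back at the inventory setting. The `:ro` flag on the new mount is the right choice and should stay. A short template comment would make the contract visible to the next editor, e.g. above the new `{% if ca_trust_dir is defined %}`: `{# ca_trust_dir must be an absolute host path; it overlays the image's entire /etc/pki/ca-trust tree read-only #}`. The surrounding `services:` mapping begins before this hunk.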
From: jeff
Date: Wed, 14 Mar 2018 15:16:26 +0100
Subject: [PATCH 3/5] Remove unneeded jinja endif

---
 installer/local_docker/templates/docker-compose.yml.j2 | 2 --
 1 file changed, 2 deletions(-)

diff --git a/installer/local_docker/templates/docker-compose.yml.j2 b/installer/local_docker/templates/docker-compose.yml.j2
index dbedd11e6e..ab9d79b0b7 100644
--- a/installer/local_docker/templates/docker-compose.yml.j2
+++ b/installer/local_docker/templates/docker-compose.yml.j2
@@ -21,7 +21,6 @@ services:
 {% if project_data_dir is defined %}
 - "{{ project_data_dir +':/var/lib/awx/projects:rw' }}"
 {% endif %}
- {% endif %}
 {% if ca_trust_dir is defined %}
 - "{{ ca_trust_dir +':/etc/pki/ca-trust:ro' }}"
 {% endif %}
@@ -81,7 +80,6 @@ services:
 {% if project_data_dir is defined %}
 - "{{ project_data_dir +':/var/lib/awx/projects:rw' }}"
 {% endif %}
- {% endif %}
 {% if ca_trust_dir is defined %}
 - "{{ ca_trust_dir +':/etc/pki/ca-trust:ro' }}"
 {% endif %}
From db8df5f724fc016f61d610c14635be4219fbea7b Mon Sep 17 00:00:00 2001
From: Alexander Bauer
Date: Fri, 2 Mar 2018 12:43:21 -0800
Subject: [PATCH 4/5] Add local_docker facility for bind-mounting ca-trust

This implements one possible solution for #411, but does not solve it for Kubernetes or Openshift installations.

# Conflicts:
# installer/inventory
---
 installer/inventory | 2 +-
 installer/local_docker/tasks/standalone.yml | 12 ++++++++++--
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/installer/inventory b/installer/inventory
index 65c24b1211..36d4452655 100644
--- a/installer/inventory
+++ b/installer/inventory
@@ -100,4 +100,4 @@ pg_port=5432
 # this variable causes this directory on the host to be bind mounted over
 # /etc/pki/ca-trust in the awx_task and awx_web containers.
 # NOTE: only obeyed in local_docker install
-#ca_trust_dir=/etc/pki/ca-trust
\ No newline at end of file
+#ca_trust_dir=/etc/pki/ca-trust
diff --git a/installer/local_docker/tasks/standalone.yml b/installer/local_docker/tasks/standalone.yml
index ac23f74e66..3c5fd29a60 100644
--- a/installer/local_docker/tasks/standalone.yml
+++ b/installer/local_docker/tasks/standalone.yml
@@ -79,7 +79,11 @@
 state: started
 restart_policy: unless-stopped
 image: "{{ awx_web_docker_actual_image }}"
- volumes: "{{ project_data_dir + ':/var/lib/awx/projects:rw' if project_data_dir is defined else omit }}"
+ volumes: >
+ {{
+ [project_data_dir + ':/var/lib/awx/projects:rw' if project_data_dir is defined else []
+ + [ca_trust_dir + ':/etc/pki/ca-trust:ro'] if ca_trust_dir is defined else []
+ }}
 user: root
 ports:
 - "{{ host_port }}:8052"
@@ -113,7 +117,11 @@
 state: started
 restart_policy: unless-stopped
 image: "{{ awx_task_docker_actual_image }}"
- volumes: "{{ project_data_dir + ':/var/lib/awx/projects:rw' if project_data_dir is defined else omit }}"
+ volumes: >
+ {{
+ [project_data_dir + ':/var/lib/awx/projects:rw' if project_data_dir is defined else []
+ + [ca_trust_dir + ':/etc/pki/ca-trust:ro'] if ca_trust_dir is defined else []
+ }}
 links: "{{ awx_task_container_links|list }}"
 user: root
 hostname: awx
From 709cb0ae2b84dd18d8c5013cb4ae8446e2531ce6 Mon Sep 17 00:00:00 2001
From: Alexander Bauer
Date: Fri, 2 Mar 2018 13:11:03 -0800
Subject: [PATCH 5/5] fixup! Add local_docker facility for bind-mounting ca-trust

---
 installer/local_docker/tasks/standalone.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/installer/local_docker/tasks/standalone.yml b/installer/local_docker/tasks/standalone.yml
index 3c5fd29a60..3e377157d5 100644
--- a/installer/local_docker/tasks/standalone.yml
+++ b/installer/local_docker/tasks/standalone.yml
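Review bot: The new `volumes:` expression drops the CA trust mount whenever `project_data_dir` is also set, because Jinja's conditional expression binds loosest: `A if c1 else [] + B if c2 else []` parses as `A if c1 else (([] + B) if c2 else [])`, so with both variables defined the result is only the projects mount and the container silently runs with its built-in trust store instead of the operator's CAs. This affects both standalone.yml hunks here (awx_web and awx_task) and survives the bracket fix in PATCH 5/5, which only repairs the missing `]`. Parenthesize each branch so the lists are concatenated: `([project_data_dir + ':/var/lib/awx/projects:rw'] if project_data_dir is defined else [])` followed by `+ ([ca_trust_dir + ':/etc/pki/ca-trust:ro'] if ca_trust_dir is defined else [])`. The previous version passed `omit` when nothing was configured while the new one yields `[]`; that is likely harmless for docker_container but worth confirming. The enclosing `docker_container` task starts before the hunk.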
@@ -81,7 +81,7 @@
 image: "{{ awx_web_docker_actual_image }}"
 volumes: >
 {{
- [project_data_dir + ':/var/lib/awx/projects:rw' if project_data_dir is defined else []
+ [project_data_dir + ':/var/lib/awx/projects:rw'] if project_data_dir is defined else []
 + [ca_trust_dir + ':/etc/pki/ca-trust:ro'] if ca_trust_dir is defined else []
 }}
 user: root
@@ -119,7 +119,7 @@
 image: "{{ awx_task_docker_actual_image }}"
 volumes: >
 {{
- [project_data_dir + ':/var/lib/awx/projects:rw' if project_data_dir is defined else []
+ [project_data_dir + ':/var/lib/awx/projects:rw'] if project_data_dir is defined else []
 + [ca_trust_dir + ':/etc/pki/ca-trust:ro'] if ca_trust_dir is defined else []
 }}
 links: "{{ awx_task_container_links|list }}"