Merge branch 'devel' into ikke-t-selinux-fix

2026-02-16 18:50:04 -03:30 · 2018-10-17 21:44:48 +03:00
parent b4919f9ebd ac08033d3e
commit 42a0192425
136 changed files with 2940 additions and 4336 deletions
--- a/installer/inventory
+++ b/installer/inventory
@@ -10,6 +10,7 @@ dockerhub_base=ansible

 # Openshift Install
 # Will need to set -e openshift_password=developer -e docker_registry_password=$(oc whoami -t)
+#           or set -e openshift_token=TOKEN
 # openshift_host=127.0.0.1:8443
 # openshift_project=awx
 # openshift_user=developer
@@ -32,6 +33,8 @@ dockerhub_base=ansible
 # task_mem_request=2

 # Common Docker parameters
+awx_task_hostname=awx
+awx_web_hostname=awxweb
 postgres_data_dir=/tmp/pgdocker
 host_port=80

@@ -65,6 +68,10 @@ pg_password=awxpass
 pg_database=awx
 pg_port=5432

+# RabbitMQ Configuration
+rabbitmq_password=awxpass
+rabbitmq_erlang_cookie=cookiemonster
+
 # Use a local distribution build container image for building the AWX package
 # This is helpful if you don't want to bother installing the build-time dependencies as
 # it is taken care of already.
@@ -78,8 +85,8 @@ pg_port=5432

 # This will create or update a default admin (superuser) account in AWX, if not provided
 # then these default values are used
-# default_admin_user=admin
-# default_admin_password=password
+admin_user=admin
+admin_password=password

 # AWX Secret key
 # It's *very* important that this stay the same between upgrades or you will lose the ability to decrypt
@@ -111,3 +118,9 @@ secret_key=awxsecret
 # /etc/pki/ca-trust in the awx_task and awx_web containers.
 # NOTE: only obeyed in local_docker install
 #ca_trust_dir=/etc/pki/ca-trust
+
+# Include /etc/nginx/awx_extra.conf
+# Note the use of glob pattern for nginx
+# which makes include "optional" - i.e. not fail
+# if file is absent
+#extra_nginx_include="/etc/nginx/awx_extra[.]conf"
--- a/installer/roles/image_build/files/launch_awx.sh
+++ b/installer/roles/image_build/files/launch_awx.sh
@@ -8,7 +8,7 @@ fi
 ANSIBLE_REMOTE_TEMP=/tmp ANSIBLE_LOCAL_TEMP=/tmp ansible -i "127.0.0.1," -c local -v -m wait_for -a "host=$DATABASE_HOST port=$DATABASE_PORT" all
 ANSIBLE_REMOTE_TEMP=/tmp ANSIBLE_LOCAL_TEMP=/tmp ansible -i "127.0.0.1," -c local -v -m wait_for -a "host=$MEMCACHED_HOST port=11211" all
 ANSIBLE_REMOTE_TEMP=/tmp ANSIBLE_LOCAL_TEMP=/tmp ansible -i "127.0.0.1," -c local -v -m wait_for -a "host=$RABBITMQ_HOST port=5672" all
-ANSIBLE_REMOTE_TEMP=/tmp ANSIBLE_LOCAL_TEMP=/tmp ansible -i "127.0.0.1," -c local -v -m postgresql_db -U $DATABASE_USER -a "name=$DATABASE_NAME owner=$DATABASE_USER login_user=$DATABASE_USER login_host=$DATABASE_HOST login_password=$DATABASE_PASSWORD port=$DATABASE_PORT" all
+ANSIBLE_REMOTE_TEMP=/tmp ANSIBLE_LOCAL_TEMP=/tmp ansible -i "127.0.0.1," -c local -v -m postgresql_db --become-user $DATABASE_USER -a "name=$DATABASE_NAME owner=$DATABASE_USER login_user=$DATABASE_USER login_host=$DATABASE_HOST login_password=$DATABASE_PASSWORD port=$DATABASE_PORT" all

 awx-manage collectstatic --noinput --clear
 supervisord -c /supervisor.conf
--- a/installer/roles/image_build/files/supervisor_task.conf
+++ b/installer/roles/image_build/files/supervisor_task.conf
@@ -2,8 +2,8 @@
 nodaemon = True
 umask = 022

-[program:celery]
-command = /var/lib/awx/venv/awx/bin/celery worker -A awx -B -l debug --autoscale=50,4 -Ofair -s /var/lib/awx/beat.db -n celery@%(ENV_HOSTNAME)s
+[program:dispatcher]
+command = awx-manage run_dispatcher
 directory = /var/lib/awx
 environment = LANGUAGE="en_US.UTF-8",LANG="en_US.UTF-8",LC_ALL="en_US.UTF-8",LC_CTYPE="en_US.UTF-8"
 #user = {{ aw_user }}
@@ -15,18 +15,6 @@ stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0

-[program:celery-watcher]
-command = /usr/bin/awx-manage watch_celery
-directory = /var/lib/awx
-environment = LANGUAGE="en_US.UTF-8",LANG="en_US.UTF-8",LC_ALL="en_US.UTF-8",LC_CTYPE="en_US.UTF-8"
-autostart = true
-autorestart = true
-stopwaitsecs = 5
-stdout_logfile=/dev/stdout
-stdout_logfile_maxbytes=0
-stderr_logfile=/dev/stderr
-stderr_logfile_maxbytes=0
-
 [program:callback-receiver]
 command = awx-manage run_callback_receiver
 directory = /var/lib/awx
@@ -50,7 +38,7 @@ stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0

 [group:tower-processes]
-programs=celery,celery-watcher,callback-receiver,channels-worker
+programs=dispatcher,callback-receiver,channels-worker
 priority=5

 # TODO: Exit Handler
--- a/installer/roles/image_build/tasks/main.yml
+++ b/installer/roles/image_build/tasks/main.yml
@@ -128,7 +128,7 @@
  delegate_to: localhost

 - name: Stage nginx.conf
-  copy:
+  template:
    src: nginx.conf
    dest: "{{ docker_base_path }}/nginx.conf"
  delegate_to: localhost
@@ -217,5 +217,5 @@
  file:
    path: "{{ docker_base_path }}"
    state: absent
-  when: cleanup_docker_base|default(True)
+  when: cleanup_docker_base|default(True)|bool
  delegate_to: localhost
--- a/installer/roles/image_build/templates/Dockerfile.j2
+++ b/installer/roles/image_build/templates/Dockerfile.j2
@@ -41,6 +41,7 @@ RUN yum -y install epel-release && \
    rm -rf /root/.cache

 RUN mkdir -p /var/log/tower
+RUN chmod -R g+w /var/log/tower
 RUN mkdir -p /etc/tower
 COPY {{ awx_sdist_file }} /tmp/{{ awx_sdist_file }}
 RUN OFFICIAL=yes pip install /tmp/{{ awx_sdist_file }}
--- a/installer/roles/image_build/templates/nginx.conf
+++ b/installer/roles/image_build/templates/nginx.conf
@@ -86,6 +86,9 @@ http {
            uwsgi_read_timeout 120s;
            uwsgi_pass uwsgi;
            include /etc/nginx/uwsgi_params;
+            {%- if extra_nginx_include is defined %}
+            include {{ extra_nginx_include }};
+            {%- endif %}
            proxy_set_header X-Forwarded-Port 443;
        }
    }
--- a/installer/roles/image_push/tasks/main.yml
+++ b/installer/roles/image_push/tasks/main.yml
@@ -25,7 +25,7 @@
        tag: "{{ awx_version }}"
        state: absent
  delegate_to: localhost
-  when: docker_remove_local_images|default(False)
+  when: docker_remove_local_images|default(False)|bool

 - name: Tag and Push Container Images
  block:
--- a/installer/roles/kubernetes/defaults/main.yml
+++ b/installer/roles/kubernetes/defaults/main.yml
@@ -1,4 +1,6 @@
 ---
+dockerhub_version: "{{ lookup('file', playbook_dir + '/../VERSION') }}"
+
 admin_user: 'admin'
 admin_email: 'root@localhost'
 admin_password: ''
--- a/installer/roles/kubernetes/tasks/openshift_auth.yml
+++ b/installer/roles/kubernetes/tasks/openshift_auth.yml
@@ -23,12 +23,35 @@
    - openshift_user is defined
    - openshift_password is defined
    - openshift_token is not defined
+  register: openshift_auth_result
+  ignore_errors: true
  no_log: true

+- name: OpenShift authentication failed on TLS verification
+  fail:
+    msg: "Failed to verify TLS, consider settings openshift_skip_tls_verify=True {{ openshift_auth_result.stderr  | default('certificate does not match hostname') }}"
+  when:
+    - openshift_skip_tls_verify is not defined or not openshift_skip_tls_verify
+    - openshift_auth_result.rc is defined and openshift_auth_result.rc != 0
+    - openshift_auth_result.stderr is defined and (openshift_auth_result.stderr | search("certificate that does not match its hostname"))
+
+- name: OpenShift authentication failed
+  fail:
+    msg: "{{ openshift_auth_result.stderr | default('Invalid credentials') }}"
+  when: openshift_auth_result.rc is defined and openshift_auth_result.rc != 0
+
 - name: Authenticate with OpenShift via token
  shell: |
    {{ openshift_oc_bin }} login {{ openshift_host }} \
      --token {{ openshift_token }} \
      --insecure-skip-tls-verify={{ openshift_skip_tls_verify | default(false) | bool }}
  when: openshift_token is defined
+  register: openshift_auth_result
+  ignore_errors: true
  no_log: true
+
+- name: OpenShift authentication failed
+  fail:
+    msg: "{{ openshift_auth_result.stderr | default('Invalid token') }}"
+  when: openshift_auth_result.rc is defined and openshift_auth_result.rc != 0
+
--- a/installer/roles/kubernetes/templates/deployment.yml.j2
+++ b/installer/roles/kubernetes/templates/deployment.yml.j2
@@ -115,6 +115,7 @@ metadata:
  name: {{ kubernetes_deployment_name }}
  namespace: {{ kubernetes_namespace }}
 spec:
+  serviceName: {{ kubernetes_deployment_name }}
  replicas: 1
  template:
    metadata:
@@ -139,6 +140,24 @@ spec:
            - name: "{{ kubernetes_deployment_name }}-confd"
              mountPath: "/etc/tower/conf.d/"
              readOnly: true
+          env:
+            - name: DATABASE_USER
+              value: {{ pg_username }}
+            - name: DATABASE_NAME
+              value: {{ pg_database }}
+            - name: DATABASE_HOST
+              value: {{ pg_hostname|default('postgresql') }}
+            - name: DATABASE_PORT
+              value: "{{ pg_port|default('5432') }}"
+            - name: DATABASE_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ kubernetes_deployment_name }}-secrets"
+                  key: pg_password
+            - name: MEMCACHED_HOST
+              value: {{ memcached_hostname|default('localhost') }}
+            - name: RABBITMQ_HOST
+              value: {{ rabbitmq_hostname|default('localhost') }}
          resources:
            requests:
              memory: "{{ web_mem_request }}Gi"
--- a/installer/roles/local_docker/defaults/main.yml
+++ b/installer/roles/local_docker/defaults/main.yml
@@ -3,3 +3,11 @@ dockerhub_version: "{{ lookup('file', playbook_dir + '/../VERSION') }}"

 rabbitmq_version: "3.7.4"
 rabbitmq_image: "ansible/awx_rabbitmq:{{rabbitmq_version}}"
+rabbitmq_default_vhost: "awx"
+rabbitmq_erlang_cookie: "cookiemonster"
+rabbitmq_port: "5672"
+rabbitmq_default_username: "guest"
+rabbitmq_default_password: "guest"
+
+postgresql_version: "9.6"
+postgresql_image: "postgres:{{postgresql_version}}"
--- a/installer/roles/local_docker/tasks/standalone.yml
+++ b/installer/roles/local_docker/tasks/standalone.yml
@@ -4,7 +4,7 @@
    name: postgres
    state: started
    restart_policy: unless-stopped
-    image: postgres:9.6
+    image: "{{ postgresql_image }}"
    volumes:
      - "{{ postgres_data_dir }}:/var/lib/postgresql/data:Z"
    env:
@@ -22,8 +22,10 @@
    restart_policy: unless-stopped
    image: "{{ rabbitmq_image }}"
    env:
-      RABBITMQ_DEFAULT_VHOST: "awx"
-      RABBITMQ_ERLANG_COOKIE: "cookiemonster"
+      RABBITMQ_DEFAULT_VHOST: "{{ rabbitmq_default_vhost }}"
+      RABBITMQ_ERLANG_COOKIE: "{{ rabbitmq_erlang_cookie }}"
+      RABBITMQ_DEFAULT_USER: "{{ rabbitmq_default_username }}"
+      RABBITMQ_DEFAULT_PASS: "{{ rabbitmq_default_password }}"
  register: rabbitmq_container_activate

 - name: Activate memcached container
@@ -80,16 +82,14 @@
    state: started
    restart_policy: unless-stopped
    image: "{{ awx_web_docker_actual_image }}"
-    volumes: >
-      {{
-        [project_data_dir + ':/var/lib/awx/projects:z'] if project_data_dir is defined else []
-        + [ca_trust_dir + ':/etc/pki/ca-trust/source/anchors:ro'] if ca_trust_dir is defined else []
-      }}
+    volumes:
+      - "{{ project_data_dir + ':/var/lib/awx/projects:z' if project_data_dir is defined else [] }}"
+      - "{{ ca_trust_dir + ':/etc/pki/ca-trust/source/anchors:ro' if ca_trust_dir is defined else [] }}"
    user: root
    ports:
      - "{{ host_port }}:8052"
    links: "{{ awx_web_container_links|list }}"
-    hostname: awxweb
+    hostname: "{{ awx_web_hostname }}"
    dns_search_domains: "{{ awx_container_search_domains.split(',') if awx_container_search_domains is defined else omit }}"
    dns_servers: "{{ awx_alternate_dns_servers.split(',') if awx_alternate_dns_servers is defined else omit }}"
    env:
@@ -102,15 +102,20 @@
      DATABASE_PASSWORD: "{{ pg_password }}"
      DATABASE_PORT: "{{ pg_port }}"
      DATABASE_HOST: "{{ pg_hostname_actual }}"
-      RABBITMQ_USER: "guest"
-      RABBITMQ_PASSWORD: "guest"
+      RABBITMQ_USER: "{{ rabbitmq_default_username }}"
+      RABBITMQ_PASSWORD: "{{ rabbitmq_default_password }}"
      RABBITMQ_HOST: "rabbitmq"
-      RABBITMQ_PORT: "5672"
-      RABBITMQ_VHOST: "awx"
+      RABBITMQ_PORT: "{{ rabbitmq_port }}"
+      RABBITMQ_VHOST: "{{ rabbitmq_default_vhost }}"
      MEMCACHED_HOST: "memcached"
      MEMCACHED_PORT: "11211"
      AWX_ADMIN_USER: "{{ default_admin_user|default('admin') }}"
      AWX_ADMIN_PASSWORD: "{{ default_admin_password|default('password') }}"
+  register: awx_web_container
+
+- name: Update CA trust in awx_web container
+  command: docker exec awx_web '/usr/bin/update-ca-trust'
+  when: awx_web_container.changed

 - name: Activate AWX Task Container
  docker_container:
@@ -125,7 +130,7 @@
      }}
    links: "{{ awx_task_container_links|list }}"
    user: root
-    hostname: awx
+    hostname: "{{ awx_task_hostname }}"
    dns_search_domains: "{{ awx_container_search_domains.split(',') if awx_container_search_domains is defined else omit }}"
    dns_servers: "{{ awx_alternate_dns_servers.split(',') if awx_alternate_dns_servers is defined else omit }}"
    env:
@@ -138,11 +143,11 @@
      DATABASE_PASSWORD: "{{ pg_password }}"
      DATABASE_HOST: "{{ pg_hostname_actual }}"
      DATABASE_PORT: "{{ pg_port }}"
-      RABBITMQ_USER: "guest"
-      RABBITMQ_PASSWORD: "guest"
+      RABBITMQ_USER: "{{ rabbitmq_default_username }}"
+      RABBITMQ_PASSWORD: "{{ rabbitmq_default_password }}"
      RABBITMQ_HOST: "rabbitmq"
-      RABBITMQ_PORT: "5672"
-      RABBITMQ_VHOST: "awx"
+      RABBITMQ_PORT: "{{ rabbitmq_port }}"
+      RABBITMQ_VHOST: "{{ rabbitmq_default_vhost }}"
      MEMCACHED_HOST: "memcached"
      MEMCACHED_PORT: "11211"
      AWX_ADMIN_USER: "{{ default_admin_user|default('admin') }}"
--- a/installer/roles/local_docker/templates/docker-compose.yml.j2
+++ b/installer/roles/local_docker/templates/docker-compose.yml.j2
@@ -12,7 +12,7 @@ services:
      {% endif %}
    ports:
      - "{{ host_port }}:8052"
-    hostname: awxweb
+    hostname: {{ awx_web_hostname }}
    user: root
    restart: unless-stopped
    {% if (project_data_dir is defined) or (ca_trust_dir is defined) %}
@@ -71,7 +71,7 @@ services:
      {% if pg_hostname is not defined %}
      - postgres
      {% endif %}
-    hostname: awx
+    hostname: {{ awx_task_hostname }}
    user: root
    restart: unless-stopped
    {% if (project_data_dir is defined) or (ca_trust_dir is defined) %}