Attached is a patch for https://pagure.io/fedora-infrastructure/issue/8156
There were lots of places where I didn't know whether a certain conditional
makes sense, for example checking for ansible_distribution == RedHat
when we maybe have only Fedora machines and that playbook would never
run on RHEL.
I've added a couple of FIXME lines where I thought that a closer look
might be required.
Thanks,
Karsten
>From dce06bcb335134a954de2c6fedf2788d870e75f9 Mon Sep 17 00:00:00 2001
From: Karsten Hopp <karsten@xxxxxxxxxx>
Date: Mon, 2 Sep 2019 12:14:18 +0200
Subject: [PATCH] update ansible_distribution_major_version conditionals
Signed-off-by: Karsten Hopp <karsten@xxxxxxxxxx>
---
handlers/restart_services.yml | 4 +-
playbooks/check-host.yml | 26 +++++-
playbooks/groups/download.yml | 3 +-
playbooks/groups/maintainer-test.yml | 2 +-
playbooks/manual/update-packages.yml | 12 +--
playbooks/transient_cloud_instance.yml | 5 +-
playbooks/transient_newcloud_instance.yml | 5 +-
roles/apache/tasks/main.yml | 18 +++-
roles/base/tasks/main.yml | 89 ++++++++++++++++---
roles/base/templates/krb5.conf.j2 | 2 +-
roles/basessh/tasks/main.yml | 24 ++++-
roles/basessh/templates/sshd_config | 7 +-
roles/chrony/tasks/main.yml | 1 +
roles/collectd/base/tasks/main.yml | 34 +++++--
roles/dnf-automatic/tasks/main.yml | 32 +++++--
roles/fas_client/tasks/main.yml | 2 +-
roles/git/server/tasks/main.yml | 21 ++++-
roles/iscsi_client/tasks/main.yml | 14 ++-
roles/kerneltest/templates/kerneltest.conf | 2 +-
roles/koji_hub/tasks/main.yml | 1 +
roles/mariadb_server/tasks/main.yml | 10 +--
roles/nagios_client/tasks/main.yml | 2 +-
roles/nfs/client/tasks/main.yml | 8 +-
roles/nginx/templates/etc/nginx/nginx.conf.j2 | 2 +-
roles/openqa/worker/tasks/tap-setup.yml | 2 +-
roles/openvpn/base/tasks/main.yml | 49 ++++++++--
roles/openvpn/client/tasks/main.yml | 45 +++++-----
roles/packages3/web/tasks/main.yml | 8 +-
roles/postgresql_server/tasks/main.yml | 18 +++-
roles/postgresql_server_bdr/tasks/main.yml | 3 +-
roles/rkhunter/tasks/main.yml | 11 +--
roles/rkhunter/templates/rkhunter.conf.j2 | 5 --
roles/rsyncd/tasks/main.yml | 20 ++++-
roles/sigul/server/tasks/main.yml | 16 +++-
roles/taskotron/grokmirror/tasks/main.yml | 11 ++-
.../resultsdb-backend/tasks/main.yml | 13 ++-
.../resultsdb-frontend/tasks/main.yml | 11 ++-
roles/taskotron/ssl-taskotron/tasks/main.yml | 10 ++-
.../taskotron-frontend/tasks/main.yml | 10 ++-
.../taskotron/taskotron-master/tasks/main.yml | 8 +-
.../taskotron/taskotron-proxy/tasks/main.yml | 10 ++-
roles/varnish/tasks/main.yml | 13 +--
tasks/2fa_client.yml | 10 ++-
tasks/cloud_setup_basic.yml | 24 ++++-
tasks/yumrepos.yml | 12 +--
45 files changed, 460 insertions(+), 175 deletions(-)
diff --git a/handlers/restart_services.yml b/handlers/restart_services.yml
index 046adb7e1..1491f3727 100644
--- a/handlers/restart_services.yml
+++ b/handlers/restart_services.yml
@@ -77,8 +77,8 @@
#notify:
#- fix openvpn routing
-- name: restart openvpn (RHEL7)
- when: ansible_distribution == "RedHat" and ansible_distribution_major_version|int == 7
+- name: restart openvpn (RHEL7+)
+ when: ansible_distribution == "RedHat" and ansible_distribution_major_version|int >= 7
action: service name=openvpn-client@openvpn state=restarted
#notify:
#- fix openvpn routing
diff --git a/playbooks/check-host.yml b/playbooks/check-host.yml
index 33bff7b99..dbe61a4e5 100644
--- a/playbooks/check-host.yml
+++ b/playbooks/check-host.yml
@@ -17,16 +17,34 @@
- name: Get list of active loaded services with systemctl
shell: '/bin/systemctl -t service --no-legend | egrep "loaded active" | tr -s " " | cut -d " " -f1'
changed_when: False
- when: ansible_distribution_major_version|int > 6
+ when: ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora'
register: loaded_active_services_systemctl
tags:
- check
- services
+ - name: Get list of active loaded services with systemctl
+ shell: '/bin/systemctl -t service --no-legend | egrep "loaded active" | tr -s " " | cut -d " " -f1'
+ changed_when: False
+ when: ansible_distribution_major_version|int > 6 and ansible_distribution is 'RedHat'
+ register: loaded_active_services_systemctl
+ tags:
+ - check
+ - services
+
+ - name: Get list of inactive loaded services with systemctl
+ shell: '/bin/systemctl -t service --no-legend | egrep -v "loaded active" | tr -s " " | cut -d " " -f1'
+ changed_when: False
+ when: ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora'
+ register: loaded_inactive_services_systemctl
+ tags:
+ - check
+ - services
+
- name: Get list of inactive loaded services with systemctl
shell: '/bin/systemctl -t service --no-legend | egrep -v "loaded active" | tr -s " " | cut -d " " -f1'
changed_when: False
- when: ansible_distribution_major_version|int > 6
+ when: ansible_distribution_major_version|int > 6 and ansible_distribution is 'RedHat'
register: loaded_inactive_services_systemctl
tags:
- check
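Review bot: `ansible_distribution is 'Fedora'` / `is 'RedHat'` on the new `when:` lines is not a comparison: Jinja2's `is` expects a test name, so a quoted string after it should be rejected as a syntax error when the condition is evaluated. Use `ansible_distribution == 'Fedora'`, as the roles/iscsi_client hunk in this patch already does; the same applies to every other hunk and template here that uses `is '...'`. The duplicated tasks also share one `register:` name, and a skipped task still overwrites its register variable with a skipped result, so on a Fedora host the RedHat copy that follows discards the list the Fedora copy collected. The same pattern affects `if_uuid` and `selinux_module` in roles/base and `automaticative` in roles/dnf-automatic, where it would keep the RHEL 8 install timer from being started. One task per check with `when: (ansible_distribution == 'Fedora' and ansible_distribution_major_version|int >= 29) or (ansible_distribution == 'RedHat' and ansible_distribution_major_version|int > 6)` avoids both problems.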
@@ -36,7 +54,7 @@
- name: Get list of enabled services with chkconfig at current runlevel
shell: "chkconfig | grep \"`runlevel | cut -d ' ' -f 2`:on\" | awk '{print $1}'"
changed_when: False
- when: ansible_distribution_major_version|int <= 6
+ when: ansible_distribution_major_version|int <= 6 and ansible_distribution is 'RedHat'
register: enabled_services_chkconfig
tags:
- check
@@ -45,7 +63,7 @@
- name: Get list of disabled services with chkconfig at current runlevel
shell: "chkconfig | grep \"`runlevel | cut -d ' ' -f 2`:off\" | awk '{print $1}'"
changed_when: False
- when: ansible_distribution_major_version|int <= 6
+ when: ansible_distribution_major_version|int <= 6 and ansible_distribution is 'RedHat'
register: disabled_services_chkconfig
tags:
- check
diff --git a/playbooks/groups/download.yml b/playbooks/groups/download.yml
index f578aabc0..698ab7b9b 100644
--- a/playbooks/groups/download.yml
+++ b/playbooks/groups/download.yml
@@ -26,6 +26,7 @@
- "/srv/private/ansible/vars.yml"
- "/srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml"
+# FIXME: is checking for RedHat correct here ?
roles:
- base
- rkhunter
@@ -35,7 +36,7 @@
- collectd/base
- apache
- download
- - { role: mod_limitipconn, when: ansible_distribution_major_version|int != '7'}
+ - { role: mod_limitipconn, when: ansible_distribution_major_version|int != '7' and ansible_distribution is 'RedHat'}
- rsyncd
- { role: nfs/client, when: datacenter == "phx2", mnt_dir: '/srv/pub', nfs_src_dir: 'fedora_ftp/fedora.redhat.com/pub' }
- { role: nfs/client, when: datacenter == "rdu", mnt_dir: '/srv/pub', nfs_src_dir: 'fedora_ftp/fedora.redhat.com/pub' }
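Review bot: `ansible_distribution_major_version|int != '7'` on the mod_limitipconn line compares an integer with the string `'7'`, which are never equal, so the version half of the condition is always true. The patch carries that comparison over unchanged, which means the role is still applied to RHEL 7 hosts that the check appears meant to exclude. Compare against a number instead: `when: ansible_distribution_major_version|int != 7 and ansible_distribution == 'RedHat'`.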
diff --git a/playbooks/groups/maintainer-test.yml b/playbooks/groups/maintainer-test.yml
index edb108c05..32e735e6e 100644
--- a/playbooks/groups/maintainer-test.yml
+++ b/playbooks/groups/maintainer-test.yml
@@ -65,7 +65,7 @@
dnf: state=present pkg={{ item }}
with_items:
- fedora-packager
- when: ansible_distribution_major_version|int > 21
+ when: ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora'
tags:
- packages
diff --git a/playbooks/manual/update-packages.yml b/playbooks/manual/update-packages.yml
index 7b6eb9344..78a250e30 100644
--- a/playbooks/manual/update-packages.yml
+++ b/playbooks/manual/update-packages.yml
@@ -17,25 +17,25 @@
- name: yum update {{ package }} from main repo
yum: name="{{ package }}" state=latest update_cache=yes
- when: not testing and ansible_distribution_major_version|int < 22
+ when: not testing and ansible_distribution_major_version|int < 8 and ansible_distribution is 'RedHat'
- name: yum update {{ package }} from testing repo
yum: name="{{ package }}" state=latest enablerepo=infrastructure-tags-stg update_cache=yes
- when: testing and ansible_distribution_major_version|int < 22
+ when: testing and ansible_distribution_major_version|int < 8 and ansible_distribution is 'RedHat'
- name: dnf clean all (since we can't do it when updating)
command: dnf clean all
- when: not testing and ansible_distribution_major_version|int > 21
+ when: not testing and ansible_distribution_major_version|int > 21 and ansible_distribution is 'Fedora'
- name: dnf update {{ package }} from main repo
dnf: name="{{ package }}" state=latest
- when: not testing and ansible_distribution_major_version|int > 21
+ when: not testing and ansible_distribution_major_version|int > 21 and ansible_distribution is 'Fedora'
- name: dnf clean all (since we can't do it when updating)
command: dnf clean all --enablerepo=infrastructure-tags-stg
- when: testing and ansible_distribution_major_version|int > 21
+ when: testing and ansible_distribution_major_version|int > 21 and ansible_distribution is 'Fedora'
- name: dnf update {{ package }} from testing repo
dnf: name="{{ package }}" state=latest enablerepo=infrastructure-tags-stg
- when: testing and ansible_distribution_major_version|int > 21
+ when: testing and ansible_distribution_major_version|int > 21 and ansible_distribution is 'Fedora'
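Review bot: A RHEL 8 host now matches none of the six tasks in this hunk, because the yum tasks require `< 8` on RedHat and the dnf tasks require Fedora. Running this playbook against such a host would skip everything and still report success, so a package update that was meant to be pushed (for example a security fix) is silently not applied. Extend the dnf conditions to cover it, e.g. `(ansible_distribution == 'Fedora' and ansible_distribution_major_version|int > 21) or (ansible_distribution == 'RedHat' and ansible_distribution_major_version|int >= 8)`, combined with the existing `testing` / `not testing` term.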
diff --git a/playbooks/transient_cloud_instance.yml b/playbooks/transient_cloud_instance.yml
index 3ce042cf7..53300ccff 100644
--- a/playbooks/transient_cloud_instance.yml
+++ b/playbooks/transient_cloud_instance.yml
@@ -69,11 +69,12 @@
tasks:
- name: install cloud-utils (yum)
package: name=cloud-utils state=present
- when: ansible_distribution_major_version|int < 22
+ when: ansible_distribution_major_version|int < 8 and ansible_distribution is 'RedHat'
+# FIXME no Fedora ?
- name: install cloud-utils (dnf)
command: dnf install -y cloud-utils
- when: ansible_distribution_major_version|int > 21 and ansible_cmdline.ostree is not defined
+ when: ansible_distribution_major_version|int > 7 and ansible_cmdline.ostree is not defined
- import_tasks: "{{ tasks_path }}/cloud_setup_basic.yml"
diff --git a/playbooks/transient_newcloud_instance.yml b/playbooks/transient_newcloud_instance.yml
index 3b01af90b..207679d61 100644
--- a/playbooks/transient_newcloud_instance.yml
+++ b/playbooks/transient_newcloud_instance.yml
@@ -76,11 +76,12 @@
tasks:
- name: install cloud-utils (yum)
package: name=cloud-utils state=present
- when: ansible_distribution_major_version|int < 22
+ when: ansible_distribution_major_version|int < 8 and ansible_distribution is 'RedHat'
+# FIXME no Fedora ?
- name: install cloud-utils (dnf)
command: dnf install -y cloud-utils
- when: ansible_distribution_major_version|int > 21 and ansible_cmdline.ostree is not defined
+ when: ansible_distribution_major_version|int > 7 and ansible_cmdline.ostree is not defined
- import_tasks: "{{ tasks_path }}/cloud_setup_basic.yml"
diff --git a/roles/apache/tasks/main.yml b/roles/apache/tasks/main.yml
index 78ffe45b9..f65c7472e 100644
--- a/roles/apache/tasks/main.yml
+++ b/roles/apache/tasks/main.yml
@@ -24,7 +24,19 @@
- name: hotfix - copy over new httpd init script
copy: src="{{ files }}/hotfix/httpd/httpd.init" dest=/etc/init.d/httpd
owner=root group=root mode=0755
- when: ansible_distribution_major_version|int < 30
+ when: ansible_distribution_major_version|int < 30 and ansible_distribution is 'Fedora'
+ notify:
+ - reload apache
+ tags:
+ - config
+ - hotfix
+ - apache
+
+# install hash randomization hotfix
+- name: hotfix - copy over new httpd init script
+ copy: src="{{ files }}/hotfix/httpd/httpd.init" dest=/etc/init.d/httpd
+ owner=root group=root mode=0755
+ when: ansible_distribution_major_version|int <= 8 and ansible_distribution is 'RedHat'
notify:
- reload apache
tags:
@@ -34,7 +46,7 @@
- name: hotfix - copy over new httpd sysconfig (el6)
copy: src="{{ files }}/hotfix/httpd/httpd.sysconfig" dest=/etc/sysconfig/httpd
- when: ansible_distribution_major_version|int == 6
+ when: ansible_distribution_major_version|int == 6 and ansible_distribution is 'RedHat'
notify:
- reload apache
tags:
@@ -44,7 +56,7 @@
- name: hotfix - copy over new httpd sysconfig (el7)
copy: src="{{ files }}/hotfix/httpd/httpd.sysconfig" dest=/etc/sysconfig/httpd
- when: ansible_distribution_major_version|int == 7
+ when: ansible_distribution_major_version|int == 7 and ansible_distribution is 'RedHat'
notify:
- reload apache
tags:
diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml
index ab1b7447f..2b15887a7 100644
--- a/roles/base/tasks/main.yml
+++ b/roles/base/tasks/main.yml
@@ -11,11 +11,11 @@
- policycoreutils-python
tags:
- selinux
- when: ansible_distribution_major_version|int < 8
+ when: ansible_distribution_major_version|int < 8 and ansible_distribution is 'RedHat'
- name: ensure packages required for semanage are installed (dnf)
package: name=policycoreutils-python-utils state=present
- when: ansible_distribution_major_version|int > 27 and ansible_cmdline.ostree is not defined
+ when: (ansible_distribution_major_version|int > 27 and ansible_distribution is 'Fedora') or (ansible_distribution_major_version|int > 7 and ansible_distribution is 'RedHat') and ansible_cmdline.ostree is not defined
tags:
- selinux
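Review bot: In the new dnf condition `and` binds tighter than `or`, so `ansible_cmdline.ostree is not defined` only guards the RedHat branch. A Fedora ostree host with major version above 27 now passes the condition, whereas the old line applied the ostree guard to every host. Group the distribution alternatives first: `when: ((ansible_distribution == 'Fedora' and ansible_distribution_major_version|int > 27) or (ansible_distribution == 'RedHat' and ansible_distribution_major_version|int > 7)) and ansible_cmdline.ostree is not defined`.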
@@ -52,7 +52,18 @@
ini_file: dest=/etc/NetworkManager/NetworkManager.conf section=main option=dns value=none
notify:
- restart NetworkManager
- when: ansible_distribution_major_version|int >=7 and nmclitest is success and ( not ansible_ifcfg_blacklist) and not nm_controlled_resolv
+ when: ansible_distribution_major_version|int >=7 and ansible_distribution is 'RedHat' and nmclitest is success and ( not ansible_ifcfg_blacklist) and not nm_controlled_resolv
+ tags:
+ - config
+ - resolvconf
+ - base
+ - ifcfg
+
+- name: disable resolv.conf control from NM
+ ini_file: dest=/etc/NetworkManager/NetworkManager.conf section=main option=dns value=none
+ notify:
+ - restart NetworkManager
+ when: ansible_distribution_major_version|int >=29 and ansible_distribution is 'Fedora' and nmclitest is success and ( not ansible_ifcfg_blacklist) and not nm_controlled_resolv
tags:
- config
- resolvconf
@@ -65,7 +76,19 @@
changed_when: false
failed_when: 'if_uuid.stdout == ""'
check_mode: no
- when: ansible_distribution_major_version|int >=7 and nmclitest is success and ( not ansible_ifcfg_blacklist )
+ when: ansible_distribution_major_version|int >=7 and ansible_distribution is 'RedHat' and nmclitest is success and ( not ansible_ifcfg_blacklist )
+ tags:
+ - config
+ - ifcfg
+ - base
+
+- name: get interface uuid
+ shell: nmcli -f "DEVICE,UUID" c show --active | grep -E '^eth|^br|^em'
+ register: if_uuid
+ changed_when: false
+ failed_when: 'if_uuid.stdout == ""'
+ check_mode: no
+ when: ansible_distribution_major_version|int >=29 and ansible_distribution is 'Fedora' and nmclitest is success and ( not ansible_ifcfg_blacklist )
tags:
- config
- ifcfg
@@ -92,17 +115,25 @@
tags:
- packages
- base
- when: ansible_distribution_major_version|int < 22 and ansible_distribution_major_version|int != 8
+ when: ansible_distribution_major_version|int < 8 and ansible_distribution is 'RedHat'
+
+- name: global default packages to install (dnf)
+ dnf: state=present name="{{ global_pkgs_inst }}"
+ tags:
+ - packages
+ - base
+ when: ansible_distribution_major_version|int >= 8 and ansible_distribution is 'RedHat' and ansible_cmdline.ostree is not defined
- name: global default packages to install (dnf)
dnf: state=present name="{{ global_pkgs_inst }}"
tags:
- packages
- base
- when: ansible_distribution_major_version|int > 21 and ansible_cmdline.ostree is not defined
+ when: ansible_distribution_major_version|int > 29 and ansible_distribution is 'Fedora' and ansible_cmdline.ostree is not defined
- name: make sure hostname is set right on rhel7 hosts
hostname: name="{{inventory_hostname}}"
+ when: ansible_distribution_major_version|int == 7 and ansible_distribution is 'RedHat'
#
# We set builders root password in the koji_builder role, so do not set those here
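Review bot: The Fedora copy of `global default packages to install (dnf)` uses `|int > 29`, while the other Fedora conditions in this patch use `>= 29`. With `> 29` a Fedora 29 host matches neither the yum task nor either dnf task and gets no global default packages. The same `> 29` appears on the Fedora `dist pkgs to remove (dnf)` and `dist pkgs to install (dnf)` tasks in the hunk at `@@ -146,21 +177,35 @@`. If Fedora 29 is the intended floor, use `ansible_distribution_major_version|int >= 29` in all three places.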
@@ -137,7 +168,7 @@
tags:
- packages
- base
- when: ansible_distribution_major_version|int < 22
+ when: ansible_distribution_major_version|int < 8 and ansible_distribution is 'RedHat'
- name: dist pkgs to install (yum)
package: state=present name={{ item }}
@@ -146,21 +177,35 @@
tags:
- packages
- base
- when: ansible_distribution_major_version|int < 22
+ when: ansible_distribution_major_version|int < 8 and ansible_distribution is 'RedHat'
- name: dist pkgs to remove (dnf)
dnf: state=absent name="{{ base_pkgs_erase }}"
tags:
- packages
- base
- when: ansible_distribution_major_version|int > 21 and ansible_cmdline.ostree is not defined
+ when: ansible_distribution_major_version|int > 29 and ansible_distribution is 'Fedora' and ansible_cmdline.ostree is not defined
+
+- name: dist pkgs to remove (dnf)
+ dnf: state=absent name="{{ base_pkgs_erase }}"
+ tags:
+ - packages
+ - base
+ when: ansible_distribution_major_version|int >= 8 and ansible_distribution is 'RedHat' and ansible_cmdline.ostree is not defined
+
+- name: dist pkgs to install (dnf)
+ dnf: state=present name="{{ base_pkgs_inst }}"
+ tags:
+ - packages
+ - base
+ when: ansible_distribution_major_version|int > 29 and ansible_distribution is 'Fedora' and ansible_cmdline.ostree is not defined
- name: dist pkgs to install (dnf)
dnf: state=present name="{{ base_pkgs_inst }}"
tags:
- packages
- base
- when: ansible_distribution_major_version|int > 21 and ansible_cmdline.ostree is not defined
+ when: ansible_distribution_major_version|int >= 8 and ansible_distribution is 'RedHat' and ansible_cmdline.ostree is not defined
- name: dist disabled services
service: state=stopped enabled=false name={{ item }}
@@ -234,7 +279,18 @@
- name: enable journald persistence
file: path=/var/log/journal state=directory
owner=root group=systemd-journal mode=2755
- when: ansible_distribution_major_version|int >= 7
+ when: ansible_distribution_major_version|int >= 7 and ansible_distribution is 'RedHat'
+ tags:
+ - journald
+ - config
+ - base
+ notify:
+ - flush journald tmpfiles to persistent store
+
+- name: enable journald persistence
+ file: path=/var/log/journal state=directory
+ owner=root group=systemd-journal mode=2755
+ when: ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora'
tags:
- journald
- config
@@ -346,7 +402,16 @@
- name: copy over our custom selinux module
copy: src=selinux/mapchkpwd.pp dest=/usr/local/share/mapchkpwd.pp
register: selinux_module
- when: ansible_distribution_major_version|int >= 27
+ when: ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora'
+ tags:
+ - config
+ - selinux
+
+# Custom selinux policy to allow unix_chkpwd to map PAM database
+- name: copy over our custom selinux module
+ copy: src=selinux/mapchkpwd.pp dest=/usr/local/share/mapchkpwd.pp
+ register: selinux_module
+ when: ansible_distribution_major_version|int >= 8 and ansible_distribution is 'RedHat'
tags:
- config
- selinux
diff --git a/roles/base/templates/krb5.conf.j2 b/roles/base/templates/krb5.conf.j2
index 5cad5d767..2ae9aa374 100644
--- a/roles/base/templates/krb5.conf.j2
+++ b/roles/base/templates/krb5.conf.j2
@@ -15,7 +15,7 @@
[realms]
{{ ipa_realm }} = {
-{% if ansible_distribution_major_version|default(0)|int == 6 %}
+{% if ansible_distribution_major_version|default(0)|int == 6 and and ansible_distribution is "RedHat" %}
kdc = ipa01{{ env_suffix }}.phx2.fedoraproject.org
{% else %}
kdc = https://id{{ env_suffix }}.fedoraproject.org/KdcProxy
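Review bot: The doubled `and and` in the new `{% if %}` line is a Jinja syntax error, so krb5.conf would fail to render on every host that gets this template, not just on RHEL 6. The intended line is presumably `{% if ansible_distribution_major_version|default(0)|int == 6 and ansible_distribution == "RedHat" %}`. The version has a `default(0)` but the distribution has none; if this template can be rendered without gathered facts, `ansible_distribution|default('')` would be needed as well. The `[realms]` block continues outside the hunk.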
diff --git a/roles/basessh/tasks/main.yml b/roles/basessh/tasks/main.yml
index 49a5aff74..379e6a1c6 100644
--- a/roles/basessh/tasks/main.yml
+++ b/roles/basessh/tasks/main.yml
@@ -33,7 +33,27 @@
- config
- sshd
- selinux
- when: ansible_distribution_major_version|int < 30 and ansible_distribution_major_version|int != 8
+ when: ansible_distribution_major_version|int < 30 and ansible_distribution is 'Fedora'
+
+- name: make sure libselinux-python is installed
+ package: name=libselinux-python state=present
+ tags:
+ - basessh
+ - sshd_config
+ - config
+ - sshd
+ - selinux
+ when: ansible_distribution_major_version|int < 8 and ansible_distribution is 'RedHat'
+
+- name: make sure python3-libselinux is installed
+ package: name=python3-libselinux state=present
+ tags:
+ - basessh
+ - sshd_config
+ - config
+ - sshd
+ - selinux
+ when: ansible_distribution_major_version|int >= 30 and ansible_distribution is 'Fedora'
- name: make sure python3-libselinux is installed
package: name=python3-libselinux state=present
@@ -43,7 +63,7 @@
- config
- sshd
- selinux
- when: ansible_distribution_major_version|int >= 30 or ansible_distribution_major_version|int == 8
+ when: ansible_distribution_major_version|int >= 8 and ansible_distribution is 'RedHat'
- name: check if sshd port is already known by selinux
shell: semanage port -l | grep ssh
diff --git a/roles/basessh/templates/sshd_config b/roles/basessh/templates/sshd_config
index 7ec4a855e..43f9b4d84 100644
--- a/roles/basessh/templates/sshd_config
+++ b/roles/basessh/templates/sshd_config
@@ -2,7 +2,7 @@ Protocol 2
Port {{ sshd_port }}
-{% if ansible_distribution_major_version == "6" %}
+{% if ansible_distribution_major_version == "6" and ansible_distribution is 'RedHat' %}
KexAlgorithms diffie-hellman-group-exchange-sha256
MACs hmac-sha2-512,hmac-sha2-256
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
@@ -31,9 +31,10 @@ AllowAgentForwarding no
X11Forwarding no
PermitTunnel no
-{% if ansible_distribution_major_version == "6" %}
+{% if ansible_distribution_major_version == "6" and ansible_distribution is 'RedHat' %}
UsePrivilegeSeparation yes
-{% elif ansible_distribution_major_version == "7" %}
+#FIXME: How about RHEL8 and Fedora ? sandbox as well ?
+{% elif ansible_distribution_major_version == "7" and ansible_distribution is 'RedHat' %}
UsePrivilegeSeparation sandbox
{% endif %}
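Review bot: The added `#FIXME: How about RHEL8 and Fedora ? sandbox as well ?` line is plain template text inside the `== "6"` branch, so it is written into the rendered sshd_config on RHEL 6 hosts. Make it a template comment, `{# FIXME: RHEL8 and Fedora: sandbox as well? #}`, so the question stays in the source only. On the question itself, `UsePrivilegeSeparation` was deprecated in OpenSSH 7.5, where privilege separation became mandatory, so hosts shipping a newer sshd (presumably RHEL 8 and current Fedora) should need no extra branch; worth confirming against the packaged versions.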
diff --git a/roles/chrony/tasks/main.yml b/roles/chrony/tasks/main.yml
index 2e5609f32..471207eda 100644
--- a/roles/chrony/tasks/main.yml
+++ b/roles/chrony/tasks/main.yml
@@ -26,3 +26,4 @@
- chrony
- service
- base
+ when: ansible_distribution_major_version|int != 8
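Review bot: The new `when: ansible_distribution_major_version|int != 8` skips this task on any host with major version 8, with no distribution test and no comment explaining why. The task starts above the hunk, but its tags (`chrony`, `service`) suggest it manages the chrony service, in which case RHEL 8 hosts would be left without managed time synchronisation, which Kerberos authentication and log correlation depend on. If the exclusion is deliberate, state the reason in a comment and scope it, e.g. `when: not (ansible_distribution == 'RedHat' and ansible_distribution_major_version|int == 8)`.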
diff --git a/roles/collectd/base/tasks/main.yml b/roles/collectd/base/tasks/main.yml
index 23d442774..7c8fc2e9b 100644
--- a/roles/collectd/base/tasks/main.yml
+++ b/roles/collectd/base/tasks/main.yml
@@ -6,21 +6,35 @@
package: name=collectd state=present
tags:
- collectd
- when: ansible_distribution_major_version|int < 22
+ when: ansible_distribution_major_version|int <= 7 and ansible_distribution is 'RedHat'
# install pkg
- name: install collectd
dnf: name=collectd state=present
tags:
- collectd
- when: ansible_distribution_major_version|int > 21
+ when: ansible_distribution_major_version|int > 7 and ansible_distribution is 'RedHat'
+
+# install pkg
+- name: install collectd
+ dnf: name=collectd state=present
+ tags:
+ - collectd
+ when: ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora'
+
+# install collectd-disk (it was split out)
+- name: install collectd-disk
+ dnf: name=collectd-disk state=present
+ tags:
+ - collectd
+ when: ansible_distribution_major_version|int > 7 and ansible_distribution is 'RedHat'
# install collectd-disk on F25+ (it was split out)
- name: install collectd-disk
dnf: name=collectd-disk state=present
tags:
- collectd
- when: ansible_distribution_major_version|int > 24
+ when: ansible_distribution_major_version|int > 24 and ansible_distribution is 'Fedora'
# install collected.conf
- name: /etc/collectd.conf
@@ -55,7 +69,15 @@
- collectd
notify:
- restart collectd
- when: collectd_apache and ansible_distribution_major_version|int < 22
+ when: collectd_apache and ansible_distribution_major_version|int <= 7 and ansible_distribution is 'RedHat'
+
+- name: install collectd-apache (dnf)
+ dnf: state=present name=collectd-apache
+ tags:
+ - collectd
+ notify:
+ - restart collectd
+ when: collectd_apache and ansible_distribution_major_version|int > 7 and ansible_distribution is 'RedHat'
- name: install collectd-apache (dnf)
dnf: state=present name=collectd-apache
@@ -63,7 +85,7 @@
- collectd
notify:
- restart collectd
- when: collectd_apache and ansible_distribution_major_version|int > 21
+ when: collectd_apache and ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora'
- name: /etc/collectd/apache.conf
copy: src=apache.conf dest=/etc/collectd.d/apache.conf
@@ -77,7 +99,7 @@
package: name=libsemanage-python state=present
tags:
- collectd
- when: collectd_apache is defined and ansible_distribution_major_version|int < 22
+ when: collectd_apache is defined and ansible_distribution_major_version|int <= 7 and ansible_distribution is 'RedHat'
- name: Let collectd talk to things over tcp
seboolean: name=collectd_tcp_network_connect state=yes persistent=yes
diff --git a/roles/dnf-automatic/tasks/main.yml b/roles/dnf-automatic/tasks/main.yml
index e8ccdecec..0ae341856 100644
--- a/roles/dnf-automatic/tasks/main.yml
+++ b/roles/dnf-automatic/tasks/main.yml
@@ -23,7 +23,7 @@
- name: enable and start dnf-automatic
command: systemctl enable dnf-automatic.timer
- when: ansible_distribution_major_version|int < 26
+ when: ansible_distribution_major_version|int < 8 and ansible_distribution is 'RedHat'
args:
creates: /etc/systemd/system/basic.target.wants/dnf-automatic.timer
tags:
@@ -35,31 +35,51 @@
check_mode: no
changed_when: 1 != 1
ignore_errors: true
- when: ansible_distribution_major_version|int < 26
+ when: ansible_distribution_major_version|int < 8 and ansible_distribution is 'RedHat'
- name: start dnf-automatic.timer if it is not active
command: systemctl start dnf-automatic.timer
- when: automaticative is failed and ansible_distribution_major_version|int < 26
+ when: automaticative is failed and ansible_distribution_major_version|int < 8 and ansible_distribution is 'RedHat'
- name: enable and start dnf-automatic f26+
command: systemctl enable dnf-automatic-install.timer
- when: ansible_distribution_major_version|int >= 26
+ when: ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora'
register: dnfautomaticenable
changed_when: dnfautomaticenable.rc != 0
tags:
- config
+ - name: enable and start dnf-automatic RHEL8+
+ command: systemctl enable dnf-automatic-install.timer
+ when: ansible_distribution_major_version|int >= 8 and ansible_distribution is 'RedHat'
+ register: dnfautomaticenable
+ changed_when: dnfautomaticenable.rc != 0
+ tags:
+ - config
+
+ - name: check if dnf-automatic-install.timer is active
+ command: systemctl is-active dnf-automatic-install.timer
+ register: automaticative
+ check_mode: no
+ changed_when: 1 != 1
+ ignore_errors: true
+ when: ansible_distribution_major_version|int >= 8 and ansible_distribution is 'RedHat'
+
- name: check if dnf-automatic-install.timer is active
command: systemctl is-active dnf-automatic-install.timer
register: automaticative
check_mode: no
changed_when: 1 != 1
ignore_errors: true
- when: ansible_distribution_major_version|int >= 26
+ when: ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora'
+
+ - name: start dnf-automatic-install.timer if it is not active
+ command: systemctl start dnf-automatic-install.timer
+ when: automaticative is failed and ansible_distribution_major_version|int >= 8 and ansible_distribution is 'RedHat'
- name: start dnf-automatic-install.timer if it is not active
command: systemctl start dnf-automatic-install.timer
- when: automaticative is failed and ansible_distribution_major_version|int >= 26
+ when: automaticative is failed and ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora'
- name: disable silly makecache timer
systemd: name=dnf-makecache masked=yes
diff --git a/roles/fas_client/tasks/main.yml b/roles/fas_client/tasks/main.yml
index 19f8bb1ca..8d61314fb 100644
--- a/roles/fas_client/tasks/main.yml
+++ b/roles/fas_client/tasks/main.yml
@@ -21,7 +21,7 @@
- name: install nss_db on rhel or fedora 25 or greater hosts only
package: state=present name=nss_db
- when: ansible_distribution_major_version|int == 6 or ansible_distribution_major_version|int > 24
+ when: ansible_distribution is 'RedHat' or ansible_distribution is 'Fedora'
tags:
- packages
- fas_client
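Review bot: The new condition drops the version bounds entirely, so nss_db is now also installed on RHEL 7 and RHEL 8, which the old `== 6 or > 24` excluded. If the package is not available on those releases the task would fail there, and the task name still says "fedora 25 or greater". Keeping the bounds while adding the distribution test would preserve the old behaviour: `when: (ansible_distribution == 'RedHat' and ansible_distribution_major_version|int == 6) or (ansible_distribution == 'Fedora' and ansible_distribution_major_version|int > 24)`.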
diff --git a/roles/git/server/tasks/main.yml b/roles/git/server/tasks/main.yml
index 11cf165de..78fb6db47 100644
--- a/roles/git/server/tasks/main.yml
+++ b/roles/git/server/tasks/main.yml
@@ -8,7 +8,20 @@
# If NOT using xinetd
- name: delete stock git daemon config
file: path="/usr/lib/systemd/system/git.service" state=absent
- when: ansible_distribution_major_version|int == 7
+ when: ansible_distribution_major_version|int >= 7 and ansible_distribution is 'RedHat'
+ tags: git/server
+
+- name: delete stock git daemon config
+ file: path="/usr/lib/systemd/system/git.service" state=absent
+ when: ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora'
+ tags: git/server
+
+- name: configure git daemon
+ template: >
+ src="git@.service.j2"
+ dest="/usr/lib/systemd/system/git@.service"
+ mode=0644
+ when: ansible_distribution_major_version|int >= 7 and ansible_distribution is 'RedHat'
tags: git/server
- name: configure git daemon
@@ -16,13 +29,13 @@
src="git@.service.j2"
dest="/usr/lib/systemd/system/git@.service"
mode=0644
- when: ansible_distribution_major_version|int == 7
+ when: ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora'
tags: git/server
# If using xinetd
- name: install xinetd
package: name=xinetd state=present
- when: ansible_distribution_major_version|int == 6
+ when: ansible_distribution_major_version|int == 6 and ansible_distribution is 'RedHat'
tags: git/server
- name: install the xinetd config file
@@ -30,7 +43,7 @@
src="git.j2"
dest="/etc/xinetd.d/git"
mode=0644
- when: ansible_distribution_major_version|int == 6
+ when: ansible_distribution_major_version|int == 6 and ansible_distribution is 'RedHat'
tags: git/server
notify:
- restart xinetd
diff --git a/roles/iscsi_client/tasks/main.yml b/roles/iscsi_client/tasks/main.yml
index c03caeca1..336dd7611 100644
--- a/roles/iscsi_client/tasks/main.yml
+++ b/roles/iscsi_client/tasks/main.yml
@@ -11,7 +11,7 @@
- device-mapper-multipath
tags:
- packages
- when: ansible_distribution_major_version|int < 22
+ when: ansible_distribution_major_version|int < 8 and ansible_distribution == "RedHat"
- name: install packages needed for iscsi_client (dnf)
package:
@@ -21,7 +21,17 @@
- device-mapper-multipath
tags:
- packages
- when: ansible_distribution_major_version|int > 21 and ansible_cmdline.ostree is not defined
+ when: ansible_distribution_major_version|int >= 29 and ansible_distribution == "Fedora" and ansible_cmdline.ostree is not defined
+
+- name: install packages needed for iscsi_client (dnf)
+ package:
+ state: present
+ name:
+ - iscsi-initiator-utils
+ - device-mapper-multipath
+ tags:
+ - packages
+ when: ansible_distribution_major_version|int >= 8 and ansible_distribution == "RedHat" and ansible_cmdline.ostree is not defined
- name: enable iscsi service
service: state=started enabled=yes name=iscsi
diff --git a/roles/kerneltest/templates/kerneltest.conf b/roles/kerneltest/templates/kerneltest.conf
index 13681c63e..a665f515b 100644
--- a/roles/kerneltest/templates/kerneltest.conf
+++ b/roles/kerneltest/templates/kerneltest.conf
@@ -1,5 +1,5 @@
-{% if ansible_distribution_major_version == '6' %}
+{% if ansible_distribution_major_version == '6 and ansible_distribution is 'RedHat' %}
Alias /kerneltest/static /usr/lib/python2.6/site-packages/kerneltest/static/
{% else %}
Alias /kerneltest/static /usr/lib/python2.7/site-packages/kerneltest/static/
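Review bot: The new `{% if %}` line lost the closing quote after `6` (`== '6 and ansible_distribution is 'RedHat'`), so the expression no longer parses and the template would fail to render. The intended line is presumably `{% if ansible_distribution_major_version == '6' and ansible_distribution == 'RedHat' %}`.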
diff --git a/roles/koji_hub/tasks/main.yml b/roles/koji_hub/tasks/main.yml
index b620cfb7b..8cfffa77b 100644
--- a/roles/koji_hub/tasks/main.yml
+++ b/roles/koji_hub/tasks/main.yml
@@ -363,6 +363,7 @@
- selinux
- koji_hub
when: ansible_distribution == "RedHat" and ansible_distribution_major_version|int == 7
+# FIXME wht about RHEL8+ ?
- name: Set httpd to run on boot
service: name=httpd enabled=yes
diff --git a/roles/mariadb_server/tasks/main.yml b/roles/mariadb_server/tasks/main.yml
index 494020e2e..e382ca26b 100644
--- a/roles/mariadb_server/tasks/main.yml
+++ b/roles/mariadb_server/tasks/main.yml
@@ -1,18 +1,10 @@
-- name: ensure packages required for mariadb are installed
- package:
- state: present
- name:
- - mariadb-server
- - MySQL-python
- when: ansible_distribution_major_version|int < 22
-
- name: ensure packages required for mariadb are installed
package:
state: present
name:
- mariadb-server
- MySQL-python
- when: ansible_distribution_major_version|int > 21 and ansible_cmdline.ostree is not defined
+ when: ansible_cmdline.ostree is not defined
- name: copy my.cnf
copy: src={{ item }} dest=/etc/my.cnf owner=root group=root mode=0644
diff --git a/roles/nagios_client/tasks/main.yml b/roles/nagios_client/tasks/main.yml
index 4fc1616ca..385e72474 100644
--- a/roles/nagios_client/tasks/main.yml
+++ b/roles/nagios_client/tasks/main.yml
@@ -77,7 +77,7 @@
- name: install our custom selinux module
command: semodule -i /usr/share/nrpe/fi-nrpe.pp
- when: ansible_distribution_major_version|int == 7 and selinux_module is changed
+ when: ansible_distribution_major_version|int == 7 and ansible_distribution is 'RedHat' and selinux_module is changed
tags:
- config
- nagios_client
diff --git a/roles/nfs/client/tasks/main.yml b/roles/nfs/client/tasks/main.yml
index e1d6a29d8..1302ffeb4 100644
--- a/roles/nfs/client/tasks/main.yml
+++ b/roles/nfs/client/tasks/main.yml
@@ -1,6 +1,6 @@
- name: install network-scripts package
package: name=network-scripts state=installed
- when: ansible_distribution_major_version|int >= 29
+ when: ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora'
tags:
- nfs/client
@@ -51,12 +51,12 @@
tags:
- nfs/client
-- name: enable nfs-related services and run them (rhel 7 and Fedora)
+- name: enable nfs-related services and run them (rhel 7+ and Fedora)
service: name={{ item }} enabled=true state=started
with_items:
- rpcbind
- nfs-lock
- when: ansible_distribution_major_version|int == 7
+ when: ansible_distribution_major_version|int >= 7 and ansible_distribution is 'RedHat'
tags:
- nfs/client
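Review bot: The renamed task says "rhel 7+ and Fedora", but the new `when:` only matches `RedHat`, so Fedora hosts never reach it. Either drop "and Fedora" from the name, or add a Fedora branch to the condition if those services are meant to be enabled there. Widening `== 7` to `>= 7` also applies the `rpcbind`/`nfs-lock` list to RHEL 8, which the old condition did not. It is worth confirming that both unit names exist there before merging.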
@@ -67,7 +67,7 @@
- rpcbind
- nfs
- nfslock
- when: ansible_distribution_major_version|int == 6
+ when: ansible_distribution_major_version|int == 6 and ansible_distribution is 'RedHat'
tags:
- nfs/client
diff --git a/roles/nginx/templates/etc/nginx/nginx.conf.j2 b/roles/nginx/templates/etc/nginx/nginx.conf.j2
index 0f396060c..ad3eba068 100644
--- a/roles/nginx/templates/etc/nginx/nginx.conf.j2
+++ b/roles/nginx/templates/etc/nginx/nginx.conf.j2
@@ -2,7 +2,7 @@ user nginx;
worker_processes {{ nginx_worker_processes }};
error_log /var/log/nginx/error.log {{ nginx_error_level }};
-{% if ansible_distribution_major_version == "7" %}
+{% if ansible_distribution_major_version == "7" and ansible_distribution is "RedHat" %}
pid /run/nginx.pid;
{% else %}
pid /var/run/nginx.pid;
diff --git a/roles/openqa/worker/tasks/tap-setup.yml b/roles/openqa/worker/tasks/tap-setup.yml
index 5949dd739..87ea98764 100644
--- a/roles/openqa/worker/tasks/tap-setup.yml
+++ b/roles/openqa/worker/tasks/tap-setup.yml
@@ -11,7 +11,7 @@
state: present
tags:
- packages
- when: ansible_distribution_major_version|int >= 29
+ when: ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora'
- name: Enable ipv4_forward in sysctl
sysctl: name=net.ipv4.ip_forward value=1 state=present sysctl_set=yes reload=yes
diff --git a/roles/openvpn/base/tasks/main.yml b/roles/openvpn/base/tasks/main.yml
index 8ca236528..8550c60cd 100644
--- a/roles/openvpn/base/tasks/main.yml
+++ b/roles/openvpn/base/tasks/main.yml
@@ -1,6 +1,8 @@
---
# OpenVpn basic configuration
+# FIXME lots of changes, please review carefully:
+#
- name: Install needed package
package:
state: present
@@ -9,7 +11,7 @@
tags:
- openvpn
- packages
- when: ansible_distribution_major_version|int < 8
+ when: ansible_distribution_major_version|int < 8 and ansible_distribution is 'RedHat'
- name: Install needed package (dnf)
package:
@@ -21,7 +23,7 @@
- packages
when: ansible_distribution_major_version|int > 7 and ansible_cmdline.ostree is not defined
-- name: Install certificate and key (rhel6 and fedora24 and older)
+- name: Install certificate and key (rhel6)
copy: src={{ private }}/files/vpn/pki/ca.crt
dest=/etc/openvpn/ca.crt
owner=root group=root mode=0600
@@ -29,12 +31,21 @@
- install
- openvpn
#notify:
- #- restart openvpn (Fedora)
- #- restart openvpn (RHEL7)
#- restart openvpn (RHEL6)
- when: ansible_distribution_major_version|int < 25
+ when: ansible_distribution_major_version|int == 6 and ansible_distribution is 'RedHat'
-- name: Install certificate and key (rhel7 or fedora) for client
+- name: Install certificate and key (rhel7+) for client
+ copy: src={{ private }}/files/vpn/pki/ca.crt
+ dest=/etc/openvpn/client/ca.crt
+ owner=root group=root mode=0600
+ tags:
+ - install
+ - openvpn
+ #notify:
+ #- restart openvpn (RHEL7+)
+ when: ( ansible_distribution_major_version|int >= 7 and ansible_distribution is 'RedHat' ) and ansible_cmdline.ostree is not defined
+
+- name: Install certificate and key (Fedora) for client
copy: src={{ private }}/files/vpn/pki/ca.crt
dest=/etc/openvpn/client/ca.crt
owner=root group=root mode=0600
@@ -43,9 +54,29 @@
- openvpn
#notify:
#- restart openvpn (Fedora)
- #- restart openvpn (RHEL7)
- #- restart openvpn (RHEL6)
- when: ( ansible_distribution_major_version|int != 6 and ansible_distribution_major_version|int != 24 ) and ansible_cmdline.ostree is not defined
+ when: ( ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora' ) and ansible_cmdline.ostree is not defined
+
+- name: Install certificate and key (fedora) for server
+ copy: src={{ private }}/files/vpn/pki/ca.crt
+ dest=/etc/openvpn/server/ca.crt
+ owner=root group=root mode=0600
+ tags:
+ - install
+ - openvpn
+ #notify:
+ #- restart openvpn (Fedora)
+ when: ( ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora' ) and ansible_cmdline.ostree is not defined
+
+- name: Install certificate and key (rhel7+) for server
+ copy: src={{ private }}/files/vpn/pki/ca.crt
+ dest=/etc/openvpn/server/ca.crt
+ owner=root group=root mode=0600
+ tags:
+ - install
+ - openvpn
+ #notify:
+ #- restart openvpn (RHEL7+)
+ when: ( ansible_distribution_major_version|int >= 7 and ansible_distribution is 'RedHat' ) and ansible_cmdline.ostree is not defined
- name: Install certificate and key (rhel7 or fedora) for server
copy: src={{ private }}/files/vpn/pki/ca.crt
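Review bot: The two server tasks added at the end of this hunk write `/etc/openvpn/server/ca.crt`, and the unchanged task right after them, "Install certificate and key (rhel7 or fedora) for server", appears to do the same. That task's `dest` and `when:` lie outside the hunk, so this is inferred from its name. If it still carries the old version-only condition, the file is copied twice on RHEL 7+ and Fedora, and Fedora releases below 29 still get it from the old task only. The patch should either replace that task or drop the two new ones. The `is 'RedHat'` / `is 'Fedora'` comparisons also need `==`.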
diff --git a/roles/openvpn/client/tasks/main.yml b/roles/openvpn/client/tasks/main.yml
index 56f3cf6d0..9fef474e3 100644
--- a/roles/openvpn/client/tasks/main.yml
+++ b/roles/openvpn/client/tasks/main.yml
@@ -9,7 +9,7 @@
tags:
- packages
- openvpn
- when: ansible_distribution_major_version|int < 8
+ when: ansible_distribution_major_version|int < 8 and ansible_distribution is 'RedHat'
- name: Install needed packages
package:
@@ -19,7 +19,17 @@
tags:
- packages
- openvpn
- when: ansible_distribution_major_version|int > 7 and ansible_cmdline.ostree is not defined
+ when: ansible_distribution_major_version|int > 7 and ansible_distribution is 'RedHat' and ansible_cmdline.ostree is not defined
+
+- name: Install needed packages
+ package:
+ state: present
+ name:
+ - openvpn
+ tags:
+ - packages
+ - openvpn
+ when: ansible_distribution_major_version|int > 29 and ansible_distribution is 'Fedora' and ansible_cmdline.ostree is not defined
- name: Install main config file (rhel7 and fedora)
template: src=client.conf
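Review bot: The added Fedora task uses `> 29`, while every other Fedora condition in this patch uses `>= 29`, so a Fedora 29 host no longer matches any of the three package tasks. The old `> 7` condition had no distribution check and did cover it. This looks like an off-by-one; the line should be `when: ansible_distribution_major_version|int >= 29 and ansible_distribution == 'Fedora' and ansible_cmdline.ostree is not defined`.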
@@ -30,9 +40,8 @@
- openvpn
# notify:
# - restart openvpn (Fedora)
-# - restart openvpn (RHEL7)
-# - restart openvpn (RHEL6)
- when: ( ansible_distribution_major_version|int != 6 and ansible_distribution_major_version|int != 24) and ansible_cmdline.ostree is not defined
+# - restart openvpn (RHEL6+)
+ when: (ansible_distribution is 'RedHat' or ansible_distribution is 'Fedora') and ansible_cmdline.ostree is not defined
- name: Install configuration files (rhel7 and fedora)
copy: src={{ item.file }}
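Review bot: The new `when:` drops the version check entirely, so RHEL 6 hosts now match, although the old condition excluded version 6. The enclosing task starts outside this hunk and appears to be the one named "Install main config file (rhel7 and fedora)". If RHEL 6 is still meant to use only the separate rhel6 tasks further down, keep the lower bound: `when: ((ansible_distribution == 'RedHat' and ansible_distribution_major_version|int >= 7) or ansible_distribution == 'Fedora') and ansible_cmdline.ostree is not defined`. The commented notify now says "RHEL6+", so the intent should be stated one way or the other.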
@@ -51,8 +60,7 @@
# notify:
# - restart openvpn (Fedora)
# - restart openvpn (RHEL7)
-# - restart openvpn (RHEL6)
- when: ( ansible_distribution_major_version|int != 6 and ansible_distribution_major_version|int != 24) and ansible_cmdline.ostree is not defined
+ when: (ansible_distribution_major_version|int >= 7 and ansible_distribution is 'RedHat') or (ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora') and ansible_cmdline.ostree is not defined
- name: Install configuration files (rhel6)
copy: src={{ item.file }}
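Review bot: Operator precedence changes the meaning of the new `when:`. Because `and` binds tighter than `or`, the `ansible_cmdline.ostree is not defined` guard applies only to the Fedora branch, so RHEL 7+ ostree hosts will run this task. The old condition applied the guard to every host. Wrap the alternatives in one group: `when: ((ansible_distribution_major_version|int >= 7 and ansible_distribution == 'RedHat') or (ansible_distribution_major_version|int >= 29 and ansible_distribution == 'Fedora')) and ansible_cmdline.ostree is not defined`.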
@@ -72,35 +80,26 @@
- install
- openvpn
# notify:
-# - restart openvpn (Fedora)
-# - restart openvpn (RHEL7)
# - restart openvpn (RHEL6)
- when: ( ansible_distribution_major_version|int == 6 or ansible_distribution_major_version|int == 24) and ansible_cmdline.ostree is not defined
+ when: (ansible_distribution_major_version|int == 6 and ansible_distribution is 'RedHat') and ansible_cmdline.ostree is not defined
- name: enable openvpn service for rhel 6
service: name=openvpn state=started enabled=true
- when: ansible_distribution_major_version|int == 6
- tags:
- - service
- - openvpn
-
-- name: enable openvpn service for fedora 24
- service: name=openvpn@openvpn state=started enabled=true
- when: ansible_distribution_major_version|int == 24
+ when: ansible_distribution_major_version|int == 6 and ansible_distribution is 'RedHat'
tags:
- service
- openvpn
- name: Make sure old openvpn is not running in rhel 7
service: name=openvpn@openvpn state=stopped enabled=false
- when: ansible_distribution_major_version|int == 7
+ when: ansible_distribution_major_version|int == 7 and ansible_distribution is 'RedHat'
tags:
- service
- openvpn
-- name: Make sure openvpn is running in rhel 7
+- name: Make sure openvpn is running in rhel 7+
service: name=openvpn-client@openvpn state=started enabled=true
- when: ansible_distribution_major_version|int == 7
+ when: ansible_distribution_major_version|int >= 7 and ansible_distribution is 'RedHat'
tags:
- service
- openvpn
@@ -115,7 +114,7 @@
- name: Create directories for post-vpn service configs
file: path="/etc/systemd/system/{{item}}.service.d" state=directory
with_items: "{{postvpnservices}}"
- when: is_fedora is defined or ansible_distribution_major_version|int == 7
+ when: is_fedora is defined or (ansible_distribution_major_version|int >= 7 and ansible_distribution is 'RedHat')
tags:
- service
- openvpn
@@ -123,7 +122,7 @@
- name: Deploy postvpn.conf for post-vpn services
copy: src=postvpn.conf dest="/etc/systemd/system/{{item}}.service.d/postvpn.conf"
with_items: "{{postvpnservices}}"
- when: is_fedora is defined or ansible_distribution_major_version|int == 7
+ when: is_fedora is defined or (ansible_distribution_major_version|int >= 7 and ansible_distribution is 'RedHat')
tags:
- service
- openvpn
diff --git a/roles/packages3/web/tasks/main.yml b/roles/packages3/web/tasks/main.yml
index 2bcc8fac6..23a28e1d3 100644
--- a/roles/packages3/web/tasks/main.yml
+++ b/roles/packages3/web/tasks/main.yml
@@ -1,4 +1,6 @@
---
+# FIXME: Are these hosts really running RHEL or do we need to check for CentOS ?
+#
# Configuration for the fedora-packages webapp
- name: install needed packages
package: name={{ item }} state=present
@@ -91,7 +93,7 @@
tags:
- packages
- packages/web
- when: ansible_distribution_major_version|int < 7
+ when: ansible_distribution_major_version|int < 7 and ansible_distribution is 'RedHat'
# Here's the indexer stuff
- name: Create cache structure
@@ -134,7 +136,7 @@
- packages
- packages/web
- hotfix
- when: ansible_distribution_major_version|int < 7
+ when: ansible_distribution_major_version|int < 7 and ansible_distribution is 'RedHat'
# Lastly, here's some selinux stuff.
- name: set some selinux booleans
@@ -163,4 +165,4 @@
- packages
- packages/web
- selinux
- when: ansible_distribution_major_version|int > 6
+ when: ansible_distribution_major_version|int > 6 and (ansible_distribution is 'RedHat' or ansible_distribution is 'Fedora')
diff --git a/roles/postgresql_server/tasks/main.yml b/roles/postgresql_server/tasks/main.yml
index 7db600518..e1e380eab 100644
--- a/roles/postgresql_server/tasks/main.yml
+++ b/roles/postgresql_server/tasks/main.yml
@@ -11,7 +11,7 @@
- postgresql-plpython
- python-psycopg2
- pxz
- when: ansible_distribution_major_version|int < 22
+ when: ansible_distribution_major_version|int < 8 and ansible_distribution is 'RedHat'
tags:
- packages
- postgresql
@@ -25,7 +25,21 @@
- postgresql-plpython
- python-psycopg2
- pxz
- when: ansible_distribution_major_version|int > 21 and ansible_cmdline.ostree is not defined
+ when: ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora' and ansible_cmdline.ostree is not defined
+ tags:
+ - packages
+ - postgresql
+
+- name: install postgresql server packages (dnf)
+ package:
+ state: present
+ name:
+ - postgresql-server
+ - postgresql-contrib
+ - postgresql-plpython
+ - python-psycopg2
+ - pxz
+ when: ansible_distribution_major_version|int >= 8 and ansible_distribution is 'RedHat' and ansible_cmdline.ostree is not defined
tags:
- packages
- postgresql
diff --git a/roles/postgresql_server_bdr/tasks/main.yml b/roles/postgresql_server_bdr/tasks/main.yml
index 908099a4d..242017262 100644
--- a/roles/postgresql_server_bdr/tasks/main.yml
+++ b/roles/postgresql_server_bdr/tasks/main.yml
@@ -11,6 +11,7 @@
- packages
- postgresql-bdr
+# No Fedora packages available for F25+
- name: install postgresql server packages (yum)
package: name={{ item }} state=present
with_items:
@@ -20,7 +21,7 @@
- postgresql-bdr94-bdr
- postgresql-bdr94-plpython
- python-psycopg2
- when: ansible_distribution_major_version|int < 22
+ when: ansible_distribution_major_version|int < 8 and ansible_distribution is 'RedHat'
tags:
- packages
- postgresql-bdr
diff --git a/roles/rkhunter/tasks/main.yml b/roles/rkhunter/tasks/main.yml
index 83788c338..a56958c5e 100644
--- a/roles/rkhunter/tasks/main.yml
+++ b/roles/rkhunter/tasks/main.yml
@@ -1,13 +1,4 @@
---
-- name: install rkhunter (yum)
- package: name=rkhunter state=present
- notify:
- - run rkhunter
- tags:
- - rkhunter
- - packages
- when: ansible_distribution_major_version|int < 22
-
- name: install rkhunter (dnf)
package: name=rkhunter state=present
notify:
@@ -15,7 +6,7 @@
tags:
- rkhunter
- packages
- when: ansible_distribution_major_version|int > 21 and ansible_cmdline.ostree is not defined
+ when: ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora' and ansible_cmdline.ostree is not defined
- name: rkhunter.conf
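Review bot: With the yum task removed in the previous hunk and this condition narrowed to Fedora 29+, no task in this file installs rkhunter on RHEL hosts any more. Before the patch the `< 22` task covered them. The role would then deploy rkhunter.conf and notify `run rkhunter` on a host without the package, leaving those machines without the rootkit check. Since `package:` works on both distributions, the version test can be dropped, as the mariadb_server hunk does: `when: ansible_cmdline.ostree is not defined`.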
diff --git a/roles/rkhunter/templates/rkhunter.conf.j2 b/roles/rkhunter/templates/rkhunter.conf.j2
index b79a21b01..c2f08d858 100644
--- a/roles/rkhunter/templates/rkhunter.conf.j2
+++ b/roles/rkhunter/templates/rkhunter.conf.j2
@@ -165,13 +165,8 @@ ALLOW_SSH_ROOT_USER=without-password
# configuration file, then a value of '2' may be set here in order to
# suppress a warning message. This option has a default value of '0'.
#
-{% if ansible_distribution == 'Fedora' and ansible_distribution_major_version|int < 22 %}
-# Fedora 21 doesn't set protocol in ssh config
-ALLOW_SSH_PROT_V1=2
-{% else %}
# For RHEL and Fedora 22+ we set proto to v2 only
ALLOW_SSH_PROT_V1=0
-{% endif %}
#
# This setting tells rkhunter the directory containing the SSH configuration
diff --git a/roles/rsyncd/tasks/main.yml b/roles/rsyncd/tasks/main.yml
index 327bf274d..7133f88b2 100644
--- a/roles/rsyncd/tasks/main.yml
+++ b/roles/rsyncd/tasks/main.yml
@@ -3,7 +3,7 @@
# This role sets up rsyncd on a server
#
-- name: install rnecessary packages
+- name: install necessary packages
package:
state: present
name:
@@ -13,9 +13,9 @@
tags:
- packages
- rsyncd
- when: ansible_distribution_major_version|int < 22
+ when: ansible_distribution_major_version|int < 8 and ansible_distribution is 'RedHat'
-- name: install rnecessary packages
+- name: install necessary packages
package:
state: present
name:
@@ -25,7 +25,19 @@
tags:
- packages
- rsyncd
- when: ansible_distribution_major_version|int > 21
+ when: ansible_distribution_major_version|int >= 8 and ansible_distribution is 'RedHat'
+
+- name: install necessary packages
+ package:
+ state: present
+ name:
+ - rsync
+ - xinetd
+ - libsemanage-python
+ tags:
+ - packages
+ - rsyncd
+ when: ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora'
- name: rsyncd.conf file
copy: src={{ item }} dest=/etc/rsyncd.conf mode=0644
diff --git a/roles/sigul/server/tasks/main.yml b/roles/sigul/server/tasks/main.yml
index 59f075602..e5f9e0450 100644
--- a/roles/sigul/server/tasks/main.yml
+++ b/roles/sigul/server/tasks/main.yml
@@ -30,15 +30,23 @@
package: state=present name={{ item }}
with_items:
- gnupg1
- when: ansible_distribution_major_version|int == 7
+ when: ansible_distribution_major_version|int == 7 and ansible_distribution is 'RedHat'
tags:
- packages
-- name: install fedora only packages
+- name: install gnupg packages
package: state=present name={{ item }}
with_items:
- gnupg
- when: ansible_distribution_major_version|int > 23
+ when: ansible_distribution_major_version|int >= 8 and ansible_distribution is 'RedHat'
+ tags:
+ - packages
+
+- name: install gnupg packages
+ package: state=present name={{ item }}
+ with_items:
+ - gnupg
+ when: ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora'
tags:
- packages
@@ -50,7 +58,7 @@
- name: Setup gpg link on rhel7
file: state=link src=/usr/bin/gpg1 dest=/usr/bin/gpg
- when: ansible_distribution_major_version|int == 7
+ when: ansible_distribution_major_version|int == 7 and ansible_distribution is 'RedHat'
- name: add polkit rules to allow sigul user to access the smartcard/yubikey
copy: src=00-sigul.rules dest=/etc/polkit-1/rules.d/00-sigul.rules
diff --git a/roles/taskotron/grokmirror/tasks/main.yml b/roles/taskotron/grokmirror/tasks/main.yml
index 4112181ef..6b65a945b 100644
--- a/roles/taskotron/grokmirror/tasks/main.yml
+++ b/roles/taskotron/grokmirror/tasks/main.yml
@@ -5,14 +5,21 @@
name:
- git
- python-grokmirror
- when: ansible_distribution_major_version|int < 22
+ when: ansible_distribution_major_version|int <= 7 and ansible_distribution is 'RedHat'
- name: ensure grokmirror packages are installed (dnf)
dnf: name={{ item }} state=present
with_items:
- git
- python-grokmirror
- when: ansible_distribution_major_version|int > 21 and ansible_cmdline.ostree is not defined
+ when: ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora' and ansible_cmdline.ostree is not defined
+
+- name: ensure grokmirror packages are installed (dnf)
+ dnf: name={{ item }} state=present
+ with_items:
+ - git
+ - python-grokmirror
+ when: ansible_distribution_major_version|int > 7 and ansible_distribution is 'RedHat' and ansible_cmdline.ostree is not defined
- name: create grokmirror user
user: name={{ grokmirror_user }}
diff --git a/roles/taskotron/resultsdb-backend/tasks/main.yml b/roles/taskotron/resultsdb-backend/tasks/main.yml
index 0b8b144c5..08d509154 100644
--- a/roles/taskotron/resultsdb-backend/tasks/main.yml
+++ b/roles/taskotron/resultsdb-backend/tasks/main.yml
@@ -10,7 +10,7 @@
- mod_wsgi
- python-psycopg2
- libsemanage-python
- when: ansible_distribution_major_version|int < 22
+ when: ansible_distribution_major_version|int <= 7 and ansible_distribution is 'RedHat'
- name: ensure packages required for resultsdb are installed (dnf)
dnf: name={{ item }} state=present
@@ -19,7 +19,16 @@
- python3-mod_wsgi
- python3-psycopg2
- python2-libsemanage
- when: ansible_distribution_major_version|int > 21 and ansible_cmdline.ostree is not defined
+ when: ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora' and ansible_cmdline.ostree is not defined
+
+- name: ensure packages required for resultsdb are installed (dnf)
+ dnf: name={{ item }} state=present
+ with_items:
+ - resultsdb
+ - python3-mod_wsgi
+ - python3-psycopg2
+ - python2-libsemanage
+ when: ansible_distribution_major_version|int > 7 and ansible_distribution is 'RedHat' and ansible_cmdline.ostree is not defined
- name: ensure database is created
delegate_to: "{{ resultsdb_db_host_machine }}"
diff --git a/roles/taskotron/resultsdb-frontend/tasks/main.yml b/roles/taskotron/resultsdb-frontend/tasks/main.yml
index 1bd0801d1..d603620f5 100644
--- a/roles/taskotron/resultsdb-frontend/tasks/main.yml
+++ b/roles/taskotron/resultsdb-frontend/tasks/main.yml
@@ -8,14 +8,21 @@
name:
- resultsdb_frontend
- mod_wsgi
- when: ansible_distribution_major_version|int < 22
+ when: ansible_distribution_major_version|int <= 7 and ansible_distribution is 'RedHat'
- name: ensure packages required for resultsdb_frontend are installed (dnf)
dnf: name={{ item }} state=present
with_items:
- resultsdb_frontend
- python3-mod_wsgi
- when: ansible_distribution_major_version|int > 21 and ansible_cmdline.ostree is not defined
+ when: ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora' and ansible_cmdline.ostree is not defined
+
+- name: ensure packages required for resultsdb_frontend are installed (dnf)
+ dnf: name={{ item }} state=present
+ with_items:
+ - resultsdb_frontend
+ - python3-mod_wsgi
+ when: ansible_distribution_major_version|int > 7 and ansible_distribution is 'RedHat' and ansible_cmdline.ostree is not defined
- name: ensure selinux lets httpd talk to the network
seboolean: name=httpd_can_network_connect persistent=yes state=yes
diff --git a/roles/taskotron/ssl-taskotron/tasks/main.yml b/roles/taskotron/ssl-taskotron/tasks/main.yml
index 91ff4f5d9..c9c25e5a2 100644
--- a/roles/taskotron/ssl-taskotron/tasks/main.yml
+++ b/roles/taskotron/ssl-taskotron/tasks/main.yml
@@ -4,13 +4,19 @@
state: present
name:
- mod_ssl
- when: ansible_distribution_major_version|int < 22
+ when: ansible_distribution_major_version|int <= 7 and ansible_distribution is 'RedHat'
- name: ensure ssl related packages are installed (dnf)
dnf: name={{ item }} state=present
with_items:
- mod_ssl
- when: ansible_distribution_major_version|int > 21 and ansible_cmdline.ostree is not defined
+ when: ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora' and ansible_cmdline.ostree is not defined
+
+- name: ensure ssl related packages are installed (dnf)
+ dnf: name={{ item }} state=present
+ with_items:
+ - mod_ssl
+ when: ansible_distribution_major_version|int > 7 and ansible_distribution is 'RedHat' and ansible_cmdline.ostree is not defined
#- name: copy ssl key
# copy: src={{ private }}/files/taskotron/certs/{{ inventory_hostname }}/{{ inventory_hostname }}.key dest=/etc/pki/tls/private/{{ inventory_hostname }}.key
diff --git a/roles/taskotron/taskotron-frontend/tasks/main.yml b/roles/taskotron/taskotron-frontend/tasks/main.yml
index 89dac238b..edd4dda5f 100644
--- a/roles/taskotron/taskotron-frontend/tasks/main.yml
+++ b/roles/taskotron/taskotron-frontend/tasks/main.yml
@@ -4,13 +4,19 @@
state: present
name:
- httpd
- when: ansible_distribution_major_version|int < 22
+ when: ansible_distribution_major_version|int <= 7 and ansible_distribution is 'RedHat'
- name: ensure packages required for taskotron-frontend are installed (dnf)
dnf: name={{ item }} state=present
with_items:
- httpd
- when: ansible_distribution_major_version|int > 21 and ansible_cmdline.ostree is not defined
+ when: ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora' and ansible_cmdline.ostree is not defined
+
+- name: ensure packages required for taskotron-frontend are installed (dnf)
+ dnf: name={{ item }} state=present
+ with_items:
+ - httpd
+ when: ansible_distribution_major_version|int > 7 and ansible_distribution is 'RedHat' and ansible_cmdline.ostree is not defined
- name: create dirs for static files
file: path=/var/www/html/{{ item }} state=directory owner=apache group=apache mode=1755
diff --git a/roles/taskotron/taskotron-master/tasks/main.yml b/roles/taskotron/taskotron-master/tasks/main.yml
index 5694cdd17..04bd4b945 100644
--- a/roles/taskotron/taskotron-master/tasks/main.yml
+++ b/roles/taskotron/taskotron-master/tasks/main.yml
@@ -6,7 +6,13 @@
dnf: name={{ item }} state=present
with_items:
- tmpwatch
- when: ansible_distribution_major_version|int > 21 and ansible_cmdline.ostree is not defined
+ when: ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora' and ansible_cmdline.ostree is not defined
+
+- name: ensure packages required for buildmaster are installed (dnf)
+ dnf: name={{ item }} state=present
+ with_items:
+ - tmpwatch
+ when: ansible_distribution_major_version|int > 7 and ansible_distribution is 'RedHat' and ansible_cmdline.ostree is not defined
- name: create artifacts directory
file: path={{ item }} state=directory owner=buildmaster group=buildmaster mode=0775 setype=httpd_sys_content_t
diff --git a/roles/taskotron/taskotron-proxy/tasks/main.yml b/roles/taskotron/taskotron-proxy/tasks/main.yml
index 58059d462..12cd7dddb 100644
--- a/roles/taskotron/taskotron-proxy/tasks/main.yml
+++ b/roles/taskotron/taskotron-proxy/tasks/main.yml
@@ -11,13 +11,19 @@
state: present
name:
- libsemanage-python
- when: ansible_distribution_major_version|int < 22
+ when: ansible_distribution_major_version|int <= 7 and ansible_distribution is 'RedHat'
- name: ensure packages required for proxying are installed (dnf)
dnf: name={{ item }} state=present
with_items:
- libsemanage-python
- when: ansible_distribution_major_version|int > 21 and ansible_cmdline.ostree is not defined
+ when: ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora' and ansible_cmdline.ostree is not defined
+
+- name: ensure packages required for proxying are installed (dnf)
+ dnf: name={{ item }} state=present
+ with_items:
+ - libsemanage-python
+ when: ansible_distribution_major_version|int > 7 and ansible_distribution is 'RedHat' and ansible_cmdline.ostree is not defined
- name: allow httpd tcp connections with selinux
seboolean: name=httpd_can_network_connect state=true persistent=yes
diff --git a/roles/varnish/tasks/main.yml b/roles/varnish/tasks/main.yml
index e3310ab2e..f1bd50de8 100644
--- a/roles/varnish/tasks/main.yml
+++ b/roles/varnish/tasks/main.yml
@@ -22,15 +22,8 @@
- restart varnish
tags:
- varnish
- when: ansible_distribution_major_version|int == 7
-
-- name: install varnish /etc/sysconfig/varnish file (fedora 25-28)
- template: src=varnish.f25.j2 dest=/etc/varnish/varnish.params owner=root group=root
- notify:
- - restart varnish
- tags:
- - varnish
- when: ansible_distribution_major_version|int >= 25 and ansible_distribution_major_version|int < 29
+ when: ansible_distribution_major_version|int == 7 and ansible_distribution is 'RedHat'
+#FIXME: RHEL8+ ?
- name: install varnish /etc/systemd/system/varnish.service file (fedora 29+)
template: src=varnish.f29.j2 dest=/etc/systemd/system/varnish.service owner=root group=root
@@ -39,7 +32,7 @@
- restart varnish
tags:
- varnish
- when: ansible_distribution_major_version|int >= 29
+ when: ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora'
- name: install /etc/varnish/default.vcl (proxies)
template: src={{ varnish_group }}.vcl.j2 dest=/etc/varnish/default.vcl owner=root group=root
diff --git a/tasks/2fa_client.yml b/tasks/2fa_client.yml
index f86649da4..af35fc3dd 100644
--- a/tasks/2fa_client.yml
+++ b/tasks/2fa_client.yml
@@ -3,13 +3,19 @@
package: name=pam_url state=present
tags:
- packages
- when: ansible_distribution_major_version|int < 22
+ when: ansible_distribution_major_version|int < 8 and ansible_distribution is 'RedHat'
- name: install pam_url
dnf: name=pam_url state=present
tags:
- packages
- when: ansible_distribution_major_version|int > 21
+ when: ansible_distribution_major_version|int > 7 and ansible_distribution is 'RedHat'
+
+- name: install pam_url
+ dnf: name=pam_url state=present
+ tags:
+ - packages
+ when: ansible_distribution_major_version|int >= 29 and ansible_distribution is 'RedHat'
- name: /etc/pki/tls/private/totpcgi.pem
copy: src="{{ private }}/files/2fa-certs/keys/{{ inventory_hostname }}.pem" dest=/etc/pki/tls/private/totpcgi.pem mode=0400
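Review bot: The third `install pam_url` task tests `>= 29` against `'RedHat'`, which no host satisfies, and no task in this hunk matches Fedora at all. Before the patch the `> 21` task installed pam_url on Fedora; after it, Fedora hosts get the totpcgi certificate copied below without the PAM module that uses it. The condition was presumably meant to be `when: ansible_distribution_major_version|int >= 29 and ansible_distribution == 'Fedora'`. The other two conditions also need `==` in place of `is`.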
diff --git a/tasks/cloud_setup_basic.yml b/tasks/cloud_setup_basic.yml
index 4e57b3dc5..c70b0be37 100644
--- a/tasks/cloud_setup_basic.yml
+++ b/tasks/cloud_setup_basic.yml
@@ -6,7 +6,7 @@
- ntp
- libsemanage-python
- libselinux-python
- when: ansible_distribution_major_version|int < 22
+ when: ansible_distribution_major_version|int < 8 and ansible_distribution is 'RedHat'
tags:
- packages
@@ -15,7 +15,16 @@
with_items:
- ntpdate
- libselinux-python
- when: ansible_distribution_major_version|int > 21 and ansible_cmdline.ostree is not defined
+ when: ansible_distribution_major_version|int > 7 and ansible_distribution is 'RedHat' and ansible_cmdline.ostree is not defined
+ tags:
+ - packages
+
+- name: Install desired extra packages (dnf)
+ dnf: state=present pkg={{ item }}
+ with_items:
+ - ntpdate
+ - libselinux-python
+ when: ansible_distribution_major_version|int >=29 and ansible_distribution is 'Fedora' and ansible_cmdline.ostree is not defined
tags:
- packages
@@ -57,14 +66,21 @@
- name: update all
command: yum -y update creates=/etc/sysconfig/global-update-applied
register: updated
- when: ansible_distribution_major_version|int < 22
+ when: ansible_distribution_major_version|int < 8 and ansible_distribution is 'RedHat'
+ tags:
+ - packages
+
+- name: update all
+ command: dnf -y update creates=/etc/sysconfig/global-update-applied
+ register: updated
+ when: ansible_distribution_major_version|int > 7 and ansible_distribution is 'RedHat' and ansible_cmdline.ostree is not defined
tags:
- packages
- name: update all
command: dnf -y update creates=/etc/sysconfig/global-update-applied
register: updated
- when: ansible_distribution_major_version|int > 21 and ansible_cmdline.ostree is not defined
+ when: ansible_distribution_major_version|int >= 29 and ansible_distribution is 'Fedora' and ansible_cmdline.ostree is not defined
tags:
- packages
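Review bot: Three `update all` tasks now register the same variable `updated`, and Ansible registers a result even for a skipped task. On a RHEL host the Fedora task at the end is therefore skipped and overwrites the result of the task that actually ran. Any later check of `updated` would then see a skipped result; the consumer is not visible in this hunk, so that part is inferred. The two `dnf -y update` tasks are identical apart from `when:` and can be one task with `when: ansible_cmdline.ostree is not defined and ((ansible_distribution == 'RedHat' and ansible_distribution_major_version|int > 7) or (ansible_distribution == 'Fedora' and ansible_distribution_major_version|int >= 29))`.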
diff --git a/tasks/yumrepos.yml b/tasks/yumrepos.yml
index ae6360a95..150fc29a1 100644
--- a/tasks/yumrepos.yml
+++ b/tasks/yumrepos.yml
@@ -88,16 +88,8 @@
- yumrepos
- name: add aarch64 server rpms repo
- copy: src="{{ files }}/common/rhel-7-aarch64-server-rpms.repo" dest="/etc/yum.repos.d/rhel-7-aarch64-server-rpms.repo"
- when: (ansible_distribution == 'RedHat' or ansible_distribution == 'CentOS') and inventory_hostname.startswith('aarch64-c') and ansible_distribution_major_version == 7
- tags:
- - config
- - packages
- - yumrepos
-
-- name: add aarch64 server rpms repo
- copy: src="{{ files }}/common/rhel-8-aarch64-server-rpms.repo" dest="/etc/yum.repos.d/rhel-8-aarch64-server-rpms.repo"
- when: (ansible_distribution == 'RedHat' or ansible_distribution == 'CentOS') and inventory_hostname.startswith('aarch64-c') and ansible_distribution_major_version == 8
+ copy: src="{{ files }}/common/rhel-{{ ansible_distribution_major_version }}-aarch64-server-rpms.repo" dest="/etc/yum.repos.d/rhel-{{ ansible_distribution_major_version }}-aarch64-server-rpms.repo"
+ when: (ansible_distribution == 'RedHat' or ansible_distribution == 'CentOS') and inventory_hostname.startswith('aarch64-c') and ansible_distribution_major_version >= 7
tags:
- config
- packages
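Review bot: The merged task compares `ansible_distribution_major_version >= 7` without the `|int` filter that the rest of this patch applies. The fact is a string, so this is not a numeric comparison, and depending on the Python version running Ansible it either raises a type error or gives a meaningless result. Use `ansible_distribution_major_version|int >= 7`. Templating the version into the file name also means any future major version matches the condition, so the copy will fail unless a corresponding `rhel-N-aarch64-server-rpms.repo` exists under `{{ files }}/common`. An explicit upper bound or `in ['7', '8']` would keep the set of repo files deliberate.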
--
2.21.0