Use the firewall role and the selinux role from the cockpit role #76
Conversation
|
[citest] |
This comment was marked as resolved.
This comment was marked as resolved.
README.md
Outdated
| `fedora.linux_system_roles` collection, if `cockpit_manage_firewall` | ||
| and `cockpit_manage_selinux` is set to true, respectively. | ||
| (Please see also `cockpit_manage_firewall` and `cockpit_manage_selinux` | ||
| in [`Role Variables`](#role-variables). |
There was a problem hiding this comment.
Missing ) at the end -- the ) ist for closing the link, but you start the sentence with a (. Or alternatively, drop that; I even think that's better.
README.md
Outdated
| (Please see also `cockpit_manage_firewall` and `cockpit_manage_selinux` | ||
| in [`Role Variables`](#role-variables). | ||
|
|
||
| If the `cockpit` is a role from the `fedora.linux_system_roles` |
There was a problem hiding this comment.
The first "the" sounds weird. "If cockpit is a role..." perhaps.
README.md
Outdated
| @@ -81,17 +96,35 @@ Configure settings in the /etc/cockpit/cockpit.conf file. See [`man cockpit.con | |||
| cockpit_port: 9090 | |||
| Cockpit runs on port 9090 by default. You can change the port with this option. | |||
|
|
|||
| Note that the default SELinux policy does not allow Cockpit to listen to anything else than port 9090, so you need to allow that first, with e.g. | |||
| cockpit_manage_firewall: false | |||
There was a problem hiding this comment.
The bool options above use "yes/no", this should be consistent. Either change them to true/false, or use yes/no here.
There was a problem hiding this comment.
We really should be using true and false everywhere - https://github.com/redhat-cop/automation-good-practices/blob/main/coding_style/README.adoc#yaml-and-jinja2-syntax "Use true and false for boolean values in playbooks."
but yes, it will look strange here if we are not consistent, but we may want to convert everything in the future - note that some of the other roles have already done this - linux-system-roles/ha_cluster#60
There was a problem hiding this comment.
Ok. yes/no for cockpit for now. Let me update README and tests.
I assume the change is not needed in the files in tasks and defaults... Right?
There was a problem hiding this comment.
Ok.
yes/nofor cockpit for now. Let me update README and tests. I assume the change is not needed in the files in tasks and defaults... Right?
Please use yes and no in all of the code you are adding.
README.md
Outdated
| Boolean flag allowing to configure firewall using the firewall role. | ||
| Manage the cockpit firewall service. |
There was a problem hiding this comment.
This sounds a bit redundant and confusing. Perhaps something like
Boolean variable to control the
cockpitfirewalld service with thefirewallrole.
(I'm not sure if you prefer "firewalld" as in the product, or "firewall" as in the concept - IMHO the product is a bit more specific)
| 'setype': 'websm_port_t', | ||
| 'state': 'present', 'local': 'true'}] }}" | ||
| when: | ||
| - cockpit_manage_selinux | bool |
There was a problem hiding this comment.
I'd add an additional condition that cockpit_port is defined (and remove that from line 7), so that this isn't even invoked when the port doesn't get customized (the common case). Avoids traps and is faster.
There was a problem hiding this comment.
hmm - since cockpit_port is part of the public api of the role, it should be defined in defaults/main.yml as null - so check for cockpit_port is not none (null in YAML == none in Jinja)
There was a problem hiding this comment.
hmm - since
cockpit_portis part of the public api of the role, it should be defined indefaults/main.ymlasnull- so check forcockpit_port is not none(nullin YAML ==nonein Jinja)
@richm, @martinpitt, README.md describes cockpit_port as follows.
cockpit_port: 9090
Cockpit runs on port 9090 by default. You can change the port with this option.
This means, it should be defined as 9090 in defaults/main.yml?
We should distinguish the value was set by customers or not.
There was a problem hiding this comment.
hmm - since
cockpit_portis part of the public api of the role, it should be defined indefaults/main.ymlasnull- so check forcockpit_port is not none(nullin YAML ==nonein Jinja)Is it ok for me to make this change in this pr?
Yes, please.
tests/tests_certificate.yml
Outdated
| @@ -23,7 +23,12 @@ | |||
| vars: | |||
| cockpit_packages: minimal | |||
| roles: | |||
| - linux-system-roles.cockpit | |||
| - role: linux-system-roles.cockpit | |||
| public: true | |||
There was a problem hiding this comment.
This public is an unrelated change, and should be a separate commit. Same for the other instances below.
There was a problem hiding this comment.
I haven't checked, but it looks like check_firewall_selinux.yml requires role private variables in order to check the values? If so, then I think public: true is justified
There was a problem hiding this comment.
Right. check_firewall_selinux.yml needs it. And I'm going to drop the unnecessary public: true other than tests_config.yml, tests_packages_full.yml, and tests_port.yml along with check_firewall_selinux.yml.
There was a problem hiding this comment.
@nhosoi : I see -- I didn't realize that it's really the new tasks/* files which require public:. That's fine then.
tests/tests_certificate_runafter.yml
Outdated
| - name: test - ensure cockpit_port is configured for firewall and selinux | ||
| include_tasks: tasks/check_firewall_selinux.yml |
There was a problem hiding this comment.
Please don't add this to all tests -- separation of concerns, this is unnecessary redundancy. The one place where it really matters is tests_port.yml, and perhaps tests_default.yml in addition, but none of the others.
There was a problem hiding this comment.
You are right. In the beginning, I was going to check if the manage variables are false, the port is not configured, which I dropped as it's not very useful. I'm going to delete the unnecessary checks.
tests/tests_default.yml
Outdated
| - name: test - ensure cockpit_port is configured for firewall and selinux | ||
| include_tasks: tasks/check_firewall_selinux.yml |
There was a problem hiding this comment.
Note that the default Fedora and RHEL configuration is fine by itself -- this should not mangle anything in the default case. The tasks file does not do anything harmful, so it's fine to call it here; I just wanted to point it out.
|
hmm - also looks like we need to change the tests so that you can run multiple tests at the same time on the same controller: but this is unrelated to this PR - we had to change some of the other roles to do something similar e.g. linux-system-roles/nbde_client#80 so that each test gets its own temp directory |
Let me split this pr into 1) firewall, 2) selinux, 3) README, and 4) tests. |
|
@nhosoi : a new feature and a test should always be in the same commit, as they belong together. Same for the documentation. The point is not to make commits as small as possible, but only do one thing/feature/bug fix/change per commit (including the corresponding docs, tests, etc.). That makes them easier to understand/review, possible to bisect, and backport. I leave it up to you whether you want to split tests/tasks/check_firewall_selinux.yml; IMHO the functionality belongs together, and I'd even rename it to |
|
[citest] |
Hi! You tagged a wrong GitHub account. I will unsubscribe this chat. Br, @nhosi |
|
[citest] |
|
[citest] |
|
[citest] |
tests/tasks/check_port.yml
Outdated
| package: | ||
| name: | ||
| - libselinux-python3 | ||
| - policycoreutils-python3 |
There was a problem hiding this comment.
looks like semanage on Fedora is provided by policycoreutils-python-utils
nhosoi
force-pushed
the
use_roles
branch
2 times, most recently
from
b9624b8 to
c0989b5
Compare
|
[citest] |
|
ok - looks good - please rebase on top of the latest master branch and we can merge |
in defaults/main.yml as null.
- Introduce cockpit_manage_firewall to use the firewall role to manage the cockpit service. Default to false - means the firewall role is not used. - Add the test check task tasks/check_port.yml for verifying the ports status. - Add meta/collection-requirements.yml.
- Introduce cockpit_manage_selinux to use the selinux role to manage the ports in the cockpit service. Assign websm_port_t to the cockpit service ports. Default to false - means the selinux role is not used. - Add a test playbook tests_port2.yml to check port 443 when cockpit_manage_firewall and cockpit_manage_selinux are yes.
Thank you, @richm. Done! |
|
spoke too soon - looks like merge is blocked - @martinpitt needs to review, and clear the requested changes flag. |
[1.4.0] - 2022-11-01 -------------------- ### New Features - Use the firewall role and the selinux role from the cockpit role (linux-system-roles#76) Since cockpit_port is a public api of the cockpit role, define it in defaults/main.yml as null. - Introduce cockpit_manage_firewall to use the firewall role to manage the cockpit service. Default to false - means the firewall role is not used. - Add the test check task tasks/check_port.yml for verifying the ports status. - Add meta/collection-requirements.yml. - Introduce cockpit_manage_selinux to use the selinux role to manage the ports in the cockpit service. Assign websm_port_t to the cockpit service ports. Default to false - means the selinux role is not used. - Use the certificate role to create the cert and the key (linux-system-roles#78) - Introduce a variable cockpit_certificates to set the certificate_requests. - Update README so that using the certificate role is recommended. Add a check and README note for not supporting creating a self-signed certificate on RHEL/CentOS-7. ### Bug Fixes - none ### Other Changes - workflows: Add integration-tests for Ubuntu 22.04 (linux-system-roles#68) The current LTS 22.04 is the more interesting target. This detects bugs like [1]. Keep 20.04 running as well for the time being. [1] linux-system-roles/certificate#130 - Clone the certificate role in the temporary dir. (linux-system-roles#77) Signed-off-by: Rich Megginson <[email protected]>
[1.4.0] - 2022-11-01 -------------------- ### New Features - Use the firewall role and the selinux role from the cockpit role (#76) Since cockpit_port is a public api of the cockpit role, define it in defaults/main.yml as null. - Introduce cockpit_manage_firewall to use the firewall role to manage the cockpit service. Default to false - means the firewall role is not used. - Add the test check task tasks/check_port.yml for verifying the ports status. - Add meta/collection-requirements.yml. - Introduce cockpit_manage_selinux to use the selinux role to manage the ports in the cockpit service. Assign websm_port_t to the cockpit service ports. Default to false - means the selinux role is not used. - Use the certificate role to create the cert and the key (#78) - Introduce a variable cockpit_certificates to set the certificate_requests. - Update README so that using the certificate role is recommended. Add a check and README note for not supporting creating a self-signed certificate on RHEL/CentOS-7. ### Bug Fixes - none ### Other Changes - workflows: Add integration-tests for Ubuntu 22.04 (#68) The current LTS 22.04 is the more interesting target. This detects bugs like [1]. Keep 20.04 running as well for the time being. [1] linux-system-roles/certificate#130 - Clone the certificate role in the temporary dir. (#77) Signed-off-by: Rich Megginson <[email protected]> Signed-off-by: Rich Megginson <[email protected]>
Introduce cockpit_manage_firewall to use the firewall role to manage the cockpit service. Default to false - means the firewall role is not used.
Introduce cockpit_manage_selinux to use the selinux role to manage the ports in the cockpit service. Assign websm_port_t to the cockpit service ports. Default to false - means the selinux role is not used.
Add the test check task tasks/check_firewall_selinux.yml for verify the ports status.
Add meta/collection-requirements.yml.