Merge branch 'twans_fix' into 'development'

Generic improvements to ensure correct hostnames, selinux state and external_fqdn

See merge request clustervision/trinityx-combined!304

Author: di3go-sona

site/roles/trinity/bind/tasks/main.yml

@@ -24,7 +24,7 @@
     sefcontext:
       target: "{{ bind_db_path }}/dynamic(/.*)?"
       setype: named_cache_t
-  when: enable_selinux|default(True)
+  when: ansible_selinux.status == "enabled"
 
 - name: Ensure {{ bind_db_path }} exists
   file:

site/roles/trinity/init/files/resolve.sh

@@ -0,0 +1,37 @@
+#!/bin/bash
+
+if [ ! "$(which host)" ]; then
+	dnf -y install bind-utils 1>&2
+fi
+
+if [ ! "$(which host)" ]; then
+	echo "Cannot find host and cannot install it" 1>&2
+	exit 1
+fi
+
+HOST=$1
+DNS=$2
+
+RES=$(host -v $HOST|grep -A1 'ANSWER SECTION'|grep PTR|awk '{ print $5 }'|sed -e 's/\.$//')
+
+if [ ! "$RES" ]; then
+	RES=$(host $HOST|grep 'domain name pointer'|awk '{ print $5 }'|sed -e 's/\.$//')
+fi
+
+if [ ! "$RES" ] && [ "$DNS" ]; then
+	RES=$(host -v $HOST $DNS|grep -A1 'ANSWER SECTION'|grep PTR|awk '{ print $5 }'|sed -e 's/\.$//')
+
+	if [ ! "$RES" ]; then
+		RES=$(host $HOST $DNS|grep 'domain name pointer'|awk '{ print $5 }'|sed -e 's/\.$//')
+	fi
+fi
+
+if [ "$RES" ]; then
+	echo $RES
+	exit
+fi
+
+echo "could not resolve $HOST" 1>&2
+# yes it should be non-zero exit, but ansible console output will be cluttered
+exit
+

site/roles/trinity/init/tasks/main.yml

@@ -149,14 +149,6 @@
 
   - debug:
       msg: "Primary: {{ primary }}, on_controller: {{ on_controller }}, in_cloud: {{ in_cloud }}"
-
-  - name: Setting trix_external_fqdn
-    set_fact:
-      trix_external_fqdn: '{{ ansible_fqdn }}'
-    when: (trix_external_fqdn is not defined) or trix_external_fqdn==""
-
-  - debug:
-      msg: "trix_external_fqdn: {{ trix_external_fqdn }}"
   tags: always
 
 
@@ -335,6 +327,7 @@
   tags: always
   when: ansible_connection not in 'chroot' and on_controller
 
+
 - block:
   - block:
     - name: Trying to figure out external interface
@@ -377,6 +370,53 @@
   tags: always
   when: ansible_connection not in 'chroot' and on_controller
 
+
+- block:
+  - name: Copy resolv.sh script to /tmp
+    copy:
+      src: 'resolve.sh'
+      dest: '/tmp/resolve.sh'
+      mode: 0755
+
+  - name: Resolving trix_external_fqdn
+    command: "/tmp/resolve.sh {{ trix_ctrl_external_ip }} {{ trix_dns_forwarders | default([]) | first }}"
+    register: trix_resolved_host_fqdn
+    ignore_errors: true
+    when: trix_ctrl_external_ip is defined
+
+  - name: Setting trix_external_fqdn
+    set_fact:
+      trix_external_fqdn: "{{ trix_resolved_host_fqdn.stdout }}"
+    when:
+      - (trix_external_fqdn is not defined) or trix_external_fqdn==""
+      - trix_resolved_host_fqdn is defined
+
+  - block:
+    - fail: 
+        msg: 'trix_external_fqdn is not configured and it could not be resolved. I can continue but OpenOndemand might not work properly'
+      ignore_errors: true
+
+    - name: Wait 10s before continuing with a default
+      wait_for:
+        timeout: 10
+
+    - name: Setting trix_external_fqdn
+      set_fact:
+        trix_external_fqdn: '{{ ansible_fqdn }}'
+      ignore_errors: true
+      when: (trix_external_fqdn is not defined) or trix_external_fqdn==""
+  tags: always
+  when: 
+    - ansible_connection not in 'chroot' and on_controller
+    - (trix_external_fqdn is not defined) or trix_external_fqdn==""
+
+- debug:
+    msg: "trix_external_fqdn: {{ trix_external_fqdn }}"
+  when: 
+    - ansible_connection not in 'chroot' and on_controller
+    - trix_external_fqdn is defined
+
+
 - block:
   - name: Resolve admin group
     getent:
@@ -401,26 +441,28 @@
     num_ctrl: "{{ all_ctrl_ip | length }}"
   tags: always
 
-- name: Fetch selinux state
-  shell: getenforce || echo 'Disabled'
-  register: init_selinux_state
-  ignore_errors: true
+- block:
+  - name: Fetch selinux state
+    shell: getenforce || echo 'Disabled'
+    register: init_selinux_state
+    ignore_errors: true
 
-- name: Verify if selinux matches with preferred state
-  fail:
-    msg: "Selinux enabled, but the system needs a reboot first to take effect. Please re-run after reboot"
-  when:
-    - enable_selinux|default(True)
-    - init_selinux_state.stdout is defined
-    - init_selinux_state.stdout == 'Disabled'
+  - name: Verify if selinux matches with preferred state
+    fail:
+      msg: "Selinux enabled, but the system needs a reboot first to take effect. Please re-run after reboot"
+    when:
+      - enable_selinux|default(True)
+      - init_selinux_state.stdout is defined
+      - init_selinux_state.stdout == 'Disabled'
 
-- name: Verify if selinux matches with preferred state
-  fail:
-    msg: "Selinux disabled, but the system needs a reboot first to take effect. Please re-run after reboot"
-  when:
-    - not enable_selinux|default(True)
-    - init_selinux_state.stdout is defined
-    - init_selinux_state.stdout == 'Enforcing'
+  - name: Verify if selinux matches with preferred state
+    fail:
+      msg: "Selinux disabled, but the system needs a reboot first to take effect. Please re-run after reboot"
+    when:
+      - not enable_selinux|default(True)
+      - init_selinux_state.stdout is defined
+      - init_selinux_state.stdout == 'Enforcing'
+  when: ansible_connection not in 'chroot' and on_controller
 
 - name: Toggle selinux state
   selinux:

site/roles/trinity/luna2/tasks/main.yml

@@ -397,7 +397,7 @@
   sefcontext:
     target: "/etc/named.luna.zones"
     setype: named_zone_t
-  when: enable_selinux|default(True)
+  when: ansible_selinux.status == "enabled"
 
 - name: Check File exists or not
   stat:

site/roles/trinity/mariadb/tasks/main.yml

@@ -27,7 +27,7 @@
     setype: mysqld_db_t
     seuser: system_u
     state: present
-  when: enable_selinux|default(True)
+  when: ansible_selinux.status == "enabled"
 
 - name: Ensure {{ mariadb_db_path }} exists
   file:

site/roles/trinity/openldap/tasks/main.yml

@@ -87,7 +87,7 @@
     sefcontext:
       target: "{{ openldap_server_conf_path }}(/.*)?"
       setype: slapd_db_t
-  when: enable_selinux|default(True)
+  when: ansible_selinux.status == "enabled"
 
 - name: Hash OpenLDAP root password
   command: slappasswd -h {SSHA} -s {{ openldap_root_pwd }}

site/roles/trinity/prometheus-alertmanager/tasks/main.yml

@@ -31,7 +31,7 @@
       become: true
       tags:
         - prometheus-alertmanager-selinux
-  when: enable_selinux|default(True)
+  when: ansible_selinux.status == "enabled"
   tags:
     - prometheus-alertmanager-selinux
 

site/roles/trinity/prometheus-ha-exporter/tasks/configure.yml

@@ -16,7 +16,7 @@
     state: present
   when:
     - ansible_version.full is version_compare('2.4', '>=')
-    - enable_selinux|default(True)
+    - ansible_selinux.status == "enabled"
 
 - name: Create prometheus_ha_exporter_sd_file if not exists
   file:

site/roles/trinity/prometheus-infiniband-exporter/tasks/configure.yml

@@ -16,7 +16,7 @@
     state: present
   when:
     - ansible_version.full is version_compare('2.4', '>=')
-    - enable_selinux|default(True)
+    - ansible_selinux.status == "enabled"
 
 - name: Create prometheus_infiniband_exporter_sd_file if not exists
   file:

site/roles/trinity/prometheus-ipmi-exporter/tasks/configure.yml

@@ -16,7 +16,7 @@
     state: present
   when:
     - ansible_version.full is version_compare('2.4', '>=')
-    - enable_selinux|default(True)
+    - ansible_selinux.status == "enabled"
 
 - name: Create prometheus_ipmi_exporter_sd_file if not exists
   file: