mirror of https://github.com/iiab/iiab.git synced 2025-03-09 15:40:17 +00:00

Merge pull request #2654 from holta/apparmor-wip

WIP: AppArmor works with IIAB on Debian 10/11, so is this now also true on Ubuntu?
A Holt 2020-11-28 23:21:02 -05:00 committed by GitHub
commit a661674f23
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -7,6 +7,7 @@
include_tasks: roles/network/tasks/dnsmasq.yml
#when: dnsmasq_install # Flag might be used in future?
- name: Install uuid-runtime package (debuntu)
package:
name:
@ -37,13 +38,6 @@
set_fact:
uuid: "{{ stored_uuid.stdout_lines[0] }}"
#- name: Does directory /ro exist? (indicating OS is Ubermix)
# stat:
# path: /ro
# register: ro_dir
#- debug:
# var: ro_dir
- name: Does 'ubermix' exist in /etc/lsb-release?
shell: grep -i ubermix /etc/lsb-release # Pipe to cat to avoid red errors?
@ -52,9 +46,6 @@
#ignore_errors: True
#check_mode: no
#- debug:
# var: grep_ubermix
- name: If so, install /etc/tmpfiles.d/iiab.conf to create /var/log subdirs on each boot, so {Apache, MongoDB, Munin} run on Ubermix
copy:
src: roles/1-prep/files/iiab.conf
@ -64,7 +55,6 @@
# mode: '0644'
force: yes
when: grep_ubermix.rc == 0 # 1 if absent in file, 2 if file doesn't exist
#when: ro_dir.stat.exists
# 2020-03-19: for KA Lite, but moved from roles/kalite/tasks/install.yml
# This effectively does nothing at all on Ubuntu & Raspbian, where libgeos-*
@ -75,6 +65,7 @@
shell: apt -y remove "libgeos-*"
when: grep_ubermix.rc == 0 # 1 if absent in file, 2 if file doesn't exist
# Required by OpenVPN below. Also run by roles/4-server-options/tasks/main.yml
- name: SSHD
include_role:
@ -91,20 +82,24 @@
name: openvpn
when: openvpn_install
# Debian 10 "Buster" is apparently enabling AppArmor in 2019:
# https://wiki.debian.org/AppArmor/Progress
# https://wiki.debian.org/AppArmor/HowToUse
# https://packages.debian.org/buster/apparmor
# Curiously this has NOT stopped IIAB 7.0/master from working on Debian 10
# pre-releases, during @floydianslips' March 2019 testing anyway! SEE #1387
- name: Disable AppArmor -- override OS default (ubuntu)
systemd:
name: apparmor
enabled: False
state: stopped
when: is_ubuntu
ignore_errors: True
# PR #2654 - AppArmor works w/ IIAB on Debian 10/11, so also now on Ubuntu?
#- name: Disable AppArmor -- override OS default (ubuntu)
# systemd:
# name: apparmor
# enabled: False
# state: stopped
# when: is_ubuntu
# ignore_errors: True
# PR #2648 - Can be restored in future if truly nec, w ansible.posix collection
#- name: Disable SELinux on next boot (OS's other than debuntu)
# selinux:
# state: disabled
@ -115,8 +110,10 @@
# command: setenforce Permissive
# when: not is_debuntu and selinux_disabled is defined and selinux_disabled.changed
## DISCOVER PLATFORMS ######
# Put conditional actions for hardware platforms here
- include_tasks: raspberry_pi.yml
when: first_run and rpi_model != "none"
@ -132,7 +129,8 @@
timeout: "{{ download_timeout }}"
when: internet_available and usb_NUC6.stdout|int > 0
# this script can be sourced to get IIAB location
# This script can be sourced to get IIAB path/location
- name: Recording STAGE 1 HAS COMPLETED ============================
template:
src: roles/1-prep/templates/iiab.env.j2
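Review bot: Commenting out the "Disable AppArmor" task in the `-91,20 +82,24` hunk only stops future runs from turning the service off; on an Ubuntu machine where an earlier run already applied `enabled: False` and `state: stopped`, nothing visible in this hunk turns AppArmor back on. Upgraded installs would therefore stay unconfined while fresh installs run with the OS default, which makes behaviour differ between otherwise identical hosts. If the intent is for AppArmor to be active on Ubuntu, consider replacing the commented block with a `systemd` task for `apparmor` that sets `enabled: yes` and `state: started` under `when: is_ubuntu`, or note in the comment that existing installs need `systemctl enable --now apparmor`. Because the PR title is still phrased as a question, the new comment should also record which Ubuntu releases were actually tested with AppArmor enabled. The disabled task would read better deleted than kept as commented-out YAML, since the `PR #2654` reference already points to the history.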