From b31eb6541c3fa757a6c4d747e7bc4e64190a31f4 Mon Sep 17 00:00:00 2001 From: A Holt Date: Sat, 28 Nov 2020 09:58:16 -0500 Subject: [PATCH 1/4] WIP: AppArmor works with IIAB on Debian 10/11, so is this now also true on Ubuntu? --- roles/1-prep/tasks/main.yml | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/roles/1-prep/tasks/main.yml b/roles/1-prep/tasks/main.yml index bb499df5c..4cf2ba2cd 100644 --- a/roles/1-prep/tasks/main.yml +++ b/roles/1-prep/tasks/main.yml @@ -97,13 +97,14 @@ # https://packages.debian.org/buster/apparmor # Curiously this has NOT stopped IIAB 7.0/master from working on Debian 10 # pre-releases, during @floydianslips' March 2019 testing anyway! SEE #1387 -- name: Disable AppArmor -- override OS default (ubuntu) - systemd: - name: apparmor - enabled: False - state: stopped - when: is_ubuntu - ignore_errors: True + +#- name: Disable AppArmor -- override OS default (ubuntu) +# systemd: +# name: apparmor +# enabled: False +# state: stopped +# when: is_ubuntu +# ignore_errors: True #- name: Disable SELinux on next boot (OS's other than debuntu) # selinux: From c849249ca4cc75389e506955bebbed6f63e27f56 Mon Sep 17 00:00:00 2001 From: A Holt Date: Sat, 28 Nov 2020 15:18:19 -0500 Subject: [PATCH 2/4] 1-prep/tasks/main.yml sections: less doomscrolling, more readability --- roles/1-prep/tasks/main.yml | 16 +++++----------- 1 file changed, 5 insertions(+), 11 deletions(-) diff --git a/roles/1-prep/tasks/main.yml b/roles/1-prep/tasks/main.yml index 4cf2ba2cd..9953016bd 100644 --- a/roles/1-prep/tasks/main.yml +++ b/roles/1-prep/tasks/main.yml @@ -7,6 +7,7 @@ include_tasks: roles/network/tasks/dnsmasq.yml #when: dnsmasq_install # Flag might be used in future? + - name: Install uuid-runtime package (debuntu) package: name: 
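Review bot: In the `@@ -97,13 +97,14 @@` hunk, commenting out `Disable AppArmor -- override OS default (ubuntu)` only stops future runs from switching AppArmor off; an Ubuntu host where an earlier run already applied `enabled: False` / `state: stopped` keeps the service disabled, because nothing on the new side turns it back on. If the intent of this series is that IIAB runs with AppArmor active on Ubuntu, an explicit task that enables and starts the service would make that state deterministic, and it should not carry over `ignore_errors: True`, which hid failures of the old task. Whether existing installs re-run this role is not visible here, so that needs confirming. The block is also kept as commented-out code, and the comment added in PATCH 3/4 (`# PR #2654 - ... so also now on Ubuntu?`) leaves the question open in the file; a comment stating the expected AppArmor state and the Ubuntu releases it was tested on would serve the next reader better.

```yaml
# … unchanged: Debian 10 "Buster" AppArmor comment block …
- name: Ensure AppArmor is enabled and running (ubuntu)
  systemd:
    name: apparmor
    enabled: true
    state: started
  when: is_ubuntu
```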
@@ -37,13 +38,6 @@ set_fact: uuid: "{{ stored_uuid.stdout_lines[0] }}" -#- name: Does directory /ro exist? (indicating OS is Ubermix) -# stat: -# path: /ro -# register: ro_dir - -#- debug: -# var: ro_dir - name: Does 'ubermix' exist in /etc/lsb-release? shell: grep -i ubermix /etc/lsb-release # Pipe to cat to avoid red errors? @@ -52,9 +46,6 @@ #ignore_errors: True #check_mode: no -#- debug: -# var: grep_ubermix - - name: If so, install /etc/tmpfiles.d/iiab.conf to create /var/log subdirs on each boot, so {Apache, MongoDB, Munin} run on Ubermix copy: src: roles/1-prep/files/iiab.conf @@ -64,7 +55,6 @@ # mode: '0644' force: yes when: grep_ubermix.rc == 0 # 1 if absent in file, 2 if file doesn't exist - #when: ro_dir.stat.exists # 2020-03-19: for KA Lite, but moved from roles/kalite/tasks/install.yml # This effectively does nothing at all on Ubuntu & Raspbian, where libgeos-* @@ -75,6 +65,7 @@ shell: apt -y remove "libgeos-*" when: grep_ubermix.rc == 0 # 1 if absent in file, 2 if file doesn't exist + # Required by OpenVPN below. Also run by roles/4-server-options/tasks/main.yml - name: SSHD include_role: @@ -91,6 +82,7 @@ name: openvpn when: openvpn_install + # Debian 10 "Buster" is apparently enabling AppArmor in 2019: # https://wiki.debian.org/AppArmor/Progress # https://wiki.debian.org/AppArmor/HowToUse @@ -116,6 +108,7 @@ # command: setenforce Permissive # when: not is_debuntu and selinux_disabled is defined and selinux_disabled.changed + ## DISCOVER PLATFORMS ###### # Put conditional actions for hardware platforms here - include_tasks: raspberry_pi.yml @@ -133,6 +126,7 @@ timeout: "{{ download_timeout }}" when: internet_available and usb_NUC6.stdout|int > 0 + # this script can be sourced to get IIAB location - name: Recording STAGE 1 HAS COMPLETED ============================ template: From 43e5672bc0e32f81021bf8f88e3ae0f2eadcdcd7 Mon Sep 17 00:00:00 2001 
From: A Holt Date: Sat, 28 Nov 2020 22:38:41 -0500 Subject: [PATCH 3/4] 1-prep/tasks/main.yml: Mention PR #2654 (AppArmor works w/ IIAB on Debian 10/11, so also now on Ubuntu?) --- roles/1-prep/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/1-prep/tasks/main.yml b/roles/1-prep/tasks/main.yml index 9953016bd..d24b49764 100644 --- a/roles/1-prep/tasks/main.yml +++ b/roles/1-prep/tasks/main.yml @@ -90,6 +90,7 @@ # Curiously this has NOT stopped IIAB 7.0/master from working on Debian 10 # pre-releases, during @floydianslips' March 2019 testing anyway! SEE #1387 +# PR #2654 - AppArmor works w/ IIAB on Debian 10/11, so also now on Ubuntu? #- name: Disable AppArmor -- override OS default (ubuntu) # systemd: # name: apparmor From 652da0fbbd47d22c671127e498c8e1d3951d6e0f Mon Sep 17 00:00:00 2001 From: A Holt Date: Sat, 28 Nov 2020 23:18:35 -0500 Subject: [PATCH 4/4] 1-prep/tasks/main.yml: final code/comment cleanup for PR #2654 merge --- roles/1-prep/tasks/main.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/roles/1-prep/tasks/main.yml b/roles/1-prep/tasks/main.yml index d24b49764..273aedc94 100644 --- a/roles/1-prep/tasks/main.yml +++ b/roles/1-prep/tasks/main.yml @@ -99,6 +99,7 @@ # when: is_ubuntu # ignore_errors: True +# PR #2648 - Can be restored in future if truly nec, w ansible.posix collection #- name: Disable SELinux on next boot (OS's other than debuntu) # selinux: # state: disabled @@ -112,6 +113,7 @@ ## DISCOVER PLATFORMS ###### # Put conditional actions for hardware platforms here + - include_tasks: raspberry_pi.yml when: first_run and rpi_model != "none" @@ -128,7 +130,7 @@ when: internet_available and usb_NUC6.stdout|int > 0 -# this script can be sourced to get IIAB location +# This script can be sourced to get IIAB path/location - name: Recording STAGE 1 HAS COMPLETED ============================ template: src: roles/1-prep/templates/iiab.env.j2