Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

sap_hana_install: Fix issue 756 #757

Merged
merged 3 commits into from
Jun 19, 2024
Merged

sap_hana_install: Fix issue 756 #757

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
fe1d73a
sap_hana_install: Solve issue #756
berndfinger Jun 17, 2024
19f72b5
sap_hana_install: Move fapolicyd tags to block level
berndfinger Jun 18, 2024
35a07fe
sap_hana_install: Remove leftover tag from task
berndfinger Jun 19, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
113 changes: 50 additions & 63 deletions roles/sap_hana_install/tasks/post_install.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -208,6 +208,7 @@
when:
- sap_hana_install_use_fapolicyd
- '"fapolicyd" in ansible_facts.packages'
tags: sap_hana_install_use_fapolicyd
block:

- name: SAP HANA Post Install, fapolicyd - Ensure Ansible marker for 'integrity' is present in fapolicyd config file
Expand All @@ -216,7 +217,6 @@
regexp: '# "integrity" managed by Ansible'
insertbefore: '^integrity\s*=.*'
line: '# "integrity" managed by Ansible'
tags: sap_hana_install_use_fapolicyd

- name: SAP HANA Post Install, fapolicyd - Ensure integrity level '{{ sap_hana_install_fapolicyd_integrity }}' is configured"
ansible.builtin.lineinfile:
Expand All @@ -226,12 +226,10 @@
line: 'integrity = {{ sap_hana_install_fapolicyd_integrity }}'
backup: true
register: __sap_hana_install_fapolicyd_conf_updated
tags: sap_hana_install_use_fapolicyd

- name: SAP HANA Post Install, fapolicyd - Validate the new version of the fapolicyd config file
ansible.builtin.command: fapolicyd-cli --check-config
changed_when: false
tags: sap_hana_install_use_fapolicyd

rescue:

Expand All @@ -243,81 +241,70 @@
owner: root
group: fapolicyd
mode: '0644'
tags: sap_hana_install_use_fapolicyd

- name: SAP HANA Post Install, fapolicyd - Notify about failed validation
ansible.builtin.fail:
msg: >-
"The update of the fapolicyd config file failed, likely because an unsupported value has been used for
the parameter 'sap_hana_install_fapolicyd_integrity'. The previous version has been successfully restored."
tags: sap_hana_install_use_fapolicyd

- name: SAP HANA Post Install, fapolicyd - Process template for creating rule file '{{ sap_hana_install_fapolicyd_rule_file }}'
ansible.builtin.template:
src: fapolicyd-rules.j2
dest: "/etc/fapolicyd/rules.d/{{ sap_hana_install_fapolicyd_rule_file }}.rules"
owner: root
group: fapolicyd
mode: '0644'

- name: SAP HANA Post Install, fapolicyd - Create rule and trust files, enable fapolicyd
when:
- sap_hana_install_use_fapolicyd
- '"fapolicyd" in ansible_facts.packages'
tags: sap_hana_install_use_fapolicyd
block:

- name: SAP HANA Post Install, fapolicyd - Process template for creating rule file '{{ sap_hana_install_fapolicyd_rule_file }}'
ansible.builtin.template:
src: fapolicyd-rules.j2
dest: "/etc/fapolicyd/rules.d/{{ sap_hana_install_fapolicyd_rule_file }}.rules"
owner: root
group: fapolicyd
mode: '0644'

# Reason for noqa: The return code of the command is always 0 no matter if there was a change or not
- name: SAP HANA Post Install, fapolicyd - Merge rule files # noqa no-changed-when
ansible.builtin.command: fagenrules --load
register: sap_hana_install_register_fagenrules_load
- name: SAP HANA Post Install, fapolicyd - Merge rule files # noqa no-changed-when
ansible.builtin.command: fagenrules --load
register: sap_hana_install_register_fagenrules_load

- name: SAP HANA hdblcm installation check - Display the output of the command 'fagenrules --load'
ansible.builtin.debug:
msg: "{{ sap_hana_install_register_fagenrules_load.stdout_lines }}"
- name: SAP HANA Post Install, fapolicyd - Display the output of the command 'fagenrules --load'
ansible.builtin.debug:
msg: "{{ sap_hana_install_register_fagenrules_load.stdout_lines }}"

# We want to add files which have the execute mode bit set AND which are reported as executables
# by fapolicyd-cli -t, one for each directory of sap_hana_install_fapolicyd_trusted_directories.
# The fapolicy trust file name will be created from the directory names by replacing '/' by '_' and
# omitting the first '_'.
- name: SAP HANA Post Install, fapolicyd - Put all executable files from 'sap_hana_install_fapolicyd_trusted_directories' into fapolicyd trust files
ansible.builtin.shell: |
set -o pipefail &&
find {{ __sap_hana_install_item }} -type f -executable -exec fapolicyd-cli -t {} \; -print |
awk '/\/x-/{a=1; b=NR}
{
if(a==1 && b==(NR-1)){
system("fapolicyd-cli --file add "$0" --trust-file \
{{ __sap_hana_install_item | regex_replace('//*', '_') | regex_replace("^_", "") }}"); a=0; b=0
}
}'
loop: "{{ sap_hana_install_fapolicyd_trusted_directories }}"
loop_control:
loop_var: __sap_hana_install_item
label: >-
"{{ __sap_hana_install_item }} ->
/etc/fapolicyd/trust.d/{{ __sap_hana_install_item |
regex_replace('//*', '_') |
regex_replace('^_', '') }}"
changed_when: true
when:
- sap_hana_install_use_fapolicyd
- '"fapolicyd" in ansible_facts.packages'
tags: sap_hana_install_use_fapolicyd

- name: SAP HANA Post Install, fapolicyd - Enable fapolicyd
ansible.builtin.service:
name: fapolicyd
enabled: true
state: started
when:
- sap_hana_install_use_fapolicyd
- '"fapolicyd" in ansible_facts.packages'
tags: sap_hana_install_use_fapolicyd

- name: SAP HANA Post Install, fapolicyd - Restart fapolicyd
ansible.builtin.service:
name: fapolicyd
enabled: true
state: restarted
when:
- sap_hana_install_use_fapolicyd
- '"fapolicyd" in ansible_facts.packages'
tags: sap_hana_install_use_fapolicyd
- name: SAP HANA Post Install, fapolicyd - Put all executable files from 'sap_hana_install_fapolicyd_trusted_directories' into fapolicyd trust files
ansible.builtin.shell: |
set -o pipefail &&
find {{ __sap_hana_install_item }} -type f -executable -exec fapolicyd-cli -t {} \; -print |
awk '/\/x-/{a=1; b=NR}
{
if(a==1 && b==(NR-1)){
system("fapolicyd-cli --file add "$0" --trust-file \
{{ __sap_hana_install_item | regex_replace('//*', '_') | regex_replace("^_", "") }}"); a=0; b=0
}
}'
loop: "{{ sap_hana_install_fapolicyd_trusted_directories }}"
loop_control:
loop_var: __sap_hana_install_item
label: >-
"{{ __sap_hana_install_item }} ->
/etc/fapolicyd/trust.d/{{ __sap_hana_install_item |
regex_replace('//*', '_') |
regex_replace('^_', '') }}"
changed_when: true

- name: SAP HANA Post Install, fapolicyd - Enable fapolicyd
ansible.builtin.service:
name: fapolicyd
enabled: true
state: started

- name: SAP HANA Post Install, fapolicyd - Restart fapolicyd
ansible.builtin.service:
name: fapolicyd
enabled: true
state: restarted
4 changes: 2 additions & 2 deletions roles/sap_hana_install/tasks/pre_install.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,11 +30,11 @@
# Otherwise, the installation of SAP HANA will fail
################

- name: SAP HANA Pre Install - Gather package facts
- name: SAP HANA Pre Install, fapolicyd - Gather package facts
ansible.builtin.package_facts:
tags: sap_hana_install_use_fapolicyd

- name: SAP HANA Pre Install - Disable fapolicyd
- name: SAP HANA Pre Install, fapolicyd - Disable fapolicyd
ansible.builtin.service:
name: fapolicyd
enabled: false
Expand Down
Loading