forked from usegalaxy-eu/infrastructure-playbook
-
Notifications
You must be signed in to change notification settings - Fork 0
/
apollo.yml
47 lines (47 loc) · 1.72 KB
/
apollo.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
---
- hosts: apollo
become: true
vars_files:
- "secret_group_vars/all.yml"
- "secret_group_vars/apollo.yml"
vars:
hostname: apollo.internal.galaxyproject.eu
pre_tasks:
# Apollo / tomcat need several exceptions currently.
# setsebool -P tomcat_can_network_connect_db 1
#
# type=AVC msg=audit(1563522605.167:5385): avc: denied { getattr } for pid=10356 comm="java" path="/data/dnb01/apollo" dev="0:43" ino=6481704053 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir permissive=1
#
# type=AVC msg=audit(1563522604.751:5384): avc: denied { connectto } for pid=10356 comm="java" path="/tmp/.java_pid10356" scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:system_r:tomcat_t:s0 tclass=unix_stream_socket permissive=1
#
# Was caused by:
# The boolean daemons_enable_cluster_mode was set incorrectly.
# Description:
# Allow daemons to enable cluster mode
#
# Allow access by executing:
# # setsebool -P daemons_enable_cluster_mode 1
- name: Put SELinux in permissive mode, logging actions that would be blocked.
selinux:
policy: targeted
state: permissive
roles:
- hostname
- usegalaxy-eu.dynmotd
- geerlingguy.repo-epel
- hxr.admin-tools
- influxdata.chrony
- hxr.monitor-email
- linuxhq.yum_cron
- galaxyproject.nginx
- hxr.autofs
# BEGIN custom
- hxr.remap-user
# Now add custom tomcat user with hardcoded ID. The user info is in group_vars/apollo.yml
- hxr.replace-galaxy-user
- devops.tomcat7
- hxr.apollo
# END custom
- dj-wasabi.telegraf
- dev-sec.os-hardening
- dev-sec.ssh-hardening