From 35c026e77a7eb67f83ae22743cb68a8a604c5d5f Mon Sep 17 00:00:00 2001 
From: Giovanni Toraldo
Date: Tue, 26 Nov 2024 12:24:50 +0100
Subject: [PATCH 01/14] Add audit-storage and systemd-service roles
---
 .github/workflows/community.yml | 1 +
 .github/workflows/enteprise.yml | 1 +
 roles/audit_storage/README.md | 38 ++++++
 roles/audit_storage/defaults/main.yml | 32 +++++
 roles/audit_storage/handlers/main.yml | 2 +
 roles/audit_storage/meta/main.yml | 33 +++++
 .../molecule/default/converge.yml | 7 ++
 .../molecule/default/host_vars/instance.yml | 1 +
 .../molecule/default/molecule.yml | 32 +++++
 .../audit_storage/molecule/default/verify.yml | 14 +++
 roles/audit_storage/tasks/main.yml | 45 +++++++
 roles/audit_storage/vars/main.yml | 3 +
 roles/systemd_service/README.md | 118 ++++++++++++++++++
 roles/systemd_service/defaults/main.yml | 15 +++
 roles/systemd_service/handlers/main.yml | 11 ++
 roles/systemd_service/meta/argument_specs.yml | 54 ++++++++
 roles/systemd_service/meta/main.yml | 15 +++
 .../molecule/default/converge.yml | 15 +++
 .../molecule/default/molecule.yml | 15 +++
 .../molecule/default/verify.yml | 26 ++++
 roles/systemd_service/tasks/main.yml | 16 +++
 .../templates/systemd-service.j2 | 31 +++++
 roles/systemd_service/vars/main.yml | 2 +
 23 files changed, 527 insertions(+)
create mode 100644 roles/audit_storage/README.md
create mode 100644 roles/audit_storage/defaults/main.yml
create mode 100644 roles/audit_storage/handlers/main.yml
create mode 100644 roles/audit_storage/meta/main.yml
create mode 100644 roles/audit_storage/molecule/default/converge.yml
create mode 100644 roles/audit_storage/molecule/default/host_vars/instance.yml
create mode 100644 roles/audit_storage/molecule/default/molecule.yml
create mode 100644 roles/audit_storage/molecule/default/verify.yml
create mode 100644 roles/audit_storage/tasks/main.yml
create mode 100644 roles/audit_storage/vars/main.yml
create mode 100644 roles/systemd_service/README.md
create mode 100644 roles/systemd_service/defaults/main.yml
create mode 100644 roles/systemd_service/handlers/main.yml
create mode 100644 roles/systemd_service/meta/argument_specs.yml
create mode 100644 roles/systemd_service/meta/main.yml
create mode 100644 roles/systemd_service/molecule/default/converge.yml
create mode 100644 roles/systemd_service/molecule/default/molecule.yml
create mode 100644 roles/systemd_service/molecule/default/verify.yml
create mode 100644 roles/systemd_service/tasks/main.yml
create mode 100644 roles/systemd_service/templates/systemd-service.j2
create mode 100644 roles/systemd_service/vars/main.yml
diff --git a/.github/workflows/community.yml b/.github/workflows/community.yml
index 56f20d8d4..712ff650b 100644
--- a/.github/workflows/community.yml
+++ b/.github/workflows/community.yml
@@ -44,6 +44,7 @@ jobs: - name: search - name: tomcat - name: transformers + - name: systemd_service env: PY_COLORS: 1 PYTHONUNBUFFERED: 1
diff --git a/.github/workflows/enteprise.yml b/.github/workflows/enteprise.yml
index fcbe92c3e..7f55aebbb 100644
--- a/.github/workflows/enteprise.yml
+++ b/.github/workflows/enteprise.yml
@@ -64,6 +64,7 @@ jobs: - name: sfs - name: sync - name: trouter + - name: audit_storage steps: - name: Share var with further reusable workflows id: jobvars
diff --git a/roles/audit_storage/README.md b/roles/audit_storage/README.md
new file mode 100644
index 000000000..225dd44b9
--- /dev/null
+++ b/roles/audit_storage/README.md
@@ -0,0 +1,38 @@
+Role Name
+=========
+
+A brief description of the role goes here.
+
+Requirements
+------------
+
+Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
+
+Role Variables
+--------------
+
+A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
+
+Dependencies
+------------
+
+A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
+
+Example Playbook
+----------------
+
+Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+
+ - hosts: servers
+ roles:
+ - { role: username.rolename, x: 42 }
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+An optional section for the role authors to include contact information, or a website (HTML is not allowed).
diff --git a/roles/audit_storage/defaults/main.yml b/roles/audit_storage/defaults/main.yml
new file mode 100644
index 000000000..cf31a51bf
--- /dev/null
+++ b/roles/audit_storage/defaults/main.yml
@@ -0,0 +1,32 @@
+---
+# defaults file for audit_storage
+audit_storage_version: "1.0.0"
+audit_storage_zip_url: https://nexus.alfresco.com/nexus/repository/enterprise-releases/org/alfresco/alfresco-audit-storage-distribution/{{ audit_storage_version }}/alfresco-audit-storage-distribution-{{ audit_storage_version }}.zip
+audit_storage_zip_sha1_url: https://nexus.alfresco.com/nexus/repository/enterprise-releases/org/alfresco/alfresco-audit-storage-distribution/{{ audit_storage_version }}/alfresco-audit-storage-distribution-{{ audit_storage_version }}.zip.sha1
+
+audit_storage_artifact_name: alfresco-audit-storage-app
+
+audit_storage_username: alfresco
+audit_storage_group_name: alfresco
+
+audit_storage_broker_url: failover:(nio://localhost:61616)?timeout=3000
+audit_storage_broker_username: admin
+audit_storage_broker_password: admin
+audit_storage_opensearch_url: http://localhost:9200
+audit_storage_opensearch_username: ''
+audit_storage_opensearch_password: ''
+
+audit_storage_default_environment:
+ SPRING_ACTIVEMQ_BROKERURL: "{{ audit_storage_broker_url }}"
+ SPRING_ACTIVEMQ_USER: "{{ audit_storage_broker_username }}"
+ SPRING_ACTIVEMQ_PASSWORD: "{{ audit_storage_broker_password }}"
+ AUDIT_ENTRYSTORAGE_OPENSEARCH_CONNECTOR_URI: "{{ audit_storage_opensearch_url }}"
+ AUDIT_ENTRYSTORAGE_OPENSEARCH_CONNECTOR_USERNAME: "{{ audit_storage_opensearch_username }}"
+ AUDIT_ENTRYSTORAGE_OPENSEARCH_CONNECTOR_PASSWORD: "{{ audit_storage_opensearch_password }}"
+ AUDIT_EVENTINGESTION_URI: activemq:topic:alfresco.repo.event2
+audit_storage_environment: {}
+
+audit_storage_java_bin_path: /opt/openjdk-17.0.11/bin/java
+
+audit_storage_binaries_dir: "/opt/alfresco/audit-storage-{{ audit_storage_version }}"
+audit_storage_config_dir: "/etc/alfresco/audit-storage"
diff --git a/roles/audit_storage/handlers/main.yml b/roles/audit_storage/handlers/main.yml
new file mode 100644
index 000000000..5557d5647
--- /dev/null
+++ b/roles/audit_storage/handlers/main.yml
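Review bot: The defaults ship working credentials — `audit_storage_broker_username: admin` / `audit_storage_broker_password: admin` — so a deployment that forgets to override them silently connects with a well-known account instead of failing. I'd leave the password defaults undefined (or empty) and add an `ansible.builtin.assert` in tasks/main.yml with `that: audit_storage_broker_password | length > 0`, so the omission surfaces at run time; the empty OpenSearch credentials have the same ambiguity, since `''` reads both as "no auth" and as "forgotten override". `audit_storage_java_bin_path: /opt/openjdk-17.0.11/bin/java` pins a JDK patch level inside this role while `meta/main.yml` already depends on the `java` role; deriving the path from that role's variables would keep the two from drifting.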
@@ -0,0 +1,2 @@
+---
+# handlers file for audit_storage
diff --git a/roles/audit_storage/meta/main.yml b/roles/audit_storage/meta/main.yml
new file mode 100644
index 000000000..718c32e7b
--- /dev/null
+++ b/roles/audit_storage/meta/main.yml
@@ -0,0 +1,33 @@
+galaxy_info:
+ author: Alfresco Ops Readiness
+ description: This role installs and configures the audit storage for Alfresco
+ company: Hyland Software
+
+ # If the issue tracker for your role is not on github, uncomment the
+ # next line and provide a value
+ # issue_tracker_url: http://example.com/issue/tracker
+
+ license: Apache-2.0
+
+ min_ansible_version: "2.12"
+
+ platforms:
+ - name: Ubuntu
+ versions:
+ - bionic
+ - focal
+ - name: EL
+ versions:
+ - "8"
+ - "9"
+
+ galaxy_tags: []
+ # List tags for your role here, one per line. A tag is a keyword that describes
+ # and categorizes the role. Users find roles by searching for tags. Be sure to
+ # remove the '[]' above, if you add tags to this list.
+ #
+ # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+ # Maximum 20 tags per role.
+
+dependencies:
+ - role: java
diff --git a/roles/audit_storage/molecule/default/converge.yml b/roles/audit_storage/molecule/default/converge.yml
new file mode 100644
index 000000000..e451f3d5d
--- /dev/null
+++ b/roles/audit_storage/molecule/default/converge.yml
@@ -0,0 +1,7 @@
+---
+- name: Converge
+ hosts: all
+ roles:
+ - role: activemq
+ - role: elasticsearch
+ - role: audit_storage
diff --git a/roles/audit_storage/molecule/default/host_vars/instance.yml b/roles/audit_storage/molecule/default/host_vars/instance.yml
new file mode 100644
index 000000000..146ddd8e0
--- /dev/null
+++ b/roles/audit_storage/molecule/default/host_vars/instance.yml
@@ -0,0 +1 @@
+ansible_user: ansible
diff --git a/roles/audit_storage/molecule/default/molecule.yml b/roles/audit_storage/molecule/default/molecule.yml
new file mode 100644
index 000000000..9c966be41
--- /dev/null
+++ b/roles/audit_storage/molecule/default/molecule.yml
@@ -0,0 +1,32 @@
+---
+dependency:
+ name: galaxy
+driver:
+ name: docker
+platforms:
+ - name: instance
+ image: $MOLECULE_ROLE_IMAGE
+ dockerfile: ../../../../tests/molecule/Dockerfile-noprivs.j2
+ command: "/lib/systemd/systemd"
+ privileged: true
+ tmpfs:
+ - /run
+ - /run/lock
+ - /tmp
+ volume_mounts:
+ - "/sys/fs/cgroup:/sys/fs/cgroup:ro"
+ groups:
+ - audit_storage
+ - activemq
+ - elasticsearch
+provisioner:
+ name: ansible
+ ansible_args:
+ - -e
+ - "@../../../../tests/molecule/secrets.yml"
+ inventory:
+ links:
+ group_vars: ../../../../group_vars
+ host_vars: host_vars
+verifier:
+ name: ansible
diff --git a/roles/audit_storage/molecule/default/verify.yml b/roles/audit_storage/molecule/default/verify.yml
new file mode 100644
index 000000000..8cd7f029e
--- /dev/null
+++ b/roles/audit_storage/molecule/default/verify.yml
@@ -0,0 +1,14 @@
+---
+- name: Verify
+ hosts: instance
+ gather_facts: false
+ tasks:
+ - name: Populate service facts
+ ansible.builtin.service_facts:
+
+ - name: Check that service is up and running
+ ansible.builtin.assert:
+ that:
+ - ansible_facts.services['alfresco-audit-storage.service'] is defined
+ - ansible_facts.services['alfresco-audit-storage.service'].state == 'running'
+ quiet: true
diff --git a/roles/audit_storage/tasks/main.yml b/roles/audit_storage/tasks/main.yml
new file mode 100644
index 000000000..321b82c21
--- /dev/null
+++ b/roles/audit_storage/tasks/main.yml
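Review bot: `volume_mounts:` under `platforms` does not look like a key the molecule docker driver reads (I believe the documented key is `volumes:`), and the systemd_service scenario's molecule.yml later in this commit spells the same mount as `volume:`, so at least one of the two is presumably ignored without any error. If the cgroup bind mount is actually needed for systemd inside the container, `volumes:` with the same list would make it take effect; if the scenario already passes without it, dropping the line is better than carrying dead configuration. The same remark applies to the systemd_service molecule.yml hunk.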
@@ -0,0 +1,45 @@
+---
+# tasks file for audit_storage
+- name: Download audit storage distribution {{ audit_storage_version }}
+ ansible.builtin.get_url:
+ url: "{{ audit_storage_zip_url }}"
+ dest: "{{ download_location }}/{{ audit_storage_artifact_name }}-{{ audit_storage_version }}.zip"
+ checksum: sha1:{{ lookup('url', audit_storage_zip_sha1_url, username=nexus_user, password=nexus_password) }} # pragma: allowlist secret
+ mode: "0644"
+ url_username: "{{ nexus_user }}"
+ url_password: "{{ nexus_password }}"
+
+- name: Install Audit Storage
+ become: true
+ block:
+ - name: Create directories
+ ansible.builtin.file:
+ path: "{{ item }}"
+ state: directory
+ owner: "{{ audit_storage_username }}"
+ group: "{{ audit_storage_group_name }}"
+ mode: "0755"
+ loop:
+ - "{{ audit_storage_binaries_dir }}"
+ - "{{ audit_storage_config_dir }}"
+
+ - name: Extract distribution zip in binaries
+ ansible.builtin.unarchive:
+ src: "{{ download_location }}/{{ audit_storage_artifact_name }}-{{ audit_storage_version }}.zip"
+ dest: "{{ audit_storage_binaries_dir }}"
+ remote_src: true
+ creates: "{{ audit_storage_binaries_dir }}/README.md"
+ owner: "{{ audit_storage_username }}"
+ group: "{{ audit_storage_group_name }}"
+
+ - name: Install service
+ ansible.builtin.include_role:
+ name: systemd_service
+ vars:
+ systemd_service_unit_name: "alfresco-audit-storage"
+ systemd_service_unit_description: "Alfresco Audit Storage"
+ systemd_service_exec_start: "{{ audit_storage_java_bin_path }} -jar {{ audit_storage_artifact_path }}"
+ systemd_service_user: "{{ audit_storage_username }}"
+ systemd_service_environment: >-
+ {{ audit_storage_default_environment |
+ combine(audit_storage_environment) }}
diff --git a/roles/audit_storage/vars/main.yml b/roles/audit_storage/vars/main.yml
new file mode 100644
index 000000000..0e28f196c
--- /dev/null
+++ b/roles/audit_storage/vars/main.yml
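Review bot: `Create directories` and `Extract distribution zip in binaries` hand ownership of `audit_storage_binaries_dir` to the service account, so the process started as `systemd_service_user` can rewrite the jar it runs; for an install tree the service only needs to read, `owner: root` with the existing `mode: "0755"` keeps a misbehaving or compromised service from altering what is executed on the next start. `audit_storage_config_dir` is created here but nothing in the hunk writes into it, so either a comment on what is expected to land there or dropping it until something does would help. The `creates:` guard keys on `README.md` inside the extracted tree, which means a partial extraction or a version bump that reuses the directory is skipped on re-runs; keying on the versioned jar path in `audit_storage_artifact_path` tracks what the service actually executes.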
@@ -0,0 +1,3 @@
+---
+# vars file for audit_storage
+audit_storage_artifact_path: "{{ audit_storage_binaries_dir }}/{{ audit_storage_artifact_name }}-{{ audit_storage_version }}.jar"
diff --git a/roles/systemd_service/README.md b/roles/systemd_service/README.md
new file mode 100644
index 000000000..02cf5f87a
--- /dev/null
+++ b/roles/systemd_service/README.md
@@ -0,0 +1,118 @@
+# systemd_service
+
+Install and configure systemd services
+
+## Table of content
+
+* [systemd\_service](#systemd_service)
+ * [Table of content](#table-of-content)
+ * [Requirements](#requirements)
+ * [Default Variables](#default-variables)
+ * [systemd\_service\_additional\_options](#systemd_service_additional_options)
+ * [systemd\_service\_enabled](#systemd_service_enabled)
+ * [systemd\_service\_environment](#systemd_service_environment)
+ * [systemd\_service\_exec\_start](#systemd_service_exec_start)
+ * [systemd\_service\_exec\_stop](#systemd_service_exec_stop)
+ * [systemd\_service\_state](#systemd_service_state)
+ * [systemd\_service\_type](#systemd_service_type)
+ * [systemd\_service\_unit\_after](#systemd_service_unit_after)
+ * [systemd\_service\_unit\_description](#systemd_service_unit_description)
+ * [systemd\_service\_unit\_name](#systemd_service_unit_name)
+ * [systemd\_service\_user](#systemd_service_user)
+ * [systemd\_service\_working\_directory](#systemd_service_working_directory)
+ * [Dependencies](#dependencies)
+ * [License](#license)
+ * [Author](#author)
+
+---
+
+## Requirements
+
+* Minimum Ansible version: `2.1`
+
+## Default Variables
+
+### systemd_service_additional_options
+
+```YAML
+systemd_service_additional_options: {}
+```
+
+### systemd_service_enabled
+
+```YAML
+systemd_service_enabled: true
+```
+
+### systemd_service_environment
+
+```YAML
+systemd_service_environment: {}
+```
+
+### systemd_service_exec_start
+
+```YAML
+systemd_service_exec_start: ''
+```
+
+### systemd_service_exec_stop
+
+```YAML
+systemd_service_exec_stop: kill -15 $MAINPID
+```
+
+### systemd_service_state
+
+```YAML
+systemd_service_state: started
+```
+
+### systemd_service_type
+
+```YAML
+systemd_service_type: simple
+```
+
+### systemd_service_unit_after
+
+```YAML
+systemd_service_unit_after: syslog.target network.target local-fs.target remote-fs.target
+ nss-lookup.target
+```
+
+### systemd_service_unit_description
+
+```YAML
+systemd_service_unit_description: ''
+```
+
+### systemd_service_unit_name
+
+```YAML
+systemd_service_unit_name: ''
+```
+
+### systemd_service_user
+
+```YAML
+systemd_service_user: ''
+```
+
+### systemd_service_working_directory
+
+```YAML
+systemd_service_working_directory: /tmp
+```
+
+## Dependencies
+
+None.
+
+## License
+
+Apache-2.0
+
+## Author
+
+Alfresco Ops Readiness
diff --git a/roles/systemd_service/defaults/main.yml b/roles/systemd_service/defaults/main.yml
new file mode 100644
index 000000000..8ac453bf8
--- /dev/null
+++ b/roles/systemd_service/defaults/main.yml
@@ -0,0 +1,15 @@
+---
+# defaults file for systemd-service
+systemd_service_unit_name: ''
+systemd_service_unit_description: ''
+systemd_service_unit_after: syslog.target network.target local-fs.target remote-fs.target nss-lookup.target
+
+systemd_service_type: simple
+systemd_service_user: ''
+systemd_service_environment: {}
+systemd_service_exec_start: ''
+systemd_service_exec_stop: kill -15 $MAINPID
+systemd_service_working_directory: /tmp
+systemd_service_additional_options: {}
+systemd_service_state: started
+systemd_service_enabled: true
diff --git a/roles/systemd_service/handlers/main.yml b/roles/systemd_service/handlers/main.yml
new file mode 100644
index 000000000..5cb38574b
--- /dev/null
+++ b/roles/systemd_service/handlers/main.yml
@@ -0,0 +1,11 @@
+---
+# handlers file for systemd-service
+- name: Reload systemd
+ ansible.builtin.systemd:
+ daemon_reload: true
+
+- name: Restart {{ systemd_service_unit_name }}
+ ansible.builtin.systemd:
+ name: "{{ systemd_service_unit_name }}"
+ state: restarted
+ when: systemd_service_state == 'started'
diff --git a/roles/systemd_service/meta/argument_specs.yml b/roles/systemd_service/meta/argument_specs.yml
new file mode 100644
index 000000000..473e6f568
--- /dev/null
+++ b/roles/systemd_service/meta/argument_specs.yml
@@ -0,0 +1,54 @@
+---
+argument_specs:
+ main:
+ short_description: Install a systemd service unit
+ description: |
+ This role installs a systemd service unit and starts it.
+ options:
+ systemd_service_unit_name:
+ type: str
+ description: Name of the systemd service unit
+ required: true
+ systemd_service_unit_description:
+ type: str
+ description: Description of the systemd service unit
+ required: true
+ systemd_service_unit_after:
+ type: str
+ description: List of systemd targets to start after (space separated)
+ systemd_service_type:
+ type: str
+ description: Type of the systemd service unit
+ default: simple
+ systemd_service_user:
+ type: str
+ description: User to run the systemd service as
+ required: true
+ systemd_service_environment:
+ type: dict
+ description: Environment variables to set for the systemd service unit
+ default: {}
+ systemd_service_exec_start:
+ type: str
+ description: Command to start the systemd service unit
+ required: true
+ systemd_service_exec_stop:
+ type: str
+ description: Command to stop the systemd service unit
+ default: kill -15 $MAINPID
+ systemd_service_working_directory:
+ type: str
+ description: Working directory for the systemd service unit
+ default: /tmp
+ systemd_service_additional_options:
+ type: dict
+ description: Additional options to set for the systemd service unit
+ default: {}
+ systemd_service_state:
+ type: str
+ description: Default state of the systemd service unit
+ default: started
+ systemd_service_enabled:
+ type: bool
+ description: Whether the systemd service unit should be enabled (started on boot)
+ default: true
diff --git a/roles/systemd_service/meta/main.yml b/roles/systemd_service/meta/main.yml
new file mode 100644
index 000000000..6469276df
--- /dev/null
+++ b/roles/systemd_service/meta/main.yml
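Review bot: `required: true` on `systemd_service_unit_name`, `systemd_service_unit_description`, `systemd_service_user` and `systemd_service_exec_start` never fires as far as I can tell, because defaults/main.yml in this same commit defines each of them as `''` and the role argument validation only checks that the variable is defined, not that it is non-empty — a caller that forgets `systemd_service_exec_start` gets a unit with an empty `ExecStart=` instead of a validation error. Either drop those four entries from defaults/main.yml so the spec can do its job, or keep the defaults and open tasks/main.yml with an `ansible.builtin.assert` carrying `that: systemd_service_unit_name | length > 0` and the same for the other three. `systemd_service_type` would also benefit from `choices: [simple, forking, oneshot, notify]` so a typo fails before the unit is written, and `systemd_service_unit_after` is missing the `default:` that defaults/main.yml gives it.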
@@ -0,0 +1,15 @@
+galaxy_info:
+ author: Alfresco Ops Readiness
+ description: Install and configure systemd services
+ company: Hyland
+
+ license: Apache-2.0
+
+ min_ansible_version: '2.1'
+
+ galaxy_tags:
+ - systemd
+ - service
+ - configuration
+
+dependencies: []
diff --git a/roles/systemd_service/molecule/default/converge.yml b/roles/systemd_service/molecule/default/converge.yml
new file mode 100644
index 000000000..ccc6447a6
--- /dev/null
+++ b/roles/systemd_service/molecule/default/converge.yml
@@ -0,0 +1,15 @@
+---
+- name: Converge
+ hosts: all
+ gather_facts: false
+ tasks:
+ - name: Include role
+ ansible.builtin.include_role:
+ name: systemd_service
+ vars:
+ systemd_service_unit_name: my-test-service
+ systemd_service_unit_description: My very cool service
+ systemd_service_exec_start: /bin/sleep infinity
+ systemd_service_environment:
+ MY_ENV_VAR: my_value
+ ANOTHER_ENV_VAR: another_value
diff --git a/roles/systemd_service/molecule/default/molecule.yml b/roles/systemd_service/molecule/default/molecule.yml
new file mode 100644
index 000000000..99d43051d
--- /dev/null
+++ b/roles/systemd_service/molecule/default/molecule.yml
@@ -0,0 +1,15 @@
+---
+driver:
+ name: docker
+platforms:
+ - name: instance
+ dockerfile: ../../../../../tests/Dockerfile-noprivs.j2
+ image: rockylinux:9
+ command: "/lib/systemd/systemd"
+ privileged: true
+ tmpfs:
+ - /run
+ - /run/lock
+ - /tmp
+ volume:
+ - "/sys/fs/cgroup:/sys/fs/cgroup:ro"
diff --git a/roles/systemd_service/molecule/default/verify.yml b/roles/systemd_service/molecule/default/verify.yml
new file mode 100644
index 000000000..01dca08fc
--- /dev/null
+++ b/roles/systemd_service/molecule/default/verify.yml
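Review bot: `min_ansible_version: '2.1'` (and the `2.1` in this role's README) understates what the role needs: the `meta/argument_specs.yml` added in the previous hunk is only honoured from ansible-core 2.11, and the audit_storage role that includes this one declares `"2.12"`. I'd set `min_ansible_version: "2.12"` here so the Galaxy metadata and the real requirement agree.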
@@ -0,0 +1,26 @@
+---
+- name: Verify
+ hosts: all
+ gather_facts: false
+ tasks:
+ - name: Check service is running
+ ansible.builtin.systemd:
+ name: my-test-service
+ state: started
+
+ - name: Check service is enabled
+ ansible.builtin.systemd:
+ name: my-test-service
+ enabled: true
+
+ - name: Check logs for warnings and errors
+ ansible.builtin.command: journalctl -u my-test-service -p 5
+ register: journalctl_output
+ changed_when: false
+
+ - name: Assert logs are clean
+ ansible.builtin.assert:
+ that:
+ - journalctl_output.stdout_lines[0] == '-- No entries --'
+ fail_msg: "Service logs contain warnings or errors: {{ journalctl_output.stdout }}"
+ quiet: true
diff --git a/roles/systemd_service/tasks/main.yml b/roles/systemd_service/tasks/main.yml
new file mode 100644
index 000000000..b2f3811ad
--- /dev/null
+++ b/roles/systemd_service/tasks/main.yml
@@ -0,0 +1,16 @@
+---
+# tasks file for systemd-service
+- name: Create systemd service
+ ansible.builtin.template:
+ src: systemd-service.j2
+ dest: /etc/systemd/system/{{ systemd_service_unit_name }}.service
+ mode: "0644"
+ notify:
+ - Reload systemd
+ - Restart {{ systemd_service_unit_name }}
+
+- name: Start service
+ ansible.builtin.systemd:
+ name: "{{ systemd_service_unit_name }}"
+ state: "{{ systemd_service_state }}"
+ enabled: "{{ systemd_service_enabled }}"
diff --git a/roles/systemd_service/templates/systemd-service.j2 b/roles/systemd_service/templates/systemd-service.j2
new file mode 100644
index 000000000..659a5506c
--- /dev/null
+++ b/roles/systemd_service/templates/systemd-service.j2
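Review bot: `Check service is running` and `Check service is enabled` are not checks — `ansible.builtin.systemd` with `state: started` / `enabled: true` will start and enable a unit that converge left stopped, so the scenario passes exactly when it should fail; `ansible.builtin.service_facts` plus an assert on `state == 'running'`, as the audit_storage verify.yml earlier in this commit does, reports the real outcome. `journalctl_output.stdout_lines[0] == '-- No entries --'` also ties the assertion to journalctl's English placeholder and to there being at least one line of output, so a different locale or an empty stdout turns into an undefined-index error rather than a verdict; running `journalctl -u my-test-service -p 5 -q` (which I believe suppresses the `-- No entries --` marker) and asserting `journalctl_output.stdout_lines | length == 0` checks the property that matters.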
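Review bot: `Start service` runs right after the unit file is written but without `daemon_reload: true`, so on a run that changed an already-loaded unit it acts on the in-memory definition until the `Reload systemd` handler fires at the end of the play; adding `daemon_reload: true` to the `Start service` task (a no-op when nothing changed) closes that window, and the same applies to the rewritten audit_storage tasks hunk in patch 06 of this series. Neither task sets `become`, although writing `/etc/systemd/system` and driving `systemctl` need root, so the role silently depends on the caller's privilege escalation — worth a line in the argument spec description, or `become: true` on both tasks as the patch-06 handlers do.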
@@ -0,0 +1,31 @@
+[Unit]
+Description={{ systemd_service_unit_description }}
+After={{ systemd_service_unit_after }}
+
+[Service]
+Type={{ systemd_service_type }}
+{% if systemd_service_type == 'oneshot' %}
+RemainAfterExit=yes
+{% endif %}
+
+User={{ systemd_service_user }}
+
+{% for key, value in systemd_service_environment.items() %}
+Environment="{{ key }}={{ value | replace('%', '%%') }}"
+{% endfor %}
+
+ExecStart={{ systemd_service_exec_start }}
+ExecStop={{ systemd_service_exec_stop }}
+
+Restart=on-failure
+RestartSec=60
+SuccessExitStatus=143
+
+WorkingDirectory={{ systemd_service_working_directory }}
+
+{% for key, value in systemd_service_additional_options.items() %}
+{{ key }}={{ value }}
+{% endfor %}
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/systemd_service/vars/main.yml b/roles/systemd_service/vars/main.yml
new file mode 100644
index 000000000..4523ba097
--- /dev/null
+++ b/roles/systemd_service/vars/main.yml
@@ -0,0 +1,2 @@
+---
+# vars file for systemd-service
From 515bffce78869b8ff4c759f37c3b7fa8dc40ee59 Mon Sep 17 00:00:00 2001
From: Giovanni Toraldo
Date: Tue, 26 Nov 2024 12:45:45 +0100
Subject: [PATCH 02/14] hook in acs playbook
---
 group_vars/all.yml | 8 ++++++
 inventory_ha.yml | 4 +++
 inventory_local.yml | 4 +++
 inventory_ssh.yml | 5 ++++
 molecule/docker_enterprise/molecule.yml | 1 +
 playbooks/acs.yml | 34 +++++++++++++++++++++++++
 6 files changed, 56 insertions(+)
diff --git a/group_vars/all.yml b/group_vars/all.yml
index 15f993d1e..61b294282 100644
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@@ -46,6 +46,10 @@ api_explorer: artifact_name: api-explorer repository: "{{ nexus_repository.releases }}" version: 23.3.0 +audit_storage: + artifact_name: alfresco-audit-storage-distribution + repository: "{{ nexus_repository.enterprise_releases }}" + version: 1.0.0 search_enterprise: artifact_name: alfresco-elasticsearch-connector-distribution repository: "{{ nexus_repository.enterprise_releases }}"
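Review bot: Every entry of `systemd_service_environment` is rendered as an `Environment="KEY=VALUE"` line, and the tasks hunk writes the unit with `mode: "0644"`, so the broker and OpenSearch passwords the audit_storage role passes through this variable become readable by any local account, both from the unit file under `/etc/systemd/system/` and via `systemctl show -p Environment`. I'd render that map into a separate root-owned `EnvironmentFile=` with `0640` and the service's group (or hand secrets over with `LoadCredential=`) and keep values out of the unit file. The quoting is fragile too: a value containing `"` ends the quoted string early (systemd accepts C-style `\"` inside double quotes), and `{{ key }}={{ value }}` in the additional-options loop is not escaped at all. With `User=` set but no `NoNewPrivileges=yes`, `PrivateTmp=yes` or `ProtectSystem=full`, the unit gets none of systemd's sandboxing, and since `systemd_service_additional_options` already exists a conservative default set there is cheap. `ExecStop=kill -15 $MAINPID` restates what systemd does on stop by default, and I believe systemd releases before v239 required an absolute path in `Exec*=` lines, so on the `bionic` platform the audit_storage meta lists the unit may fail to load.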
@@ -122,6 +126,10 @@ downloads: {{ adw.repository }}/{{ adw.artifact_name }}/{{ adw.version }}/{{ adw.artifact_name }}-{{ adw.version }}.zip adw_zip_sha1_checksum_url: >- {{ adw.repository }}/{{ adw.artifact_name }}/{{ adw.version }}/{{ adw.artifact_name }}-{{ adw.version }}.zip.sha1 + audit_storage_zip_url: >- + {{ audit_storage.repository }}/{{ audit_storage.artifact_name }}/{{ audit_storage.version }}/{{ audit_storage.artifact_name }}-{{ audit_storage.version }}.zip + audit_storage_zip_sha1_checksum_url: >- + {{ audit_storage.repository }}/{{ audit_storage.artifact_name }}/{{ audit_storage.version }}/{{ audit_storage.artifact_name }}-{{ audit_storage.version }}.zip.sha1 search_enterprise_zip_url: >- {{ search_enterprise.repository }}/{{ search_enterprise.artifact_name }}/{{ search_enterprise.version }}/{{ search_enterprise.artifact_name }}-{{ search_enterprise.version }}.zip search_enterprise_zip_sha1_url: >-
diff --git a/inventory_ha.yml b/inventory_ha.yml
index 2527bd58a..bdc336bad 100644
--- a/inventory_ha.yml
+++ b/inventory_ha.yml
@@ -67,6 +67,10 @@ all: hosts: sync.infra.local: + audit_storage: + hosts: + audit.infra.local: + other_repo_clients: hosts:
diff --git a/inventory_local.yml b/inventory_local.yml
index e23e4cb28..56b7b3a8c 100644
--- a/inventory_local.yml
+++ b/inventory_local.yml
@@ -53,6 +53,10 @@ all: children: repository: + audit_storage: + children: + repository: + other_repo_clients: hosts:
diff --git a/inventory_ssh.yml b/inventory_ssh.yml
index 6e5c754a1..96e1bb9f2 100644
--- a/inventory_ssh.yml
+++ b/inventory_ssh.yml
@@ -72,6 +72,11 @@ all: syncservice_1: ansible_host: targetIP + audit_storage: + hosts: + audit_storage_1: + ansible_host: targetIP + other_repo_clients: hosts:
diff --git a/molecule/docker_enterprise/molecule.yml b/molecule/docker_enterprise/molecule.yml
index 72e1ff31c..e02e3e0e6 100644
--- a/molecule/docker_enterprise/molecule.yml
+++ b/molecule/docker_enterprise/molecule.yml
@@ -27,6 +27,7 @@ platforms: - acc - adw - nginx + - audit_storage published_ports: - 0.0.0.0:443:443/tcp
diff --git a/playbooks/acs.yml b/playbooks/acs.yml
index 9ecfc26e0..2406a729e 100644
--- a/playbooks/acs.yml
+++ b/playbooks/acs.yml
@@ -479,3 +479,37 @@ mode: "0755" tags: - sync
+
+- name: Audit Storage Role
+ hosts: audit_storage
+ gather_facts: false
+ roles:
+ - role: "../roles/audit_storage"
+ when: acs.edition == "Enterprise"
+ audit_storage_version: "{{ audit_storage.version }}"
+ audit_storage_zip_url: "{{ downloads.audit_storage_zip_url }}"
+ audit_storage_zip_sha1_url: "{{ downloads.audit_storage_zip_sha1_url }}"
+ audit_storage_username: "{{ username }}"
+ audit_storage_group_name: "{{ group_name }}"
+ audit_storage_broker_url: "failover:({{ activemq_transport }}://{{ activemq_host }}:{{ ports_cfg.activemq[activemq_protocol] }})"
+ audit_storage_broker_username: "{{ activemq_username }}"
+ audit_storage_broker_password: "{{ activemq_password }}"
+ audit_storage_opensearch_url: "{{ elasticsearch_protocol }}://{{ elasticsearch_host }}:{{ ports_cfg.elasticsearch.http }}"
+ audit_storage_opensearch_username: "{{ elasticsearch_username }}"
+ audit_storage_opensearch_password: "{{ elasticsearch_password }}"
+ post_tasks:
+ - name: Update installation status file with Audit Storage
+ when: acs.edition == "Enterprise"
+ become: true
+ vars:
+ audit_storage_components:
+ audit_storage: "{{ audit_storage }}"
+ ansible.builtin.blockinfile:
+ block: "{{ audit_storage_components | to_nice_yaml(indent=2) }}"
+ create: true
+ path: "{{ ansible_installation_status_file }}"
+ marker_begin: AUDIT_STORAGE_BEGIN
+ marker_end: AUDIT_STORAGE_END
+ mode: "0755"
+ tags:
+ - audit_storage
From 52613199fd017e19c6bd72191510dc21a00cbc6f Mon Sep 17 00:00:00 2001
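Review bot: `audit_storage_broker_url` is assembled here as `failover:(…)` without the `?timeout=3000` option that the role default carries, so the play and the role disagree on how long the client waits for the broker before giving up; if the drop is deliberate a short comment saves the next reader a comparison, otherwise appending the same option keeps the two aligned. The OpenSearch connector is pointed at the `elasticsearch_*` host and credentials, which matches the molecule scenario converging the `elasticsearch` role, but a one-line comment such as `# the connector targets whatever search backend elasticsearch_host resolves to` would make that reuse explicit rather than look like a copy-paste slip.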
From: Giovanni Toraldo
Date: Tue, 26 Nov 2024 13:10:03 +0100
Subject: [PATCH 03/14] fixup systemd_service molecule
---
 roles/systemd_service/molecule/default/molecule.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/systemd_service/molecule/default/molecule.yml b/roles/systemd_service/molecule/default/molecule.yml
index 99d43051d..861d895ad 100644
--- a/roles/systemd_service/molecule/default/molecule.yml
+++ b/roles/systemd_service/molecule/default/molecule.yml
@@ -3,7 +3,7 @@ driver: name: docker platforms: - name: instance - dockerfile: ../../../../../tests/Dockerfile-noprivs.j2 + dockerfile: ../../../../tests/molecule/Dockerfile-noprivs.j2 image: rockylinux:9 command: "/lib/systemd/systemd" privileged: true
From cb962d31bdc79e06d2c0ce11c56ea22197eebc51 Mon Sep 17 00:00:00 2001
From: Giovanni Toraldo
Date: Tue, 26 Nov 2024 14:39:31 +0100
Subject: [PATCH 04/14] stub docker enterprise verify
---
 molecule/docker_enterprise/verify.yml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
create mode 100644 molecule/docker_enterprise/verify.yml
diff --git a/molecule/docker_enterprise/verify.yml b/molecule/docker_enterprise/verify.yml
new file mode 100644
index 000000000..b17dc0e02
--- /dev/null
+++ b/molecule/docker_enterprise/verify.yml
@@ -0,0 +1,14 @@
+---
+- name: Verify
+ hosts: all
+ gather_facts: true
+ tasks:
+ - name: Populate services facts
+ ansible.builtin.service_facts:
+
+ - name: Check services up
+ ansible.builtin.assert:
+ quiet: true
+ that:
+ - ansible_facts.services['nginx.service'].state == "running"
+ - ansible_facts.services['alfresco-audit-storage.service'].state == "running"
From 186d6a7134c2ed68b9bbb0c70e6174fd676351d0 Mon Sep 17 00:00:00 2001
From: Giovanni Toraldo
Date: Tue, 26 Nov 2024 14:51:33 +0100
Subject: [PATCH 05/14] fixup checksum url
---
 playbooks/acs.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/playbooks/acs.yml b/playbooks/acs.yml
index 2406a729e..977cfa6d1 100644
--- a/playbooks/acs.yml
+++ b/playbooks/acs.yml
@@ -488,7 +488,7 @@ when: acs.edition == "Enterprise" audit_storage_version: "{{ audit_storage.version }}" audit_storage_zip_url: "{{ downloads.audit_storage_zip_url }}" - audit_storage_zip_sha1_url: "{{ downloads.audit_storage_zip_sha1_url }}" + audit_storage_zip_sha1_url: "{{ downloads.audit_storage_zip_sha1_checksum_url }}" audit_storage_username: "{{ username }}" audit_storage_group_name: "{{ group_name }}" audit_storage_broker_url: "failover:({{ activemq_transport }}://{{ activemq_host }}:{{ ports_cfg.activemq[activemq_protocol] }})"
From de5e01a0231a10c2443fe2b35822941c03f9d49c Mon Sep 17 00:00:00 2001
From: Giovanni Toraldo
Date: Tue, 26 Nov 2024 15:46:28 +0100
Subject: [PATCH 06/14] Get rid of separate role which is unusable with the current structure
---
 .github/workflows/community.yml | 1 -
 roles/audit_storage/defaults/main.yml | 13 ++
 roles/audit_storage/handlers/main.yml | 11 ++
 roles/audit_storage/tasks/main.yml | 25 ++--
 .../templates/systemd-service.j2 | 31 +++++
 roles/audit_storage/vars/main.yml | 3 +
 roles/systemd_service/README.md | 118 ------------------
 roles/systemd_service/defaults/main.yml | 15 ---
 roles/systemd_service/handlers/main.yml | 11 --
 roles/systemd_service/meta/argument_specs.yml | 54 --------
 roles/systemd_service/meta/main.yml | 15 ---
 .../molecule/default/converge.yml | 15 ---
 .../molecule/default/molecule.yml | 15 ---
 .../molecule/default/verify.yml | 26 ----
 roles/systemd_service/tasks/main.yml | 16 ---
 .../templates/systemd-service.j2 | 31 -----
 roles/systemd_service/vars/main.yml | 2 -
 17 files changed, 72 insertions(+), 330 deletions(-)
create mode 100644 roles/audit_storage/templates/systemd-service.j2
delete mode 100644 roles/systemd_service/README.md
delete mode 100644 roles/systemd_service/defaults/main.yml
delete mode 100644 roles/systemd_service/handlers/main.yml
delete mode 100644 roles/systemd_service/meta/argument_specs.yml
delete mode 100644 roles/systemd_service/meta/main.yml
delete mode 100644 roles/systemd_service/molecule/default/converge.yml
delete mode 100644 roles/systemd_service/molecule/default/molecule.yml
delete mode 100644 roles/systemd_service/molecule/default/verify.yml
delete mode 100644 roles/systemd_service/tasks/main.yml
delete mode 100644 roles/systemd_service/templates/systemd-service.j2
delete mode 100644 roles/systemd_service/vars/main.yml
diff --git a/.github/workflows/community.yml b/.github/workflows/community.yml
index 712ff650b..56f20d8d4 100644
--- a/.github/workflows/community.yml
+++ b/.github/workflows/community.yml
@@ -44,7 +44,6 @@ jobs: - name: search - name: tomcat - name: transformers - - name: systemd_service env: PY_COLORS: 1 PYTHONUNBUFFERED: 1 diff --git a/roles/audit_storage/defaults/main.yml b/roles/audit_storage/defaults/main.yml index cf31a51bf..61ac4420e 100644 --- a/roles/audit_storage/defaults/main.yml +++ b/roles/audit_storage/defaults/main.yml @@ -30,3 +30,16 @@ audit_storage_java_bin_path: /opt/openjdk-17.0.11/bin/java audit_storage_binaries_dir: "/opt/alfresco/audit-storage-{{ audit_storage_version }}" audit_storage_config_dir: "/etc/alfresco/audit-storage" + +audit_storage_systemd_service_unit_name: "alfresco-audit-storage" +audit_storage_systemd_service_unit_description: "Alfresco Audit Storage" +audit_storage_systemd_service_exec_start: "{{ audit_storage_java_bin_path }} -jar {{ audit_storage_artifact_path }}" +audit_storage_systemd_service_user: "{{ audit_storage_username }}" + +audit_storage_systemd_service_unit_after: syslog.target network.target local-fs.target remote-fs.target nss-lookup.target +audit_storage_systemd_service_type: simple +audit_storage_systemd_service_exec_stop: kill -15 $MAINPID +audit_storage_systemd_service_working_directory: /tmp +audit_storage_systemd_service_additional_options: {} +audit_storage_systemd_service_state: started +audit_storage_systemd_service_enabled: true diff --git a/roles/audit_storage/handlers/main.yml b/roles/audit_storage/handlers/main.yml index 5557d5647..0f6ade16e 100644 --- a/roles/audit_storage/handlers/main.yml +++ b/roles/audit_storage/handlers/main.yml @@ -1,2 +1,13 @@ --- # handlers file for audit_storage +- name: Reload systemd + become: true + ansible.builtin.systemd: + daemon_reload: true + +- name: Restart {{ audit_storage_systemd_service_unit_name }} + become: true + ansible.builtin.systemd: + name: "{{ audit_storage_systemd_service_unit_name }}" + state: restarted + when: audit_storage_systemd_service_state == 'started' 
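Review bot: `audit_storage_systemd_service_working_directory: /tmp` in the new block of roles/audit_storage/defaults/main.yml starts the JVM with the shared, world-writable /tmp as its working directory, and the template that consumes it sets no `PrivateTmp=`, so every relative path the service resolves lands in a directory any local account can write to. A safer default is the install directory, `audit_storage_systemd_service_working_directory: "{{ audit_storage_binaries_dir }}"`, or alternatively `PrivateTmp=true` passed through `audit_storage_systemd_service_additional_options`. These variables also arrive without the descriptions their predecessors had in the deleted roles/systemd_service/meta/argument_specs.yml; a `# systemd unit settings rendered by templates/systemd-service.j2` header above the group, plus an argument_specs entry per variable in this role, would restore that documentation.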
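Review bot: The restart handler in roles/audit_storage/handlers/main.yml is addressed by a templated name, `Restart {{ audit_storage_systemd_service_unit_name }}`, which the tasks hunk below repeats verbatim in its `notify` list; Ansible templates handler names early and documents that a variable changed later in the play will not re-create the handler, so the notification can silently miss when the unit name is overridden per host. The documented alternative is a fixed `listen:` topic: `- name: Restart audit storage service` with `listen: restart audit_storage`, notified as `restart audit_storage` from the template task. The `when: audit_storage_systemd_service_state == 'started'` guard is sound, since restarting a unit the play wants stopped would re-start it.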
diff --git a/roles/audit_storage/tasks/main.yml b/roles/audit_storage/tasks/main.yml index 321b82c21..8180ff75e 100644 --- a/roles/audit_storage/tasks/main.yml +++ b/roles/audit_storage/tasks/main.yml @@ -32,14 +32,17 @@ owner: "{{ audit_storage_username }}" group: "{{ audit_storage_group_name }}" - - name: Install service - ansible.builtin.include_role: - name: systemd_service - vars: - systemd_service_unit_name: "alfresco-audit-storage" - systemd_service_unit_description: "Alfresco Audit Storage" - systemd_service_exec_start: "{{ audit_storage_java_bin_path }} -jar {{ audit_storage_artifact_path }}" - systemd_service_user: "{{ audit_storage_username }}" - systemd_service_environment: >- - {{ audit_storage_default_environment | - combine(audit_storage_environment) }} + - name: Create systemd service + ansible.builtin.template: + src: systemd-service.j2 + dest: /etc/systemd/system/{{ audit_storage_systemd_service_unit_name }}.service + mode: "0644" + notify: + - Reload systemd + - Restart {{ audit_storage_systemd_service_unit_name }} + + - name: Start service + ansible.builtin.systemd: + name: "{{ audit_storage_systemd_service_unit_name }}" + state: "{{ audit_storage_systemd_service_state }}" + enabled: "{{ audit_storage_systemd_service_enabled }}" diff --git a/roles/audit_storage/templates/systemd-service.j2 b/roles/audit_storage/templates/systemd-service.j2 new file mode 100644 index 000000000..aac9c760e --- /dev/null +++ b/roles/audit_storage/templates/systemd-service.j2 
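Review bot: The `Create systemd service` task installs the unit with `mode: "0644"`, and the unit body rendered by the templates/systemd-service.j2 hunk below writes every entry of `audit_storage_systemd_service_environment` as an `Environment=` line — that map is built from `audit_storage_default_environment`, which carries `SPRING_ACTIVEMQ_PASSWORD` (and presumably the opensearch password), so broker and search credentials become readable by any local account; as far as I know `systemctl show` also exposes `Environment=` independently of the file mode. Keep secrets out of the unit: render the environment into `{{ audit_storage_config_dir }}/environment` with `mode: "0600"` and `owner: root`, and replace the loop with `EnvironmentFile={{ audit_storage_config_dir }}/environment`. This point applies equally to the template hunk below and is not repeated there. Whether the template and `Start service` tasks inherit `become: true` from an enclosing block is not visible in this hunk (the task list starts before it); the handlers added in the same commit set it explicitly, which suggests confirming it for these two tasks as well.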
@@ -0,0 +1,31 @@ +[Unit] +Description={{ audit_storage_systemd_service_unit_description }} +After={{ audit_storage_systemd_service_unit_after }} + +[Service] +Type={{ audit_storage_systemd_service_type }} +{% if audit_storage_systemd_service_type == 'oneshot' %} +RemainAfterExit=yes +{% endif %} + +User={{ audit_storage_systemd_service_user }} + +{% for key, value in audit_storage_systemd_service_environment.items() %} +Environment="{{ key }}={{ value | replace('%', '%%') }}" +{% endfor %} + +ExecStart={{ audit_storage_systemd_service_exec_start }} +ExecStop={{ audit_storage_systemd_service_exec_stop }} + +Restart=on-failure +RestartSec=60 +SuccessExitStatus=143 + +WorkingDirectory={{ audit_storage_systemd_service_working_directory }} + +{% for key, value in audit_storage_systemd_service_additional_options.items() %} +{{ key }}={{ value }} +{% endfor %} + +[Install] +WantedBy=multi-user.target diff --git a/roles/audit_storage/vars/main.yml b/roles/audit_storage/vars/main.yml index 0e28f196c..9786eab47 100644 --- a/roles/audit_storage/vars/main.yml +++ b/roles/audit_storage/vars/main.yml @@ -1,3 +1,6 @@ --- # vars file for audit_storage audit_storage_artifact_path: "{{ audit_storage_binaries_dir }}/{{ audit_storage_artifact_name }}-{{ audit_storage_version }}.jar" +audit_storage_systemd_service_environment: >- + {{ audit_storage_default_environment | + combine(audit_storage_environment) }} diff --git a/roles/systemd_service/README.md b/roles/systemd_service/README.md deleted file mode 100644 index 02cf5f87a..000000000 --- a/roles/systemd_service/README.md +++ /dev/null 
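Review bot: The `Environment="{{ key }}={{ value | replace('%', '%%') }}"` line escapes systemd specifiers but not the two characters that matter inside a double-quoted systemd assignment: a `"` in a value closes the quoted string early and a trailing `\` swallows the closing quote, so a password containing either yields a unit systemd rejects or truncates. Add the C-style escapes systemd expects, `Environment="{{ key }}={{ value | replace('\\', '\\\\') | replace('"', '\\"') | replace('%', '%%') }}"`, and consider the same for the `audit_storage_systemd_service_additional_options` loop, whose values are written unescaped. The pairing of `SuccessExitStatus=143` with `ExecStop=kill -15 $MAINPID` is correct but non-obvious; a unit comment above it, `# 143 = 128 + SIGTERM: a JVM stopped by ExecStop exits cleanly rather than as a failure`, would save the next reader the arithmetic.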
@@ -1,118 +0,0 @@ -# systemd_service - -Install and configure systemd services - -## Table of content - -* [systemd\_service](#systemd_service) - * [Table of content](#table-of-content) - * [Requirements](#requirements) - * [Default Variables](#default-variables) - * [systemd\_service\_additional\_options](#systemd_service_additional_options) - * [systemd\_service\_enabled](#systemd_service_enabled) - * [systemd\_service\_environment](#systemd_service_environment) - * [systemd\_service\_exec\_start](#systemd_service_exec_start) - * [systemd\_service\_exec\_stop](#systemd_service_exec_stop) - * [systemd\_service\_state](#systemd_service_state) - * [systemd\_service\_type](#systemd_service_type) - * [systemd\_service\_unit\_after](#systemd_service_unit_after) - * [systemd\_service\_unit\_description](#systemd_service_unit_description) - * [systemd\_service\_unit\_name](#systemd_service_unit_name) - * [systemd\_service\_user](#systemd_service_user) - * [systemd\_service\_working\_directory](#systemd_service_working_directory) - * [Dependencies](#dependencies) - * [License](#license) - * [Author](#author) - ---- - -## Requirements - -* Minimum Ansible version: `2.1` - -## Default Variables - -### systemd_service_additional_options - -```YAML -systemd_service_additional_options: {} -``` - -### systemd_service_enabled - -```YAML -systemd_service_enabled: true -``` - -### systemd_service_environment - -```YAML -systemd_service_environment: {} -``` - -### systemd_service_exec_start - -```YAML -systemd_service_exec_start: '' -``` - -### systemd_service_exec_stop - -```YAML -systemd_service_exec_stop: kill -15 $MAINPID -``` - -### systemd_service_state - -```YAML -systemd_service_state: started -``` - -### systemd_service_type - -```YAML -systemd_service_type: simple -``` - -### systemd_service_unit_after - -```YAML -systemd_service_unit_after: syslog.target network.target local-fs.target remote-fs.target - nss-lookup.target -``` - -### systemd_service_unit_description - 
-```YAML -systemd_service_unit_description: '' -``` - -### systemd_service_unit_name - -```YAML -systemd_service_unit_name: '' -``` - -### systemd_service_user - -```YAML -systemd_service_user: '' -``` - -### systemd_service_working_directory - -```YAML -systemd_service_working_directory: /tmp -``` - -## Dependencies - -None. - -## License - -Apache-2.0 - -## Author - -Alfresco Ops Readiness diff --git a/roles/systemd_service/defaults/main.yml b/roles/systemd_service/defaults/main.yml deleted file mode 100644 index 8ac453bf8..000000000 --- a/roles/systemd_service/defaults/main.yml +++ /dev/null @@ -1,15 +0,0 @@ ---- -# defaults file for systemd-service -systemd_service_unit_name: '' -systemd_service_unit_description: '' -systemd_service_unit_after: syslog.target network.target local-fs.target remote-fs.target nss-lookup.target - -systemd_service_type: simple -systemd_service_user: '' -systemd_service_environment: {} -systemd_service_exec_start: '' -systemd_service_exec_stop: kill -15 $MAINPID -systemd_service_working_directory: /tmp -systemd_service_additional_options: {} -systemd_service_state: started -systemd_service_enabled: true diff --git a/roles/systemd_service/handlers/main.yml b/roles/systemd_service/handlers/main.yml deleted file mode 100644 index 5cb38574b..000000000 --- a/roles/systemd_service/handlers/main.yml +++ /dev/null @@ -1,11 +0,0 @@ ---- -# handlers file for systemd-service -- name: Reload systemd - ansible.builtin.systemd: - daemon_reload: true - -- name: Restart {{ systemd_service_unit_name }} - ansible.builtin.systemd: - name: "{{ systemd_service_unit_name }}" - state: restarted - when: systemd_service_state == 'started' diff --git a/roles/systemd_service/meta/argument_specs.yml b/roles/systemd_service/meta/argument_specs.yml deleted file mode 100644 index 473e6f568..000000000 --- a/roles/systemd_service/meta/argument_specs.yml +++ /dev/null 
@@ -1,54 +0,0 @@ ---- -argument_specs: - main: - short_description: Install a systemd service unit - description: | - This role installs a systemd service unit and starts it. - options: - systemd_service_unit_name: - type: str - description: Name of the systemd service unit - required: true - systemd_service_unit_description: - type: str - description: Description of the systemd service unit - required: true - systemd_service_unit_after: - type: str - description: List of systemd targets to start after (space separated) - systemd_service_type: - type: str - description: Type of the systemd service unit - default: simple - systemd_service_user: - type: str - description: User to run the systemd service as - required: true - systemd_service_environment: - type: dict - description: Environment variables to set for the systemd service unit - default: {} - systemd_service_exec_start: - type: str - description: Command to start the systemd service unit - required: true - systemd_service_exec_stop: - type: str - description: Command to stop the systemd service unit - default: kill -15 $MAINPID - systemd_service_working_directory: - type: str - description: Working directory for the systemd service unit - default: /tmp - systemd_service_additional_options: - type: dict - description: Additional options to set for the systemd service unit - default: {} - systemd_service_state: - type: str - description: Default state of the systemd service unit - default: started - systemd_service_enabled: - type: bool - description: Whether the systemd service unit should be enabled (started on boot) - default: true diff --git a/roles/systemd_service/meta/main.yml b/roles/systemd_service/meta/main.yml deleted file mode 100644 index 6469276df..000000000 --- a/roles/systemd_service/meta/main.yml +++ /dev/null 
@@ -1,15 +0,0 @@ -galaxy_info: - author: Alfresco Ops Readiness - description: Install and configure systemd services - company: Hyland - - license: Apache-2.0 - - min_ansible_version: '2.1' - - galaxy_tags: - - systemd - - service - - configuration - -dependencies: [] diff --git a/roles/systemd_service/molecule/default/converge.yml b/roles/systemd_service/molecule/default/converge.yml deleted file mode 100644 index ccc6447a6..000000000 --- a/roles/systemd_service/molecule/default/converge.yml +++ /dev/null @@ -1,15 +0,0 @@ ---- -- name: Converge - hosts: all - gather_facts: false - tasks: - - name: Include role - ansible.builtin.include_role: - name: systemd_service - vars: - systemd_service_unit_name: my-test-service - systemd_service_unit_description: My very cool service - systemd_service_exec_start: /bin/sleep infinity - systemd_service_environment: - MY_ENV_VAR: my_value - ANOTHER_ENV_VAR: another_value diff --git a/roles/systemd_service/molecule/default/molecule.yml b/roles/systemd_service/molecule/default/molecule.yml deleted file mode 100644 index 861d895ad..000000000 --- a/roles/systemd_service/molecule/default/molecule.yml +++ /dev/null @@ -1,15 +0,0 @@ ---- -driver: - name: docker -platforms: - - name: instance - dockerfile: ../../../../tests/molecule/Dockerfile-noprivs.j2 - image: rockylinux:9 - command: "/lib/systemd/systemd" - privileged: true - tmpfs: - - /run - - /run/lock - - /tmp - volume: - - "/sys/fs/cgroup:/sys/fs/cgroup:ro" diff --git a/roles/systemd_service/molecule/default/verify.yml b/roles/systemd_service/molecule/default/verify.yml deleted file mode 100644 index 01dca08fc..000000000 --- a/roles/systemd_service/molecule/default/verify.yml +++ /dev/null 
@@ -1,26 +0,0 @@ ---- -- name: Verify - hosts: all - gather_facts: false - tasks: - - name: Check service is running - ansible.builtin.systemd: - name: my-test-service - state: started - - - name: Check service is enabled - ansible.builtin.systemd: - name: my-test-service - enabled: true - - - name: Check logs for warnings and errors - ansible.builtin.command: journalctl -u my-test-service -p 5 - register: journalctl_output - changed_when: false - - - name: Assert logs are clean - ansible.builtin.assert: - that: - - journalctl_output.stdout_lines[0] == '-- No entries --' - fail_msg: "Service logs contain warnings or errors: {{ journalctl_output.stdout }}" - quiet: true diff --git a/roles/systemd_service/tasks/main.yml b/roles/systemd_service/tasks/main.yml deleted file mode 100644 index b2f3811ad..000000000 --- a/roles/systemd_service/tasks/main.yml +++ /dev/null @@ -1,16 +0,0 @@ ---- -# tasks file for systemd-service -- name: Create systemd service - ansible.builtin.template: - src: systemd-service.j2 - dest: /etc/systemd/system/{{ systemd_service_unit_name }}.service - mode: "0644" - notify: - - Reload systemd - - Restart {{ systemd_service_unit_name }} - -- name: Start service - ansible.builtin.systemd: - name: "{{ systemd_service_unit_name }}" - state: "{{ systemd_service_state }}" - enabled: "{{ systemd_service_enabled }}" diff --git a/roles/systemd_service/templates/systemd-service.j2 b/roles/systemd_service/templates/systemd-service.j2 deleted file mode 100644 index 659a5506c..000000000 --- a/roles/systemd_service/templates/systemd-service.j2 +++ /dev/null 
@@ -1,31 +0,0 @@ -[Unit] -Description={{ systemd_service_unit_description }} -After={{ systemd_service_unit_after }} - -[Service] -Type={{ systemd_service_type }} -{% if systemd_service_type == 'oneshot' %} -RemainAfterExit=yes -{% endif %} - -User={{ systemd_service_user }} - -{% for key, value in systemd_service_environment.items() %} -Environment="{{ key }}={{ value | replace('%', '%%') }}" -{% endfor %} - -ExecStart={{ systemd_service_exec_start }} -ExecStop={{ systemd_service_exec_stop }} - -Restart=on-failure -RestartSec=60 -SuccessExitStatus=143 - -WorkingDirectory={{ systemd_service_working_directory }} - -{% for key, value in systemd_service_additional_options.items() %} -{{ key }}={{ value }} -{% endfor %} - -[Install] -WantedBy=multi-user.target diff --git a/roles/systemd_service/vars/main.yml b/roles/systemd_service/vars/main.yml deleted file mode 100644 index 4523ba097..000000000 --- a/roles/systemd_service/vars/main.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -# vars file for systemd-service From fd59dbebbaa642cf8fe010131128e169d99a898b Mon Sep 17 00:00:00 2001 From: Giovanni Toraldo Date: Thu, 28 Nov 2024 10:01:27 +0100 Subject: [PATCH 07/14] add acs version validation for audit-storage --- playbooks/acs.yml | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/playbooks/acs.yml b/playbooks/acs.yml index 977cfa6d1..79fd2968e 100644 --- a/playbooks/acs.yml +++ b/playbooks/acs.yml 
@@ -483,9 +483,16 @@ - name: Audit Storage Role hosts: audit_storage gather_facts: false + vars: + acs_version_requirement: "{{ acs.version is version('23.4', 'ge') }}" + pre_tasks: + - name: Assert that the required version is met + ansible.builtin.fail: + msg: "Audit Storage requires ACS 23.4 or later" + when: not acs_version_requirement roles: - role: "../roles/audit_storage" - when: acs.edition == "Enterprise" + when: acs.edition == "Enterprise" and acs_version_requirement audit_storage_version: "{{ audit_storage.version }}" audit_storage_zip_url: "{{ downloads.audit_storage_zip_url }}" audit_storage_zip_sha1_url: "{{ downloads.audit_storage_zip_sha1_checksum_url }}" @@ -499,7 +506,7 @@ audit_storage_opensearch_password: "{{ elasticsearch_password }}" post_tasks: - name: Update installation status file with Audit Storage - when: acs.edition == "Enterprise" + when: acs.edition == "Enterprise" and acs_version_requirement become: true vars: audit_storage_components: From 87aebd5983e5e2be0855a2795e78a4d6201dea13 Mon Sep 17 00:00:00 2001 From: Giovanni Toraldo Date: Fri, 29 Nov 2024 12:40:10 +0100 Subject: [PATCH 08/14] deprecate enterprise-extended --- .github/workflows/enteprise.yml | 6 +++ .github/workflows/enterprise-extended.yml | 51 ----------------------- README.md | 3 +- 3 files changed, 7 insertions(+), 53 deletions(-) delete mode 100644 .github/workflows/enterprise-extended.yml diff --git a/.github/workflows/enteprise.yml b/.github/workflows/enteprise.yml index 801380960..e44af78d7 100644 --- a/.github/workflows/enteprise.yml +++ b/.github/workflows/enteprise.yml @@ -155,6 +155,12 @@ jobs: fail-fast: false matrix: molecule_scenario: + - name: default + vars: vars-ubuntu20-72.yml + desc: EC2 ACS 7.2 (Ubuntu 20.04) + - name: default + vars: vars-ubuntu20-73.yml + desc: EC2 ACS 7.3 (Ubuntu 20.04) - name: default vars: vars-rocky8.yml desc: EC2 ACS 7.4 (Rocky Linux 8.9) 
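Review bot: The new `Assert that the required version is met` pre-task fails whenever `acs.version` is below 23.4, but the role and the post-task it protects additionally require `acs.edition == "Enterprise"`, so a Community deployment — or an older Enterprise matrix entry such as the 7.2/7.3 scenarios the workflow hunk below re-enables — with any host in the `audit_storage` group now aborts the whole play where it previously skipped the role. If skipping is the intent, the guard should mirror the role's condition, `when: acs.edition == "Enterprise" and not acs_version_requirement`; if failing fast is the intent, the `and acs_version_requirement` added to the role and to the post-task can never be false at that point and should be dropped. The play's task list continues past the end of this hunk.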
diff --git a/.github/workflows/enterprise-extended.yml b/.github/workflows/enterprise-extended.yml deleted file mode 100644 index d15e61db5..000000000 --- a/.github/workflows/enterprise-extended.yml +++ /dev/null @@ -1,51 +0,0 @@ -name: "enterprise-extended" - -on: - workflow_dispatch: - -env: - DTAS_VERSION: v1.5.4 - BUILD_NUMBER: ${{ github.run_id }} - PY_COLORS: 1 - PYTHONUNBUFFERED: 1 - -concurrency: - group: ${{ github.workflow }}-${{ github.head_ref || github.ref_name }} - cancel-in-progress: false - -jobs: - ec2-extended: - name: ${{ matrix.molecule_scenario.desc }} - runs-on: ubuntu-latest - strategy: - fail-fast: false - matrix: - molecule_scenario: - - name: default - vars: vars-ubuntu20-72.yml - desc: EC2 ACS 7.2 (Ubuntu 20.04) - - name: default - vars: vars-ubuntu20-73.yml - desc: EC2 ACS 7.3 (Ubuntu 20.04) - env: - AWS_REGION: eu-west-1 - MOLECULE_IT_AWS_VPC_SUBNET_ID: subnet-6bdd4223 - steps: - - name: Checkout - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - with: - # avoid auth conflict when cloning DTAS during verify step - persist-credentials: false - - - name: Run extended tests - uses: ./.github/actions/molecule_integration_ec2 - timeout-minutes: 185 - with: - matrix_name: ${{ matrix.molecule_scenario.name }} - matrix_vars: ${{ matrix.molecule_scenario.vars }} - matrix_desc: ${{ matrix.molecule_scenario.desc }} - nexus_username: ${{ secrets.NEXUS_USERNAME }} - nexus_password: ${{ secrets.NEXUS_PASSWORD }} - aws_access_key_id: ${{ secrets.aws_access_key_id }} - aws_secret_access_key: ${{ secrets.aws_secret_access_key }} - pat: ${{ secrets.BOT_GITHUB_TOKEN }} diff --git a/README.md b/README.md index 93270eb61..f3d952642 100644 --- a/README.md +++ b/README.md 
@@ -194,8 +194,7 @@ Follow this quick checklist: * review currently open dependabot/renovate and merge them * copy the versions inside the group_vars/all.yml to a new XX.N-extra-vars.yml (in case of a new ACS major version) -* run [updatecli workflow](https://github.com/Alfresco/alfresco-ansible-deployment/actions/workflows/updatecli.yml) -* run [enterprise-extended](https://github.com/Alfresco/alfresco-ansible-deployment/actions/workflows/enterprise-extended.yml) and make sure it is green +* bump versions constraints in scripts/updatecli/updatecli_acs*.yml (workflow will take care of the rest) * ensure that the [versions table in the main readme](docs/overview.md#versioning) has been updated * ensure that docker images and AMI id for the root molecule tests are reflecting any minor OS release (e.g. [default suite](../molecule/default/)) From 72cc49b28ecf3580a031584ec7bf98d35f3c311d Mon Sep 17 00:00:00 2001 From: Giovanni Toraldo Date: Fri, 29 Nov 2024 14:10:05 +0100 Subject: [PATCH 09/14] set free server port for audit-storage --- roles/audit_storage/defaults/main.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/roles/audit_storage/defaults/main.yml b/roles/audit_storage/defaults/main.yml index 61ac4420e..e38386be0 100644 --- a/roles/audit_storage/defaults/main.yml +++ b/roles/audit_storage/defaults/main.yml @@ -9,6 +9,8 @@ audit_storage_artifact_name: alfresco-audit-storage-app audit_storage_username: alfresco audit_storage_group_name: alfresco +audit_storage_server_port: 8083 + audit_storage_broker_url: failover:(nio://localhost:61616)?timeout=3000 audit_storage_broker_username: admin audit_storage_broker_password: admin 
@@ -17,6 +19,7 @@ audit_storage_opensearch_username: '' audit_storage_opensearch_password: '' audit_storage_default_environment: + SERVER_PORT: "{{ audit_storage_server_port }}" SPRING_ACTIVEMQ_BROKERURL: "{{ audit_storage_broker_url }}" SPRING_ACTIVEMQ_USER: "{{ audit_storage_broker_username }}" SPRING_ACTIVEMQ_PASSWORD: "{{ audit_storage_broker_password }}" From 4df8a0a569c9ddc6458893f18c1f24d1f25c5697 Mon Sep 17 00:00:00 2001 From: Giovanni Toraldo Date: Fri, 29 Nov 2024 14:11:01 +0100 Subject: [PATCH 10/14] add dtas audit test --- .envrc | 2 +- .github/workflows/enteprise.yml | 2 +- molecule/docker_enterprise/molecule.yml | 2 ++ molecule/docker_enterprise/verify.yml | 14 -------------- molecule/elasticsearch/molecule.yml | 3 ++- tests/test-config.json | 4 ++++ 6 files changed, 10 insertions(+), 17 deletions(-) delete mode 100644 molecule/docker_enterprise/verify.yml diff --git a/.envrc b/.envrc index 86b658b02..7565d7c30 100644 --- a/.envrc +++ b/.envrc @@ -4,7 +4,7 @@ export AWS_REGION=eu-west-1 export MOLECULE_IT_AWS_VPC_SUBNET_ID=subnet-6bdd4223 export BRANCH_NAME=local export BUILD_NUMBER=1 -export DTAS_VERSION=v1.5.3 +export DTAS_VERSION=v1.6.0 export MOLECULE_IT_ID=$(echo "$LOGNAME" | sha256sum | cut -c1-6) ANSIBLE_VAULT_PASSWORD_FILE=$(expand_path ./.vault_pass.txt) export ANSIBLE_VAULT_PASSWORD_FILE diff --git a/.github/workflows/enteprise.yml b/.github/workflows/enteprise.yml index e44af78d7..60f6b4199 100644 --- a/.github/workflows/enteprise.yml +++ b/.github/workflows/enteprise.yml @@ -19,7 +19,7 @@ on: workflow_dispatch: env: - DTAS_VERSION: v1.5.5 + DTAS_VERSION: v1.6.0 BUILD_NUMBER: ${{ github.run_id }} PY_COLORS: 1 PYTHONUNBUFFERED: 1 diff --git a/molecule/docker_enterprise/molecule.yml b/molecule/docker_enterprise/molecule.yml index e02e3e0e6..480ef5310 100644 --- a/molecule/docker_enterprise/molecule.yml +++ b/molecule/docker_enterprise/molecule.yml 
@@ -30,6 +30,8 @@ platforms: - audit_storage published_ports: - 0.0.0.0:443:443/tcp + - 0.0.0.0:8083:8083/tcp + - 0.0.0.0:9200:9200/tcp provisioner: name: ansible diff --git a/molecule/docker_enterprise/verify.yml b/molecule/docker_enterprise/verify.yml deleted file mode 100644 index b17dc0e02..000000000 --- a/molecule/docker_enterprise/verify.yml +++ /dev/null @@ -1,14 +0,0 @@ ---- -- name: Verify - hosts: all - gather_facts: true - tasks: - - name: Populate services facts - ansible.builtin.service_facts: - - - name: Check services up - ansible.builtin.assert: - quiet: true - that: - - ansible_facts.services['nginx.service'].state == "running" - - ansible_facts.services['alfresco-audit-storage.service'].state == "running" diff --git a/molecule/elasticsearch/molecule.yml b/molecule/elasticsearch/molecule.yml index 71a1e74fc..25a230c69 100644 --- a/molecule/elasticsearch/molecule.yml +++ b/molecule/elasticsearch/molecule.yml @@ -29,6 +29,7 @@ platforms: - sfs - syncservice - transformers + - audit_storage - trusted_resource_consumers provisioner: name: ansible @@ -47,6 +48,6 @@ provisioner: playbooks: prepare: ../default/prepare.yml converge: ../../playbooks/acs.yml - verify: ../multimachine/verify.yml + verify: ../default/verify.yml verifier: name: ansible diff --git a/tests/test-config.json b/tests/test-config.json index 785c32ce2..3bd79b1b1 100644 --- a/tests/test-config.json +++ b/tests/test-config.json @@ -33,6 +33,10 @@ }, "adw": { "version": "5.2.0" + }, + "aas": { + "audit_host": "http://localhost:8083", + "elasticsearch_host": "http://localhost:9200" } } } From 719374e8f399d775d2c7f10398072feedd2b2696 Mon Sep 17 00:00:00 2001 
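Review bot: The two new `published_ports` entries bind the audit-storage and Elasticsearch ports on `0.0.0.0`, while the DTAS configuration added in the same commit (`aas.audit_host` / `elasticsearch_host` in tests/test-config.json) reaches them only via `localhost`, so the wider binding buys the tests nothing and exposes both services on every interface of the machine running the scenario; whether Elasticsearch has authentication enabled in this suite is not visible here, which is one more reason not to widen it. Binding to loopback, `- 127.0.0.1:8083:8083/tcp` and `- 127.0.0.1:9200:9200/tcp`, keeps the test reachable without the exposure. The pre-existing `443` mapping is a candidate for the same treatment but is outside this change.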
From: Giovanni Toraldo Date: Fri, 29 Nov 2024 16:48:47 +0100 Subject: [PATCH 11/14] have a separate dtas config for docker enterprise suite --- molecule/docker_enterprise/molecule.yml | 2 ++ tests/test-config-aas.json | 42 +++++++++++++++++++++++++ tests/test-config.json | 4 --- 3 files changed, 44 insertions(+), 4 deletions(-) create mode 100644 tests/test-config-aas.json diff --git a/molecule/docker_enterprise/molecule.yml b/molecule/docker_enterprise/molecule.yml index 480ef5310..88bb4edb2 100644 --- a/molecule/docker_enterprise/molecule.yml +++ b/molecule/docker_enterprise/molecule.yml @@ -38,6 +38,8 @@ provisioner: config_options: defaults: pipelining: true + env: + MOLECULE_IT_TEST_CONFIG: tests/test-config-aas.json ansible_args: - -e - "@../../tests/test-ssl.yml" diff --git a/tests/test-config-aas.json b/tests/test-config-aas.json new file mode 100644 index 000000000..3bd79b1b1 --- /dev/null +++ b/tests/test-config-aas.json @@ -0,0 +1,42 @@ +{ + "config": { + "host": "TEST_URL", + "username": "admin", + "password": "admin", + "search_retry_interval_seconds": "30" + }, + "assertions": { + "acs": { + "edition": "Enterprise", + "version": "23.4.0", + "identity": false, + "modules": [ + { + "id": "org.alfresco.integrations.google.docs", + "version": "4.1.0", + "installed": true + }, + { + "id": "alfresco-aos-module", + "version": "3.2.0", + "installed": true + }, + { + "id": "org_alfresco_device_sync_repo", + "version": "5.1.0", + "installed": true + } + ] + }, + "acc": { + "version": "9.2.0" + }, + "adw": { + "version": "5.2.0" + }, + "aas": { + "audit_host": "http://localhost:8083", + "elasticsearch_host": "http://localhost:9200" + } + } + } diff --git a/tests/test-config.json b/tests/test-config.json index 3bd79b1b1..785c32ce2 100644 --- a/tests/test-config.json +++ b/tests/test-config.json @@ -33,10 +33,6 @@ }, "adw": { "version": "5.2.0" - }, - "aas": { - "audit_host": "http://localhost:8083", - "elasticsearch_host": "http://localhost:9200" } } } 
From 8cc4f8e879dc3f567a10f7eb9bda12e178ad7987 Mon Sep 17 00:00:00 2001 From: Giovanni Toraldo Date: Fri, 29 Nov 2024 17:43:22 +0100 Subject: [PATCH 12/14] fixup dtas --- molecule/docker_enterprise/molecule.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/molecule/docker_enterprise/molecule.yml b/molecule/docker_enterprise/molecule.yml index 88bb4edb2..518b423bc 100644 --- a/molecule/docker_enterprise/molecule.yml +++ b/molecule/docker_enterprise/molecule.yml @@ -38,8 +38,6 @@ provisioner: config_options: defaults: pipelining: true - env: - MOLECULE_IT_TEST_CONFIG: tests/test-config-aas.json ansible_args: - -e - "@../../tests/test-ssl.yml" @@ -52,3 +50,5 @@ provisioner: verify: ../default/verify.yml verifier: name: ansible + env: + MOLECULE_IT_TEST_CONFIG: tests/test-config-aas.json From a03690f68830989c3c547a29b64b65f53b6b0f69 Mon Sep 17 00:00:00 2001 From: Giovanni Toraldo Date: Mon, 2 Dec 2024 11:18:59 +0100 Subject: [PATCH 13/14] Revert search services due to java 11 incompat --- 7.2.N-extra-vars.yml | 2 +- 7.3.N-extra-vars.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/7.2.N-extra-vars.yml b/7.2.N-extra-vars.yml index c67da439e..b8d8b7fa1 100644 --- a/7.2.N-extra-vars.yml +++ b/7.2.N-extra-vars.yml @@ -27,7 +27,7 @@ search_enterprise: search: artifact_name: alfresco-search-services repository: "{{ nexus_repository.releases }}" - version: 2.0.13 + version: 2.0.12 # ACS-9048 transform: artifact_name: alfresco-transform-core-aio repository: "{{ nexus_repository.releases }}" diff --git a/7.3.N-extra-vars.yml b/7.3.N-extra-vars.yml index ddd1b6140..6b2ab0f9a 100644 --- a/7.3.N-extra-vars.yml +++ b/7.3.N-extra-vars.yml @@ -27,7 +27,7 @@ search_enterprise: search: artifact_name: alfresco-search-services repository: "{{ nexus_repository.releases }}" - version: 2.0.13 + version: 2.0.12 # ACS-9048 transform: artifact_name: alfresco-transform-core-aio repository: "{{ nexus_repository.releases }}" 
From de887727d2b309959e66da1d228e05642d3b268c Mon Sep 17 00:00:00 2001 From: Giovanni Toraldo Date: Mon, 2 Dec 2024 17:42:26 +0100 Subject: [PATCH 14/14] fix review --- roles/audit_storage/README.md | 38 --------------------------- roles/audit_storage/defaults/main.yml | 4 +-- 2 files changed, 2 insertions(+), 40 deletions(-) delete mode 100644 roles/audit_storage/README.md diff --git a/roles/audit_storage/README.md b/roles/audit_storage/README.md deleted file mode 100644 index 225dd44b9..000000000 --- a/roles/audit_storage/README.md +++ /dev/null @@ -1,38 +0,0 @@ -Role Name -========= - -A brief description of the role goes here. - -Requirements ------------- - -Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. - -Role Variables --------------- - -A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. - -Dependencies ------------- - -A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. - -Example Playbook ----------------- - -Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: - - - hosts: servers - roles: - - { role: username.rolename, x: 42 } - -License -------- - -BSD - -Author Information ------------------- - -An optional section for the role authors to include contact information, or a website (HTML is not allowed). 
diff --git a/roles/audit_storage/defaults/main.yml b/roles/audit_storage/defaults/main.yml index e38386be0..c6846b632 100644 --- a/roles/audit_storage/defaults/main.yml +++ b/roles/audit_storage/defaults/main.yml @@ -12,8 +12,8 @@ audit_storage_group_name: alfresco audit_storage_server_port: 8083 audit_storage_broker_url: failover:(nio://localhost:61616)?timeout=3000 -audit_storage_broker_username: admin -audit_storage_broker_password: admin +audit_storage_broker_username: '' +audit_storage_broker_password: '' audit_storage_opensearch_url: http://localhost:9200 audit_storage_opensearch_username: '' audit_storage_opensearch_password: ''