From d25f4d15bf34504d362356a1fce9d94af5bf5591 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Harri=20J=C3=A4=C3=A4linoja?= Date: Thu, 22 Sep 2016 15:42:11 +0300 Subject: [PATCH 1/4] add packages needed for selinux setup --- ansible/roles/omero-web-runtime/tasks/main.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/ansible/roles/omero-web-runtime/tasks/main.yml b/ansible/roles/omero-web-runtime/tasks/main.yml index 3ba16e672..fbd888c11 100644 --- a/ansible/roles/omero-web-runtime/tasks/main.yml +++ b/ansible/roles/omero-web-runtime/tasks/main.yml @@ -48,8 +48,12 @@ - name: omero | install selinux utilities become: yes yum: - name: libselinux-python + name: "{{ item }}" state: present + with_items: + - libselinux-python + - libsemanage-python + - policycoreutils-python when: omero_selinux_setup - name: omero web | selinux booleans @@ -71,4 +75,4 @@ proto: tcp setype: http_port_t state: present - when: omero_selinux_setup \ No newline at end of file + when: omero_selinux_setup From 4e92796806dc70f719e21362a3ee018ff9abb891 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Harri=20J=C3=A4=C3=A4linoja?= Date: Tue, 27 Sep 2016 13:46:23 +0300 Subject: [PATCH 2/4] add handler to update config --- ansible/roles/omero-server/handlers/main.yml | 5 +++++ ansible/roles/omero-server/tasks/main.yml | 2 ++ 2 files changed, 7 insertions(+) diff --git a/ansible/roles/omero-server/handlers/main.yml b/ansible/roles/omero-server/handlers/main.yml index d94912d1f..0a2d8ec65 100644 --- a/ansible/roles/omero-server/handlers/main.yml +++ b/ansible/roles/omero-server/handlers/main.yml @@ -6,3 +6,8 @@ service: name: nginx state: restarted + +- name: update config + become: yes + become_user: omero + shell: "{{ omero_serverdir }}/{{ omero_server_symlink }}/bin/omero load < {{ omero_basedir }}/config/omero-base.config" diff --git a/ansible/roles/omero-server/tasks/main.yml b/ansible/roles/omero-server/tasks/main.yml index 458969b5f..0c296e387 100644 
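Review bot: The new `update config` handler in omero-server/handlers/main.yml builds its `shell:` command from three unquoted variables, so a value of `omero_serverdir`, `omero_server_symlink` or `omero_basedir` containing whitespace or shell metacharacters splits the command or moves the redirection; quoting the interpolated paths, `shell: "'{{ omero_serverdir }}/{{ omero_server_symlink }}/bin/omero' load < '{{ omero_basedir }}/config/omero-base.config'"`, keeps the command intact. Handler names live in one namespace across all roles in a play, so a generic `update config` can be triggered by, or collide with, another role's handler of the same name; a role-prefixed name such as `omero | update config`, matching the `omero | ...` task naming used in tasks/main.yml, avoids that. The handler also has no `chdir`, so it runs in whatever directory the connection lands in; harmless here since every path is absolute, but worth a comment if that is relied on.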
--- a/ansible/roles/omero-server/tasks/main.yml +++ b/ansible/roles/omero-server/tasks/main.yml @@ -72,6 +72,7 @@ dest: "{{ omero_basedir }}/config/omero-base.config" force: yes src: omero-base.config.j2 + notify: update config - name: omero | empty additional configuration file become: yes @@ -88,6 +89,7 @@ force: yes src: "{{ omero_prestart_file }}" when: omero_prestart_file | default(None) != None + notify: update config - name: omero | set omego options set_fact: From 7f780c3d7ad8cc5cda0867a575f59261a42fa550 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Harri=20J=C3=A4=C3=A4linoja?= Date: Fri, 30 Sep 2016 17:07:34 +0300 Subject: [PATCH 3/4] Add handlers to reset config and restart OMERO. --- ansible/roles/omero-server/handlers/main.yml | 16 +++++++++++++++- ansible/roles/omero-server/tasks/main.yml | 16 ++++++++++++++-- 2 files changed, 29 insertions(+), 3 deletions(-) diff --git a/ansible/roles/omero-server/handlers/main.yml b/ansible/roles/omero-server/handlers/main.yml index 0a2d8ec65..cd51996b6 100644 --- a/ansible/roles/omero-server/handlers/main.yml +++ b/ansible/roles/omero-server/handlers/main.yml @@ -1,13 +1,27 @@ --- -# Handler for nginx +# Handler for nginx - name: restart nginx become: yes service: name: nginx state: restarted +- name: reset config + become: yes + become_user: omero + shell: "{{ omero_serverdir }}/{{ omero_server_symlink }}/bin/omero load < config/reset.config" + args: + chdir: "{{ omero_basedir }}" + - name: update config become: yes become_user: omero shell: "{{ omero_serverdir }}/{{ omero_server_symlink }}/bin/omero load < {{ omero_basedir }}/config/omero-base.config" + +# Handler for OMERO +- name: restart OMERO + become: yes + service: + name: omero + state: restarted diff --git a/ansible/roles/omero-server/tasks/main.yml b/ansible/roles/omero-server/tasks/main.yml index 0c296e387..cf780c7ed 100644 --- a/ansible/roles/omero-server/tasks/main.yml +++ b/ansible/roles/omero-server/tasks/main.yml 
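Review bot: The reset → update → restart sequence added to omero-server/handlers/main.yml depends on definition order, because Ansible runs notified handlers in the order they are defined in the handlers file, not in the order they appear under `notify:`; nothing in the hunk records this, so a later contributor who appends or reorders a handler silently breaks the sequence. A one-line comment above `reset config`, such as `# Order matters: notified handlers run in definition order (reset config, update config, restart OMERO)`, would document the dependency. The `restart OMERO` handler assumes a service named `omero` exists on the host — presumably the unit that the `omero_systemd_setup` include provides — so the restart likely fails on hosts where that setup is disabled; worth confirming, or guarding the handler with `when: omero_systemd_setup`.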
@@ -66,13 +66,22 @@ msg: "OMERO.server found but unable to get version, you may have a corrupt installation" when: omero_server_symlink_st.stat.exists and omero_server_version is undefined +- name: omero | create configuration reset file + become: yes + shell: "touch config/omero-empty.config; cat config/omero-*|grep config|cut -d' ' -f 1,2,3 > config/reset.config" + args: + chdir: "{{ omero_basedir }}" + - name: omero | create common configuration file become: yes template: dest: "{{ omero_basedir }}/config/omero-base.config" force: yes src: omero-base.config.j2 - notify: update config + notify: + - reset config + - update config + - restart OMERO - name: omero | empty additional configuration file become: yes @@ -89,7 +98,10 @@ force: yes src: "{{ omero_prestart_file }}" when: omero_prestart_file | default(None) != None - notify: update config + notify: + - reset config + - update config + - restart OMERO - name: omero | set omego options set_fact: From 0bda40405c2990d21bac492b48161725c9a7327e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Harri=20J=C3=A4=C3=A4linoja?= Date: Fri, 30 Sep 2016 17:25:23 +0300 Subject: [PATCH 4/4] add trust store setup --- ansible/roles/omero-server/defaults/main.yml | 7 +++++ ansible/roles/omero-server/tasks/main.yml | 3 ++ .../omero-server/tasks/omero-trust-store.yml | 28 +++++++++++++++++++ 3 files changed, 38 insertions(+) create mode 100644 ansible/roles/omero-server/tasks/omero-trust-store.yml diff --git a/ansible/roles/omero-server/defaults/main.yml b/ansible/roles/omero-server/defaults/main.yml index 062bc9d18..9806b9722 100644 --- a/ansible/roles/omero-server/defaults/main.yml +++ b/ansible/roles/omero-server/defaults/main.yml 
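Review bot: The new `omero | create configuration reset file` task runs its pipeline as root (`become: yes` with no `become_user`) and has no `changed_when`, so every run reports a change and leaves `config/omero-empty.config` and `config/reset.config` owned by root, while the `reset config` and `update config` handlers that read them run as `omero`. Adding `become_user: omero` to match the handlers and `changed_when: false` keeps ownership consistent and removes the spurious change report. The `grep config` filter passes through any line containing that word, including commented-out lines, which would then be loaded by the reset handler; if the source files only hold `config set` lines, an anchored filter such as `grep '^config set'` is tighter — the hunk does not show the file contents, so confirm before narrowing. The same `notify:` list is added again in the second hunk (`@@ -89,7 +98,10 @@`), so whatever ordering guarantee the handlers rely on applies to both.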
@@ -80,3 +80,10 @@ omero_systemd_setup: False # EXPERIMENTAL, may break your system # Quoted to prevent autoconversion to bool omero_systemd_restart: "no" + +# Setup trust store +omero_trust_store_setup: False +omero_trust_store: "{{ omero_basedir }}/trust_store.jks" +omero_trust_store_passwd: omero +#omero_trust_store_certificates: +# - { url: 'https://www.digicert.com/CACerts/DigiCertAssuredIDRootCA.crt', name: 'DigiCertAssuredIDRootCA.crt'} diff --git a/ansible/roles/omero-server/tasks/main.yml b/ansible/roles/omero-server/tasks/main.yml index cf780c7ed..d448fadbe 100644 --- a/ansible/roles/omero-server/tasks/main.yml +++ b/ansible/roles/omero-server/tasks/main.yml @@ -206,3 +206,6 @@ - include: omero-systemd.yml when: omero_systemd_setup + +- include: omero-trust-store.yml + when: omero_trust_store_setup diff --git a/ansible/roles/omero-server/tasks/omero-trust-store.yml b/ansible/roles/omero-server/tasks/omero-trust-store.yml new file mode 100644 index 000000000..782b913b9 --- /dev/null +++ b/ansible/roles/omero-server/tasks/omero-trust-store.yml 
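Review bot: `omero_trust_store_passwd: omero` ships a fixed, well-known store password in the role defaults, and the keytool task in omero-trust-store.yml passes it on the command line where it appears in process listings and task output; a JKS trust-store password only protects the store's integrity check, so a default everyone knows makes that check meaningless, and at minimum the line should be marked as a value to override, `# Override per deployment; this value is passed on the keytool command line`. `omero_trust_store_certificates` has no default (only the commented example), so enabling `omero_trust_store_setup` without defining it fails with an undefined-variable error in the `with_items` loops of the new task file; an explicit empty default, `omero_trust_store_certificates: []`, makes the opt-in behaviour clear and lets the include run as a no-op. The commented example also lacks the integrity field the download task would need; if a `checksum` is added there, the example should show it.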
@@ -0,0 +1,28 @@ +--- +# Configure trust store for OMERO. This might be needed for LDAPS connection. + +# The trust store file is built from scratch every time, to make sure it +# has the exact set of CA certificates configured. For the configuration change +# to take effect, OMERO must be restarted. To avoid unnecessary restarts, once +# you have a working setup, set "omero_trust_store_setup: False". + +- name: remove existing trust store + file: path={{ omero_trust_store }} state=absent + +- name: create directory for certificates + file: path={{ omero_basedir }}/cacerts state=directory owner={{ omero_system_user }} + +- name: download certificates + sudo_user: "{{ omero_system_user }}" + get_url: url={{ item.url }} dest={{ omero_basedir }}/cacerts/{{ item.name }} + with_items: + - "{{ omero_trust_store_certificates }}" + +- name: import certificates in a trust store file + sudo_user: "{{ omero_system_user }}" + command: keytool -importcert -noprompt -keystore {{ omero_trust_store }} -storepass {{ omero_trust_store_passwd }} -storetype JKS -providername SUN -file {{ item.name }} -alias {{ item.name }} + args: + chdir: "{{ omero_basedir }}/cacerts" + with_items: + - "{{ omero_trust_store_certificates }}" + notify: restart OMERO
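Review bot: The `download certificates` task writes whatever `get_url` fetches straight into the CA set that `import certificates in a trust store file` then trusts, with no integrity check on the downloaded file; `get_url` supports `checksum:`, so each entry in `omero_trust_store_certificates` should carry one and the task should enforce it. The `keytool` command places `-storepass {{ omero_trust_store_passwd }}` on the command line, so the password appears in the task result for every loop item; `no_log: true` keeps it out of the play output, at the cost of hiding keytool's error text when an import fails, and it remains visible in the host's process listing while keytool runs. Both tasks use `sudo_user`, the deprecated spelling of `become_user`, while the rest of these roles use `become`/`become_user`; in Ansible 2.x `become_user` on its own does not request escalation, so `become: yes` belongs alongside it. The `with_items: - "{{ ... }}"` form nests the list inside a list and relies on auto-flattening; `with_items: "{{ omero_trust_store_certificates }}"` is the plain form.
```yaml
# … unchanged: header comments, remove existing trust store, create directory for certificates …

- name: download certificates
  become: yes
  become_user: "{{ omero_system_user }}"
  get_url:
    url: "{{ item.url }}"
    dest: "{{ omero_basedir }}/cacerts/{{ item.name }}"
    # each entry must provide e.g. "sha256:<hex digest of the certificate file>"
    checksum: "{{ item.checksum }}"
  with_items: "{{ omero_trust_store_certificates }}"

- name: import certificates in a trust store file
  become: yes
  become_user: "{{ omero_system_user }}"
  command: keytool -importcert -noprompt -keystore {{ omero_trust_store }} -storepass {{ omero_trust_store_passwd }} -storetype JKS -providername SUN -file {{ item.name }} -alias {{ item.name }}
  args:
    chdir: "{{ omero_basedir }}/cacerts"
  with_items: "{{ omero_trust_store_certificates }}"
  # the store password is on the command line; keep it out of task output
  no_log: true
  notify: restart OMERO
```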