From e515e1d6d3902c495f96201dbddfb906827fe27e Mon Sep 17 00:00:00 2001 From: HVSharma12 Date: Tue, 16 Jul 2024 21:10:24 +0530 Subject: [PATCH] ci: add support for transactional update --- README.md | 8 +++++++ defaults/main.yml | 1 + tasks/ensure_selinux_packages.yml | 38 +++++++++++++++++++++++++++++++ vars/main.yml | 1 + 4 files changed, 48 insertions(+) diff --git a/README.md b/README.md index 4e0ed56..10ca512 100644 --- a/README.md +++ b/README.md @@ -198,6 +198,14 @@ supported policydb module version on target systems, i.e. on the oldest system. **Note:** Managing modules is idempotent only on Fedora, and EL 8.6 and later. You can manage modules on older releases, but it will not be idempotent. +### selinux_transactional_update_reboot_ok + +This variable is used to handle reboots required by transactional updates. If a transactional update requires a reboot, the role will proceed with the reboot if selinux_transactional_update_reboot_ok is set to true. If set to false, the role will notify the user that a reboot is required, allowing for custom handling of the reboot requirement. If this variable is not set, the role will fail to ensure the reboot requirement is not overlooked. + +```yaml +selinux_transactional_update_reboot_ok: true +``` + ## Ansible Facts ### selinux_reboot_required diff --git a/defaults/main.yml b/defaults/main.yml index 6cc4a5e..32c6883 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,6 +1,7 @@ --- selinux_state: null selinux_policy: null +selinux_transactional_update_reboot_ok: null # Set up empty lists for SELinux changes. selinux_booleans: [] diff --git a/tasks/ensure_selinux_packages.yml b/tasks/ensure_selinux_packages.yml index 059ba9f..20a90f7 100644 --- a/tasks/ensure_selinux_packages.yml +++ b/tasks/ensure_selinux_packages.yml @@ -11,6 +11,18 @@ set_fact: __selinux_is_ostree: "{{ __ostree_booted_stat.stat.exists }}" +- name: Determine if system is transactional update and set flag + when: not __selinux_is_transactional is defined + block: + - name: Check if transactional-update exists in /sbin + stat: + path: /sbin/transactional-update + register: __transactional_update_stat + + - name: Set flag if transactional-update exists + set_fact: + __selinux_is_transactional: "{{ __transactional_update_stat.stat.exists }}" + - name: Install SELinux python2 tools package: name: @@ -44,6 +56,7 @@ when: - ansible_python_version is version('3', '>=') - ansible_os_family == "Suse" + register: selinux_python3_tools_result - name: Install SELinux tool semanage package: @@ -53,8 +66,33 @@ use: "{{ (__selinux_is_ostree | d(false)) | ternary('ansible.posix.rhel_rpm_ostree', omit) }}" when: ansible_distribution == "Fedora" or + ansible_distribution == "SL-Micro" or (ansible_distribution_major_version | int > 7 and ansible_distribution in ["CentOS", "RedHat", "Rocky"]) + register: selinux_semanage_result + +- name: Handle reboot for transactional update systems + when: + - __selinux_is_transactional | d(false) + - selinux_python3_tools_result is changed or + selinux_semanage_result is changed + block: + - name: Notify user that reboot is needed to apply changes + debug: + msg: > + Reboot required to apply changes due to transactional updates. + + - name: Reboot transactional update systems + reboot: + msg: Rebooting the system to apply transactional update changes. + when: selinux_transactional_update_reboot_ok | bool + + - name: Fail if reboot is needed and not set + fail: + msg: > + Reboot is required but not allowed. Please set 'selinux_transactional_update_reboot_ok' to proceed. + when: + - selinux_transactional_update_reboot_ok is none - name: Refresh facts setup: diff --git a/vars/main.yml b/vars/main.yml index 161da61..815295a 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -18,5 +18,6 @@ __selinux_required_facts_subsets: "{{ ['!all', '!min'] + __selinux_required_facts }}" restorecon_threads: "{{ '-T 0' if ansible_distribution == 'Fedora' or + ansible_distribution == 'SL-Micro' or (ansible_distribution_major_version | int > 8 and ansible_distribution in ['CentOS', 'RedHat', 'Rocky']) else '' }}"