Graylog2 / graylog-ansible-role

Ansible role which installs and configures Graylog
Apache License 2.0

add selinux mongodb port #85

Closed jalogisch closed 6 years ago

jalogisch commented 6 years ago

Tested the above on RHEL 6.9 and CentOS 7; on both, SELinux runs on default.

Ansible might complain about a missing package (yum install policycoreutils-python), but I did not include automatic install of that, as even Elastic did not have that for the SELinux parts.

ansible 2.4.2.0
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.6/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.6.6 (r266:84292, Aug  9 2016, 06:11:56) [GCC 4.4.7 20120313 (Red Hat 4.4.7-17)

mariussturm commented 6 years ago

Tested with CentOS 7 and these SELinux settings:

[root@ubuntu vagrant]# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

and still got the same error:

TASK [Graylog2.graylog-ansible-role : Package dependencies should be installed] ****************************************
ok: [127.0.0.1] => (item=[u'libselinux-python'])

TASK [Graylog2.graylog-ansible-role : MongoDB should be installed] *****************************************************
changed: [127.0.0.1]

TASK [Graylog2.graylog-ansible-role : MongoDB should be configured] ****************************************************
changed: [127.0.0.1]

TASK [Graylog2.graylog-ansible-role : set SELinux MongoDB Port access allowed] *****************************************
changed: [127.0.0.1]

RUNNING HANDLER [jdauphant.nginx : restart nginx] **********************************************************************
ok: [127.0.0.1] => {
    "msg": "checking config first"
}

RUNNING HANDLER [jdauphant.nginx : reload nginx] ***********************************************************************
ok: [127.0.0.1] => {
    "msg": "checking config first"
}

RUNNING HANDLER [jdauphant.nginx : check nginx configuration] **********************************************************
[DEPRECATION WARNING]: always_run is deprecated. Use check_mode = no instead..
This feature will be removed in version 2.4. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
ok: [127.0.0.1]

RUNNING HANDLER [jdauphant.nginx : restart nginx - after config check] *************************************************
changed: [127.0.0.1]

RUNNING HANDLER [jdauphant.nginx : reload nginx - after config check] **************************************************
changed: [127.0.0.1]

RUNNING HANDLER [Graylog2.graylog-ansible-role : restart mongod] *******************************************************
fatal: [127.0.0.1]: FAILED! => {"changed": false, "failed": true, "msg": "Unable to start service mongod: Job for mongod.service failed because a timeout was exceeded. See \"systemctl status mongod.service\" and \"journalctl -xe\" for details.\n"}
    to retry, use: --limit @/tmp/ansible/playbook.retry

PLAY RECAP *************************************************************************************************************
127.0.0.1                  : ok=67   changed=35   unreachable=0    failed=1   

mariussturm commented 6 years ago

I have created this PR: https://github.com/Graylog2/graylog-ansible-role/pull/87. With these changes MongoDB was installed successfully on CentOS 7 with

SELINUX=enforcing
SELINUXTYPE=targeted

Regression tested with Ubuntu 16.04 and Debian 8.

Could someone please test the changes so that we can merge them?

mariussturm commented 6 years ago

Closing in favour of https://github.com/Graylog2/graylog-ansible-role/pull/87#issuecomment-378901786