Commit 661836a4 by Czémán Arnold

Merge branch 'redhat' into debian

Conflicts:
	README.md
parents 6dfeb416 d2f1016c
# Circle Project - Salt Installer
# CIRCLE Project - Salt Installer
## OS Support
......@@ -6,11 +6,9 @@
* Red Hat Enterprise Linux 7+
* Cent OS 7+
* Scientific Linux 7+
* Oracle Linux 7+ --> work in progress
* Debian Linux family:
* Debian linux 8+
* Ubuntu linux 14.04 LTS
* Ubuntu linux 15.04+ --> work in progress
## Prerequisites
......@@ -40,28 +38,6 @@ sudo apt-get install python-pip vim git
sudo pip install salt==2014.7.1
```
## Configure salt
Open the salt minion configuration
```bash
sudo mkdir -p /etc/salt
sudo vim /etc/salt/minion
```
Add these lines:
```bash
file_client: local
file_roots:
base:
- /home/cloud/salt/salt
pillar_roots:
base:
- /home/cloud/salt/pillar
```
## Get the installer
Clone circle installer git repository into cloud home
......@@ -146,7 +122,7 @@ Other variables
Run the following installation command:
```bash
sudo salt-call state.sls allinone
sudo salt-call state.sls allinone --local --file-root=/home/$USER/salt/salt --pillar-root=/home/$USER/salt/pillar
```
After this finished, you have to get "Failed: 0" message.
If installer fails, please visit the [Troubleshooting](#troubleshooting) paragraph.
......@@ -211,6 +187,7 @@ Finally, we can run the machine. Click on 'deploy' and start it. You can choose,
### Portal won't load
Maybe port 443 is closed. Check and open it.
### Portal won't load on Ubuntu 14.04
```bash
sudo service nginx restart
......
......@@ -14,9 +14,6 @@ server {
alias /home/{{ pillar['user'] }}/circle/circle/static_collected; # your Django project's static files
}
{% endif %}
location /doc {
alias /home/cloud/circle-website/_build/html;
}
location / {
{% if pillar['deployment_type'] == "production" %}
......
module nginx 1.0;
require {
type initrc_tmp_t;
type httpd_t;
type initrc_t;
class sock_file write;
class unix_stream_socket connectto;
}
#============= httpd_t ==============
allow httpd_t initrc_t:unix_stream_socket connectto;
#!!!! This avc is allowed in the current policy
allow httpd_t initrc_tmp_t:sock_file write;
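Review bot: `allow httpd_t initrc_t:unix_stream_socket connectto;` lets nginx connect to a stream socket of any process running in initrc_t, the catch-all domain for init-started services without their own policy, so the grant is wider than the single backend socket it is presumably meant for. The `#!!!! This avc is allowed in the current policy` line suggests the module is unedited audit2allow output. A header comment such as `# Lets nginx (httpd_t) reach the backend socket created by an init-started service (initrc_t / initrc_tmp_t)` would record the intent, and the generated marker line can be dropped. Longer term, running the backend in a dedicated domain with a labelled socket would allow a rule scoped to that type instead of initrc_t.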
......@@ -5,12 +5,20 @@ nginx:
- pkg: nginx
- cmd: circlecert
- file: nginxdefault
- file: nginx_home_permission
{% if grains['os_family'] == 'RedHat' %}
- file: nginxconf
- cmd: nginx_no_private_temp
{% endif %}
pkg:
- installed
nginx_home_permission:
file.directory:
- name: /home/{{ pillar['user'] }}
- user: {{ pillar['user'] }}
- dir_mode: 711
circlecert:
cmd.run:
{% if grains['os_family'] == 'RedHat' %}
......@@ -22,17 +30,50 @@ circlecert:
- creates: /etc/ssl/certs/circle.pem
{% if grains['os_family'] == 'RedHat' %}
nginx_selinux:
nginx_selinux_pkgs:
pkg.installed:
- pkgs:
- policycoreutils
- policycoreutils-python
nginx_httpd_can_network_connect:
selinux.boolean:
- name: httpd_can_network_connect
- value: True
- persist: True
- require:
- pkg: nginx_selinux
- pkg: nginx_selinux_pkgs
nginx_httpd_read_user_content:
selinux.boolean:
- name: httpd_read_user_content
- value: True
- persist: True
- require:
- pkg: nginx_selinux_pkgs
/root/nginx.te:
file.managed:
- source: salt://manager/files/nginx.te
- template: jinja
- mode: 644
nginx_semodule:
cmd.run:
- cwd: /root
- user: root
- name: checkmodule -M -m -o nginx.mod nginx.te; semodule_package -o nginx.pp -m nginx.mod; semodule -i nginx.pp
- unless: semodule -l |grep -qs ^nginx
- require:
- file: /root/nginx.te
- pkg: nginx_selinux_pkgs
nginx_no_private_temp:
cmd.run:
- user: root
- name: sed -i "/PrivateTmp/d" /usr/lib/systemd/system/nginx.service
- require:
- pkg: nginx
{% endif %}
nginxdefault:
......
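Review bot: `nginx_no_private_temp` deletes `PrivateTmp` from the packaged unit under /usr/lib/systemd/system, which turns off a systemd isolation feature for nginx and is likely to be undone by the next nginx package update. No `systemctl daemon-reload` is visible in this section, so the running unit may not pick the change up. A drop-in under /etc/systemd/system keeps the override explicit and survives upgrades, as sketched below; if the backend socket can be moved out of /tmp, PrivateTmp could stay enabled instead. Separately, `nginx_semodule` chains its three commands with `;`, so a failed `checkmodule` still reaches `semodule -i`; joining them with `&&` stops at the first failure. The YAML indentation is lost on this page, so the sketch uses the usual Salt layout and a constructed drop-in file name.

```yaml
# … unchanged: nginx_semodule and the SELinux boolean states …
nginx_private_tmp_override:
  file.managed:
    # drop-in file name is a suggestion
    - name: /etc/systemd/system/nginx.service.d/private-tmp.conf
    - makedirs: True
    - contents: |
        [Service]
        PrivateTmp=false
    - require:
      - pkg: nginx

nginx_no_private_temp:
  cmd.run:
    - user: root
    - name: systemctl daemon-reload
    - onchanges:
      - file: nginx_private_tmp_override
```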
{{ pillar['user'] }} ALL = (ALL) NOPASSWD: /usr/bin/ovs-ofctl, /usr/bin/ovs-vsctl, /sbin/ip link set *
Defaults: cloud !requiretty
Defaults: {{ pillar['user'] }} !requiretty
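Review bot: The NOPASSWD entry ends in `/sbin/ip link set *`, and in sudoers a `*` in the argument list matches any run of characters, including spaces. The rule therefore permits every `ip link set` invocation rather than one specific form. Now that the account comes from `pillar['user']`, this grant follows whichever user the pillar names, so it is worth replacing the wildcard with the exact argument forms the caller uses (not visible on this page). A comment above the rule, e.g. `# passwordless network commands for VM networking (confirm caller); keep the ip(8) pattern as narrow as possible`, would record the intent.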
module vmdriver 1.0;
module vmdriver 1.1;
require {
type virt_var_lib_t;
type svirt_tcg_t;
type svirt_t;
type default_t;
class sock_file { create unlink };
class dir { write remove_name add_name };
class lnk_file read;
}
#============= svirt_tcg_t ==============
allow svirt_tcg_t virt_var_lib_t:dir { write remove_name add_name };
allow svirt_tcg_t virt_var_lib_t:sock_file { create unlink };
#============= svirt_t ==============
allow svirt_t virt_var_lib_t:dir { write add_name };
allow svirt_t virt_var_lib_t:sock_file create;
allow svirt_t default_t:lnk_file read;
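Review bot: `allow svirt_t default_t:lnk_file read;` grants confined guests read access to symlinks labelled default_t, the label given to files that no file-context rule covers. The rule is therefore keyed to a missing label rather than to a specific path. Labelling the symlink's location with an appropriate virt type (a file-context entry plus `restorecon`) would let this rule be dropped or scoped to that type. If the rule stays, a comment such as `# symlink at <path> is unlabelled (default_t); remove once it has a proper file context` would explain it. Which of these rules the commit adds cannot be told from the page, since the +/- markers are lost.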