Commit 661836a4 by Czémán Arnold

Merge branch 'redhat' into debian

Conflicts:
	README.md
parents 6dfeb416 d2f1016c
# Circle Project - Salt Installer # CIRCLE Project - Salt Installer
## OS Support ## OS Support
...@@ -6,11 +6,9 @@ ...@@ -6,11 +6,9 @@
* Red Hat Enterprise Linux 7+ * Red Hat Enterprise Linux 7+
* Cent OS 7+ * Cent OS 7+
* Scientific Linux 7+ * Scientific Linux 7+
* Oracle Linux 7+ --> work in progress
* Debian Linux family: * Debian Linux family:
* Debian linux 8+ * Debian linux 8+
* Ubuntu linux 14.04 LTS * Ubuntu linux 14.04 LTS
* Ubuntu linux 15.04+ --> work in progress
## Prerequisites ## Prerequisites
...@@ -40,28 +38,6 @@ sudo apt-get install python-pip vim git ...@@ -40,28 +38,6 @@ sudo apt-get install python-pip vim git
sudo pip install salt==2014.7.1 sudo pip install salt==2014.7.1
``` ```
## Configure salt
Open the salt minion configuration
```bash
sudo mkdir -p /etc/salt
sudo vim /etc/salt/minion
```
Add these lines:
```bash
file_client: local
file_roots:
base:
- /home/cloud/salt/salt
pillar_roots:
base:
- /home/cloud/salt/pillar
```
## Get the installer ## Get the installer
Clone circle installer git repository into cloud home Clone circle installer git repository into cloud home
...@@ -146,7 +122,7 @@ Other variables ...@@ -146,7 +122,7 @@ Other variables
Run the following installation command: Run the following installation command:
```bash ```bash
sudo salt-call state.sls allinone sudo salt-call state.sls allinone --local --file-root=/home/$USER/salt/salt --pillar-root=/home/$USER/salt/pillar
``` ```
After this finished, you have to get "Failed: 0" message. After this finished, you have to get "Failed: 0" message.
If installer fails, please visit the [Troubleshooting](#troubleshooting) paragraph. If installer fails, please visit the [Troubleshooting](#troubleshooting) paragraph.
...@@ -211,6 +187,7 @@ Finally, we can run the machine. Click on 'deploy' and start it. You can choose, ...@@ -211,6 +187,7 @@ Finally, we can run the machine. Click on 'deploy' and start it. You can choose,
### Portal won't load ### Portal won't load
Maybe port 443 is closed. Check and open it. Maybe port 443 is closed. Check and open it.
### Portal won't load on Ubuntu 14.04 ### Portal won't load on Ubuntu 14.04
```bash ```bash
sudo service nginx restart sudo service nginx restart
......
...@@ -14,9 +14,6 @@ server { ...@@ -14,9 +14,6 @@ server {
alias /home/{{ pillar['user'] }}/circle/circle/static_collected; # your Django project's static files alias /home/{{ pillar['user'] }}/circle/circle/static_collected; # your Django project's static files
} }
{% endif %} {% endif %}
location /doc {
alias /home/cloud/circle-website/_build/html;
}
location / { location / {
{% if pillar['deployment_type'] == "production" %} {% if pillar['deployment_type'] == "production" %}
......
module nginx 1.0;
require {
type initrc_tmp_t;
type httpd_t;
type initrc_t;
class sock_file write;
class unix_stream_socket connectto;
}
#============= httpd_t ==============
allow httpd_t initrc_t:unix_stream_socket connectto;
#!!!! This avc is allowed in the current policy
allow httpd_t initrc_tmp_t:sock_file write;
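Review bot: `allow httpd_t initrc_t:unix_stream_socket connectto;` lets nginx connect to a stream socket of any process running in initrc_t, not only the portal's backend, because initrc_t is the domain that init-started services without their own policy end up in. The module reads like unedited audit2allow output (the `#!!!! This avc is allowed in the current policy` line is its annotation), so it records what was denied rather than what was meant to be permitted. Giving the backend service and its socket a dedicated type would limit the grant to that one socket. At minimum, a comment above the rule should name the service and socket path it exists for, so it can be tightened later.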
...@@ -5,12 +5,20 @@ nginx: ...@@ -5,12 +5,20 @@ nginx:
- pkg: nginx - pkg: nginx
- cmd: circlecert - cmd: circlecert
- file: nginxdefault - file: nginxdefault
- file: nginx_home_permission
{% if grains['os_family'] == 'RedHat' %} {% if grains['os_family'] == 'RedHat' %}
- file: nginxconf - file: nginxconf
- cmd: nginx_no_private_temp
{% endif %} {% endif %}
pkg: pkg:
- installed - installed
nginx_home_permission:
file.directory:
- name: /home/{{ pillar['user'] }}
- user: {{ pillar['user'] }}
- dir_mode: 711
circlecert: circlecert:
cmd.run: cmd.run:
{% if grains['os_family'] == 'RedHat' %} {% if grains['os_family'] == 'RedHat' %}
...@@ -22,17 +30,50 @@ circlecert: ...@@ -22,17 +30,50 @@ circlecert:
- creates: /etc/ssl/certs/circle.pem - creates: /etc/ssl/certs/circle.pem
{% if grains['os_family'] == 'RedHat' %} {% if grains['os_family'] == 'RedHat' %}
nginx_selinux: nginx_selinux_pkgs:
pkg.installed: pkg.installed:
- pkgs: - pkgs:
- policycoreutils - policycoreutils
- policycoreutils-python - policycoreutils-python
nginx_httpd_can_network_connect:
selinux.boolean: selinux.boolean:
- name: httpd_can_network_connect - name: httpd_can_network_connect
- value: True - value: True
- persist: True - persist: True
- require: - require:
- pkg: nginx_selinux - pkg: nginx_selinux_pkgs
nginx_httpd_read_user_content:
selinux.boolean:
- name: httpd_read_user_content
- value: True
- persist: True
- require:
- pkg: nginx_selinux_pkgs
/root/nginx.te:
file.managed:
- source: salt://manager/files/nginx.te
- template: jinja
- mode: 644
nginx_semodule:
cmd.run:
- cwd: /root
- user: root
- name: checkmodule -M -m -o nginx.mod nginx.te; semodule_package -o nginx.pp -m nginx.mod; semodule -i nginx.pp
- unless: semodule -l |grep -qs ^nginx
- require:
- file: /root/nginx.te
- pkg: nginx_selinux_pkgs
nginx_no_private_temp:
cmd.run:
- user: root
- name: sed -i "/PrivateTmp/d" /usr/lib/systemd/system/nginx.service
- require:
- pkg: nginx
{% endif %} {% endif %}
nginxdefault: nginxdefault:
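Review bot: `nginx_no_private_temp` removes systemd's PrivateTmp isolation from nginx by running `sed -i "/PrivateTmp/d"` on the packaged unit under /usr/lib/systemd/system, so nginx shares the host /tmp and the edit is undone whenever the nginx package replaces that file. The state has no `unless`/`onlyif` guard and nothing in the hunk reloads systemd, so it runs on every highstate and the running unit may keep the old setting until a daemon-reload. The initrc_tmp_t rule in the new nginx.te suggests the aim is to reach a backend socket in /tmp, though the socket path is not visible here. If so, moving that socket to a directory under /run would keep PrivateTmp on; otherwise a drop-in in /etc/systemd/system/nginx.service.d/ with `PrivateTmp=false` survives package upgrades. In `nginx_semodule` the three commands are joined with `;`, so a failed `checkmodule` still goes on to `semodule -i`; joining them with `&&` would stop at the first failure.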
......
{{ pillar['user'] }} ALL = (ALL) NOPASSWD: /usr/bin/ovs-ofctl, /usr/bin/ovs-vsctl, /sbin/ip link set * {{ pillar['user'] }} ALL = (ALL) NOPASSWD: /usr/bin/ovs-ofctl, /usr/bin/ovs-vsctl, /sbin/ip link set *
Defaults: cloud !requiretty Defaults: {{ pillar['user'] }} !requiretty
module vmdriver 1.0; module vmdriver 1.1;
require { require {
type virt_var_lib_t; type virt_var_lib_t;
type svirt_tcg_t; type svirt_tcg_t;
type svirt_t;
type default_t;
class sock_file { create unlink }; class sock_file { create unlink };
class dir { write remove_name add_name }; class dir { write remove_name add_name };
class lnk_file read;
} }
#============= svirt_tcg_t ============== #============= svirt_tcg_t ==============
allow svirt_tcg_t virt_var_lib_t:dir { write remove_name add_name }; allow svirt_tcg_t virt_var_lib_t:dir { write remove_name add_name };
allow svirt_tcg_t virt_var_lib_t:sock_file { create unlink }; allow svirt_tcg_t virt_var_lib_t:sock_file { create unlink };
#============= svirt_t ==============
allow svirt_t virt_var_lib_t:dir { write add_name };
allow svirt_t virt_var_lib_t:sock_file create;
allow svirt_t default_t:lnk_file read;
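Review bot: `allow svirt_t default_t:lnk_file read;` grants confined guests read access to every symlink labelled default_t, the fallback label for paths with no file-context entry, so the rule covers far more than the one link that triggered the denial. A denial against default_t usually means the directory holding the link was never labelled; adding a file-context entry for that path and relabelling it could make this line unnecessary. If the rule has to stay, a comment above it naming the symlink path would let the next maintainer tighten it. The svirt_t lines are printed once with no +/- marker, so I am assuming they are additions that go with the 1.0 to 1.1 version bump.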