diff --git a/roles/sap_fapolicy/README.md b/roles/sap_fapolicy/README.md index 2cedfc4..072f709 100644 --- a/roles/sap_fapolicy/README.md +++ b/roles/sap_fapolicy/README.md @@ -1,85 +1,113 @@ + # sap_fapolicy Ansible Role + + +## Description + +The Ansible Role `sap_rhsm` is used to update fapolicy configuration for SAP Systems. + + + + + + +## Prerequisites +Managed nodes: +- Supported Operating System: Red Hat + + +## Execution + + +### Example + +Configuration with `sap_fapolicy_type` set to `generic`. +```yaml +--- +- hosts: all + become: true + tasks: + - name: Configure fapolicy + ansible.builtin.include_role: + name: community.sap_operations.sap_fapolicy + vars: + sap_fapolicy_type: "generic" +``` + +Configuration for all SAP Systems on managed node. +```yaml +--- +- hosts: all + become: true + tasks: + - name: Run sap_facts module to gather SAP facts + community.sap_operations.sap_facts: + param: "all" + register: sap_facts_register + + - name: Fapolicy Update - SAP Users + vars: + sap_fapolicy_sid: "{{ item.Type }}" + sap_fapolicy_type: "{{ item.Type }}" + ansible.builtin.include_role: + name: community.sap_operations.sap_fapolicy + loop: "{{ sap_facts_register.sap_facts }}" +``` + -Ansible role for updating fapolicy entries based on SAP instance numbers + + -- **Generic** - use the `generic` option to update entries directly by providing a list of users -- **SAP NW** - use the `nw` option to update SAP NW entries -- **SAP HANA** - use the `hana` option to update SAP HANA entries + + -## Overview +## License + +Apache 2.0 + -Fapolicy entries will be updated to allow access to the following directories - - "/hana/" - - "/sapmnt/" - - "/usr/sap/" - - "/software/" - - "/var/tmp/" - - "/tmp/" +## Maintainers + +- SAP LinuxLab + -![](/docs/diagrams/sap_fapolicy_workflow.svg) +## Role Variables + +### sap_fapolicy_type +- **Required**
+- _Type:_ `string`
+- _Default:_ `generic`
-### Variables +Select fapolicy type to configure. Options: `generic`, `nw`, `hana`.
-| **Variable** | **Info** | **Default** | **Required** | -| :--- | :--- | :--- | :--- | -| sap_fapolicy_type | 'generic' / 'nw' / 'hana' | 'generic' | yes | -| sap_fapolicy_user | Unix user to include in fapolicy entries | | if 'generic' | -| sap_fapolicy_sid | SAP system SID | | if 'nw' / 'hana' | +### sap_fapolicy_user +- _Type:_ `string`
-### Input and Execution +The user for fapolicy configuration.
+Mandatory when `sap_fapolicy_type` is set to `generic`.
+Automatically set as `sap_fapolicy_sid` + 'adm' if `sap_fapolicy_type` is `nw` or `hana`.
-- Sample execution: +### sap_fapolicy_uid +- _Type:_ `string`
- ```bash - ansible-playbook --connection=local --limit localhost -i "localhost," sap-fapolicy-update.yml" - ``` +The User ID of provided user `sap_fapolicy_user`.
+Automatically set if `sap_fapolicy_user` or `sap_fapolicy_sid` is provided.
-- Sample playbook using `generic` option +### sap_fapolicy_sid +- _Type:_ `string`
- ```yaml - --- - - hosts: all - become: true +The SAP System ID (3 letter String).
+Mandatory when `sap_fapolicy_type` is set to `nw` or `hana`.
- vars: - sap_fapolicy_user_generic_list: - - "root" - - "sapadm" - - "uuidd" - - tasks: - - # Update fapolicy for generic users - - name: Fapolicy Update - generic - vars: - sap_fapolicy_type: "generic" - ansible.builtin.include_role: - name: community.sap_operations.sap_fapolicy - loop: "{{ sap_fapolicy_user_generic_list }}" - loop_control: - loop_var: sap_fapolicy_user - ``` - -- Sample playbook using `sap_facts` module to get all SAP systems in the host - - ```yaml - --- - - hosts: all - become: true - - tasks: - - - name: Run sap_facts module to gather SAP facts - community.sap_operations.sap_facts: - param: "all" - register: sap_facts_register - - # Update fapolicy for SAP users - - name: Fapolicy Update - SAP Users - vars: - sap_fapolicy_sid: "{{ item.Type }}" - sap_fapolicy_type: "{{ item.Type }}" - ansible.builtin.include_role: - name: community.sap_operations.sap_fapolicy - loop: "{{ sap_facts_register.sap_facts }}" - ``` +### sap_fapolicy_directory_list +- _Type:_ `list`
+- _Default:_ `['/hana/', '/sapmnt/', '/usr/sap/', '/software/', '/var/tmp/', '/tmp/']`
+ +The list of directories for fapolicy configuration.
+ +### sap_fapolicy_rules_header +- _Type:_ `string`
+- _Default:_ `# Allow rules for SAP directories`
+ +The header line to add to fapolicy rules.
+ diff --git a/roles/sap_fapolicy/defaults/main.yml b/roles/sap_fapolicy/defaults/main.yml index 9750abd..6296a88 100644 --- a/roles/sap_fapolicy/defaults/main.yml +++ b/roles/sap_fapolicy/defaults/main.yml @@ -1,18 +1,24 @@ -# https://access.redhat.com/discussions/3936201 +# SPDX-License-Identifier: Apache-2.0 +--- +# RHEL 7 KB Note: https://access.redhat.com/discussions/3936201 -sap_fapolicy_sid: -sap_fapolicy_type: "generic" +# Select fapolicy type to configure. Options: 'generic', 'nw', 'hana'. +sap_fapolicy_type: 'generic' -sap_fapolicy_user: -sap_fapolicy_uid: +# The user for fapolicy configuration. +# Mandatory when `sap_fapolicy_type` is set to 'generic'. +# Automatically set as `sap_fapolicy_sid` + 'adm' if `sap_fapolicy_type` is 'nw' or 'hana'. +sap_fapolicy_user: '' -# sap_fapolicy_user_list: -# - "root" -# - "sapadm" -# - "uuidd" +# The User ID of provided user `sap_fapolicy_user`. +# Automatically set if `sap_fapolicy_user` or `sap_fapolicy_sid` is provided. +sap_fapolicy_uid: '' -# sap_fapolicy_uid_list: [] +# The SAP System ID (3 letter String). +# Mandatory when `sap_fapolicy_type` is set to 'nw' or 'hana'. +sap_fapolicy_sid: '' +# The list of directories for fapolicy configuration. sap_fapolicy_directory_list: - "/hana/" - "/sapmnt/" @@ -21,4 +27,5 @@ sap_fapolicy_directory_list: - "/var/tmp/" - "/tmp/" +# The header line to add to fapolicy rules. sap_fapolicy_rules_header: "# Allow rules for SAP directories" diff --git a/roles/sap_fapolicy/tasks/enable_fapolicy.yml b/roles/sap_fapolicy/tasks/enable_fapolicy.yml index c5fa409..e32e8f5 100644 --- a/roles/sap_fapolicy/tasks/enable_fapolicy.yml +++ b/roles/sap_fapolicy/tasks/enable_fapolicy.yml @@ -1,5 +1,6 @@ +# SPDX-License-Identifier: Apache-2.0 --- -- name: SAP Faplocy - Service fapolicy state - start & enable +- name: Enable - Start and enable fapolicyd service ansible.builtin.systemd: state: started name: fapolicyd 
diff --git a/roles/sap_fapolicy/tasks/get_sidadm_user.yml b/roles/sap_fapolicy/tasks/get_sidadm_user.yml
deleted file mode 100644
index 1830af2..0000000
--- a/roles/sap_fapolicy/tasks/get_sidadm_user.yml
+++ /dev/null
@@ -1,15 +0,0 @@
----
-# This task requires the variable sap_fapolicy_sid
-
-- name: Get sidadm user of "{{ sap_fapolicy_sid }}"
- ansible.builtin.set_fact:
- sidadm_user: "{{ sap_fapolicy_sid | lower }}adm"
- register: get_sidadm_user_register
-
-# Return value
-- name: Return value from previous fact
- ansible.builtin.set_fact:
- sap_fapolicy_user: "{{ sidadm_user.split() }}"
-# - name: Merge the sap_fapolicy_user_list with result
-# set_fact:
-# sap_fapolicy_user_list: "{{ sap_fapolicy_user_list + get_sidadm_user_return }}"
diff --git a/roles/sap_fapolicy/tasks/get_user_uid.yml b/roles/sap_fapolicy/tasks/get_user_uid.yml
deleted file mode 100644
index a7609bb..0000000
--- a/roles/sap_fapolicy/tasks/get_user_uid.yml
+++ /dev/null
@@ -1,17 +0,0 @@
----
-# This task requires the variable passed_user
-
-- name: Get UID "{{ passed_user }}"
- ansible.builtin.shell: |
- id -u {{ passed_user }}
- args:
- executable: /bin/bash
- register: get_user_uid_register
-
-# Return value
-- name: return value from previous fact
- ansible.builtin.set_fact:
- sap_fapolicy_uid: "{{ get_user_uid_register.stdout.split() }}"
-# - name: Merge the sap_fapolicy_uid_list with result
-# set_fact:
-# sap_fapolicy_uid_list: "{{ sap_fapolicy_uid_list + get_user_uid_return }}"
diff --git a/roles/sap_fapolicy/tasks/main.yml b/roles/sap_fapolicy/tasks/main.yml
index 3e823a9..1c73146 100644
--- a/roles/sap_fapolicy/tasks/main.yml
+++ b/roles/sap_fapolicy/tasks/main.yml
@@ -1,39 +1,43 @@ +# SPDX-License-Identifier: Apache-2.0 --- -- name: SAP Fapolicy - Gathering Package Facts +- name: Assert that the Operating System of Managed node is Red Hat + ansible.builtin.assert: + that: + - ansible_os_family == "RedHat" + fail_msg: | + Ensure that the role is executed on supported managed node operating system Red Hat. + Detected: {{ ansible_os_family }} + Expected: RedHat + + +- name: Gather Package Facts ansible.builtin.package_facts: manager: auto -- name: SAP Fapolicy - Setup +- name: Block to execute SAP fapolicy configuration + when: + - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" + - '"fapolicyd" in ansible_facts.packages' block: - - name: Get sidadm user of SID - ansible.builtin.include_tasks: get_sidadm_user.yml - when: - - "'generic' not in sap_fapolicy_type" - - sap_fapolicy_user is defined - - # # At this point, we should have all sidadm user + the default users - # - debug: - # msg: - # - "{{ sap_fapolicy_user_list }}" + - name: Assert that the variable 'sap_fapolicy_type' is valid + ansible.builtin.assert: + that: + - sap_fapolicy_type is defined + - sap_fapolicy_type is string + - sap_fapolicy_type | trim | length > 0 + - sap_fapolicy_type in ['generic', 'nw', 'hana'] + fail_msg: | + The variable 'sap_fapolicy_type' is undefined or invalid! 
+ Available options: generic, nw, hana - # Get UIDs of users - # List is stored in sap_fapolicy_uid_list - - name: Get UID of user - vars: - passed_user: "{{ sap_fapolicy_user | lower }}" - ansible.builtin.include_tasks: get_user_uid.yml + - name: Set fapolicy variables + ansible.builtin.include_tasks: + file: "set_vars.yml" - # # At this point, we should have all uids - # - debug: - # msg: - # - "{{ sap_fapolicy_uid_list }}" + - name: Enable SAP fapolicy + ansible.builtin.include_tasks: + file: "enable_fapolicy.yml" - - name: SAP Fapolicy - Enable Fapolicy - ansible.builtin.include_tasks: "enable_fapolicy.yml" - - - name: SAP Fapolicy - Update Fapolicy - ansible.builtin.include_tasks: "update_fapolicy.yml" - - when: - - ansible_virtualization_role != "guest" or ansible_virtualization_type != "docker" - - '"fapolicyd" in ansible_facts.packages' + - name: Update SAP fapolicy + ansible.builtin.include_tasks: + file: "update_fapolicy.yml" diff --git a/roles/sap_fapolicy/tasks/set_vars.yml b/roles/sap_fapolicy/tasks/set_vars.yml new file mode 100644 index 0000000..a5f530d --- /dev/null +++ b/roles/sap_fapolicy/tasks/set_vars.yml 
@@ -0,0 +1,59 @@
+# SPDX-License-Identifier: Apache-2.0
+---
+- name: Assert that the variable 'sap_fapolicy_user' is valid
+ ansible.builtin.assert:
+ that:
+ - sap_fapolicy_user is defined
+ - sap_fapolicy_user is string
+ - sap_fapolicy_user | trim | length == 3
+ fail_msg: |
+ The variable 'sap_fapolicy_user' is undefined or invalid!
+ This variable is required when 'sap_fapolicy_type' is set to 'generic'.
+ when:
+ - sap_fapolicy_type == 'generic'
+
+- name: Assert that the variable 'sap_fapolicy_sid' is valid 3 letter String
+ ansible.builtin.assert:
+ that:
+ - sap_fapolicy_sid is defined
+ - sap_fapolicy_sid is string
+ - sap_fapolicy_sid | trim | length == 3
+ fail_msg: |
+ The variable 'sap_fapolicy_sid' is undefined or invalid!
+ This variable is required when 'sap_fapolicy_user' is undefined or invalid
+ and 'sap_fapolicy_type' is set to 'nw' or 'hana'.
+ when:
+ - sap_fapolicy_user is not defined
+ or sap_fapolicy_user is not string
+ or sap_fapolicy_user | trim | length == 0
+ - sap_fapolicy_type in ['nw', 'hana']
+
+- name: Set the variable 'sap_fapolicy_user'
+ ansible.builtin.set_fact:
+ __sap_fapolicy_user:
+ "{{ sap_fapolicy_user
+ if sap_fapolicy_user is defined
+ and sap_fapolicy_user is string
+ and sap_fapolicy_user | trim | length > 0
+ else (sap_fapolicy_sid | lower ~ 'adm')
+ }}"
+
+
+- name: Get UID if the 'sap_fapolicy_uid' is not provided
+ ansible.builtin.command:
+ cmd: id -u {{ __sap_fapolicy_user }}
+ register: __sap_fapolicy_uid_register
+ when:
+ - sap_fapolicy_uid is not defined
+ or sap_fapolicy_uid is not string
+ or sap_fapolicy_uid | trim | length == 0
+
+- name: Set the variable with fapolicy UID
+ ansible.builtin.set_fact:
+ __sap_fapolicy_uid:
+ "{{ sap_fapolicy_uid
+ if sap_fapolicy_uid is defined
+ and sap_fapolicy_uid is string
+ and sap_fapolicy_uid | trim | length > 0
+ else __sap_fapolicy_uid_register.stdout.split()
+ }}"
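Review bot: The first assert requires `sap_fapolicy_user | trim | length == 3` when `sap_fapolicy_type` is `generic`, which looks copied from the SID check below it and would reject ordinary account names such as the `root`, `sapadm` and `uuidd` used in the README example this commit removes; the test should be `- sap_fapolicy_user | trim | length > 0`. The final `set_fact` also mixes types: a caller-supplied `sap_fapolicy_uid` stays a string while the fallback `__sap_fapolicy_uid_register.stdout.split()` yields a list, so `__sap_fapolicy_uid_register.stdout | trim` would keep the value scalar. Because the SID ends up in the argument of `id -u`, I would also tighten its assert beyond length, for example `- sap_fapolicy_sid is match('^[A-Za-z][A-Za-z0-9]{2}$')`, and mark the lookup task `changed_when: false`.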
diff --git a/roles/sap_fapolicy/tasks/update_fapolicy.yml b/roles/sap_fapolicy/tasks/update_fapolicy.yml
index 4c2ff78..4a11fb1 100644
--- a/roles/sap_fapolicy/tasks/update_fapolicy.yml
+++ b/roles/sap_fapolicy/tasks/update_fapolicy.yml
@@ -1,50 +1,38 @@ +# SPDX-License-Identifier: Apache-2.0 --- -# Update fapolicy rules -- name: Update fapolicy rules - block: - - name: check fapolicy service - ansible.builtin.stat: - path: /run/fapolicyd/fapolicyd.fifo - register: fa_fifo +- name: Get stat of the file 'fapolicyd.fifo' + ansible.builtin.stat: + path: /run/fapolicyd/fapolicyd.fifo + register: __sap_fapolicy_stat_fifo_register - - name: check fapolicy rules file - ansible.builtin.stat: - path: /etc/fapolicyd/fapolicyd.rules - register: fa_rules +- name: Get stat of the file 'fapolicyd.rules' + ansible.builtin.stat: + path: /etc/fapolicyd/fapolicyd.rules + register: __sap_fapolicy_stat_rules_register - # Add header line - - name: Add header line - ansible.builtin.lineinfile: - path: /etc/fapolicyd/fapolicyd.rules - line: "{{ rules_header }}" - insertafter: "# or anything else applications access that is not a computer langauge." # Hardcoded. - when: fa_rules.stat.exists +- name: Add header line to the file 'fapolicyd.rules' + ansible.builtin.lineinfile: + path: /etc/fapolicyd/fapolicyd.rules + line: "{{ sap_fapolicy_rules_header }}" + insertafter: "# or anything else applications access that is not a computer language." # Hardcoded. 
+ when: __sap_fapolicy_stat_rules_register.stat.exists - # Allow permission-any for SAP directories +- name: Add rules to the file 'fapolicyd.rules' for user {{ sap_fapolicy_user }} + ansible.builtin.lineinfile: + path: /etc/fapolicyd/fapolicyd.rules + line: "allow perm=any uid={{ sap_fapolicy_user }} : dir='{{ item }}'" + insertafter: "{{ sap_fapolicy_rules_header }}" + when: __sap_fapolicy_stat_rules_register.stat.exists + loop: "{{ sap_fapolicy_directory_list }}" - - name: Add lines of fapolicy rules for User {{ sap_fapolicy_user }} - UID {{ sap_fapolicy_user }} - ansible.builtin.lineinfile: - path: /etc/fapolicyd/fapolicyd.rules - line: "allow perm=any uid={{ sap_fapolicy_user }} : dir='{{ item }}'" - insertafter: "{{ rules_header }}" - when: fa_rules.stat.exists - register: fapolicy_res - loop: "{{ sap_fapolicy_directory_list }}" +- name: Add trust=1 to the file 'fapolicyd.rules' for user {{ sap_fapolicy_user }} + ansible.builtin.lineinfile: + path: /etc/fapolicyd/fapolicyd.rules + line: "allow perm=any uid={{ sap_fapolicy_user }} trust=1 : all" + insertafter: "{{ sap_fapolicy_rules_header }}" + when: __sap_fapolicy_stat_rules_register.stat.exists - # Allow trust - - name: Add trust=1 for User {{ sap_fapolicy_user }} - UID {{ sap_fapolicy_user }} - ansible.builtin.lineinfile: - path: /etc/fapolicyd/fapolicyd.rules - line: "allow perm=any uid={{ sap_fapolicy_user }} trust=1 : all" - insertafter: "{{ rules_header }}" - when: fa_rules.stat.exists - register: fapolicy_res - - - name: update fapolicy db - ansible.builtin.shell: /usr/sbin/fapolicyd-cli --update - when: fa_fifo.stat.exists - -# - debug: -# msg: -# - "User: {{ item.0 }} UID: {{ item.1 }}" -# loop: "{{ user_list|zip(sap_fapolicy_uid_list)|list }}" +- name: Execute update of fapolicy database + ansible.builtin.shell: + cmd: /usr/sbin/fapolicyd-cli --update + when: __sap_fapolicy_stat_fifo_register.stat.exists diff --git a/roles/sap_rhsm/README.md b/roles/sap_rhsm/README.md index 829b243..f6a46bf 100644 
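Review bot: Both rule lines still render `uid={{ sap_fapolicy_user }}`, but set_vars.yml in this commit resolves the account into `__sap_fapolicy_user` and `__sap_fapolicy_uid`, and neither is used here. With `sap_fapolicy_type` set to `nw` or `hana` and the new default `sap_fapolicy_user: ''`, the lines would come out as `allow perm=any uid= : dir='...'`, which is presumably not a rule fapolicyd will accept. I would switch the two `line:` values and the task names to the resolved variable, e.g. `line: "allow perm=any uid={{ __sap_fapolicy_user }} : dir='{{ item }}'"`. Since the default directory list includes the world-writable `/tmp/` and `/var/tmp/`, and the last rule allows `trust=1 : all`, a comment above these tasks stating how far they relax the allowlist for that uid would help whoever audits the resulting policy. The final task runs a fixed command with no shell features, so `ansible.builtin.command` would do in place of `ansible.builtin.shell`.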
--- a/roles/sap_rhsm/README.md +++ b/roles/sap_rhsm/README.md @@ -1,39 +1,40 @@ + # sap_rhsm Ansible Role + -Ansible role for RHEL registration / refresh +## Description + +The Ansible Role `sap_rhsm` is used to register managed node with Red Hat Operating System. + -## Overview + + -### Variables + +## Prerequisites +Managed nodes: +- Supported Operating System: Red Hat + -| **Variable** | **Info** | **Default** | **Required** | -| :--- | :--- | :--- | :--- | -| sap_rhsm_function | 'register' or 'refresh' | 'register' | yes | -| sap_rhsm_username | RHEL User for access.redhat.com | | yes | -| sap_rhsm_password | Password for access.redhat.com | | yes | -| sap_rhsm_pool_id | Subscription pool id | | yes | -| sap_rhsm_repos | List of repositories to enable | | yes | -| sap_rhsm_packages | List of packages to install | | yes | - -### Input and Execution - -- Sample execution: - - ```bash - ansible-playbook --connection=local --limit localhost -i "localhost," sap-rhsm-register.yml" - ``` - -- Sample playbook - - Register - ```yaml - --- - - hosts: all - become: true +## Execution + + +### Example + +Register operating system. +```yaml +--- +- hosts: all + become: true + tasks: + - name: Register operating system + ansible.builtin.include_role: + name: community.sap_operations.sap_rhsm vars: sap_rhsm_function: "register" sap_rhsm_username: "my_rhel_user" sap_rhsm_password: "my_rhel_password" - sap_rhsm_pools_id: "8x8x8x8x8x88x8x8x8x8x8x8x8x" + sap_rhsm_pool_id: "8x8x8x8x8x88x8x8x8x8x8x8x8x" sap_rhsm_repos: - rhel-8-for-x86_64-baseos-e4s-rpms - rhel-8-for-x86_64-appstream-e4s-rpms 
@@ -44,25 +45,71 @@ Ansible role for RHEL registration / refresh sap_rhsm_packages: - yum-utils - nfs-utils - roles: - - { role: community.sap_operations.sap_rhsm } - ``` - - Refresh - ```yaml - --- - - hosts: all - become: true +``` + +Refresh operating system. +```yaml +--- +- hosts: all + become: true + tasks: + - name: Register operating system + ansible.builtin.include_role: + name: community.sap_operations.sap_rhsm vars: sap_rhsm_function: "refresh" - roles: - - { role: community.sap_operations.sap_rhsm } - ``` -- Sample result - - ```console - cat /etc/hosts - 10.0.0.1 hana01-lb.poc.cloud hana01-lb - 10.0.0.2 hana02-lb.poc.cloud hana02-lb - 10.0.1.1 s4hana01-ci.poc.cloud s4hana01-ci - 10.0.1.2 s4hana01-app.poc.cloud s4hana01-app - ``` +``` + + + + + + + + +## License + +Apache 2.0 + + +## Maintainers + +- SAP LinuxLab + + +## Role Variables + +### sap_rhsm_function +- **Required**
+- _Type:_ `string`
+ +Select function to execute. Options: 'register', 'refresh'.
+ +### sap_rhsm_username +- _Type:_ `string`
+ +The username for registration.
+Mandatory for execution with `sap_rhsm_function` set to `register`.
+ +### sap_rhsm_password +- _Type:_ `string`
+ +The password for user defined in `sap_rhsm_username`.
+Mandatory for execution with `sap_rhsm_function` set to `register`.
+ +### sap_rhsm_pool_id +- _Type:_ `string`
+ +The pool ID to attach to during registration.
+Mandatory for execution with `sap_rhsm_function` set to `register`.
+ +### sap_rhsm_repos +- _Type:_ `list`
+ +The optional list of repositories to enable.
r> + +### sap_rhsm_packages +- _Type:_ `list`
+ +The optional list of packages to install.
+ diff --git a/roles/sap_rhsm/defaults/main.yml b/roles/sap_rhsm/defaults/main.yml index 6d823e3..c1b1245 100644 --- a/roles/sap_rhsm/defaults/main.yml +++ b/roles/sap_rhsm/defaults/main.yml @@ -1,7 +1,20 @@ -sap_rhsm_function: "register" +# SPDX-License-Identifier: Apache-2.0 +--- +# Select function to execute. Options: 'register', 'refresh'. +sap_rhsm_function: '' -sap_rhsm_username: -sap_rhsm_password: -sap_rhsm_pool_id: +## The variables specific to 'sap_rhsm_function: register' +# The username for registration. +sap_rhsm_username: '' + +# The password for user defined in `sap_rhsm_username`. +sap_rhsm_password: '' + +# The pool ID to attach to during registration. +sap_rhsm_pool_id: '' + +# The optional list of repositories to enable. sap_rhsm_repos: [] + +# The optional list of packages to install. sap_rhsm_packages: [] diff --git a/roles/sap_rhsm/tasks/main.yml b/roles/sap_rhsm/tasks/main.yml index 4f6ca08..fc27f80 100644 --- a/roles/sap_rhsm/tasks/main.yml +++ b/roles/sap_rhsm/tasks/main.yml 
@@ -1,2 +1,25 @@
-- name: SAP OS Tools - RedHat Subscription Manager
- ansible.builtin.include_tasks: "rhsm_{{ sap_rhsm_function }}.yml"
+# SPDX-License-Identifier: Apache-2.0
+---
+- name: Assert that the Operating System of Managed node is Red Hat
+ ansible.builtin.assert:
+ that:
+ - ansible_os_family == "RedHat"
+ fail_msg: |
+ Ensure that the role is executed on supported managed node operating system Red Hat.
+ Detected: {{ ansible_os_family }}
+ Expected: RedHat
+
+- name: Assert that the variable 'sap_rhsm_function' is valid
+ ansible.builtin.assert:
+ that:
+ - sap_rhsm_function is defined
+ - sap_rhsm_function is string
+ - sap_rhsm_function | trim | length > 0
+ - sap_rhsm_function in ['register', 'refresh']
+ fail_msg: |
+ The variable 'sap_rhsm_function' is undefined or invalid!
+ Available options: register, refresh
+
+- name: Execute Red Hat Subscription Manager function {{ sap_rhsm_function }}
+ ansible.builtin.include_tasks:
+ file: "rhsm_{{ sap_rhsm_function }}.yml"
diff --git a/roles/sap_rhsm/tasks/rhsm_refresh.yml b/roles/sap_rhsm/tasks/rhsm_refresh.yml
index 209d3ff..b7fef3c 100644
--- a/roles/sap_rhsm/tasks/rhsm_refresh.yml
+++ b/roles/sap_rhsm/tasks/rhsm_refresh.yml
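Review bot: The new assert in roles/sap_rhsm/tasks/main.yml checks `ansible_os_family == "RedHat"`, which is wider than the `when: ansible_facts['distribution'] == 'RedHat'` guard this commit removes from rhsm_refresh.yml and rhsm_register.yml: the `RedHat` family also covers distributions such as CentOS and Fedora, where the `subscription-manager` steps are not meant to run. Asserting `- ansible_distribution == "RedHat"` (and printing `ansible_distribution` in `fail_msg`) would keep the previous scope. The allowlist check on `sap_rhsm_function` before it is interpolated into the `include_tasks` file name is a good addition and should stay ahead of the include.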
@@ -1,30 +1,32 @@ -- name: SAP OS Tools - RedHat Subscription Manager - Refresh - {{ ansible_distribution }} - {{ ansible_distribution_version }} - block: - - name: Subscription Manager - Refresh - ansible.builtin.command: "subscription-manager refresh" +# SPDX-License-Identifier: Apache-2.0 +--- +- name: Refresh - Refresh Subscription Manager + ansible.builtin.command: + cmd: "subscription-manager refresh" - - name: Subscription Manager - Identity Regenerate - ansible.builtin.command: "subscription-manager identity --regenerate" +- name: Refresh - Regenerate Identity + ansible.builtin.command: + cmd: "subscription-manager identity --regenerate" - - name: Subscription Manager - Lock Release - ansible.builtin.command: "subscription-manager release --set={{ ansible_distribution_version }}" +- name: Refresh - Lock Release + ansible.builtin.command: + cmd: "subscription-manager release --set={{ ansible_distribution_version }}" - - name: Yum clean all - ansible.builtin.command: "yum clean all" +- name: Refresh - Yum clean all + ansible.builtin.command: + cmd: "yum clean all" - - name: Clear dnf cache - ansible.builtin.file: - path: /var/cache/dnf - state: absent +- name: Refresh - Clear dnf cache + ansible.builtin.file: + path: /var/cache/dnf + state: absent - - name: Clear rhsm packages - ansible.builtin.file: - path: /var/lib/rhsm/packages/packages.json - state: absent +- name: Refresh - Clear rhsm packages + ansible.builtin.file: + path: /var/lib/rhsm/packages/packages.json + state: absent - - name: Restart service rhsmcertd - ansible.builtin.service: - name: rhsmcertd - state: restarted - - when: ansible_facts['distribution'] == 'RedHat' +- name: Refresh - estart service rhsmcertd + ansible.builtin.service: + name: rhsmcertd + state: restarted diff --git a/roles/sap_rhsm/tasks/rhsm_register.yml b/roles/sap_rhsm/tasks/rhsm_register.yml index 45dfc4d..f4a50c9 100644 --- a/roles/sap_rhsm/tasks/rhsm_register.yml +++ b/roles/sap_rhsm/tasks/rhsm_register.yml 
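Review bot: The last task name in rhsm_refresh.yml has lost a letter, `Refresh - estart service rhsmcertd`; it should read `- name: Refresh - Restart service rhsmcertd`. The four `ansible.builtin.command` tasks will report `changed` on every run; if that is intended for a refresh, a one-line comment saying so would save the next reader from wondering, otherwise `changed_when:` can state the real condition.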
@@ -1,77 +1,104 @@ -- name: SAP OS Tools - RedHat Subscription Manager - Register - {{ ansible_distribution }} - {{ ansible_distribution_version }} - block: - # - name: Subscription Manager - Initial Commands - # command: 'subscription-manager {{ item }}' - # loop: - # - "clean" - # - "remove --all" - # - "register --force --username={{ sap_rhsm_username }} --password='{{ sap_rhsm_password }}'" - # - "identity --regenerate --force --username={{ sap_rhsm_username }} --password='{{ sap_rhsm_password }}'" - # - "auto-attach" - # - "attach --pool='{{ sap_rhsm_pool_id }}'" - # - "release --set={{ ansible_distribution_version }}" - # - "repos --disable='*'" - - - name: Subscription Manager - Clean - ansible.builtin.command: "subscription-manager clean" - - - name: Subscription Manager - Remove - ansible.builtin.command: "subscription-manager remove --all" - - - name: Subscription Manager - Register - ansible.builtin.command: 'subscription-manager register --force --username={{ sap_rhsm_username }} --password="{{ sap_rhsm_password }}"' - - - name: Subscription Manager - Identity Regenerate - ansible.builtin.command: 'subscription-manager identity --regenerate --force --username={{ sap_rhsm_username }} --password="{{ sap_rhsm_password }}"' - - - name: Subscription Manager - Auto Attach - ansible.builtin.command: "subscription-manager auto-attach" - - - name: Subscription Manager - Attach Pool - ansible.builtin.command: 'subscription-manager attach --pool="{{ sap_rhsm_pool_id }}"' - - - name: Subscription Manager - Lock Release - ansible.builtin.command: "subscription-manager release --set={{ ansible_distribution_version }}" - - - name: Subscription Manager - Disable Repos - ansible.builtin.command: 'subscription-manager repos --disable="*"' - - - name: Subscription Manager - Enable Repos - ansible.builtin.command: 'subscription-manager repos --enable="{{ item }}"' - loop: "{{ sap_rhsm_repos }}" - - - name: Yum clean all - ansible.builtin.command: "yum clean all" - - - 
name: Yum search sap- - ansible.builtin.command: "yum -y search sap-" - - # - name: Yum install yum-utils - # command: 'yum -y install yum-utils' - - # - name: Yum install nfs-utils - # command: 'yum -y install nfs-utils' - - - name: Yum install - ansible.builtin.command: "yum -y install {{ item }}" - loop: "{{ sap_rhsm_packages }}" - - - name: Clear dnf cache - ansible.builtin.file: - path: /var/cache/dnf - state: absent - - - name: Clear rhsm packages - ansible.builtin.file: - path: /var/lib/rhsm/packages/packages.json - state: absent - - - name: Restart service rhsmcertd - ansible.builtin.service: - name: rhsmcertd - state: restarted - - # - name: Register the system to Red Hat Insights - # command: 'insights-client --register' - - when: ansible_facts['distribution'] == 'RedHat' +# SPDX-License-Identifier: Apache-2.0 +--- +- name: Assert that the variable 'sap_rhsm_username' is valid + ansible.builtin.assert: + that: + - sap_rhsm_username is defined + - sap_rhsm_username is string + - sap_rhsm_username | trim | length > 0 + fail_msg: | + The variable 'sap_rhsm_username' is undefined or invalid! + +- name: Assert that the variable 'sap_rhsm_password' is valid + ansible.builtin.assert: + that: + - sap_rhsm_password is defined + - sap_rhsm_password is string + - sap_rhsm_password | trim | length > 0 + fail_msg: | + The variable 'sap_rhsm_password' is undefined or invalid! + +- name: Assert that the variable 'sap_rhsm_pool_id' is valid + ansible.builtin.assert: + that: + - sap_rhsm_pool_id is defined + - sap_rhsm_pool_id is string + - sap_rhsm_pool_id | trim | length > 0 + fail_msg: | + The variable 'sap_rhsm_pool_id' is undefined or invalid! 
+ + +- name: Register - Clean Subscription Manager + ansible.builtin.command: + cmd: "subscription-manager clean" + +- name: Register - Remove Subscription Manager + ansible.builtin.command: + cmd: "subscription-manager remove --all" + +- name: Register - Register Subscription Manager + ansible.builtin.command: + cmd: 'subscription-manager register --force --username={{ sap_rhsm_username }} --password="{{ sap_rhsm_password }}"' + no_log: true + +- name: Register - Regenerate Identity + ansible.builtin.command: + cmd: 'subscription-manager identity --regenerate --force --username={{ sap_rhsm_username }} --password="{{ sap_rhsm_password }}"' + no_log: true + +- name: Register - Auto Attach + ansible.builtin.command: + cmd: "subscription-manager auto-attach" + +- name: Register - Attach Pool + ansible.builtin.command: + cmd: 'subscription-manager attach --pool="{{ sap_rhsm_pool_id }}"' + +- name: Register - Lock Release + ansible.builtin.command: + cmd: "subscription-manager release --set={{ ansible_distribution_version }}" + +- name: Register - Disable Repos + ansible.builtin.command: + cmd: 'subscription-manager repos --disable="*"' + +- name: Register - Enable Repos + ansible.builtin.command: + cmd: 'subscription-manager repos --enable="{{ item }}"' + loop: "{{ sap_rhsm_repos }}" + when: + - sap_rhsm_repos is defined + - sap_rhsm_repos is mapping + - sap_rhsm_repos | length > 0 + +- name: Register - Yum clean all + ansible.builtin.command: + cmd: "yum clean all" + +- name: Register - Yum search 'sap-' + ansible.builtin.command: + cmd: "yum -y search sap-" + +- name: Register - Yum install + ansible.builtin.command: + cmd: "yum -y install {{ item }}" + loop: "{{ sap_rhsm_packages }}" + when: + - sap_rhsm_packages is defined + - sap_rhsm_packages is mapping + - sap_rhsm_packages | length > 0 + +- name: Register - Clear dnf cache + ansible.builtin.file: + path: /var/cache/dnf + state: absent + +- name: Register - Clear rhsm packages + ansible.builtin.file: + path: 
/var/lib/rhsm/packages/packages.json + state: absent + +- name: Register - Restart service rhsmcertd + ansible.builtin.service: + name: rhsmcertd + state: restarted
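Review bot: The `when` lists on `Register - Enable Repos` and `Register - Yum install` test `sap_rhsm_repos is mapping` and `sap_rhsm_packages is mapping`, but both variables are lists (defaults `[]`, README type `list`), and a list is not a mapping, so both tasks are always skipped. Coming right after `repos --disable="*"`, that leaves the host registered with every repository disabled; the test should be `- sap_rhsm_repos is sequence and sap_rhsm_repos is not string` (likewise for `sap_rhsm_packages`). Separately, `no_log: true` keeps the password out of Ansible output only: it is still passed as `--password=...` on the command line, where it may be visible in the managed node's process list while the task runs, and a password containing a double quote would break the parsing of the `cmd` string. Passing the arguments as an `argv:` list avoids the quoting problem, and it would be worth checking whether a dedicated registration module such as `community.general.redhat_subscription` can replace these two tasks so the secret does not have to appear in a command line at all.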