bugfix: support CentOS

.kitchen.yml

@@ -16,6 +16,7 @@ provisioner:
   ansible_verbose: true
   ansible_extra_flags: <%= ENV['ANSIBLE_EXTRA_FLAGS'] %>
   requirements_path: requirements.yml
+  requirements_collection_path: requirements.yml
   http_proxy: <%= ENV['ANSIBLE_PROXY'] %>
   idempotency_test: true
   additional_copy_path:
@@ -42,6 +43,11 @@ platforms:
       box: trombik/ansible-ubuntu-20.04-amd64
       box_check_update: false
 
+  - name: centos-7.8-x86_64
+    driver:
+      box: trombik/ansible-centos-7.8-x86_64
+      box_check_update: false
+
 suites:
   - name: default
     provisioner:

README.md

@@ -17,7 +17,7 @@ deprecated.
 See [Issue 835](https://github.com/opensearch-project/OpenSearch-Dashboards/issues/835)
 for the upgrade plan.
 
-## For Debian users
+## For Debian-variants and CentOS  users
 
 The role installs `opensearch` from the official tar archive. This
 is a huge hack until when Amazon or distributions release packages.
@@ -46,10 +46,6 @@ control `ansible` tasks.
 The role installs a `systemd` unit file for `opensearch`. The author is not an
 expert of `systemd` in any way.
 
-## Red Hat users
-
-The role does not work on the platform yet.
-
 # Requirements
 
 By default, the role uses `trombik.x509_certificate` to manage X509
@@ -204,12 +200,13 @@ curl -vv --user admin:admin \
 | `__opensearch_log_dir` | `/var/log/opensearch` |
 | `__opensearch_db_dir` | `/var/lib/opensearch` |
 | `__opensearch_package` | `opensearch` |
-| `__opensearch_conf_dir` | `/etc/opensearch` |
+| `__opensearch_conf_dir` | `/usr/local/opensearch/config` |
+| `__opensearch_root_dir` | `/usr/local/opensearch` |
 | `__opensearch_scripts_dir` | `""` |
-| `__opensearch_plugins_dir` | `/usr/share/opensearch/plugins` |
-| `__opensearch_plugin_command` | `/usr/share/opensearch/bin/opensearch-plugin` |
+| `__opensearch_plugins_dir` | `/usr/local/opensearch/plugins` |
+| `__opensearch_plugin_command` | `/usr/local/opensearch/bin/opensearch-plugin` |
 | `__opensearch_service` | `opensearch` |
-| `__opensearch_java_home` | `""` |
+| `__opensearch_java_home` | `/usr/local/opensearch/jdk` |
 
 ## FreeBSD
 
@@ -236,12 +233,13 @@ curl -vv --user admin:admin \
 | `__opensearch_log_dir` | `/var/log/opensearch` |
 | `__opensearch_db_dir` | `/var/lib/opensearch` |
 | `__opensearch_package` | `opensearch` |
-| `__opensearch_conf_dir` | `/etc/opensearch` |
+| `__opensearch_conf_dir` | `/usr/local/opensearch/config` |
+| `__opensearch_root_dir` | `/usr/local/opensearch` |
 | `__opensearch_scripts_dir` | `""` |
-| `__opensearch_plugins_dir` | `/usr/share/opensearch/plugins` |
-| `__opensearch_plugin_command` | `/usr/share/opensearch/bin/opensearch-plugin` |
+| `__opensearch_plugins_dir` | `/usr/local/opensearch/plugins` |
+| `__opensearch_plugin_command` | `/usr/local/opensearch/bin/opensearch-plugin` |
 | `__opensearch_service` | `opensearch` |
-| `__opensearch_java_home` | `""` |
+| `__opensearch_java_home` | `/usr/local/opensearch/jdk` |
 
 # Dependencies
 
@@ -252,13 +250,19 @@ curl -vv --user admin:admin \
 ```yaml
 ---
 - hosts: localhost
+  pre_tasks:
+    - name: Allow HTTP port
+      ansible.builtin.iptables:
+        chain: INPUT
+        destination_port: 80
+        protocol: tcp
+        jump: ACCEPT
+      when: ansible_os_family == 'RedHat'
   roles:
     - role: trombik.freebsd_pkg_repo
       when: ansible_os_family == "FreeBSD"
-    - role: trombik.redhat_repo
-      when: ansible_os_family == "RedHat"
     - role: trombik.java
-      # XXX the bundled jdk is used on Ubuntu
+      # XXX the bundled jdk is used on Ubuntu and CentOS
       when: ansible_os_family == "FreeBSD"
     - role: trombik.sysctl
     - ansible-role-opensearch
@@ -275,17 +279,6 @@ curl -vv --user admin:admin \
         mirror_type: none
         priority: 100
         state: present
-    redhat_repo:
-      opensearch7:
-        baseurl: https://artifacts.elastic.co/packages/oss-7.x/yum
-        gpgkey: https://artifacts.elastic.co/GPG-KEY-opensearch
-        gpgcheck: yes
-        enabled: yes
-      opensearch:
-        baseurl: https://d3g5vo6xdbdb9a.cloudfront.net/yum/noarch/
-        gpgkey: https://d3g5vo6xdbdb9a.cloudfront.net/GPG-KEY-opensearch
-        enabled: yes
-        gpgcheck: yes
     os_opensearch_extra_packages:
       FreeBSD: []
       Debian:
@@ -338,6 +331,9 @@ curl -vv --user admin:admin \
       Debian: |
         # /usr/bin/getconf CLK_TCK`
         -Dclk.tck=100
+      RedHat: |
+        # /usr/bin/getconf CLK_TCK`
+        -Dclk.tck=100
 
     os_opensearch_http_auth:
       FreeBSD:
@@ -351,6 +347,10 @@ curl -vv --user admin:admin \
         # XXX the version of ansible on Ubuntu is 2.9.6. as such, ca_path
         # cannot be used.
         validate_certs: no
+      RedHat:
+        client_cert: "{{ role_path }}/files/test/certs/admin.pem"
+        client_key: "{{ role_path }}/files/test/certs/admin-key.pem"
+        validate_certs: no
     opensearch_http_auth: "{{ os_opensearch_http_auth[ansible_os_family] }}"
     opensearch_jvm_options: "{{ lookup('file', 'test/jvm_options') + os_opensearch_jvm_options[ansible_os_family] }}"
     opensearch_config:
@@ -548,6 +548,16 @@ curl -vv --user admin:admin \
     # _____________________________________________haproxy
     project_backend_host: 127.0.0.1
     project_backend_port: 5601
+    os_haproxy_selinux_seport:
+      FreeBSD: {}
+      Debian: {}
+      RedHat:
+        ports:
+          - 80
+          - 5601
+        proto: tcp
+        setype: http_port_t
+    haproxy_selinux_seport: "{{ os_haproxy_selinux_seport[ansible_os_family] }}"
     haproxy_config: |
       global
         daemon
@@ -581,6 +591,14 @@ curl -vv --user admin:admin \
         uid 604
         gid 604
         pidfile /var/run/haproxy.pid
+      {% elif ansible_os_family == 'RedHat' %}
+      log         127.0.0.1 local2
+      chroot      /var/lib/haproxy
+      pidfile     /var/run/haproxy.pid
+      maxconn     4000
+      user        haproxy
+      group       haproxy
+      daemon
       {% endif %}
 
       defaults
@@ -621,6 +639,8 @@ curl -vv --user admin:admin \
         #CONFIG="/etc/haproxy/haproxy.cfg"
         #EXTRAOPTS="-de -m 16"
       OpenBSD: ""
+      RedHat: |
+        OPTIONS=""
     haproxy_flags: "{{ os_haproxy_flags[ansible_os_family] }}"
 ```
 

meta/main.yml

@@ -13,5 +13,8 @@ galaxy_info:
     - name: Ubuntu
       versions:
         - focal
+    - name: EL
+      versions:
+        - 7
   galaxy_tags:
     - opensearch

requirements.yml

@@ -1,9 +1,11 @@
 ---
-- name: trombik.sysctl
-- name: trombik.java
-- name: trombik.freebsd_pkg_repo
-- name: trombik.apt_repo
-- name: trombik.redhat_repo
-- name: trombik.x509_certificate
-- name: trombik.opensearch_dashboards
-- name: trombik.haproxy
+roles:
+  - name: trombik.sysctl
+  - name: trombik.java
+  - name: trombik.freebsd_pkg_repo
+  - name: trombik.x509_certificate
+  - name: trombik.opensearch_dashboards
+  - name: trombik.haproxy
+collections:
+  - name: community.general
+  - name: ansible.posix

tasks/install-RedHat.yml

@@ -5,13 +5,17 @@
     name: "{{ opensearch_extra_packages }}"
     state: present
 
-- name: Install opensearch_package
-  yum:
-    name: "{{ opensearch_package }}"
+- name: Install gpg
+  ansible.builtin.yum:
+    name: gpg
     state: present
 
+- name: "Include install-src.yml"
+  include: "install-src.yml"
+
 - name: Create /etc/sysconfig/opensearch
-  template:
+  # XXX not effective yet
+  ansible.builtin.template:
     src: RedHat.sysconfig.j2
     dest: /etc/sysconfig/opensearch
     owner: root

tasks/install-src.yml

@@ -38,7 +38,8 @@
 - name: Create opensearch_src_pgp_key_fingerprint_file
   # XXX do not use FQCN here for older ansible version on Ubuntu
   shell:
-    cmd: "gpg --show-keys --with-colons {{ opensearch_src_pgp_key_file | quote }} > {{ opensearch_src_pgp_key_fingerprint_file | quote  }}"
+    # XXX gpg on CentoS is old
+    cmd: "gpg {% if ansible_os_family == 'Debian' %}--show-keys{% else %}--with-fingerprint{% endif %} --with-colons {{ opensearch_src_pgp_key_file | quote }} > {{ opensearch_src_pgp_key_fingerprint_file | quote  }}"
     creates: "{{ opensearch_src_pgp_key_fingerprint_file }}"
   environment:
     HOME: "/root"

tests/serverspec/default.yml

@@ -1,12 +1,18 @@
 ---
 - hosts: localhost
+  pre_tasks:
+    - name: Allow HTTP port
+      ansible.builtin.iptables:
+        chain: INPUT
+        destination_port: 80
+        protocol: tcp
+        jump: ACCEPT
+      when: ansible_os_family == 'RedHat'
   roles:
     - role: trombik.freebsd_pkg_repo
       when: ansible_os_family == "FreeBSD"
-    - role: trombik.redhat_repo
-      when: ansible_os_family == "RedHat"
     - role: trombik.java
-      # XXX the bundled jdk is used on Ubuntu
+      # XXX the bundled jdk is used on Ubuntu and CentOS
       when: ansible_os_family == "FreeBSD"
     - role: trombik.sysctl
     - ansible-role-opensearch
@@ -23,17 +29,6 @@
         mirror_type: none
         priority: 100
         state: present
-    redhat_repo:
-      opensearch7:
-        baseurl: https://artifacts.elastic.co/packages/oss-7.x/yum
-        gpgkey: https://artifacts.elastic.co/GPG-KEY-opensearch
-        gpgcheck: yes
-        enabled: yes
-      opensearch:
-        baseurl: https://d3g5vo6xdbdb9a.cloudfront.net/yum/noarch/
-        gpgkey: https://d3g5vo6xdbdb9a.cloudfront.net/GPG-KEY-opensearch
-        enabled: yes
-        gpgcheck: yes
     os_opensearch_extra_packages:
       FreeBSD: []
       Debian:
@@ -86,6 +81,9 @@
       Debian: |
         # /usr/bin/getconf CLK_TCK`
         -Dclk.tck=100
+      RedHat: |
+        # /usr/bin/getconf CLK_TCK`
+        -Dclk.tck=100
 
     os_opensearch_http_auth:
       FreeBSD:
@@ -99,6 +97,10 @@
         # XXX the version of ansible on Ubuntu is 2.9.6. as such, ca_path
         # cannot be used.
         validate_certs: no
+      RedHat:
+        client_cert: "{{ role_path }}/files/test/certs/admin.pem"
+        client_key: "{{ role_path }}/files/test/certs/admin-key.pem"
+        validate_certs: no
     opensearch_http_auth: "{{ os_opensearch_http_auth[ansible_os_family] }}"
     opensearch_jvm_options: "{{ lookup('file', 'test/jvm_options') + os_opensearch_jvm_options[ansible_os_family] }}"
     opensearch_config:
@@ -296,6 +298,16 @@
     # _____________________________________________haproxy
     project_backend_host: 127.0.0.1
     project_backend_port: 5601
+    os_haproxy_selinux_seport:
+      FreeBSD: {}
+      Debian: {}
+      RedHat:
+        ports:
+          - 80
+          - 5601
+        proto: tcp
+        setype: http_port_t
+    haproxy_selinux_seport: "{{ os_haproxy_selinux_seport[ansible_os_family] }}"
     haproxy_config: |
       global
         daemon
@@ -329,6 +341,14 @@
         uid 604
         gid 604
         pidfile /var/run/haproxy.pid
+      {% elif ansible_os_family == 'RedHat' %}
+      log         127.0.0.1 local2
+      chroot      /var/lib/haproxy
+      pidfile     /var/run/haproxy.pid
+      maxconn     4000
+      user        haproxy
+      group       haproxy
+      daemon
       {% endif %}
 
       defaults
@@ -369,4 +389,6 @@
         #CONFIG="/etc/haproxy/haproxy.cfg"
         #EXTRAOPTS="-de -m 16"
       OpenBSD: ""
+      RedHat: |
+        OPTIONS=""
     haproxy_flags: "{{ os_haproxy_flags[ansible_os_family] }}"

vars/RedHat.yml

@@ -4,9 +4,10 @@ __opensearch_group: opensearch
 __opensearch_log_dir: /var/log/opensearch
 __opensearch_db_dir: /var/lib/opensearch
 __opensearch_package: opensearch
-__opensearch_conf_dir: /etc/opensearch
+__opensearch_conf_dir: /usr/local/opensearch/config
+__opensearch_root_dir: /usr/local/opensearch
 __opensearch_scripts_dir: ""
-__opensearch_plugins_dir: /usr/share/opensearch/plugins
-__opensearch_plugin_command: /usr/share/opensearch/bin/opensearch-plugin
+__opensearch_plugins_dir: /usr/local/opensearch/plugins
+__opensearch_plugin_command: /usr/local/opensearch/bin/opensearch-plugin
 __opensearch_service: opensearch
-__opensearch_java_home: ""
+__opensearch_java_home: /usr/local/opensearch/jdk