Add Rocky support (#122)

* Add Rocky/RHEL8/RHEL9 support * Add `install_rpm_repositories` variable, to skip installing any rpm repo
artefactual-labs · Oct 12, 2023 · d597bd8 · d597bd8
1 parent 48e04bf
commit d597bd8
Show file tree

Hide file tree

Showing 16 changed files with 141 additions and 37 deletions.
diff --git a/README.md b/README.md
@@ -11,13 +11,13 @@ Please visit our [deploy-pub](https://github.com/artefactual/deploy-pub/tree/mas
 This role allows to install AtoM on CentOS 7 and Ubuntu 14.04, 16:04, 18.04 and
 20.04. But not all the AtoM versions can be installed in all OS.
 
-|AtoM version| PHP version    | CentOS support | Ubuntu support | ElasticSearch version | MySQL version |
-|------------|----------------|----------------|----------------|-----------------------|---------------|
-|  AtoM 2.3  |5.5, 5.6 and 7.0|    CentOS 7    | 14.04 and 16.04|      >=1.3,<2.0       |  >=5.1,<6.0   |
-|  AtoM 2.4  |5.5, 5.6 and 7.0|    CentOS 7    | 14.04 and 16.04|      >=1.3,<2.0       |  >=5.1,<6.0   |
-|  AtoM 2.5  |  7.0 and 7.2   |    CentOS 7    | 16.04 and 18.04|      >=5.0,<6.0       |  >=5.1,<6.0   |
-|  AtoM 2.6  |  7.2 and 7.3   |    CentOS 7    |     18.04      |      >=5.0,<6.0       |     >=8.0     |
-|  AtoM 2.7  |      7.4       |    CentOS 7    |     20.04      |      >=5.0,<6.0       |     >=8.0     |
+|AtoM version| PHP version    | CentOS/RH/Rocky support | Ubuntu support | ElasticSearch version | MySQL version |
+|------------|----------------|-------------------------|----------------|-----------------------|---------------|
+|  AtoM 2.3  |5.5, 5.6 and 7.0|     CentOS/RedHat 7     | 14.04 and 16.04|      >=1.3,<2.0       |  >=5.1,<6.0   |
+|  AtoM 2.4  |5.5, 5.6 and 7.0|     CentOS/RedHat 7     | 14.04 and 16.04|      >=1.3,<2.0       |  >=5.1,<6.0   |
+|  AtoM 2.5  |  7.0 and 7.2   |     CentOS/RedHat 7     | 16.04 and 18.04|      >=5.0,<6.0       |  >=5.1,<6.0   |
+|  AtoM 2.6  |  7.2 and 7.3   |     CentOS/RedHat 7     |     18.04      |      >=5.0,<6.0       |     >=8.0     |
+|  AtoM 2.7  |      7.4       |CentOS/RH 7, Rocky/RH 8-9|     20.04      |      >=5.0,<6.0       |     >=8.0     |
 
 The next table explains the valid `atom_php_version` values that you can use
 depending on the AtoM version and Linux Distro. It is very important to take
@@ -27,15 +27,17 @@ or `group_vars` files to the desired version.
 
 |Linux Distro| AtoM 2.3 | AtoM 2.4 | AtoM 2.5 | AtoM 2.6 | AtoM 2.7 |  Default |
 |------------|----------|----------|----------|----------|----------|----------|
-| CentOS 7   |    70    |     70   | 70,71,72 |  72,73   |    74    |    72    |
+|CentOS/RH 7 |    70    |     70   | 70,71,72 |  72,73   |    74    |    72    |
+|Rocky/RH 8  |          |          |          |          |    74    |    74    |
+|Rocky/RH 9  |          |          |          |          |    74    |    74    |
 |Ubuntu 14.04|     5    |      5   |          |          |          |     5    |
 |Ubuntu 16.04|    7.0   |     7.0  |    7.0   |          |          |    7.0   |
 |Ubuntu 18.04|          |          |    7.2   |   7.2    |          |    7.2   |
 |Ubuntu 20.04|          |          |          |          |   7.4    |    7.4   |
 
-From the table above, you can see the Linux distro you need depending on
-the AtoM version. For instance, AtoM 2.7 can only be installed on CentOS 7 or
-Ubuntu 20.04.
+From the table above, you can see the Linux distro you need depending on the
+AtoM version. For instance, AtoM 2.6 can only be installed on CentOS 7 or
+Ubuntu 18.04.
 
 ## Notes on dependencies
 

diff --git a/defaults/main.yml b/defaults/main.yml
@@ -72,6 +72,10 @@ atom_flush_data: "no"
 # Build static assets
 atom_build_static_assets: "yes"
 
+# Change to false if you don't want to install rpm repos
+# Useful in offline or rpm repos controlled environments
+install_rpm_repositories: "true"
+
 # Themes (to build)
 atom_themes:
   - path: "{{ atom_path }}/{{ atom_extra_path }}/plugins/arDominionPlugin"

diff --git a/tasks/basic.yml b/tasks/basic.yml
@@ -159,18 +159,30 @@
 - name: "SELinux tasks"
   block:
     - name: "Selinux: allow httpd to write on atom folder (when using atom_revision_directory)"
-      shell: 'semanage fcontext -a -t httpd_sys_rw_content_t {{ atom_path }}/{{ atom_extra_path }}\(/.*\)? && restorecon -R -v {{ atom_path }}/{{ atom_extra_path }}'
+      sefcontext:
+        target: "{{ atom_path }}/{{ atom_extra_path }}(/.*)?"
+        setype: httpd_sys_rw_content_t
+        state: present
+      when: atom_revision_directory|bool
+    - name: "Selinux: Apply restorecon  on atom folder (when using atom_revision_directory)"
+      shell: "restorecon -R -v {{ atom_path }}/{{ atom_extra_path }}"
       when: atom_revision_directory|bool
     - name: "Selinux: allow httpd to write on atom folder (when not using atom_revision_directory)"
-      shell: 'semanage fcontext -a -t httpd_sys_rw_content_t {{ atom_path }}\(/.*\)? && restorecon -R -v {{ atom_path }}'
+      sefcontext:
+        target: "{{ atom_path }}(/.*)?"
+        setype: httpd_sys_rw_content_t
+        state: present
+      when: not atom_revision_directory|bool
+    - name: "Selinux: Apply restorecon  on atom folder (when not using atom_revision_directory)"
+      shell: "restorecon -R -v {{ atom_path }}"
       when: not atom_revision_directory|bool
     - name: "Selinux: enable httpd_can_network_connect"
       seboolean:
         name: httpd_can_network_connect
         state: yes
         persistent: yes
   when:
-    - ansible_os_family == "RedHat"
+    - ansible_os_family in ["RedHat","Rocky"]
     - ansible_selinux is defined and ansible_selinux != False and ansible_selinux.status == 'enabled'
   tags:
     - selinux
diff --git a/tasks/build.yml b/tasks/build.yml
@@ -60,20 +60,20 @@
       when:
         - not atom_compile_all_themes|bool # Don't compile themes when they are alreay compiled
   when:
-    - ansible_os_family == "RedHat"
+    - ansible_os_family in ["RedHat"]
     - php_version|int < 74
 
-- name: "Build AtoM themes (CentOS/RH and php version >= 7.4)"
+- name: "Build AtoM themes (CentOS/RH/Rocky and php version >= 7.4)"
   block:
-    - name: "Build all AtoM themes (CentOS/RH)"
+    - name: "Build all AtoM themes (CentOS/RH/Rocky)"
       shell: "make"
       args:
         chdir: "{{ item }}"
       with_items: "{{ theme_makefiles.stdout_lines }}"
       become: "no"
       when:
         - atom_compile_all_themes|bool
-    - name: "Build selected AtoM themes (CentOS/RH)"
+    - name: "Build selected AtoM themes (CentOS/RH/Rocky)"
       shell: "{{ item.build_cmd }}"
       args:
         chdir: "{{ item.path }}"
@@ -82,7 +82,7 @@
       when:
         - not atom_compile_all_themes|bool # Don't compile themes when they are alreay compiled
   when:
-    - ansible_os_family == "RedHat"
+    - ansible_os_family in ["RedHat","Rocky"]
     - php_version|int >= 74
 
 #
@@ -149,18 +149,19 @@
       command: "scl enable rh-nodejs6 'npm update' || npm update"
       args:
         chdir: "{{ atom_drmc_path }}"
+      when: install_rpm_repositories|bool
     # using --force option to ignore Error compiling ../../arDominionPlugin/css/main.less
     - name: "Build DRMC (SCL)"
       shell: "scl enable rh-nodejs6 'grunt build --force' || grunt build --force"
       args:
         chdir: "{{ atom_drmc_path }}"
   when:
     - "atom_drmc is defined and atom_drmc|bool"
-    - ansible_os_family == "RedHat"
+    - ansible_os_family in ["RedHat"]
     - php_version|int < 74
   become: "no"
 
-- name: "Binder npm build tasks (CentOS/RedHat and php version >= 7.4)"
+- name: "Binder npm build tasks (CentOS/RedHat/Rocky and php version >= 7.4)"
   block:
     - name: "Install npm local dependencies"
       npm:
@@ -173,7 +174,7 @@
         chdir: "{{ atom_drmc_path }}"
   when:
     - "atom_drmc is defined and atom_drmc|bool"
-    - ansible_os_family == "RedHat"
+    - ansible_os_family in ["RedHat","Rocky"]
     - php_version|int >= 74
   become: "no"
 

diff --git a/tasks/deps-rh-php-74.yml b/tasks/deps-rh-php-74.yml
@@ -4,38 +4,58 @@
   yum:
     name: "epel-release"
     state: "installed"
+  when: install_rpm_repositories|bool
 
 - name: "Enable epel repo"
   ini_file:
     path: /etc/yum.repos.d/epel.repo
     section: epel
     option: enabled
     value: 1
+  when: install_rpm_repositories|bool
 
 - name: "Import Remi GPG key (php version >= 7.4)"
   rpm_key:
     key: "https://rpms.remirepo.net/RPM-GPG-KEY-remi2022"
     state: present
+  when: install_rpm_repositories|bool
 
 - name: "Install Remi Repo (php version >= 7.4)"
   yum:
-    name: "https://rpms.remirepo.net/enterprise/remi-release-7.rpm"
+    name: "https://rpms.remirepo.net/enterprise/remi-release-{{ ansible_distribution_major_version }}.rpm"
     state: "installed"
+  when: install_rpm_repositories|bool
+
+- name: "Disable nodejs module on RedHat/Rocky 8"
+  command: "dnf module -y disable nodejs"
+  when:
+    - ansible_distribution_major_version|int == 8
+    - install_rpm_repositories|bool
 
 - name: "Import nodesource GPG key (php version >= 7.4)"
   rpm_key:
     key: "https://rpm.nodesource.com/pub/el/NODESOURCE-GPG-SIGNING-KEY-EL"
     state: present
+  when: install_rpm_repositories|bool
 
 - name: "Install nodesource Repo (php version >= 7.4)"
   yum:
-    name: "https://rpm.nodesource.com/pub_14.x/el/7/x86_64/nodesource-release-el7-1.noarch.rpm"
+    name: "https://rpm.nodesource.com/pub_14.x/el/{{ ansible_distribution_major_version }}/x86_64/nodesource-release-el{{ ansible_distribution_major_version }}-1.noarch.rpm"
     state: "installed"
+  when: install_rpm_repositories|bool
 
 - name: "Add rpmfusion free repo (for ffmpeg)"
-  command: 'yum localinstall -y --nogpgcheck https://download1.rpmfusion.org/free/el/rpmfusion-free-release-7.noarch.rpm'
+  command: 'yum localinstall -y --nogpgcheck https://download1.rpmfusion.org/free/el/rpmfusion-free-release-{{ ansible_distribution_major_version }}.noarch.rpm'
   args:
     creates: "/etc/yum.repos.d/rpmfusion-free-updates.repo"
+  when: install_rpm_repositories|bool
+
+# Required by ffmpeg
+- name: "Enable powertools repo on RedHat/Rocky 8)"
+  command: "dnf config-manager --set-enabled powertools"
+  when:
+    - ansible_distribution_major_version|int == 8
+    - install_rpm_repositories|bool
 
 - name: "Install AtoM dependencies"
   yum:
@@ -48,7 +68,6 @@
       - "make"                        #
       - "gcc"                         #
       - "java-11-openjdk-headless"    # needed by FOP
-      - "Judy-devel"                  # needed by memprof
     state: "latest"
 
 - name: "Install nodejs build dependency (php version >= 7.4)"
@@ -75,3 +94,10 @@
   with_items:
     - "grunt-cli"
     - "less@<4.0.0"
+
+- name: "Install selinux necessary packages required by this ansible role"
+  yum:
+    name: "{{ atom_selinux_ansible_deps }}"
+    state: "latest"
+  when:
+    - ansible_selinux is defined and ansible_selinux != False and ansible_selinux.status == 'enabled'
diff --git a/tasks/deps-rh.yml b/tasks/deps-rh.yml
@@ -4,31 +4,36 @@
   yum:
     name: "epel-release"
     state: "installed"
+  when: install_rpm_repositories|bool
 
 - name: "Enable epel repo"
   ini_file:
     path: /etc/yum.repos.d/epel.repo
     section: epel
     option: enabled
     value: 1
+  when: install_rpm_repositories|bool
 
 - name: "Install scl repo (CentOS)"
   yum:
     name: "centos-release-scl"
     state: "installed"
   when:
     - ansible_distribution == "CentOS"
+    - install_rpm_repositories|bool
 
 - name: "Enable scl repo (RedHat)"
   rhsm_repository:
     name: rhel-server-rhscl-7-rpms
   when:
     - ansible_distribution == "RedHat"
+    - install_rpm_repositories|bool
 
 - name: "Add rpmfusion free repo (for ffmpeg)"
   command: 'yum localinstall -y --nogpgcheck https://download1.rpmfusion.org/free/el/rpmfusion-free-release-7.noarch.rpm'
   args:
     creates: "/etc/yum.repos.d/rpmfusion-free-updates.repo"
+  when: install_rpm_repositories|bool
 
 - name: "Install AtoM dependencies"
   yum:
@@ -48,3 +53,10 @@
 # don't quote the shell command, or it won't work (also need to escape the <)
 - name: "Install npm (SCL) global dependencies (also required during the build)"
   shell: scl enable rh-nodejs6 'npm install -g grunt-cli less@\<4.0.0'
+
+- name: "Install selinux necessary packages required by this ansible role"
+  yum:
+    name: "{{ atom_selinux_ansible_deps }}"
+    state: "latest"
+  when:
+    - ansible_selinux is defined and ansible_selinux != False and ansible_selinux.status == 'enabled'
diff --git a/tasks/fop.yml b/tasks/fop.yml
@@ -12,7 +12,7 @@
   set_fact:
     fop_version: "2.1"
   when: ( ansible_distribution_version is version('16.04', '==') ) or
-    ( ansible_os_family == "RedHat" )
+    ( ansible_os_family in ["RedHat","Rocky"] )
   tags:
     - "atom-fop"
 
@@ -45,7 +45,7 @@
         dest: "/usr/local/bin/fop"
         state: "link"
   when: ( ansible_distribution_version is version('16.04', '<=') ) or
-          ( ansible_os_family == "RedHat" )
+          ( ansible_os_family in ["RedHat","Rocky"] )
   tags:
       - "atom-fop"
 

diff --git a/tasks/main.yml b/tasks/main.yml
@@ -4,6 +4,7 @@
   include_vars: "{{ item }}"
   with_first_found:
     - "{{ ansible_distribution }}-{{ ansible_distribution_version}}.yml"
+    - "{{ ansible_distribution }}-{{ ansible_distribution_major_version}}.yml"
     - "{{ ansible_distribution }}.yml"
   tags: "always"
 
@@ -19,14 +20,14 @@
       tags:
         - "atom-deps"
       when:
-        - ansible_os_family == "RedHat"
+        - ansible_os_family in ["RedHat"]
         - php_version|int < 74
 
     - include: "deps-rh-php-74.yml"
       tags:
         - "atom-deps"
       when:
-        - ansible_os_family == "RedHat"
+        - ansible_os_family in ["RedHat","Rocky"]
         - php_version|int >= 74
 
     - include: "php.yml"
@@ -41,7 +42,7 @@
       tags:
         - "atom-php"
       when:
-        - ansible_os_family == "RedHat"
+        - ansible_os_family in ["RedHat","Rocky"]
         - php_version|int < 74
 
     - include: "php-rh-74.yml"
@@ -50,7 +51,7 @@
       tags:
         - "atom-php"
       when:
-        - ansible_os_family == "RedHat"
+        - ansible_os_family in ["RedHat","Rocky"]
         - php_version|int >= 74
 
     - include: "php-composer.yml"

diff --git a/tasks/php-pool-cfg.yml b/tasks/php-pool-cfg.yml
@@ -52,4 +52,4 @@
       notify:
         - "Restart PHP service"
   when:
-    - ansible_os_family == "RedHat"
+    - ansible_os_family in ["RedHat","Rocky"]
diff --git a/tasks/symlink-dirs.yml b/tasks/symlink-dirs.yml
@@ -81,15 +81,29 @@
 - name: "SELinux tasks for symlinks"
   block:
     - name: "Selinux: allow httpd to write on uploads folders"
-      shell: 'semanage fcontext -a -t httpd_sys_rw_content_t {{ atom_uploads_symlink }}\(/.*\)? && restorecon -R -v {{ atom_uploads_symlink }}'
+      sefcontext:
+        target: "semanage fcontext -a -t httpd_sys_rw_content_t {{ atom_uploads_symlink }}(/.*)?"
+        setype: httpd_sys_rw_content_t
+        state: present
+      when:
+        - "atom_uploads_symlink is defined"
+    - name: "Selinux: Apply restorecon on uploads folders"
+      shell: 'restorecon -R -v {{ atom_uploads_symlink }}'
       when:
         - "atom_uploads_symlink is defined"
     - name: "Selinux: allow httpd to write on downloads folders"
-      shell: 'semanage fcontext -a -t httpd_sys_rw_content_t {{ atom_downloads_symlink }}\(/.*\)? && restorecon -R -v {{ atom_downloads_symlink }}'
+      sefcontext:
+        target: "semanage fcontext -a -t httpd_sys_rw_content_t {{ atom_downloads_symlink }}(/.*)?"
+        setype: httpd_sys_rw_content_t
+        state: present
+      when:
+        - "atom_downloads_symlink is defined"
+    - name: "Selinux: Apply restorecon on downloads folders"
+      shell: 'restorecon -R -v {{ atom_downloads_symlink }}'
       when:
         - "atom_downloads_symlink is defined"
   when:
-    - ansible_os_family == "RedHat"
+    - ansible_os_family in ["RedHat","Rocky"]
     - ansible_selinux is defined and ansible_selinux != False and ansible_selinux.status == 'enabled'
   tags:
     - selinux
diff --git a/templates/lib/systemd/system/atom-worker.service b/templates/lib/systemd/system/atom-worker.service
@@ -18,7 +18,7 @@ WorkingDirectory={{ atom_path }}/{{ atom_revision_directory_latest_symlink_dir }
 {% else %}
 WorkingDirectory={{ atom_path }}
 {% endif %}
-{% if ansible_os_family == "RedHat" %}
+{% if ansible_os_family in ["RedHat","Rocky"] %}
 {% if atom_worker_old_config|bool %}
 ExecStart={{ php_rh_centos_path }}/php -d memory_limit={{ atom_worker_systemd_memory_limit }} -d error_reporting="{{ atom_worker_systemd_error_reporting }}" {{ atom_worker_systemd_execstart_php_extra_args }} symfony tools:gearman-worker {{ atom_worker_systemd_execstart_worker_extra_args }}
 {% else %}

diff --git a/vars/CentOS.yml b/vars/CentOS.yml
@@ -2,3 +2,7 @@ php_version: "{{ atom_php_version|default('72') }}" # Without dots. 70, 71, 73 a
 php_service_name: "{% if php_version|int < 74 %}rh-php{{ php_version }}-php-fpm{% else %}php{{ php_version }}-php-fpm{% endif %}"
 php_rh_centos_path: "{% if php_version|int < 74 %}/opt/rh/rh-php{{ php_version }}/root/bin{% else %}/opt/remi/php{{ php_version }}/root/bin{% endif %}"
 php_rh_centos_etc_path: "{% if php_version|int < 74 %}/etc/opt/rh/rh-php{{ php_version }}{% else %}/etc/opt/remi/php{{ php_version }}{% endif %}"
+
+atom_selinux_ansible_deps:
+  - "libsemanage-python"
+  - "policycoreutils-python"