feat(roles/php): allow for PHP-FPM pools to be configured individually.#248
Open
ebuerki-lf wants to merge 62 commits into
…ially finished) to allow for multiple PHP-FPM pools to be configured individually
…dance with example role, ensure session.save_path is now set correctly
…s (not complete), update template for RedHat-based systems.
Deploy /etc/icingaweb2/modules/pdfexport/config.ini so the module talks to the chrome-headless service over the Chrome DevTools Protocol by default (host/port), with an optional fall-back to a local Chrome binary. Move the platform-variables import into an always-tagged block so the new icingaweb2_module_pdfexport:configure tag can be run on its own. Wire the repo_epel, repo_google_chrome and google_chrome roles into both the standalone playbook and setup_icinga2_master.yml, with *__skip_* opt-outs tracking the existing pdfexport skip flag.
…d in front of Chrome
…lean Without bind_any the chrome-headless-proxy.socket cannot bind the listen port on hosts where the port carries an unexpected SELinux port type (on Rocky/RHEL 9 the default 9222 is registered as hplip_port_t).
Remove the comments and the chrome-headless-before-socket ordering that only existed to handle the cut-over from a pre-existing, non-socket-activated chrome service. With no such legacy unit in the wild, the regular notify chain (daemon-reload, restart socket, restart chrome on template change) is sufficient.
Declare the two user-facing variables (basic_auth_login as 'raw', mirror_url as 'str'), matching the pattern repo_remi established. Also sort entries in roles/google_chrome/{meta/argument_specs.yml,defaults/main.yml} alphabetically per CONTRIBUTING.md.
- Split SELinux booleans into their own block, scoped to `google_chrome` only, so `google_chrome:configure` is limited to unit-file deployment as documented in the README.
- Move daemon-reload from a handler into a regular task, gated by `is changed` on the three deploy tasks. The state block now runs with the freshly reloaded unit definitions without needing an intermediate `flush_handlers`, and the restart-socket handler can rely on `__google_chrome__service_state_result is not changed` (with an `is not defined` fallback for tag-restricted runs) to skip the redundant restart right after a fresh service start.
- Drop the `restart chrome-headless` handler. Changes to the proxy or Chrome service unit only need a daemon-reload now; they take effect on the next socket-activation cycle. Only socket-template changes still trigger an immediate restart, because that unit holds the externally-visible listen port.
- Fix descriptions for `google_chrome__service_enabled` and `google_chrome__service_state` in `meta/argument_specs.yml`: both manage the `chrome-headless-proxy.socket` unit, not `chrome-headless.service`.
- Drop `mesa-libOSMesa-devel` from the runtime package list; the runtime library `mesa-libOSMesa` stays.
…251) Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.19.1 to 2.19.3.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](step-security/harden-runner@a5ad31d...ab7a940)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-version: 2.19.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…ocalhost Chromium's --remote-debugging-address now always binds 127.0.0.1 instead of chromium_headless__listen_address. Only the proxy socket is meant to be the public endpoint; binding the backend to a routable listen_address exposed Chromium's unauthenticated CDP port off-host and let clients bypass the idle-managed proxy. The proxy and the ExecStartPost health check connect to 127.0.0.1 accordingly. Also documents why MemoryDenyWriteExecute must stay false (V8 JIT) and bumps the two unit-template timestamps.
…ons on temp-file tasks
and some other minor improvements
…eprecation warning
- Deduplicate the repo_baseos/repo_epel blocks in clamav and duplicity by folding them into the single block at the top of roles:.
- Keep EPEL enabled on RHEL 7/8 by standardizing every repo_epel block on the ["7", "8", "9", "10"] version list.
- Restore the "CRB formerly came from EPEL" rationale in the block comments and fix their indentation.
- Document the new repo_baseos/repo_epel skip variables in playbooks/README.md for duplicity, fangfrisch, mongodb and python_venv.
- Fix fangfrisch using the clamav__skip_python_venv variable.
- Normalize | default(false) to | d(false) and restore stripped blank lines in influxdb and python_venv.
- Drop the stale glances CHANGELOG entry left over from the revert.
Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 4.9.0 to 5.0.0.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](actions/dependency-review-action@2031cfc...a1d282b)

---
updated-dependencies:
- dependency-name: actions/dependency-review-action
  dependency-version: 5.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
…255) Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.19.3 to 2.19.4.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](step-security/harden-runner@ab7a940...9af89fc)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-version: 2.19.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.35.4 to 4.35.5.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@68bde55...9e0d7b8)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
which is required to start influxdb but missing as a package dependency
…olation variable (mariadb 10.6+), defaulting to 'on'
…rror URL is set The basic-auth block in the repo templates was gated solely on `*_basic_auth_login`, independent of `*_mirror_url`. Setting `lfops__repo_basic_auth_login` without `lfops__repo_mirror_url` wrote username/password into repo files that still pointed at the public vendor mirrors, causing the package manager to send those credentials to servers that do not use basic auth. Tighten the guard so credentials are only emitted when a custom mirror URL is configured, and clarify the affected role READMEs accordingly. repo_icinga is intentionally left unchanged: its public subscription URL legitimately requires basic auth without a custom mirror. repo_redis (apt) never emitted basic auth and is out of scope.
The combined value was computed and printed in the debug output but never passed to fedora.linux_system_roles.kernel_settings, so a configured CPU affinity had no effect.
The tools/particle runner and the bundled lib submodule were already dropped in f428973, but the root particle/Vagrantfile and its .gitignore entry remained. Remove them too. The Linuxfabrik lib stays: it is still deployed at runtime by monitoring_plugins (install_method: source) and demonstrated by the example role; no bundled local lib exists and no lfops plugin imports it.
* test: add plugin unit-test infrastructure

  Adds a tox-driven matrix (Python 3.9-3.13 x ansible-core 2.15-2.18 and latest) for the controller-side plugins, a pytest layout under tests/, the 'Linuxfabrik: Unit Tests' CI workflow, and a local pre-commit hook that runs the unit tests on every commit. Documents the controller vs managed-node (RHEL 8 / Python 3.6) test tiers in tests/README.md and CONTRIBUTING.md, where plugin unit tests are now mandatory.

* fix(plugins/filter/combine_lod): error on incomplete composite unique_key

  A composite unique_key (list of keys) produced a tuple that is always truthy, so an item missing one of the keys was silently grouped under a (None, ...) key instead of raising. Validate each component explicitly. Also adopt the standard Linuxfabrik file header, switch to f-strings, fix the DOCUMENTATION so ansible-doc renders the filter again, and move the embedded tests into tests/unit/plugins/filter/test_combine_lod.py (plus new composite-key cases).
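The composite unique_key defect described in the combine_lod commit above, as an added example written here, not the collection's own filter code: `build_key`, `combine_lod`, the `legacy` flag and the merge-by-`dict.update` semantics are assumptions chosen to illustrate why a tuple check cannot catch a missing key component.

```python
"""Group a list of dicts by a single or composite unique_key.
Added example, not the collection's combine_lod filter; the merge
semantics (later dicts update earlier ones) are an assumption."""
from typing import Any, Dict, List, Sequence, Union

Key = Union[str, Sequence[str]]


def build_key(item: Dict[str, Any], unique_key: Key, legacy: bool = False):
    """Return the grouping key for one item, raising when a component is absent.

    legacy=True reproduces the defect from the commit message: for a composite
    key the tuple (None, 'prod') is truthy, so `if not key` never fires and the
    item is silently grouped under (None, ...).
    """
    if isinstance(unique_key, str):
        keys, key = [unique_key], item.get(unique_key)
    else:
        keys, key = list(unique_key), tuple(item.get(k) for k in unique_key)
    if legacy:
        if not key:  # only catches a missing *single* key, never a composite one
            raise ValueError(f'item {item!r} lacks unique_key {unique_key!r}')
    else:
        missing = [k for k in keys if item.get(k) is None]  # validate each component
        if missing:
            raise ValueError(f'item {item!r} lacks unique_key component(s) {missing}')
    return key


def combine_lod(items: List[Dict[str, Any]], unique_key: Key, legacy: bool = False):
    """Merge dicts that share a unique_key; first-appearance order is kept."""
    groups: Dict[Any, Dict[str, Any]] = {}
    for item in items:
        groups.setdefault(build_key(item, unique_key, legacy), {}).update(item)
    return list(groups.values())


# Constructed sample input: the third item is missing the 'env' component.
SAMPLE = [
    {'name': 'web', 'env': 'prod', 'port': 80},
    {'name': 'web', 'env': 'prod', 'tls': True},
    {'name': 'web', 'port': 8080},
]
```

With `legacy=True` the incomplete third item is merged into its own `('web', None)` group instead of aborting the play, which is the behaviour the fix removes.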
Bring the bitwarden lookup, module and module_util to the standard plugin style (header, f-strings, single quotes, modern ansible.module_utils.common.text.converters) without changing behavior. Safe fixes only:
- fix the lookup DOCUMENTATION so ansible-doc renders it again
- module: fail_json(msg=...) instead of positional, drop dead try/except
- module_util: drop the (object) base, correct get_item_by_id docstring, nosec the /tmp cache fallback and the charset default (false positives)
- remove the dead commented example block from the lookup

Behaviour-changing bugs (check_mode mutation, None-password overwrite, get_item_by_id returns-or-raises contract) are intentionally left for separate, individually tested fixes. Add unit tests for the family plus tests/conftest.py, which makes this checkout importable as ansible_collections.linuxfabrik.lfops so module/lookup tests resolve their collection imports under pytest/tox. Exclude tests/ from bandit (fixture passwords are expected).
#267) A description bullet containing a colon followed by a space is parsed by YAML as a mapping, which makes ansible-doc abort with 'expected str instance, AnsibleMapping found'. Rephrase the offending bullets in the nextcloud_occ_app_config / nextcloud_occ_system_config modules and the alert_contacts / mwindows / monitors option docs of the uptimerobot_monitor / uptimerobot_psp modules. Add tests/unit/test_plugin_docs.py, which parses every in-house plugin's DOCUMENTATION/RETURN and asserts each description is a string or list of strings, so this class of error fails at unit-test time instead of only at render time. Vendored plugins are out of scope (the ipa* modules also fail ansible-doc, but because their ansible-freeipa doc_fragment is not installed, which is unrelated).
Bring the uptimerobot module_util and all nine uptimerobot_* modules to the standard plugin style: standard file header (also unifies the module_util copyright line) and f-strings throughout, replacing every str.format() call. No behavior change from the formatting. Safe fixes:
- module_util: the four get_* functions now pass a non-list API response (the stat-ok message fallback) straight through instead of iterating it and crashing
- module_util: drop the no-op ternary and the now-unused is_paginated_field bookkeeping in _request_uncached

Add unit tests for the pure helpers: the module_util wire builders, secret redaction, cache-key hashing, friendly-name resolution and the read-direction response translators; the monitor alert_contacts/mwindows normalizers; and the mwindow time helpers (incl. the midnight wrap).
…es + tests (#269) Bring the remaining in-house plugins to the standard style: standard file header, single quotes, f-strings (replacing the last .format() calls in sqlite_query and gpg_key), modern ansible.module_utils.common.text.converters instead of the deprecated _text, fixed import ordering, and removal of leftover boilerplate / commented-out debug code. ipa_diff gains the standard header it lacked.

Security:
- gpg_key no longer passes input_data (which contains the cleartext passphrase) into fail_json on a failed key generation.

Safe fixes:
- sqlite_query: REGEXP no longer raises on NULL column values (returns no-match); bare 'except:' narrowed to 'except Exception:'; mutable default argument replaced with None.

Add unit tests: ipa_diff (pure diff helpers), sqlite_query (connect / select / regexp / close against a real temp DB) and gpg_key (match_key). Deferred (behaviour-changing, separate PRs): sqlite_query reporting a failed query as a successful run, and nextcloud_occ_app_config array idempotency.
) main() ignored the success flag returned by select(), so a failed query exited with changed=false and the error message smuggled into query_result - reporting success for a broken query. Check the flag and call fail_json with the error instead. Add a reusable Ansible module test harness (tests/ansible_harness.py: set_module_args + exit_json/fail_json patching, profile-aware so it works on ansible-core 2.15 through 2.21) and main()-level tests covering both the success and the failure path.
…ssword on None (#271) Two behavior fixes:
- check_mode: the module declared supports_check_mode but wrote to the vault regardless (edit/create/add_attachment). Guard every write behind 'not module.check_mode' and return the predicted item in check mode.
- None password: diff_and_update saw target password None vs an existing real password as a change and overwrote it with null. A None password now preserves the existing item's password, matching the documented behavior ('overwritten by every non-None value').

Clarify the DOCUMENTATION accordingly and add main()-level tests (fake Bitwarden client + the ansible module harness) for both paths. The get_item_by_id returns-or-raises contract is left for a separate PR.
…s JSON (#272) Nextcloud stores an array config value and returns it as a parsed JSON array (verified against Nextcloud 33: config:list yields ["alpha", "beta"]). The module stringified that list with str() (Python repr, single quotes) and compared it against the user's array literal, which never matched - so the module reported a change and re-ran config:app:set on every run. Compare array values as parsed JSON instead (values_match()), and store the cached current value as canonical JSON. Add unit tests for the helper and for the cached (installed_config_json) idempotency path. The occ output formats were verified empirically in a Nextcloud podman container.
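The array-value idempotency problem from the nextcloud_occ_app_config commit above, as an added example that is not the module's own code: `_parse`, `legacy_matches`, `values_match` and `canonical_json` are constructed names that follow the approach the commit describes (compare as parsed JSON, cache the current value as canonical JSON), and the occ output string is constructed from the commit's own description.

```python
"""Idempotent comparison of a Nextcloud occ config value.
Added example, not the collection's nextcloud_occ_app_config module."""
import json
from typing import Any


def _parse(value: Any) -> Any:
    """occ prints array values as JSON text; the user's desired value may
    already be a Python list. Non-JSON strings (e.g. a hostname) stay as-is."""
    if isinstance(value, str):
        try:
            return json.loads(value)
        except ValueError:
            return value
    return value


def legacy_matches(current: str, desired: Any) -> bool:
    """The old comparison: str() of a Python list is its repr with single
    quotes, so it never equals the JSON text occ prints -> change every run."""
    return str(desired) == current


def values_match(current: Any, desired: Any) -> bool:
    """Compare as parsed JSON, so '["alpha", "beta"]' == ['alpha', 'beta']."""
    return _parse(current) == _parse(desired)


def canonical_json(value: Any) -> str:
    """Stable form for the cached current value (installed_config_json)."""
    return json.dumps(_parse(value), sort_keys=True, separators=(',', ':'))


# Constructed sample: what `occ config:list` yields for an array app setting.
OCC_OUTPUT = '["alpha", "beta"]'
DESIRED = ['alpha', 'beta']
```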
…ct docs
- Sync plugins/module_utils/gnupg.py with upstream python-gnupg 0.5.6 (byte-identical), keeping the module working on current Python and GnuPG.
- gnupghome is now type=path (expands ~, resolves relative paths).
- Drop the misleading "python-gnupg required on the controller" requirement; the library ships with the collection. Document the returned field as uids.
- Document the vendored module_util in CONTRIBUTING and exclude it from bandit, consistent with the vendored ipa*.py modules.