mirror of
https://github.com/GeekOops/geekoops-php-fpm.git
synced 2024-05-18 22:51:15 +00:00
Refactor and tidy the role (#10)
* Move apparmor to separate yaml file * Add switch for apparmor * Remove Leap 15.3 from molecule * Fix the CI
parent
8037666487
commit
e7a01655b3
|
@ -17,6 +17,7 @@ Due to the very different php configuration on Debian/Ubuntu I'm not planning to
|
|||
|-------|-------------|---------|
|
||||
| `configure_php_ini` | Configrue the `php.ini` file | `true` |
|
||||
| `configure_php_fpm` | Configure php-fpm configuration files | `true` |
|
||||
| `configure_apparmor` | Configure apparmor configuration files | `false` |
|
||||
| `enable_php_fpm` | Enable `php-fpm` service | `true` |
|
||||
| `apcu_enable` | Enable the [APCu](https://www.php.net/manual/en/book.apcu.php) cache | `false` |
|
||||
| `apcu_shm_size` | APCu cache size | `32M` |
|
||||
|
@ -106,4 +107,4 @@ First try to set the `php-fpm` AppArmor profile to complain and check if this re
|
|||
|
||||
# aa-complain /etc/apparmor.d/php-fpm
|
||||
|
||||
If so, you can use the `yast apparmor` module of YaST to modify the `php-fpm` module to allow access to your php files. Then you can set AppArmor back to enforce.
|
||||
If so, you can use the `yast apparmor` module of YaST to modify the `php-fpm` module to allow access to your php files. Then you can set AppArmor back to enforce.
|
||||
|
|
|
@ -3,6 +3,7 @@
|
|||
|
||||
configure_php_ini: true
|
||||
configure_php_fpm: true
|
||||
configure_apparmor: false
|
||||
enable_php_fpm: true
|
||||
|
||||
# The pool to configure
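Review bot: `configure_apparmor: false` is added without a comment, yet it changes what the role does by default. Judging by the tasks removed from tasks/main.yml in this commit, the rules for the pool's log, pid and socket paths used to be written unconditionally. On a host that enforces the `php-fpm` AppArmor profile, those paths are now denied unless the operator sets the switch. A comment above the variable would make that visible, for example `# Write the pool's log, pid and socket rules to /etc/apparmor.d/local/php-fpm; set to true where the php-fpm profile is enforced`. The README table row added in this commit could carry the same hint, so users are not steered towards leaving the profile in complain mode.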
|
||||
|
|
|
@ -1,7 +0,0 @@
|
|||
FROM registry.opensuse.org/opensuse/leap:15.3
|
||||
|
||||
# Install systemd and development tools, clear cache
|
||||
RUN zypper in -y systemd systemd-sysvinit firewalld python3 python3-firewall curl && rm -rf /var/cache/* && rm -f /etc/machine-id /var/lib/dbus/machine-id
|
||||
|
||||
# Start container with systemd
|
||||
ENTRYPOINT ["/usr/sbin/init"]
|
|
@ -15,6 +15,16 @@
|
|||
include_role:
|
||||
name: "geekoops-php-fpm"
|
||||
## Setup test enviroment
|
||||
# Smoke test for nginx
|
||||
- name: Deploy index.html
|
||||
copy:
|
||||
content: |
|
||||
This page is a stub.
|
||||
dest: "{{www_dir}}/index.html"
|
||||
group: "root"
|
||||
owner: "root"
|
||||
mode: 0644
|
||||
register: deployed
|
||||
# We setup phpinfo.php and configure nginx to use php for *.php files
|
||||
- name: Deploy phpinfo script
|
||||
copy:
|
||||
|
@ -31,13 +41,13 @@
|
|||
server {
|
||||
listen 80 default_server;
|
||||
listen [::]:80 default_server;
|
||||
root {{ www_dir }};
|
||||
index index.php index.html index.htm;
|
||||
root "{{ www_dir }}";
|
||||
index index.html index.htm;
|
||||
location / {
|
||||
try_files $uri $uri/ =404;
|
||||
}
|
||||
location ~ \.php$ {
|
||||
fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
|
||||
fastcgi_pass unix:/run/php-fpm/www.sock;
|
||||
fastcgi_index index.php;
|
||||
fastcgi_param SCRIPT_FILENAME $request_filename;
|
||||
include fastcgi_params;
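Review bot: `mode: 0644` in the new `Deploy index.html` task is an unquoted octal, which gives the intended permissions only because the YAML 1.1 loader reads the leading zero as octal. The role's own tasks/main.yml writes `mode: '0755'`, so `mode: "0644"` is the safer and consistent spelling. `register: deployed` is not referenced in the visible lines and can probably be dropped, unless a task outside the hunk uses it. The added comment `## Setup test enviroment` misspells `environment`. The play starts before the first hunk and the nginx server block continues past the second.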
|
||||
|
|
|
@ -4,23 +4,12 @@ dependency:
|
|||
driver:
|
||||
name: docker
|
||||
platforms:
|
||||
- name: leap15_3
|
||||
image: registry.opensuse.org/opensuse/leap:15.3
|
||||
dockerfile: Dockerfile.leap15_3
|
||||
command: ${MOLECULE_DOCKER_COMMAND:-"/usr/sbin/init"}
|
||||
privileged: true
|
||||
volumes:
|
||||
- /sys/fs/cgroup:/sys/fs/cgroup:ro
|
||||
tmpfs:
|
||||
- /run
|
||||
- /tmp
|
||||
- name: leap15_4
|
||||
image: registry.opensuse.org/opensuse/leap:15.4
|
||||
dockerfile: Dockerfile.leap15_4
|
||||
command: ${MOLECULE_DOCKER_COMMAND:-"/usr/sbin/init"}
|
||||
privileged: true
|
||||
volumes:
|
||||
- /sys/fs/cgroup:/sys/fs/cgroup:ro
|
||||
cgroupns: host
|
||||
tmpfs:
|
||||
- /run
|
||||
- /tmp
|
||||
|
@ -28,14 +17,6 @@ provisioner:
|
|||
name: ansible
|
||||
inventory:
|
||||
host_vars:
|
||||
leap15_3:
|
||||
www_dir: "/srv/www/htdocs"
|
||||
vhosts_dir: "/etc/nginx/vhosts.d"
|
||||
phpgroup: www
|
||||
phpuser: wwwrun
|
||||
nginxuser: nginx
|
||||
nginxgroup: nginx
|
||||
deploy_nginx_config: true
|
||||
leap15_4:
|
||||
www_dir: "/srv/www/htdocs"
|
||||
vhosts_dir: "/etc/nginx/vhosts.d"
|
||||
|
@ -46,7 +27,3 @@ provisioner:
|
|||
deploy_nginx_config: true
|
||||
verifier:
|
||||
name: testinfra
|
||||
lint:
|
||||
name: flake8
|
||||
lint: |
|
||||
yamllint -d "{extends: relaxed, rules: {line-length: {max: disabled}}}" .
|
||||
|
|
|
@ -6,9 +6,22 @@ import testinfra.utils.ansible_runner
|
|||
import os
|
||||
|
||||
testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all')
|
||||
|
||||
|
||||
# Check if the service is enabled and running
|
||||
def test_php_active(host):
|
||||
php_fpm = host.service("php-fpm")
|
||||
assert php_fpm.is_running
|
||||
assert php_fpm.is_enabled
|
||||
|
||||
# Smoketest for nginx
|
||||
def test_nginx(host):
|
||||
cmd = host.run("curl -v --fail http://127.0.0.1/")
|
||||
assert 'HTTP/1.1 200 OK' in cmd.stderr
|
||||
assert "This page is a stub" in cmd.stdout
|
||||
|
||||
# Check if we can access the phpinfo.php
|
||||
def test_phpinfo(host):
|
||||
cmd = host.run("curl -v http://127.0.0.1/phpinfo.php")
|
||||
cmd = host.run("curl -v --fail http://127.0.0.1/phpinfo.php")
|
||||
assert 'HTTP/1.1 200 OK' in cmd.stderr
|
||||
assert "PHP Version" in cmd.stdout
|
||||
assert "php-fpm" in cmd.stdout
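Review bot: `test_nginx` and `test_phpinfo` match the literal `'HTTP/1.1 200 OK'` in curl's verbose stderr, which ties the result to curl's trace format and the negotiated protocol version rather than to the outcome. Both calls now pass `--fail`, so `assert cmd.rc == 0` states the same condition directly, and the stdout assertions already cover the content. The explanatory `#` comments above each test would read better as docstrings, for example `"""php-fpm must be running and enabled at boot."""` as the first line of `test_php_active`.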
|
||||
|
|
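--- a/tasks/apparmor.yml
+++ b/tasks/apparmor.yml
@@ -0,0 +1,21 @@
+---
+
+- name: Ensure AppArmor knows about our new config file, the socket, and some log files it tries to create
+ansible.builtin.blockinfile:
+path: /etc/apparmor.d/local/php-fpm
+marker: "# {mark} ANSIBLE MANAGED BLOCK {{php_fpm_pool}}"
+state: present
+block: |
+/var/log/php-fpm/{{php_fpm_pool}}.access.log rw,
+/var/log/php-fpm/{{php_fpm_pool}}.log.slow rw,
+/var/log/{{php_fpm_pool}}.log rw,
+@{run}/php{,-fpm}/{{php_fpm_pool}}.pid rw,
+@{run}/{{php_fpm_pool}}.pid rw,
+@{run}/php{,-fpm}/{{php_fpm_pool}}.sock rwlk,
+tags: ['apparmor']
+
+- name: Ensure AppArmor is reloaded
+systemd:
+name: apparmor
+state: restarted
+tags: ['apparmor']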
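Review bot: The `Ensure AppArmor is reloaded` task restarts the `apparmor` unit on every run, whether or not the `blockinfile` task changed `/etc/apparmor.d/local/php-fpm`, so the role never reports a clean, idempotent run. Registering the first task with `register: apparmor_local_rules` and adding `when: apparmor_local_rules is changed` to the second, or making the second a handler, would limit the restart to real rule changes. Judging by the line counts of the tasks/main.yml hunk, the copy of this task removed there carried `enabled: true`, which is missing here. If dropping it was not intended, the role no longer ensures AppArmor is started at boot. `{{php_fpm_pool}}` is interpolated directly into the rule paths, so a comment stating that the pool name must be a plain file-name component, with no AppArmor glob characters, would document the assumption the rules rest on.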
@ -4,6 +4,8 @@
|
|||
- name: include distribution specific vars
|
||||
include_vars: "{{ ansible_distribution }}_{{ ansible_distribution_version }}.yml"
|
||||
|
||||
## Install and configure php ###################################################
|
||||
|
||||
- name: Ensure php packages are installed
|
||||
package:
|
||||
name: "{{ packages }}"
|
||||
|
@ -43,32 +45,21 @@
|
|||
tags: ['php-fpm']
|
||||
when: configure_php_fpm == true
|
||||
|
||||
- name: Ensure AppArmor knows about our new config file, the socket, and some log files it tries to create
|
||||
ansible.builtin.blockinfile:
|
||||
path: /etc/apparmor.d/local/php-fpm
|
||||
marker: "# {mark} ANSIBLE MANAGED BLOCK {{php_fpm_pool}}"
|
||||
state: present
|
||||
block: |
|
||||
/var/log/php-fpm/{{php_fpm_pool}}.access.log rw,
|
||||
/var/log/php-fpm/{{php_fpm_pool}}.log.slow rw,
|
||||
/var/log/{{php_fpm_pool}}.log rw,
|
||||
@{run}/php{,-fpm}/{{php_fpm_pool}}.pid rw,
|
||||
@{run}/{{php_fpm_pool}}.pid rw,
|
||||
@{run}/php{,-fpm}/{{php_fpm_pool}}.sock rwlk,
|
||||
|
||||
- name: create log directory for php-fpm
|
||||
- name: Create log directory for php-fpm
|
||||
ansible.builtin.file:
|
||||
path: "/var/log/php-fpm/"
|
||||
state: directory
|
||||
mode: '0755'
|
||||
group: 'www'
|
||||
owner: 'wwwrun'
|
||||
tags: ['php-fpm']
|
||||
|
||||
- name: Ensure AppArmor is reloaded
|
||||
systemd:
|
||||
name: apparmor
|
||||
state: restarted
|
||||
enabled: true
|
||||
## Additional tasks ############################################################
|
||||
|
||||
- include_tasks: apparmor.yml
|
||||
when: configure_apparmor
|
||||
|
||||
## Finalize steps ##############################################################
|
||||
|
||||
- name: Ensure php-fpm is enabled
|
||||
systemd:
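Review bot: The new `- include_tasks: apparmor.yml` carries no tags, and `include_tasks` is dynamic, so a run limited with `--tags apparmor` skips the include itself. The `tags: ['apparmor']` set inside tasks/apparmor.yml can therefore never select those tasks on their own. Adding `tags: ['apparmor']` to the include, or switching to `import_tasks`, restores that. Writing the condition as `when: configure_apparmor | bool` also keeps a string value such as `-e configure_apparmor=false` from being treated as true. The include is the only task in this hunk without a `name:`; something like `- name: Configure AppArmor rules for php-fpm` would match the rest of the file. The final task of the hunk, `Ensure php-fpm is enabled`, continues outside it.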
|
||||
|
|