Merge branch 'devel' into wsrelay

tools/ansible/roles/dockerfile/templates/Dockerfile.j2

@@ -273,7 +273,8 @@ RUN for dir in \
       /var/lib/shared/vfs-layers/layers.lock \
       /var/run/nginx.pid \
       /var/lib/awx/venv/awx/lib/python3.9/site-packages/awx.egg-link ; \
-    do touch $file ; chmod g+rw $file ; done
+    do touch $file ; chmod g+rw $file ; done && \
+    echo "\setenv PAGER 'less -S'" > /var/lib/awx/.psqlrc
 {% endif %}
 
 {% if not build_dev|bool %}

tools/docker-compose/ansible/roles/sources/defaults/main.yml

@@ -13,6 +13,7 @@ receptor_image: quay.io/ansible/receptor:devel
 # Keys for signing work
 receptor_rsa_bits: 4096
 receptor_work_sign_reconfigure: false
+sign_work: no  # currently defaults to no because openssl version mismatch causes "unknown block type PRIVATE KEY"
 work_sign_key_dir: '../_sources/receptor'
 work_sign_private_keyfile: "{{ work_sign_key_dir }}/work_private_key.pem"
 work_sign_public_keyfile: "{{ work_sign_key_dir }}/work_public_key.pem"

tools/docker-compose/ansible/roles/sources/tasks/main.yml

@@ -86,11 +86,13 @@
   command: openssl genrsa -out {{ work_sign_private_keyfile }} {{ receptor_rsa_bits }}
   args:
     creates: "{{ work_sign_private_keyfile }}"
+  when: sign_work | bool
 
 - name: Generate public RSA key for signing work
   command: openssl rsa -in {{ work_sign_private_keyfile }} -out {{ work_sign_public_keyfile }} -outform PEM -pubout
   args:
     creates: "{{ work_sign_public_keyfile }}"
+  when: sign_work | bool
 
 - name: Include LDAP tasks if enabled
   include_tasks: ldap.yml
@@ -128,6 +130,8 @@
     src: "receptor-hop.conf.j2"
     dest: "{{ sources_dest }}/receptor/receptor-hop.conf"
     mode: '0600'
+  when:
+    - execution_node_count | int > 0
 
 - name: Render Receptor Worker Config(s)
   template:

tools/docker-compose/ansible/roles/sources/templates/docker-compose.yml.j2

@@ -43,8 +43,10 @@ services:
       - "../../docker-compose/_sources/SECRET_KEY:/etc/tower/SECRET_KEY"
       - "../../docker-compose/_sources/receptor/receptor-awx-{{ loop.index }}.conf:/etc/receptor/receptor.conf"
       - "../../docker-compose/_sources/receptor/receptor-awx-{{ loop.index }}.conf.lock:/etc/receptor/receptor.conf.lock"
+{% if sign_work|bool %}
       - "../../docker-compose/_sources/receptor/work_public_key.pem:/etc/receptor/work_public_key.pem"
       - "../../docker-compose/_sources/receptor/work_private_key.pem:/etc/receptor/work_private_key.pem"
+{% endif %}
       # - "../../docker-compose/_sources/certs:/etc/receptor/certs"  # TODO: optionally generate certs
       - "/sys/fs/cgroup:/sys/fs/cgroup"
       - "~/.kube/config:/var/lib/awx/.kube/config"

tools/docker-compose/ansible/roles/sources/templates/receptor-awx.conf.j2

@@ -11,12 +11,16 @@
 - tcp-listener:
     port: 2222
 
+{% if sign_work|bool %}
 - work-signing:
     privatekey: /etc/receptor/work_private_key.pem
     tokenexpiration: 1m
+{% endif %}
 
+{% if sign_work|bool %}
 - work-verification:
     publickey: /etc/receptor/work_public_key.pem
+{% endif %}
 
 {% for i in range(item | int + 1, control_plane_node_count | int + 1) %}
 - tcp-peer:
@@ -40,7 +44,7 @@
     command: ansible-runner
     params: worker
     allowruntimeparams: true
-    verifysignature: true
+    verifysignature: {{ sign_work }}
 
 - work-kubernetes:
     worktype: kubernetes-runtime-auth
@@ -48,7 +52,7 @@
     allowruntimeauth: true
     allowruntimepod: true
     allowruntimeparams: true
-    verifysignature: true
+    verifysignature: {{ sign_work }}
 
 - work-kubernetes:
     worktype: kubernetes-incluster-auth
@@ -56,4 +60,4 @@
     allowruntimeauth: true
     allowruntimepod: true
     allowruntimeparams: true
-    verifysignature: true
+    verifysignature: {{ sign_work }}

tools/docker-compose/ansible/roles/sources/templates/receptor-worker.conf.j2

@@ -8,15 +8,17 @@
     address: tools_receptor_hop:5555
     redial: true
 
+{% if sign_work|bool %}
 - work-verification:
     publickey: /etc/receptor/work_public_key.pem
+{% endif %}
 
 - work-command:
     worktype: ansible-runner
     command: ansible-runner
     params: worker
     allowruntimeparams: true
-    verifysignature: true
+    verifysignature: {{ sign_work }}
 
 - control-service:
     service: control

tools/elastic/README.md

@@ -3,7 +3,7 @@
 These are tools to run a containerized version of ELK stack, comprising
 of Logstash, Elastic Search, and Kibana.
 
-A copy of the license is in `docs/licenses/docker-elk.txt`
+A copy of the license is in `licenses/docker-elk.txt`
 
 ## Instructions
 

tools/elastic/docker-compose.elastic-override.yml

@@ -2,7 +2,7 @@
 # Structure for the Elastic Stack docker configuration came from docker-elk:
 # https://github.com/deviantony/docker-elk
 # docker-elk is under the MIT License,
-# a copy of its license is provided in docs/licenses/docker-elk.txt
+# a copy of its license is provided in licenses/docker-elk.txt
 # contents modified
 
 version: '2'

tools/sosreport/controller.py

@@ -70,6 +70,7 @@ class Controller(Plugin, RedHatPlugin):
         for path in SOSREPORT_CONTROLLER_DIRS:
             self.add_copy_spec(path)
 
-        self.add_forbidden_path(SOSREPORT_FORBIDDEN_PATHS)
+        for path in SOSREPORT_FORBIDDEN_PATHS:
+            self.add_forbidden_path(path)
 
         self.add_cmd_output(SOSREPORT_CONTROLLER_COMMANDS)