From f6d1182193e030a695b074dd041d6bf4dd0f19e5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D0=A1=D0=B5=D1=80=D0=B3=D0=B5=D0=B9=20=D0=90=D0=BD=D1=82?= =?UTF-8?q?=D1=80=D0=BE=D0=BF=D0=BE=D0=B2?= Date: Tue, 28 Oct 2025 19:19:49 +0300 Subject: [PATCH] =?UTF-8?q?=D0=9E=D0=B1=D0=BD=D0=BE=D0=B2=D0=BB=D0=B5?= =?UTF-8?q?=D0=BD=D0=B8=D0=B5=20=D0=BF=D1=80=D0=BE=D0=B5=D0=BA=D1=82=D0=B0?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
--- Makefile | 12 +++++++ molecule/default/converge.yml | 60 ++++++++++++++++++++++++++++++-- molecule/default/molecule.yml | 1 + molecule/default/site.yml | 8 +++++ molecule/presets/minimal.yml | 7 ++-- roles/deploy.yml | 30 +++++++++++++--- roles/devops/tasks/main.yml | 12 +++++++ roles/docker/tasks/main.yml | 6 ++++ roles/python/tasks/main.yml | 64 ++++++++++++++++++++++++++++++----- roles/python/vars/main.yml | 26 ++++++++++++++ vault/secrets.yml | 62 +++++++++++++++++++++++++++------ 11 files changed, 257 insertions(+), 31 deletions(-)
diff --git a/Makefile b/Makefile
index c3fc2e5..2d18ad8 100644
--- a/Makefile
+++ b/Makefile
@@ -419,6 +419,18 @@ git:
 @case "$(word 2, $(MAKECMDGOALS))" in \
 push) \
 echo "📤 Отправка изменений в репозиторий..."; \
+ if [ -d "vault" ]; then \
+ VAULT_FILES=$$(find vault -maxdepth 1 -type f -name "*.yml" 2>/dev/null); \
+ if [ -n "$$VAULT_FILES" ]; then \
+ echo "🔐 Шифрование vault/*.yml..."; \
+ for f in $$VAULT_FILES; do \
+ if ! grep -q "ANSIBLE_VAULT" "$$f" 2>/dev/null; then \
+ docker run --rm -v "$(PWD):/workspace" -w /workspace $(DOCKER_IMAGE) \
+ ansible-vault encrypt --encrypt-vault-id default --vault-password-file vault/.vault "$$f" || true; \
+ fi; \
+ done; \
+ fi; \
+ fi; \
 git add .; \
 git commit -m "Обновление проекта"; \
 git push origin main;; \
diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml
index d1c39c6..22694bb 100644
--- a/molecule/default/converge.yml
+++ b/molecule/default/converge.yml
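Review bot: The `|| true` after `ansible-vault encrypt` lets the push continue when encryption fails (no `vault/.vault`, Docker unavailable, wrong password file), so the `git add .` on the next context line then commits the plaintext secrets file; abort instead: `ansible-vault encrypt --encrypt-vault-id default --vault-password-file vault/.vault "$$f" || { echo "vault encryption failed: $$f"; exit 1; }; \`. The plaintext test `grep -q "ANSIBLE_VAULT" "$$f"` also accepts any file that merely mentions the string in a comment; checking the header is stricter: `if ! head -n1 "$$f" | grep -q '^\$$ANSIBLE_VAULT'; then \`. .gitignore is not part of this patch, so confirm that `vault/.vault` — the password file this recipe reads — is excluded before the blanket `git add .`. The `git` recipe's case statement continues outside the hunk.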
@@ -52,6 +52,20 @@ Files: {{ vault_targets | length }} targets ================================================================================ + - name: Check if vault file is encrypted + community.docker.docker_container_exec: + container: ansible-controller + command: "bash -c 'if [ -f \"/workspace/vault/secrets.yml\" ]; then grep -q \"ANSIBLE_VAULT\" /workspace/vault/secrets.yml && echo \"ENCRYPTED\" || echo \"PLAINTEXT\"; else echo \"NOT_FOUND\"; fi'" + register: vault_status + ignore_errors: true + + - name: Encrypt vault file if plaintext + community.docker.docker_container_exec: + container: ansible-controller + command: "bash -c 'VAULT_PASSWORD_FILE=\"/workspace/vault/.vault\"; if [ -f \"$VAULT_PASSWORD_FILE\" ] && [ -f \"/workspace/vault/secrets.yml\" ] && [ \"{{ vault_status.stdout }}\" = \"PLAINTEXT\" ]; then ansible-vault encrypt --encrypt-vault-id default --vault-password-file \"$VAULT_PASSWORD_FILE\" /workspace/vault/secrets.yml; fi'" + when: vault_status.stdout == "PLAINTEXT" + ignore_errors: true + - name: Preflight vault — normalize state (encrypt if plaintext, then decrypt) community.docker.docker_container_exec: container: ansible-controller 
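Review bot: Both new tasks run `ansible-vault encrypt` in place on /workspace/vault/secrets.yml, but molecule.yml mounts `../vault:/workspace/vault:ro` into this same ansible-controller container (context line in the molecule.yml hunk further down), so the in-place write is expected to fail on the read-only bind mount and `ignore_errors: true` on both tasks hides that. The following context task 'Preflight vault — normalize state (encrypt if plaintext, then decrypt)' already claims to cover the plaintext case, so the two added tasks look redundant and can be dropped, or at least should lose `ignore_errors` so a failure is visible. The `vault_status` result is used twice — in the `when` and again by splicing `{{ vault_status.stdout }}` into the bash string; the `when` alone suffices and avoids interpolating task output into a shell command line. If the probe task is kept, it should also carry `changed_when: false` since it only reads.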
@@ -70,10 +84,52 @@ File: /workspace/molecule/default/site.yml ================================================================================ - - name: Run lab playbook + - name: Debug - Check files in container community.docker.docker_container_exec: container: ansible-controller - command: "bash -c 'ANSIBLE_ROLES_PATH=/workspace/roles; VAULT_PASSWORD_FILE=\"/workspace/vault/.vault\"; VAULT_SECRETS_FILE=\"/workspace/vault/secrets.yml\"; INVENTORY_FILE=\"/tmp/molecule_workspace/inventory/hosts.ini\"; if [ -f \"$VAULT_PASSWORD_FILE\" ] && [ -f \"$VAULT_SECRETS_FILE\" ]; then ansible-playbook -i \"$INVENTORY_FILE\" /workspace/molecule/default/site.yml --vault-password-file \"$VAULT_PASSWORD_FILE\" -e \"vault_file_path=$VAULT_SECRETS_FILE\"; else ansible-playbook -i \"$INVENTORY_FILE\" /workspace/molecule/default/site.yml; fi'" + command: | + bash -c ' + echo "=== DEBUG INFO ===" + echo "Current directory: $(pwd)" + echo "ANSIBLE_ROLES_PATH: $ANSIBLE_ROLES_PATH" + echo "VAULT_PASSWORD_FILE: $VAULT_PASSWORD_FILE" + echo "VAULT_SECRETS_FILE: $VAULT_SECRETS_FILE" + echo "INVENTORY_FILE: $INVENTORY_FILE" + echo "" + echo "=== FILE CHECKS ===" + echo "Inventory exists: $([ -f "/tmp/molecule_workspace/inventory/hosts.ini" ] && echo "YES" || echo "NO")" + echo "Vault password exists: $([ -f "/workspace/vault/.vault" ] && echo "YES" || echo "NO")" + echo "Vault secrets exists: $([ -f "/workspace/vault/secrets.yml" ] && echo "YES" || echo "NO")" + echo "Site.yml exists: $([ -f "/workspace/molecule/default/site.yml" ] && echo "YES" || echo "NO")" + echo "" + echo "=== DIRECTORY LISTING ===" + ls -la /tmp/molecule_workspace/ || echo "No molecule_workspace dir" + ls -la /workspace/vault/ || echo "No vault dir" + echo "" + echo "=== INVENTORY CONTENT ===" + cat /tmp/molecule_workspace/inventory/hosts.ini || echo "Cannot read inventory" + ' + +# - name: Run lab playbook +# community.docker.docker_container_exec: +# container: ansible-controller +# command: | +# bash -c ' +# set 
-e +# export ANSIBLE_ROLES_PATH=/workspace/roles +# export VAULT_PASSWORD_FILE="/workspace/vault/.vault" +# export VAULT_SECRETS_FILE="/workspace/vault/secrets.yml" +# export INVENTORY_FILE="/tmp/molecule_workspace/inventory/hosts.ini" +# echo "Starting playbook execution..." +# if [ -f "$VAULT_PASSWORD_FILE" ] && [ -f "$VAULT_SECRETS_FILE" ]; then +# echo "Running with vault..." +# ansible-playbook -i "$INVENTORY_FILE" /workspace/molecule/default/site.yml --vault-password-file "$VAULT_PASSWORD_FILE" -e "vault_file_path=$VAULT_SECRETS_FILE" -v +# else +# echo "Running without vault..." +# ansible-playbook -i "$INVENTORY_FILE" /workspace/molecule/default/site.yml -v +# fi +# echo "Playbook completed successfully" +# ' # ============================================================================= # CLEANUP - Перешифровка файлов после выполнения diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml index 8f6a3a8..600f9a9 100644 --- a/molecule/default/molecule.yml +++ b/molecule/default/molecule.yml @@ -17,6 +17,7 @@ platforms: image: inecs/ansible-lab:ansible-controller-latest pre_build_image: true volumes: + - "${MOLECULE_EPHEMERAL_DIRECTORY}:/tmp/molecule_workspace:ro" - "../vault:/workspace/vault:ro" # ALT Linux - name: alt9 diff --git a/molecule/default/site.yml b/molecule/default/site.yml index 1335787..78d51fd 100644 --- a/molecule/default/site.yml +++ b/molecule/default/site.yml @@ -16,6 +16,14 @@ hosts: all become: true tasks: + # Сброс цветовых кодов ANSI для корректного отображения + - name: Reset ANSI color codes + debug: + msg: "\033[0m" + changed_when: false + tags: + - setup + - color-reset # Создание tmp директории для Ansible - name: Create Ansible tmp directory file: diff --git a/molecule/presets/minimal.yml b/molecule/presets/minimal.yml index a712eab..7078e15 100644 --- a/molecule/presets/minimal.yml +++ b/molecule/presets/minimal.yml 
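Review bot: The converge step no longer runs the playbook: 'Run lab playbook' is commented out and replaced by 'Debug - Check files in container', so the scenario now only prints diagnostics and the roles under test are never executed by molecule. Restore the playbook task (the commented `set -e` variant is the better of the two) and either remove the debug task before merging or keep it behind a tag. Four of its echo lines print `$ANSIBLE_ROLES_PATH`, `$VAULT_PASSWORD_FILE`, `$VAULT_SECRETS_FILE` and `$INVENTORY_FILE`, which nothing in the new script sets, so unless the image exports them they always show empty values. `cat /tmp/molecule_workspace/inventory/hosts.ini` copies the inventory into the test log; if it ever carries connection variables such as `ansible_password`, they end up in CI output, so `no_log: true` or listing host names only is safer. The enclosing `tasks:` list starts before this hunk.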
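Review bot: `msg: "\033[0m"` in 'Reset ANSI color codes' does not produce an ANSI reset: YAML double-quoted scalars have no octal escape, so `\0` is parsed as U+0000 and the value becomes a NUL byte followed by the literal text `33[0m`. Use the YAML escape for ESC instead, `msg: "\e[0m"` (or `"\u001b[0m"`). The same literal is added in roles/deploy.yml, roles/devops/tasks/main.yml, roles/docker/tasks/main.yml and roles/python/tasks/main.yml and needs the same fix there. The `tasks:` list this task opens continues outside the hunk.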
@@ -35,11 +35,8 @@ systemd_defaults: capabilities: ["SYS_ADMIN"] hosts: - # Минимальный набор - один хост + # Минимальный набор - один хост Astra Linux для arm64 - name: u1 family: astra groups: [test] - supported_platforms: ["linux/amd64"] # Только amd64 - - name: u2 - family: alt - groups: [test] \ No newline at end of file + supported_platforms: ["linux/arm64", "linux/amd64"] \ No newline at end of file diff --git a/roles/deploy.yml b/roles/deploy.yml index 433b386..073af4a 100644 --- a/roles/deploy.yml +++ b/roles/deploy.yml @@ -6,8 +6,30 @@ - name: Развертывание всех ролей hosts: all become: true - roles: - - devops - - python - - docker + tasks: + # Сброс цветовых кодов ANSI для корректного отображения + - name: Reset ANSI color codes + debug: + msg: "\033[0m" + changed_when: false + tags: + - color-reset + +#- name: Установка роли devops +# hosts: all +# become: true +# roles: +# - devops + +- name: Установка роли python + hosts: all + become: true + roles: + - python + +#- name: Установка роли docker +# hosts: all +# become: true +# roles: +# - docker diff --git a/roles/devops/tasks/main.yml b/roles/devops/tasks/main.yml index 21f9b14..d366f88 100644 --- a/roles/devops/tasks/main.yml +++ b/roles/devops/tasks/main.yml 
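Review bot: The first play 'Развертывание всех ролей' keeps `become: true` but after this change contains only the color-reset debug task, so it requests privilege escalation on every host for a task that needs none; either drop `become: true` there or fold the task into the python play below. The devops and docker plays are left as commented-out blocks rather than removed or gated — if the intent is to run a subset, `tags:` on the three plays (`ansible-playbook --tags python`) keeps all of them runnable without editing the file. Dropping the devops play also means the play that consumes the vault credentials no longer runs at all; confirm that is intended.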
@@ -3,9 +3,21 @@ # Автор: Сергей Антропов # Сайт: https://devops.org.ru +- name: "Reset ANSI color codes" + debug: + msg: "\033[0m" + changed_when: false + tags: [devops, color-reset] + - name: "🔍 Проверка входных параметров" tags: [devops, validation] block: + - name: "Установка значений по умолчанию для тестирования" + set_fact: + devops_password: "{{ vault_devops_password | default('123123') }}" + devops_ssh_public_key: "{{ vault_devops_ssh_public_key | default('ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC7vbqajDhA... devops@devops.org.ru') }}" + when: devops_password == "" or devops_ssh_public_key == "" + - name: "Проверка наличия пароля пользователя devops" fail: msg: "Пароль пользователя devops не найден в vault/secrets.yml. Установите переменную vault_devops_password." diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml index cd657b7..85c391d 100644 --- a/roles/docker/tasks/main.yml +++ b/roles/docker/tasks/main.yml @@ -3,6 +3,12 @@ # Автор: Сергей Антропов # Сайт: https://devops.org.ru +- name: "Reset ANSI color codes" + debug: + msg: "\033[0m" + changed_when: false + tags: [docker, color-reset] + # Определяем семейство ОС для выбора правильного метода установки - name: Определение семейства ОС set_fact: diff --git a/roles/python/tasks/main.yml b/roles/python/tasks/main.yml index b07cab7..184d337 100644 --- a/roles/python/tasks/main.yml +++ b/roles/python/tasks/main.yml @@ -3,6 +3,12 @@ # Автор: Сергей Антропов # Сайт: https://devops.org.ru +- name: "Reset ANSI color codes" + debug: + msg: "\033[0m" + changed_when: false + tags: [python, color-reset] + - name: "Отладочная информация о системе" debug: msg: 
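Review bot: 'Установка значений по умолчанию для тестирования' re-introduces the secret this commit encrypts away: `vault_devops_password | default('123123')` hard-codes the password that the vault/secrets.yml hunk at the end of the patch removes as plaintext, together with a fixed authorized SSH key, so any host where the vault variable is absent silently gets a known password and a pre-seeded key, and the following task 'Проверка наличия пароля пользователя devops' can no longer fail because set_fact has already filled the value. Remove the task, or keep the hard failure and let test fixtures supply their own vault: `devops_password: "{{ vault_devops_password | mandatory }}"`. Because the plaintext `123123` and the key were committed before this change they remain in git history; rotate both rather than rely on the encryption alone. The `when: devops_password == "" or devops_ssh_public_key == ""` presumes both variables are defined elsewhere (defaults/main.yml is not in the patch) — otherwise this errors on undefined. The block continues outside the hunk.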
@@ -85,6 +91,14 @@ - python_current_package_manager in ['apt', 'dnf', 'zypper'] - python_current_package_manager != 'unknown' +- name: "Обновление списка пакетов (ClearLinux)" + command: "swupd update" + changed_when: false + when: + - python_current_package_manager == 'swupd' + - python_current_package_manager != 'unknown' + ignore_errors: true + - name: "Обновление списка пакетов после добавления репозиториев" package: name: "*" @@ -104,6 +118,14 @@ when: - python_current_build_deps | length > 0 - python_current_package_manager != 'unknown' + - python_current_package_manager != 'swupd' + ignore_errors: true + +- name: "Установка системных зависимостей для компиляции (ClearLinux)" + command: "swupd bundle-add {{ python_current_build_deps | join(' ') }}" + when: + - python_current_build_deps | length > 0 + - python_current_package_manager == 'swupd' ignore_errors: true # ============================================================================= @@ -124,6 +146,16 @@ when: - python_current_packages | length > 0 - python_current_package_manager != 'unknown' + - python_current_package_manager != 'swupd' + - python_version_check.rc != 0 + register: python_package_install + ignore_errors: true + +- name: "Установка Python из пакетов (ClearLinux)" + command: "swupd bundle-add {{ python_current_packages | join(' ') }}" + when: + - python_current_packages | length > 0 + - python_current_package_manager == 'swupd' - python_version_check.rc != 0 register: python_package_install ignore_errors: true @@ -187,7 +219,7 @@ - python_current_packages | length == 0 - python_version_check.rc != 0 - download_result is defined - - download_result.status_code == 200 + - download_result.rc is defined and download_result.rc == 0 - name: "Конфигурация Python для компиляции" command: 
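Review bot: The three new ClearLinux tasks ('Обновление списка пакетов (ClearLinux)', 'Установка системных зависимостей для компиляции (ClearLinux)', 'Установка Python из пакетов (ClearLinux)') all carry `ignore_errors: true`, so a failed `swupd bundle-add` leaves the build dependencies or interpreter missing and the error only surfaces later in the compile steps of this same file; let these tasks fail, or register the result and gate the compile tasks on it. `swupd update` is declared `changed_when: false` although it modifies the system, so the play under-reports changes — derive `changed_when` from the output or drop it. The condition `python_current_package_manager != 'unknown'` in the first task is redundant next to `== 'swupd'`. Style: the `command:` strings assemble a shell line from `python_current_build_deps | join(' ')`; the values come from the role's own vars file so this is safe here, but `argv:` with the list avoids the join entirely.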
> @@ -207,7 +239,7 @@ - python_current_packages | length == 0 - python_version_check.rc != 0 - download_result is defined - - download_result.status_code == 200 + - download_result.rc is defined and download_result.rc == 0 - name: "Компиляция Python" make: @@ -217,7 +249,7 @@ - python_current_packages | length == 0 - python_version_check.rc != 0 - download_result is defined - - download_result.status_code == 200 + - download_result.rc is defined and download_result.rc == 0 - name: "Установка скомпилированного Python" make: @@ -228,7 +260,7 @@ - python_current_packages | length == 0 - python_version_check.rc != 0 - download_result is defined - - download_result.status_code == 200 + - download_result.rc is defined and download_result.rc == 0 - name: "Обновление библиотек для скомпилированного Python" command: "ldconfig" @@ -238,7 +270,7 @@ - python_current_packages | length == 0 - python_version_check.rc != 0 - download_result is defined - - download_result.status_code == 200 + - download_result.rc is defined and download_result.rc == 0 # ============================================================================= # ЭТАП 7: СОЗДАНИЕ СИМВОЛИЧЕСКИХ ССЫЛОК @@ -407,6 +439,19 @@ - pip_latest_version is defined - pip_current_version.stdout is defined - pip_latest_version not in pip_current_version.stdout + - python_current_package_manager != 'swupd' + ignore_errors: true + +- name: "Обновление pip до последней версии (ClearLinux)" + command: "{{ python_current_pip }} install --upgrade pip --break-system-packages" + changed_when: false + when: + - python_version_check.rc == 0 + - pip_current_version.rc == 0 + - pip_latest_version is defined + - pip_current_version.stdout is defined + - pip_latest_version not in pip_current_version.stdout + - python_current_package_manager == 'swupd' ignore_errors: true # ============================================================================= 
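Review bot: 'Обновление pip до последней версии (ClearLinux)' runs `pip install --upgrade pip --break-system-packages`, deliberately overriding the PEP 668 externally-managed marker to replace the distro-managed pip; on a swupd-managed system the bundle still owns those files, so the upgrade is likely to be reverted by the `swupd update` task added earlier in this file and can leave pip inconsistent with the bundle. Prefer leaving the distro pip alone, or upgrading inside a venv. The task is also `changed_when: false` although it changes the system, and `ignore_errors: true` hides a failure. Style: the five hunks from `-187` to `-238` repeat `download_result.rc is defined and download_result.rc == 0`; one `set_fact` after the download, e.g. `python_source_ready: "{{ download_result.rc | default(1) == 0 }}"`, would keep that condition in a single place. Several of these hunks cut through task definitions that start or end outside them.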
@@ -473,6 +518,7 @@ package_facts: manager: "{{ python_current_package_manager }}" when: python_current_package_manager != 'unknown' + ignore_errors: true - name: "Финальный отчет об установке" debug: @@ -483,10 +529,10 @@ ================================================================================ 📊 ИНФОРМАЦИЯ О СИСТЕМЕ: - • Дистрибутив: {{ system_facts.ansible_facts.distribution }} {{ system_facts.ansible_facts.distribution_version }} - • Семейство ОС: {{ system_facts.ansible_facts.os_family }} - • Архитектура: {{ system_facts.ansible_facts.architecture }} - • Ядро: {{ system_facts.ansible_facts.kernel }} + • Дистрибутив: {{ ansible_distribution }} {{ ansible_distribution_version }} + • Семейство ОС: {{ ansible_os_family }} + • Архитектура: {{ ansible_architecture }} + • Ядро: {{ ansible_kernel }} 🐍 PYTHON: • Версия: {{ final_python_version.stdout | default('НЕ УСТАНОВЛЕН') }} diff --git a/roles/python/vars/main.yml b/roles/python/vars/main.yml index 79841b6..07773b5 100644 --- a/roles/python/vars/main.yml +++ b/roles/python/vars/main.yml @@ -24,6 +24,7 @@ python_package_managers: "alt linux": "apt-rpm" astra: "apt" "astra linux": "apt" + clearlinux: "swupd" # Пакеты для установки Python 3.12 в разных дистрибутивах python_packages_by_os: @@ -120,6 +121,13 @@ python_packages_by_os: - python3.12-lib2to3 - python3.12-gdbm - python3.12-tk + clearlinux: + - python3 + - python3-dev + - python3-pip + - python3-setuptools + - python3-wheel + - python3-venv "alt linux": - python3.12 - python3.12-devel @@ -196,6 +204,7 @@ python_update_commands: "alt linux": "apt-get update" astra: "apt update" "astra linux": "apt update" + clearlinux: "swupd update" # Команды для установки пакетов python_install_commands: @@ -213,6 +222,7 @@ python_install_commands: "alt linux": "apt-get install -y" astra: "apt install -y" "astra linux": "apt install -y" + clearlinux: "swupd bundle-add" # Пути к исполняемым файлам Python python_executable_paths: 
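Review bot: `ignore_errors: true` on the `package_facts` task masks an incompatibility rather than fixing it: `manager` is fed `python_current_package_manager`, which the vars hunk in this same patch now maps to `swupd` for ClearLinux (and already to `apt-rpm` for ALT Linux), while the builtin package_facts module, as far as I know, has no managers by those names, so on such hosts the task errors and is now silently skipped. Narrow the condition instead: `when: python_current_package_manager not in ['unknown', 'swupd', 'apt-rpm']`, or use `manager: auto`. The switch in the final report from `system_facts.ansible_facts.*` to the `ansible_*` facts relies on fact gathering being enabled for the play, which is not visible in this patch — confirm, otherwise these render as undefined. The report task continues outside the hunk.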
@@ -230,6 +240,7 @@ python_executable_paths: "alt linux": "/usr/bin/python3.12" astra: "/usr/bin/python3.12" "astra linux": "/usr/bin/python3.12" + clearlinux: "/usr/bin/python3" # Пути к pip python_pip_paths: @@ -247,6 +258,7 @@ python_pip_paths: "alt linux": "/usr/bin/pip3.12" astra: "/usr/bin/pip3.12" "astra linux": "/usr/bin/pip3.12" + clearlinux: "/usr/bin/pip3" # Системные зависимости для компиляции python_build_deps_by_os: @@ -441,6 +453,20 @@ python_build_deps_by_os: - libdb-dev - libpcap-dev - liblzma-dev + clearlinux: + - os-core-devel + - python3-dev + - zlib-devel + - openssl-devel + - libffi-devel + - sqlite-devel + - readline-devel + - bzip2-devel + - ncurses-devel + - xz-devel + - tk-devel + - gdbm-devel + - expat-devel "alt linux": - gcc - gcc-c++ diff --git a/vault/secrets.yml b/vault/secrets.yml index 74329e8..6a52805 100644 --- a/vault/secrets.yml +++ b/vault/secrets.yml @@ -1,11 +1,51 @@ ---- -# Vault файл с секретными переменными для роли devops -# Автор: Сергей Антропов -# Сайт: https://devops.org.ru - -# Пароль для пользователя devops -vault_devops_password: "123123" - -# SSH публичный ключ для пользователя devops -vault_devops_ssh_public_key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC7vbqajDhA... devops@devops.org.ru" - +$ANSIBLE_VAULT;1.1;AES256 +34663739653463366234613631353064393733363234323430333465393362666165373562303565 +3037663539383033313563623635393536366438316433320a623361306663373332326165326633 +37336136343965616234663462333165363965323362326266373566303238303033663336333331 +3435343232613563630a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