From 2803046ac3a0246084071e2b5f54a84b4e5accd2 Mon Sep 17 00:00:00 2001
From: Muayyad alsadi
Date: Tue, 21 Dec 2021 22:54:27 +0200
Subject: [PATCH] add awx 17 example
---
 examples/awx17/README.md | 37 ++++
 .../roles/local_docker/defaults/main.yml | 11 +
 .../roles/local_docker/tasks/compose.yml | 74 +++++++
 .../awx17/roles/local_docker/tasks/main.yml | 15 ++
 .../roles/local_docker/tasks/set_image.yml | 46 ++++
 .../local_docker/tasks/upgrade_postgres.yml | 64 ++++++
 .../local_docker/templates/credentials.py.j2 | 13 ++
 .../templates/docker-compose.yml.j2 | 208 ++++++++++++++++++
 .../local_docker/templates/environment.sh.j2 | 10 +
 .../local_docker/templates/nginx.conf.j2 | 122 ++++++++++
 .../local_docker/templates/redis.conf.j2 | 4 +
 podman_compose.py | 5 +-
 12 files changed, 608 insertions(+), 1 deletion(-)
 create mode 100644 examples/awx17/README.md
 create mode 100644 examples/awx17/roles/local_docker/defaults/main.yml
 create mode 100644 examples/awx17/roles/local_docker/tasks/compose.yml
 create mode 100644 examples/awx17/roles/local_docker/tasks/main.yml
 create mode 100644 examples/awx17/roles/local_docker/tasks/set_image.yml
 create mode 100644 examples/awx17/roles/local_docker/tasks/upgrade_postgres.yml
 create mode 100644 examples/awx17/roles/local_docker/templates/credentials.py.j2
 create mode 100644 examples/awx17/roles/local_docker/templates/docker-compose.yml.j2
 create mode 100644 examples/awx17/roles/local_docker/templates/environment.sh.j2
 create mode 100644 examples/awx17/roles/local_docker/templates/nginx.conf.j2
 create mode 100644 examples/awx17/roles/local_docker/templates/redis.conf.j2
diff --git a/examples/awx17/README.md b/examples/awx17/README.md
new file mode 100644
index 0000000..be6802b
--- /dev/null
+++ b/examples/awx17/README.md
@@ -0,0 +1,37 @@ +# AWX Compose + +the directory roles is taken from [here](https://github.com/ansible/awx/tree/17.1.0/installer/roles/local_docker) + +also look at https://github.com/ansible/awx/tree/17.1.0/tools/docker-compose + +``` +mkdir deploy awx17 +ansible localhost \ + -e host_port=8080 \ + -e awx_secret_key='awx,secret.123' \ + -e secret_key='awx,secret.123' \ + -e admin_user='admin' \ + -e admin_password='admin' \ + -e pg_password='awx,123.' \ + -e pg_username='awx' \ + -e pg_database='awx' \ + -e pg_port='5432' \ + -e redis_image="docker.io/library/redis:6-alpine" \ + -e postgres_data_dir="./data/pg" \ + -e compose_start_containers=false \ + -e dockerhub_base='docker.io/ansible' \ + -e awx_image='docker.io/ansible/awx' \ + -e awx_version='17.1.0' \ + -e dockerhub_version='17.1.0' \ + -e docker_deploy_base_path=$PWD/deploy \ + -e docker_compose_dir=$PWD/awx17 \ + -e awx_task_hostname=awx \ + -e awx_web_hostname=awxweb \ + -m include_role -a name=local_docker +cp awx17/docker-compose.yml awx17/docker-compose.yml.orig +sed -i -re "s#- \"$PWD/awx17/(.*):/#- \"./\1:/#" awx17/docker-compose.yml +cd awx17 +podman-compose run --rm --service-ports task awx-manage migrate --no-input +podman-compose up -d +``` + diff --git a/examples/awx17/roles/local_docker/defaults/main.yml b/examples/awx17/roles/local_docker/defaults/main.yml new file mode 100644 index 0000000..4b97d47 --- /dev/null +++ b/examples/awx17/roles/local_docker/defaults/main.yml @@ -0,0 +1,11 @@ +--- +dockerhub_version: "{{ lookup('file', playbook_dir + '/../VERSION') }}" + +awx_image: "awx" +redis_image: "redis" + +postgresql_version: "12" +postgresql_image: "postgres:{{postgresql_version}}" + +compose_start_containers: true +upgrade_postgres: false diff --git a/examples/awx17/roles/local_docker/tasks/compose.yml b/examples/awx17/roles/local_docker/tasks/compose.yml new file mode 100644 index 0000000..59ba262 --- /dev/null +++ b/examples/awx17/roles/local_docker/tasks/compose.yml 
@@ -0,0 +1,74 @@ +--- +- name: Create {{ docker_compose_dir }} directory + file: + path: "{{ docker_compose_dir }}" + state: directory + +- name: Create Redis socket directory + file: + path: "{{ docker_compose_dir }}/redis_socket" + state: directory + mode: 0777 + +- name: Create Docker Compose Configuration + template: + src: "{{ item.file }}.j2" + dest: "{{ docker_compose_dir }}/{{ item.file }}" + mode: "{{ item.mode }}" + loop: + - file: environment.sh + mode: "0600" + - file: credentials.py + mode: "0600" + - file: docker-compose.yml + mode: "0600" + - file: nginx.conf + mode: "0600" + - file: redis.conf + mode: "0664" + register: awx_compose_config + +- name: Render SECRET_KEY file + copy: + content: "{{ secret_key }}" + dest: "{{ docker_compose_dir }}/SECRET_KEY" + mode: 0600 + register: awx_secret_key + +- block: + - name: Remove AWX containers before migrating postgres so that the old postgres container does not get used + docker_compose: + project_src: "{{ docker_compose_dir }}" + state: absent + ignore_errors: true + + - name: Run migrations in task container + shell: docker-compose run --rm --service-ports task awx-manage migrate --no-input + args: + chdir: "{{ docker_compose_dir }}" + + - name: Start the containers + docker_compose: + project_src: "{{ docker_compose_dir }}" + restarted: "{{ awx_compose_config is changed or awx_secret_key is changed }}" + register: awx_compose_start + + - name: Update CA trust in awx_web container + command: docker exec awx_web '/usr/bin/update-ca-trust' + when: awx_compose_config.changed or awx_compose_start.changed + + - name: Update CA trust in awx_task container + command: docker exec awx_task '/usr/bin/update-ca-trust' + when: awx_compose_config.changed or awx_compose_start.changed + + - name: Wait for launch script to create user + wait_for: + timeout: 10 + delegate_to: localhost + + - name: Create Preload data + command: docker exec awx_task bash -c "/usr/bin/awx-manage create_preload_data" + when: 
create_preload_data|bool + register: cdo + changed_when: "'added' in cdo.stdout" + when: compose_start_containers|bool diff --git a/examples/awx17/roles/local_docker/tasks/main.yml b/examples/awx17/roles/local_docker/tasks/main.yml new file mode 100644 index 0000000..e2b793e --- /dev/null +++ b/examples/awx17/roles/local_docker/tasks/main.yml @@ -0,0 +1,15 @@ +--- +- name: Generate broadcast websocket secret + set_fact: + broadcast_websocket_secret: "{{ lookup('password', '/dev/null length=128') }}" + run_once: true + no_log: true + when: broadcast_websocket_secret is not defined + +- import_tasks: upgrade_postgres.yml + when: + - postgres_data_dir is defined + - pg_hostname is not defined + +- import_tasks: set_image.yml +- import_tasks: compose.yml diff --git a/examples/awx17/roles/local_docker/tasks/set_image.yml b/examples/awx17/roles/local_docker/tasks/set_image.yml new file mode 100644 index 0000000..995214b --- /dev/null +++ b/examples/awx17/roles/local_docker/tasks/set_image.yml 
@@ -0,0 +1,46 @@ +--- +- name: Manage AWX Container Images + block: + - name: Export Docker awx image if it isnt local and there isnt a registry defined + docker_image: + name: "{{ awx_image }}" + tag: "{{ awx_version }}" + archive_path: "{{ awx_local_base_config_path|default('/tmp') }}/{{ awx_image }}_{{ awx_version }}.tar" + when: inventory_hostname != "localhost" and docker_registry is not defined + delegate_to: localhost + + - name: Set docker base path + set_fact: + docker_deploy_base_path: "{{ awx_base_path|default('/tmp') }}/docker_deploy" + when: ansible_connection != "local" and docker_registry is not defined + + - name: Ensure directory exists + file: + path: "{{ docker_deploy_base_path }}" + state: directory + when: ansible_connection != "local" and docker_registry is not defined + + - name: Copy awx image to docker execution + copy: + src: "{{ awx_local_base_config_path|default('/tmp') }}/{{ awx_image }}_{{ awx_version }}.tar" + dest: "{{ docker_deploy_base_path }}/{{ awx_image }}_{{ awx_version }}.tar" + when: ansible_connection != "local" and docker_registry is not defined + + - name: Load awx image + docker_image: + name: "{{ awx_image }}" + tag: "{{ awx_version }}" + load_path: "{{ docker_deploy_base_path }}/{{ awx_image }}_{{ awx_version }}.tar" + timeout: 300 + when: ansible_connection != "local" and docker_registry is not defined + + - name: Set full image path for local install + set_fact: + awx_docker_actual_image: "{{ awx_image }}:{{ awx_version }}" + when: docker_registry is not defined + when: dockerhub_base is not defined + +- name: Set DockerHub Image Paths + set_fact: + awx_docker_actual_image: "{{ dockerhub_base }}/awx:{{ dockerhub_version }}" + when: dockerhub_base is defined diff --git a/examples/awx17/roles/local_docker/tasks/upgrade_postgres.yml b/examples/awx17/roles/local_docker/tasks/upgrade_postgres.yml new file mode 100644 index 0000000..7887960 --- /dev/null +++ b/examples/awx17/roles/local_docker/tasks/upgrade_postgres.yml 
@@ -0,0 +1,64 @@ +--- + +- name: Create {{ postgres_data_dir }} directory + file: + path: "{{ postgres_data_dir }}" + state: directory + +- name: Get full path of postgres data dir + shell: "echo {{ postgres_data_dir }}" + register: fq_postgres_data_dir + +- name: Register temporary docker container + set_fact: + container_command: "docker run --rm -v '{{ fq_postgres_data_dir.stdout }}:/var/lib/postgresql' centos:8 bash -c " + +- name: Check for existing Postgres data (run from inside the container for access to file) + shell: + cmd: | + {{ container_command }} "[[ -f /var/lib/postgresql/10/data/PG_VERSION ]] && echo 'exists'" + register: pg_version_file + ignore_errors: true + +- name: Record Postgres version + shell: | + {{ container_command }} "cat /var/lib/postgresql/10/data/PG_VERSION" + register: old_pg_version + when: pg_version_file is defined and pg_version_file.stdout == 'exists' + +- name: Determine whether to upgrade postgres + set_fact: + upgrade_postgres: "{{ old_pg_version.stdout == '10' }}" + when: old_pg_version.changed + +- name: Set up new postgres paths pre-upgrade + shell: | + {{ container_command }} "mkdir -p /var/lib/postgresql/12/data/" + when: upgrade_postgres | bool + +- name: Stop AWX before upgrading postgres + docker_compose: + project_src: "{{ docker_compose_dir }}" + stopped: true + when: upgrade_postgres | bool + +- name: Upgrade Postgres + shell: | + docker run --rm \ + -v {{ postgres_data_dir }}/10/data:/var/lib/postgresql/10/data \ + -v {{ postgres_data_dir }}/12/data:/var/lib/postgresql/12/data \ + -e PGUSER={{ pg_username }} -e POSTGRES_INITDB_ARGS="-U {{ pg_username }}" \ + tianon/postgres-upgrade:10-to-12 --username={{ pg_username }} + when: upgrade_postgres | bool + +- name: Copy old pg_hba.conf + shell: | + {{ container_command }} "cp /var/lib/postgresql/10/data/pg_hba.conf /var/lib/postgresql/12/data/pg_hba.conf" + when: upgrade_postgres | bool + +- name: Remove old data directory + shell: | + {{ container_command }} "rm 
-rf /var/lib/postgresql/10/data" + when: + - upgrade_postgres | bool + - compose_start_containers|bool diff --git a/examples/awx17/roles/local_docker/templates/credentials.py.j2 b/examples/awx17/roles/local_docker/templates/credentials.py.j2 new file mode 100644 index 0000000..9ea7ac2 --- /dev/null +++ b/examples/awx17/roles/local_docker/templates/credentials.py.j2 @@ -0,0 +1,13 @@ +DATABASES = { + 'default': { + 'ATOMIC_REQUESTS': True, + 'ENGINE': 'django.db.backends.postgresql', + 'NAME': "{{ pg_database }}", + 'USER': "{{ pg_username }}", + 'PASSWORD': "{{ pg_password }}", + 'HOST': "{{ pg_hostname | default('postgres') }}", + 'PORT': "{{ pg_port }}", + } +} + +BROADCAST_WEBSOCKET_SECRET = "{{ broadcast_websocket_secret | b64encode }}" diff --git a/examples/awx17/roles/local_docker/templates/docker-compose.yml.j2 b/examples/awx17/roles/local_docker/templates/docker-compose.yml.j2 new file mode 100644 index 0000000..b18aa83 --- /dev/null +++ b/examples/awx17/roles/local_docker/templates/docker-compose.yml.j2 
@@ -0,0 +1,208 @@ +#jinja2: lstrip_blocks: True +version: '2' +services: + + web: + image: {{ awx_docker_actual_image }} + container_name: awx_web + depends_on: + - redis + {% if pg_hostname is not defined %} + - postgres + {% endif %} + {% if (host_port is defined) or (host_port_ssl is defined) %} + ports: + {% if (host_port_ssl is defined) and (ssl_certificate is defined) %} + - "{{ host_port_ssl }}:8053" + {% endif %} + {% if host_port is defined %} + - "{{ host_port }}:8052" + {% endif %} + {% endif %} + hostname: {{ awx_web_hostname }} + user: root + restart: unless-stopped + {% if (awx_web_container_labels is defined) and (',' in awx_web_container_labels) %} + {% set awx_web_container_labels_list = awx_web_container_labels.split(',') %} + labels: + {% for awx_web_container_label in awx_web_container_labels_list %} + - {{ awx_web_container_label }} + {% endfor %} + {% elif awx_web_container_labels is defined %} + labels: + - {{ awx_web_container_labels }} + {% endif %} + volumes: + - supervisor-socket:/var/run/supervisor + - rsyslog-socket:/var/run/awx-rsyslog/ + - rsyslog-config:/var/lib/awx/rsyslog/ + - "{{ docker_compose_dir }}/SECRET_KEY:/etc/tower/SECRET_KEY" + - "{{ docker_compose_dir }}/environment.sh:/etc/tower/conf.d/environment.sh" + - "{{ docker_compose_dir }}/credentials.py:/etc/tower/conf.d/credentials.py" + - "{{ docker_compose_dir }}/nginx.conf:/etc/nginx/nginx.conf:ro" + - "{{ docker_compose_dir }}/redis_socket:/var/run/redis/:rw" + {% if project_data_dir is defined %} + - "{{ project_data_dir +':/var/lib/awx/projects:rw' }}" + {% endif %} + {% if custom_venv_dir is defined %} + - "{{ custom_venv_dir +':'+ custom_venv_dir +':rw' }}" + {% endif %} + {% if ca_trust_dir is defined %} + - "{{ ca_trust_dir +':/etc/pki/ca-trust/source/anchors:ro' }}" + {% endif %} + {% if (ssl_certificate is defined) and (ssl_certificate_key is defined) %} + - "{{ ssl_certificate +':/etc/nginx/awxweb.pem:ro' }}" + - "{{ ssl_certificate_key 
+':/etc/nginx/awxweb_key.pem:ro' }}" + {% elif (ssl_certificate is defined) and (ssl_certificate_key is not defined) %} + - "{{ ssl_certificate +':/etc/nginx/awxweb.pem:ro' }}" + {% endif %} + {% if (awx_container_search_domains is defined) and (',' in awx_container_search_domains) %} + {% set awx_container_search_domains_list = awx_container_search_domains.split(',') %} + dns_search: + {% for awx_container_search_domain in awx_container_search_domains_list %} + - {{ awx_container_search_domain }} + {% endfor %} + {% elif awx_container_search_domains is defined %} + dns_search: "{{ awx_container_search_domains }}" + {% endif %} + {% if (awx_alternate_dns_servers is defined) and (',' in awx_alternate_dns_servers) %} + {% set awx_alternate_dns_servers_list = awx_alternate_dns_servers.split(',') %} + dns: + {% for awx_alternate_dns_server in awx_alternate_dns_servers_list %} + - {{ awx_alternate_dns_server }} + {% endfor %} + {% elif awx_alternate_dns_servers is defined %} + dns: "{{ awx_alternate_dns_servers }}" + {% endif %} + {% if (docker_compose_extra_hosts is defined) and (':' in docker_compose_extra_hosts) %} + {% set docker_compose_extra_hosts_list = docker_compose_extra_hosts.split(',') %} + extra_hosts: + {% for docker_compose_extra_host in docker_compose_extra_hosts_list %} + - "{{ docker_compose_extra_host }}" + {% endfor %} + {% endif %} + environment: + http_proxy: {{ http_proxy | default('') }} + https_proxy: {{ https_proxy | default('') }} + no_proxy: {{ no_proxy | default('') }} + {% if docker_logger is defined %} + logging: + driver: {{ docker_logger }} + {% endif %} + + task: + image: {{ awx_docker_actual_image }} + container_name: awx_task + depends_on: + - redis + - web + {% if pg_hostname is not defined %} + - postgres + {% endif %} + command: /usr/bin/launch_awx_task.sh + hostname: {{ awx_task_hostname }} + user: root + restart: unless-stopped + volumes: + - supervisor-socket:/var/run/supervisor + - rsyslog-socket:/var/run/awx-rsyslog/ + - 
rsyslog-config:/var/lib/awx/rsyslog/ + - "{{ docker_compose_dir }}/SECRET_KEY:/etc/tower/SECRET_KEY" + - "{{ docker_compose_dir }}/environment.sh:/etc/tower/conf.d/environment.sh" + - "{{ docker_compose_dir }}/credentials.py:/etc/tower/conf.d/credentials.py" + - "{{ docker_compose_dir }}/redis_socket:/var/run/redis/:rw" + {% if project_data_dir is defined %} + - "{{ project_data_dir +':/var/lib/awx/projects:rw' }}" + {% endif %} + {% if custom_venv_dir is defined %} + - "{{ custom_venv_dir +':'+ custom_venv_dir +':rw' }}" + {% endif %} + {% if ca_trust_dir is defined %} + - "{{ ca_trust_dir +':/etc/pki/ca-trust/source/anchors:ro' }}" + {% endif %} + {% if ssl_certificate is defined %} + - "{{ ssl_certificate +':/etc/nginx/awxweb.pem:ro' }}" + {% endif %} + {% if (awx_container_search_domains is defined) and (',' in awx_container_search_domains) %} + {% set awx_container_search_domains_list = awx_container_search_domains.split(',') %} + dns_search: + {% for awx_container_search_domain in awx_container_search_domains_list %} + - {{ awx_container_search_domain }} + {% endfor %} + {% elif awx_container_search_domains is defined %} + dns_search: "{{ awx_container_search_domains }}" + {% endif %} + {% if (awx_alternate_dns_servers is defined) and (',' in awx_alternate_dns_servers) %} + {% set awx_alternate_dns_servers_list = awx_alternate_dns_servers.split(',') %} + dns: + {% for awx_alternate_dns_server in awx_alternate_dns_servers_list %} + - {{ awx_alternate_dns_server }} + {% endfor %} + {% elif awx_alternate_dns_servers is defined %} + dns: "{{ awx_alternate_dns_servers }}" + {% endif %} + {% if (docker_compose_extra_hosts is defined) and (':' in docker_compose_extra_hosts) %} + {% set docker_compose_extra_hosts_list = docker_compose_extra_hosts.split(',') %} + extra_hosts: + {% for docker_compose_extra_host in docker_compose_extra_hosts_list %} + - "{{ docker_compose_extra_host }}" + {% endfor %} + {% endif %} + environment: + AWX_SKIP_MIGRATIONS: "1" + http_proxy: 
{{ http_proxy | default('') }} + https_proxy: {{ https_proxy | default('') }} + no_proxy: {{ no_proxy | default('') }} + SUPERVISOR_WEB_CONFIG_PATH: '/etc/supervisord.conf' + + redis: + image: {{ redis_image }} + container_name: awx_redis + restart: unless-stopped + environment: + http_proxy: {{ http_proxy | default('') }} + https_proxy: {{ https_proxy | default('') }} + no_proxy: {{ no_proxy | default('') }} + command: ["/usr/local/etc/redis/redis.conf"] + volumes: + - "{{ docker_compose_dir }}/redis.conf:/usr/local/etc/redis/redis.conf:ro" + - "{{ docker_compose_dir }}/redis_socket:/var/run/redis/:rw" + {% if docker_logger is defined %} + logging: + driver: {{ docker_logger }} + {% endif %} + + {% if pg_hostname is not defined %} + postgres: + image: {{ postgresql_image }} + container_name: awx_postgres + restart: unless-stopped + volumes: + - "{{ postgres_data_dir }}/12/data/:/var/lib/postgresql/data:Z" + environment: + POSTGRES_USER: {{ pg_username }} + POSTGRES_PASSWORD: {{ pg_password }} + POSTGRES_DB: {{ pg_database }} + http_proxy: {{ http_proxy | default('') }} + https_proxy: {{ https_proxy | default('') }} + no_proxy: {{ no_proxy | default('') }} + {% if docker_logger is defined %} + logging: + driver: {{ docker_logger }} + {% endif %} + {% endif %} + +{% if docker_compose_subnet is defined %} +networks: + default: + driver: bridge + ipam: + driver: default + config: + - subnet: {{ docker_compose_subnet }} +{% endif %} + +volumes: + supervisor-socket: + rsyslog-socket: + rsyslog-config: diff --git a/examples/awx17/roles/local_docker/templates/environment.sh.j2 b/examples/awx17/roles/local_docker/templates/environment.sh.j2 new file mode 100644 index 0000000..fc07631 --- /dev/null +++ b/examples/awx17/roles/local_docker/templates/environment.sh.j2 
@@ -0,0 +1,10 @@ +DATABASE_USER={{ pg_username|quote }} +DATABASE_NAME={{ pg_database|quote }} +DATABASE_HOST={{ pg_hostname|default('postgres')|quote }} +DATABASE_PORT={{ pg_port|default('5432')|quote }} +DATABASE_PASSWORD={{ pg_password|default('awxpass')|quote }} +{% if pg_admin_password is defined %} +DATABASE_ADMIN_PASSWORD={{ pg_admin_password|quote }} +{% endif %} +AWX_ADMIN_USER={{ admin_user|quote }} +AWX_ADMIN_PASSWORD={{ admin_password|quote }} diff --git a/examples/awx17/roles/local_docker/templates/nginx.conf.j2 b/examples/awx17/roles/local_docker/templates/nginx.conf.j2 new file mode 100644 index 0000000..327b59a --- /dev/null +++ b/examples/awx17/roles/local_docker/templates/nginx.conf.j2 
@@ -0,0 +1,122 @@ +#user awx; + +worker_processes 1; + +pid /tmp/nginx.pid; + +events { + worker_connections 1024; +} + +http { + include /etc/nginx/mime.types; + default_type application/octet-stream; + server_tokens off; + + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + access_log /dev/stdout main; + + map $http_upgrade $connection_upgrade { + default upgrade; + '' close; + } + + sendfile on; + #tcp_nopush on; + #gzip on; + + upstream uwsgi { + server 127.0.0.1:8050; + } + + upstream daphne { + server 127.0.0.1:8051; + } + + {% if ssl_certificate is defined %} + server { + listen 8052 default_server; + server_name _; + + # Redirect all HTTP links to the matching HTTPS page + return 301 https://$host$request_uri; + } + {%endif %} + + server { + {% if (ssl_certificate is defined) and (ssl_certificate_key is defined) %} + listen 8053 ssl; + + ssl_certificate /etc/nginx/awxweb.pem; + ssl_certificate_key /etc/nginx/awxweb_key.pem; + {% elif (ssl_certificate is defined) and (ssl_certificate_key is not defined) %} + listen 8053 ssl; + + ssl_certificate /etc/nginx/awxweb.pem; + ssl_certificate_key /etc/nginx/awxweb.pem; + {% else %} + listen 8052 default_server; + {% endif %} + + # If you have a domain name, this is where to add it + server_name _; + keepalive_timeout 65; + + # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) + add_header Strict-Transport-Security max-age=15768000; + + # Protect against click-jacking https://www.owasp.org/index.php/Testing_for_Clickjacking_(OTG-CLIENT-009) + add_header X-Frame-Options "DENY"; + + location /nginx_status { + stub_status on; + access_log off; + allow 127.0.0.1; + deny all; + } + + location /static/ { + alias /var/lib/awx/public/static/; + } + + location /favicon.ico { alias /var/lib/awx/public/static/favicon.ico; } + + location /websocket { + # Pass request to the upstream alias 
+ proxy_pass http://daphne; + # Require http version 1.1 to allow for upgrade requests + proxy_http_version 1.1; + # We want proxy_buffering off for proxying to websockets. + proxy_buffering off; + # http://en.wikipedia.org/wiki/X-Forwarded-For + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + # enable this if you use HTTPS: + proxy_set_header X-Forwarded-Proto https; + # pass the Host: header from the client for the sake of redirects + proxy_set_header Host $http_host; + # We've set the Host header, so we don't need Nginx to muddle + # about with redirects + proxy_redirect off; + # Depending on the request value, set the Upgrade and + # connection headers + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + } + + location / { + # Add trailing / if missing + rewrite ^(.*)$http_host(.*[^/])$ $1$http_host$2/ permanent; + uwsgi_read_timeout 120s; + uwsgi_pass uwsgi; + include /etc/nginx/uwsgi_params; + {%- if extra_nginx_include is defined %} + include {{ extra_nginx_include }}; + {%- endif %} + proxy_set_header X-Forwarded-Port 443; + uwsgi_param HTTP_X_FORWARDED_PORT 443; + } + } +} diff --git a/examples/awx17/roles/local_docker/templates/redis.conf.j2 b/examples/awx17/roles/local_docker/templates/redis.conf.j2 new file mode 100644 index 0000000..017bb06 --- /dev/null +++ b/examples/awx17/roles/local_docker/templates/redis.conf.j2 @@ -0,0 +1,4 @@ +unixsocket /var/run/redis/redis.sock +unixsocketperm 660 +port 0 +bind 127.0.0.1 diff --git a/podman_compose.py b/podman_compose.py index b873762..c540b0a 100755 --- a/podman_compose.py +++ b/podman_compose.py 
@@ -1485,7 +1485,7 @@ def compose_run(compose, args):
 create_pods(compose, args)
 container_names=compose.container_names_by_service[args.service]
 container_name=container_names[0]
- cnt = compose.container_by_name[container_name]
+ cnt = dict(compose.container_by_name[container_name])
 deps = cnt["_deps"]
 if not args.no_deps:
 up_args = argparse.Namespace(**dict(args.__dict__,
@@ -1516,6 +1516,9 @@ def compose_run(compose, args):
 cnt['tty']=False if args.T else True
 if args.cnt_command is not None and len(args.cnt_command) > 0:
 cnt['command']=args.cnt_command
+ # can't restart and --rm
+ if args.rm and 'restart' in cnt:
+ del cnt['restart']
 # run podman
 podman_args = container_to_args(compose, cnt, args.detach)
 if not args.detach:
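Review bot: The copy added at `cnt = dict(compose.container_by_name[container_name])` in the first hunk is shallow, and nothing on the line says why it is there. The top-level overrides further down (`cnt['tty']`, `cnt['command']`, `del cnt['restart']`) are now confined to this run, but nested values such as `cnt["_deps"]` are still the same objects held by `compose.container_by_name`, so an in-place change to a list or dict inside `cnt` would still alter the shared service definition. I would add a comment such as `# shallow copy: per-run overrides below must not leak into compose.container_by_name`. If any nested value is modified in the part of compose_run outside this hunk, that value should be copied before it is changed. compose_run starts and ends outside the hunk.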
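Review bot: In the second hunk the restart policy is dropped without any message, and the comment `# can't restart and --rm` does not say which option wins or why. A service declared with a restart policy and started through `run --rm` ends up as a container without that policy and with no indication of it. A clearer comment would be `# --rm and a restart policy cannot be combined; --rm wins for one-off runs`, and the two code lines can be written as `if args.rm: cnt.pop('restart', None)`. The deletion is only safe because the first hunk turns `cnt` into a copy; on the shared entry it would strip the policy from the service definition itself. compose_run continues outside the hunk.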