From f86320b161d4541e24277357f24a8e12ece476f8 Mon Sep 17 00:00:00 2001 From: Bernd Finger Date: Thu, 27 Nov 2025 15:22:20 +0100 Subject: [PATCH 01/14] sap_hana_install: SELinux and fapolicyd handling - unify the definition of SELinux and fapolicyd directories - add an option to enable and start fapolicyd after the installation of SAP HANA (default is now not to enable and not to start it) Solves issue #1134. Signed-off-by: Bernd Finger --- roles/sap_hana_install/README.md | 2 ++ roles/sap_hana_install/defaults/main.yml | 14 +++++++----- roles/sap_hana_install/tasks/main.yml | 4 ++-- .../tasks/post_tasks/fapolicyd.yml | 8 ++++--- .../tasks/post_tasks/selinux.yml | 22 ++++++++++++++----- .../tasks/pre_tasks/selinux.yml | 2 +- .../templates/fapolicyd-rules.j2 | 4 ++-- 7 files changed, 37 insertions(+), 19 deletions(-) diff --git a/roles/sap_hana_install/README.md b/roles/sap_hana_install/README.md index a713de00d..6615e1b21 100644 --- a/roles/sap_hana_install/README.md +++ b/roles/sap_hana_install/README.md @@ -293,6 +293,7 @@ Steps: 6. Apply firewall rules if the variable `sap_hana_install_update_firewall` is set to `true`. 7. Apply SElinux policies if the variable `sap_hana_install_modify_selinux_labels` is set to `true`. 8. (Red Hat specific) Configure `fapolicyd` if the variable `sap_hana_install_use_fapolicyd` is set to `true`. +Additionally, if `sap_hana_install_enable_fapolicyd` is set to `true`, also enable and start the `fapolicyd` service. 9. Output final status of installed system. 
@@ -306,6 +307,7 @@ Steps: 6. Apply firewall rules if the variable `sap_hana_install_update_firewall` is set to `true`. 7. Apply SElinux policies if the variable `sap_hana_install_modify_selinux_labels` is set to `true`. 8. (Red Hat specific) Configure `fapolicyd` if the variable `sap_hana_install_use_fapolicyd` is set to `true`. +Additionally, if `sap_hana_install_enable_fapolicyd` is set to `true`, also enable and start the `fapolicyd` service. 9. Output final status of installed system. diff --git a/roles/sap_hana_install/defaults/main.yml b/roles/sap_hana_install/defaults/main.yml index 658abc45a..ced0dc606 100644 --- a/roles/sap_hana_install/defaults/main.yml +++ b/roles/sap_hana_install/defaults/main.yml 
@@ -34,22 +34,26 @@ sap_hana_install_keep_copied_sarfiles: false # For installing SAP HANA with fapolicyd support, set the following variable to `true`: sap_hana_install_use_fapolicyd: false -# (RedHat specific) fapolicyd package is present on RedHat systems +# (RedHat specific) desired fapolicyd service status (only if sap_hana_install_use_fapolicyd is 'true') +# For enabling and starting the fapolicyd service after the installation has finished, set the following variable to `true`: +sap_hana_install_enable_fapolicyd: false + +# (RedHat specific) fapolicyd integrity level # When using fapolicyd, you can set the following variable to one of `none`, `size`, `sha256`, or `ima`. Note that before setting # to `ima`, it is essential to prepare the system accordingly (e.g. boot with a different kernel parameter). See the # RHEL 9 Managing, monitoring, and updating the kernel guide for more information on this topic. sap_hana_install_fapolicyd_integrity: 'sha256' -# (RedHat specific) fapolicyd package is present on RedHat systems +# (RedHat specific) name of fapolicyd rule file for protecting shell sripts # When using fapolicyd, the following variable is used to define the fapolicyd rule file in which the rules for # protecting shell scripts are stored. The rule file will be created in the directory '/etc/fapolicyd/rules.d'. # Note: The mandatory file ending '.rules' will be added in the corresponding task of this role. 
sap_hana_install_fapolicyd_rule_file: '71-sap-shellscripts' -# (RedHat specific) fapolicyd package is present on RedHat systems -# When using fapolicyd, modify the following variable to change or add the directories which contain SAP HANA executables: -sap_hana_install_fapolicyd_trusted_directories: +# Directories which are used for the SAP HANA installation (relevant for SELinux relabeling and for fapolicyd protection) +sap_hana_install_directories: - "{{ sap_hana_install_root_path }}" + - '/lss/shared' - '/usr/sap' # File name of SAPCAR*EXE in the software directory. If the variable is not set and there is more than one SAPCAR executable diff --git a/roles/sap_hana_install/tasks/main.yml b/roles/sap_hana_install/tasks/main.yml index 9b8497354..a4e40a77f 100644 --- a/roles/sap_hana_install/tasks/main.yml +++ b/roles/sap_hana_install/tasks/main.yml @@ -170,10 +170,10 @@ Firewall is enabled and SAP HANA ports are open. {% endif %} {% if sap_hana_install_modify_selinux_labels %} - SELinux file contexts are configured for SAP folders '{{ sap_hana_install_root_path }}' and '/usr/sap'. + SELinux file contexts are configured for SAP folders ({{ sap_hana_install_directories | map('quote') | join(', ') }}). {% endif %} {% if ansible_os_family == "RedHat" and sap_hana_install_use_fapolicyd %} - Fapolicyd is configured for SAP folders '{{ sap_hana_install_root_path }}' and '/usr/sap'. + Fapolicyd is configured for SAP folders ({{ sap_hana_install_directories | map('quote') | join(', ') }}). {% endif %} vars: __sap_hana_install_fact_hana_version: "{{ __sap_hana_install_register_completion_result.stdout.split(';')[0] }}" diff --git a/roles/sap_hana_install/tasks/post_tasks/fapolicyd.yml b/roles/sap_hana_install/tasks/post_tasks/fapolicyd.yml index ddc2e90c0..9b68b6bd5 100644 --- a/roles/sap_hana_install/tasks/post_tasks/fapolicyd.yml +++ b/roles/sap_hana_install/tasks/post_tasks/fapolicyd.yml 
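Review bot: Renaming `sap_hana_install_fapolicyd_trusted_directories` to `sap_hana_install_directories` in the defaults hunk, with no fallback, means an inventory that still sets the old name is silently ignored, so site-specific directories drop out of both the fapolicyd deny rule and the trust files without any error. Later patches in this series do the same for `sap_hana_install_use_fapolicyd` and `sap_hana_install_modify_selinux_labels`; a stale `sap_hana_install_use_fapolicyd: true` would then leave fapolicyd unconfigured. I would fail early in `pre_tasks/assert_variables.yml` when an old name is still defined, for example `- sap_hana_install_fapolicyd_trusted_directories is not defined`, with a message naming the replacement variable.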
@@ -69,10 +69,10 @@ msg: "{{ sap_hana_install_register_fagenrules_load.stdout_lines }}" # We want to add files which have the execute mode bit set AND which are reported as executables - # by fapolicyd-cli -t, one for each directory of sap_hana_install_fapolicyd_trusted_directories. + # by fapolicyd-cli -t, one for each directory of sap_hana_install_directories. # The fapolicy trust file name will be created from the directory names by replacing '/' by '_' and # omitting the first '_'. - - name: SAP HANA - Post-Tasks - Put all executable files from 'sap_hana_install_fapolicyd_trusted_directories' into fapolicyd trust files + - name: SAP HANA - Post-Tasks - Put all executable files from 'sap_hana_install_directories' into fapolicyd trust files ansible.builtin.shell: | set -o pipefail && find {{ __sap_hana_install_item }} -type f -executable -exec fapolicyd-cli -t {} \; -print | @@ -83,7 +83,7 @@ {{ __sap_hana_install_item | regex_replace('//*', '_') | regex_replace("^_", "") }}"); a=0; b=0 } }' - loop: "{{ sap_hana_install_fapolicyd_trusted_directories }}" + loop: "{{ sap_hana_install_directories }}" loop_control: loop_var: __sap_hana_install_item label: >- @@ -98,9 +98,11 @@ name: fapolicyd enabled: true state: started + when: sap_hana_install_enable_fapolicyd - name: SAP HANA - Post-Tasks - Restart fapolicyd ansible.builtin.service: name: fapolicyd enabled: true state: restarted + when: sap_hana_install_enable_fapolicyd diff --git a/roles/sap_hana_install/tasks/post_tasks/selinux.yml b/roles/sap_hana_install/tasks/post_tasks/selinux.yml index bccb46bda..5ed68fead 100644 --- a/roles/sap_hana_install/tasks/post_tasks/selinux.yml +++ b/roles/sap_hana_install/tasks/post_tasks/selinux.yml 
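Review bot: The loop item is interpolated into the shell pipeline unquoted in `find {{ __sap_hana_install_item }} -type f -executable ...`, an unchanged context line of the `@@ -69,10` hunk, while this commit widens the list that feeds it to the shared `sap_hana_install_directories` variable. An entry containing whitespace or shell metacharacters would be split or interpreted by the shell in a task that presumably runs with elevated privileges; `find {{ __sap_hana_install_item | quote }} -type f -executable ...` keeps each entry a single argument. With `/lss/shared` now in the default list, it is also worth confirming that the pipeline tolerates a directory that does not exist, since `set -o pipefail` propagates a non-zero exit from `find`. The shell body continues past the end of this hunk.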
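Review bot: With `sap_hana_install_enable_fapolicyd` defaulting to `false`, both service tasks in the `@@ -98,9` hunk are skipped, so a host finishes the role with fapolicyd rules and trust files written but the daemon not running. The comment in `pre_tasks/fapolicyd.yml` says the service is disabled before the installation in all cases, so a host that was enforcing fapolicyd before the run would apparently be left without it unless the new variable is set. I would record the service state before disabling it and restore that state here, or at least have the final summary in `tasks/main.yml` say whether the service was started rather than only that fapolicyd "is configured".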
@@ -1,16 +1,26 @@ # SPDX-License-Identifier: Apache-2.0 --- -# This configuration includes also Pre-Tasks content to ensure they are all set same. -- name: SAP HANA - Post-Tasks - Configure 'sap_hana_install_root_path' SELinux file contexts +# We do not need to configure sap_hana_install_root_path here because that was already configured in Pre-Tasks. +- name: SAP HANA - Post-Tasks - Define dict for selinux_fcontexts + ansible.builtin.set_fact: + __sap_hana_install_fcontexts_list: "{{ __sap_hana_install_fcontexts_list | d([]) + [ __sap_hana_install_target_setype_dict ] }}" + loop: "{{ sap_hana_install_directories | reject('equalto', sap_hana_install_root_path) }}" + loop_control: + loop_var: __sap_hana_install_selinux_fapolicyd_directory_item + vars: + __sap_hana_install_target_setype_dict: + target: "{{ __sap_hana_install_selinux_fapolicyd_directory_item }}(/.*)?" + setype: 'usr_t' + when: sap_hana_install_modify_selinux_labels + +- name: SAP HANA - Post-Tasks - Configure SELinux file contexts for the remaining directories ansible.builtin.include_role: name: '{{ sap_hana_install_system_roles_collection }}.selinux' vars: selinux_booleans: - { name: 'selinuxuser_execmod', state: 'on' } selinux_fcontexts: - - { target: '{{ sap_hana_install_root_path }}(/.*)?', setype: 'usr_t' } - - { target: '/usr/sap(/.*)?', setype: 'usr_t' } + - "{{ __sap_hana_install_fcontexts_list }}" selinux_restore_dirs: - - '{{ sap_hana_install_root_path }}' - - /usr/sap + - "{{ sap_hana_install_directories | reject('equalto', sap_hana_install_root_path) }}" diff --git a/roles/sap_hana_install/tasks/pre_tasks/selinux.yml b/roles/sap_hana_install/tasks/pre_tasks/selinux.yml index 3260a4459..434b8bb68 100644 --- a/roles/sap_hana_install/tasks/pre_tasks/selinux.yml +++ b/roles/sap_hana_install/tasks/pre_tasks/selinux.yml 
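Review bot: The `set_fact` loop builds `__sap_hana_install_fcontexts_list` by appending to its own previous value and never resets it. If this file runs again for the same host in one playbook run the entries are duplicated, and if every entry of `sap_hana_install_directories` equals `sap_hana_install_root_path` the loop runs zero times and the fact is still undefined when the `include_role` task below templates it. A task placed before the loop that sets `__sap_hana_install_fcontexts_list: []` covers both cases.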
@@ -1,7 +1,7 @@ # SPDX-License-Identifier: Apache-2.0 --- -- name: SAP HANA - Pre-Tasks - Configure 'sap_hana_install_root_path' SELinux file contexts +- name: SAP HANA - Pre-Tasks - Configure SELinux file contexts for 'sap_hana_install_root_path' ansible.builtin.include_role: name: '{{ sap_hana_install_system_roles_collection }}.selinux' vars: diff --git a/roles/sap_hana_install/templates/fapolicyd-rules.j2 b/roles/sap_hana_install/templates/fapolicyd-rules.j2 index 20f79847f..b308f7ed3 100644 --- a/roles/sap_hana_install/templates/fapolicyd-rules.j2 +++ b/roles/sap_hana_install/templates/fapolicyd-rules.j2 @@ -2,8 +2,8 @@ # File managed by Ansible deny_audit perm=any all : ftype=text/x-shellscript dir= -{%- for __sap_hana_install_fapolicyd_trusted_directory in sap_hana_install_fapolicyd_trusted_directories -%} -{{ __sap_hana_install_fapolicyd_trusted_directory }}/{{ "" if loop.last else "," }} +{%- for __sap_hana_install_directory in sap_hana_install_directories -%} +{{ __sap_hana_install_directory }}/{{ "" if loop.last else "," }} {%- endfor %} trust=0 From 1f636fccea331acc3e1eb4d0a207c00854c46df1 Mon Sep 17 00:00:00 2001 From: Bernd Finger Date: Thu, 27 Nov 2025 16:16:35 +0100 Subject: [PATCH 02/14] sap_hana_install: Fix ansible-lint Relates to #1134. Signed-off-by: Bernd Finger --- roles/sap_hana_install/tasks/post_tasks/selinux.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/sap_hana_install/tasks/post_tasks/selinux.yml b/roles/sap_hana_install/tasks/post_tasks/selinux.yml index 5ed68fead..494052c44 100644 --- a/roles/sap_hana_install/tasks/post_tasks/selinux.yml +++ b/roles/sap_hana_install/tasks/post_tasks/selinux.yml 
@@ -4,7 +4,7 @@ # We do not need to configure sap_hana_install_root_path here because that was already configured in Pre-Tasks. - name: SAP HANA - Post-Tasks - Define dict for selinux_fcontexts ansible.builtin.set_fact: - __sap_hana_install_fcontexts_list: "{{ __sap_hana_install_fcontexts_list | d([]) + [ __sap_hana_install_target_setype_dict ] }}" + __sap_hana_install_fcontexts_list: "{{ __sap_hana_install_fcontexts_list | d([]) + [__sap_hana_install_target_setype_dict] }}" loop: "{{ sap_hana_install_directories | reject('equalto', sap_hana_install_root_path) }}" loop_control: loop_var: __sap_hana_install_selinux_fapolicyd_directory_item From 5ff835ab84f3bec570f6bae4b05ac0eb002cd36c Mon Sep 17 00:00:00 2001 From: Bernd Finger Date: Thu, 27 Nov 2025 16:24:58 +0100 Subject: [PATCH 03/14] sap_hana_install: Fix codespell Relates to #1134. Signed-off-by: Bernd Finger --- roles/sap_hana_install/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/sap_hana_install/defaults/main.yml b/roles/sap_hana_install/defaults/main.yml index ced0dc606..193c0fde4 100644 --- a/roles/sap_hana_install/defaults/main.yml +++ b/roles/sap_hana_install/defaults/main.yml @@ -44,7 +44,7 @@ sap_hana_install_enable_fapolicyd: false # RHEL 9 Managing, monitoring, and updating the kernel guide for more information on this topic. sap_hana_install_fapolicyd_integrity: 'sha256' -# (RedHat specific) name of fapolicyd rule file for protecting shell sripts +# (RedHat specific) name of fapolicyd rule file for protecting shell scripts # When using fapolicyd, the following variable is used to define the fapolicyd rule file in which the rules for # protecting shell scripts are stored. The rule file will be created in the directory '/etc/fapolicyd/rules.d'. # Note: The mandatory file ending '.rules' will be added in the corresponding task of this role. From ba6457c4e8aae0bd35a26642f227cfbb823c3309 Mon Sep 17 00:00:00 2001 
From: Bernd Finger Date: Fri, 28 Nov 2025 11:26:01 +0100 Subject: [PATCH 04/14] sap_hana_install: Add assertion for sap_hana_install_directories Also rename a loop variable. Relates to ##1134. Signed-off-by: Bernd Finger --- .../tasks/post_tasks/selinux.yml | 4 ++-- .../tasks/pre_tasks/assert_variables.yml | 24 +++++++++++++++++++ 2 files changed, 26 insertions(+), 2 deletions(-) diff --git a/roles/sap_hana_install/tasks/post_tasks/selinux.yml b/roles/sap_hana_install/tasks/post_tasks/selinux.yml index 494052c44..ab1b1f661 100644 --- a/roles/sap_hana_install/tasks/post_tasks/selinux.yml +++ b/roles/sap_hana_install/tasks/post_tasks/selinux.yml @@ -7,10 +7,10 @@ __sap_hana_install_fcontexts_list: "{{ __sap_hana_install_fcontexts_list | d([]) + [__sap_hana_install_target_setype_dict] }}" loop: "{{ sap_hana_install_directories | reject('equalto', sap_hana_install_root_path) }}" loop_control: - loop_var: __sap_hana_install_selinux_fapolicyd_directory_item + loop_var: __sap_hana_install_directory_item vars: __sap_hana_install_target_setype_dict: - target: "{{ __sap_hana_install_selinux_fapolicyd_directory_item }}(/.*)?" + target: "{{ __sap_hana_install_directory_item }}(/.*)?" setype: 'usr_t' when: sap_hana_install_modify_selinux_labels diff --git a/roles/sap_hana_install/tasks/pre_tasks/assert_variables.yml b/roles/sap_hana_install/tasks/pre_tasks/assert_variables.yml index 1d606bdab..62be451e4 100644 --- a/roles/sap_hana_install/tasks/pre_tasks/assert_variables.yml +++ b/roles/sap_hana_install/tasks/pre_tasks/assert_variables.yml 
@@ -82,6 +82,30 @@ when: - not sap_hana_install_new_system +- name: SAP HANA - Pre-Tasks - Assert that the variable 'sap_hana_install_directories' is defined as a list containing at least one directory + ansible.builtin.assert: + that: + - sap_hana_install_directories is defined + - sap_hana_install_directories | type_debug == 'list' + - sap_hana_install_directories | reject('string') | list | length == 0 + - sap_hana_install_directories | reject('match', '^/') | list | length == 0 + success_msg: | + PASS: The variable 'sap_hana_install_directories' is defined as list containing at least one directory. + fail_msg: | + {% if sap_hana_install_directories is not defined %} + FAIL: The variable 'sap_hana_install_directories' is not defined. + {% elif (sap_hana_install_directories | type_debug) != 'list' %} + FAIL: The variable 'sap_hana_install_directories' is not defined as a list. + {% elif sap_hana_install_directories | select('string') | list | length == 0 %} + FAIL: The variable 'sap_hana_install_directories' does not contain at least one string + {% elif sap_hana_install_directories | select('match', '^/') | list | length == 0 %} + FAIL: The variable 'sap_hana_install_directories' does not contain at least one directory + {% else %} + FAIL: The variable 'sap_hana_install_directories' is empty. + {% endif %} + when: + - sap_hana_install_modify_selinux_labels or sap_hana_install_use_fapolicyd + # TODO: Issue#1123 Uncomment and update when fixing issue with use_master_password # Master Password cannot be used in combination with other initial passwords # Mandatory parameter 'password' (Password) is missing or invalid From bf752434c6ee3f798b13310b8cbdf4ac86774caa Mon Sep 17 00:00:00 2001 From: Bernd Finger Date: Fri, 28 Nov 2025 12:30:37 +0100 Subject: [PATCH 05/14] sap_hana_install: use only a list of dicts for selinux_fcontexts Relates to #1134. 
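Review bot: The `that` list accepts an empty list, because `reject(...) | list | length == 0` is true when there are no items, although the task name and `success_msg` promise at least one directory; adding `- sap_hana_install_directories | length > 0` closes that gap. The `fail_msg` branches test `select(...) | list | length == 0`, which is not the negation of the `reject(...)` conditions, so a list with one valid and one invalid entry reports the wrong reason; `reject('string') | list | length > 0` and `reject('match', '^/') | list | length > 0` would mirror the assertions. Because these entries are later placed into a shell command, an SELinux fcontext regular expression and a fapolicyd `dir=` rule, I would also reject entries containing whitespace, commas or a trailing slash here, since `^/` alone lets those through.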
Signed-off-by: Bernd Finger --- roles/sap_hana_install/tasks/post_tasks/selinux.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/roles/sap_hana_install/tasks/post_tasks/selinux.yml b/roles/sap_hana_install/tasks/post_tasks/selinux.yml index ab1b1f661..92d4029a8 100644 --- a/roles/sap_hana_install/tasks/post_tasks/selinux.yml +++ b/roles/sap_hana_install/tasks/post_tasks/selinux.yml @@ -20,7 +20,6 @@ vars: selinux_booleans: - { name: 'selinuxuser_execmod', state: 'on' } - selinux_fcontexts: - - "{{ __sap_hana_install_fcontexts_list }}" + selinux_fcontexts: "{{ __sap_hana_install_fcontexts_list }}" selinux_restore_dirs: - "{{ sap_hana_install_directories | reject('equalto', sap_hana_install_root_path) }}" From ed3b4eeb14bb91edf9c877a8c2bdb6525e3e3492 Mon Sep 17 00:00:00 2001 From: Bernd Finger Date: Fri, 28 Nov 2025 13:34:05 +0100 Subject: [PATCH 06/14] sap_hana_install: Rename sap_hana_install_use_fapolicyd ... to sap_hana_install_configure_fapolicy. Relates to #1134. Signed-off-by: Bernd Finger --- roles/sap_hana_install/README.md | 8 ++++---- roles/sap_hana_install/defaults/main.yml | 4 ++-- roles/sap_hana_install/tasks/main.yml | 2 +- roles/sap_hana_install/tasks/post_addhosts.yml | 4 ++-- roles/sap_hana_install/tasks/post_install.yml | 4 ++-- roles/sap_hana_install/tasks/pre_addhosts.yml | 2 +- roles/sap_hana_install/tasks/pre_install.yml | 2 +- .../sap_hana_install/tasks/pre_tasks/assert_variables.yml | 2 +- roles/sap_hana_install/tasks/pre_tasks/fapolicyd.yml | 2 +- 9 files changed, 15 insertions(+), 15 deletions(-) diff --git a/roles/sap_hana_install/README.md b/roles/sap_hana_install/README.md index 6615e1b21..21c7d44e6 100644 --- a/roles/sap_hana_install/README.md +++ b/roles/sap_hana_install/README.md 
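Review bot: `selinux_restore_dirs` still wraps the filtered expression in a one-element list, `- "{{ sap_hana_install_directories | reject('equalto', sap_hana_install_root_path) }}"`, which is the same shape this commit removes from `selinux_fcontexts`. The selinux role would then presumably receive a list whose single item is itself a list (or an unrendered generator, as `reject` is not followed by `| list`), and the restore step may not run on the intended directories, leaving files with their previous labels. Suggested: `selinux_restore_dirs: "{{ sap_hana_install_directories | reject('equalto', sap_hana_install_root_path) | list }}"`. The `include_role` task starts above this hunk.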
@@ -229,7 +229,7 @@ This part is performed when: - Existing SAP HANA was not detected. Steps: -1. If the variable `sap_hana_install_use_fapolicyd` is set to `true` and operating system is `RedHat`, install and disable `fapolicyd` on all new hosts. +1. If the variable `sap_hana_install_configure_fapolicy` is set to `true` and operating system is `RedHat`, install and disable `fapolicyd` on all new hosts. 2. Configure permissions for the SAP HANA directories on all new hosts. 3. If the variable `sap_hana_install_modify_selinux_labels` is set to `true`, configure `SElinux` on all new hosts. 4. Prepare the directory defined in variable `sap_hana_install_software_directory`. @@ -253,7 +253,7 @@ Steps: - Generate password hash for `sapadm` user using the value of `sap_hana_install_sapadm_password` variable. 2. Create the user `adm` on all addhosts. - This is not required during installation, because the `root` user is used instead. -3. If the variable `sap_hana_install_use_fapolicyd` is set to `true` and operating system is `RedHat`, install and disable `fapolicyd` on all new hosts. +3. If the variable `sap_hana_install_configure_fapolicy` is set to `true` and operating system is `RedHat`, install and disable `fapolicyd` on all new hosts. 4. Configure permissions for the SAP HANA directories on all new hosts. 5. If the variable `sap_hana_install_modify_selinux_labels` is set to `true`, configure `SElinux` on all new hosts. 6. If the file `configfiles/configfile.cfg` is found in the directory defined in `sap_hana_install_software_directory`, make copy of it and use it for installation. 
@@ -292,7 +292,7 @@ Steps: 5. Set expiration of unix users to `never` if the variable `sap_hana_install_set_sidadm_noexpire` is set to `true`, for new installations. 6. Apply firewall rules if the variable `sap_hana_install_update_firewall` is set to `true`. 7. Apply SElinux policies if the variable `sap_hana_install_modify_selinux_labels` is set to `true`. -8. (Red Hat specific) Configure `fapolicyd` if the variable `sap_hana_install_use_fapolicyd` is set to `true`. +8. (Red Hat specific) Configure `fapolicyd` if the variable `sap_hana_install_configure_fapolicy` is set to `true`. Additionally, if `sap_hana_install_enable_fapolicyd` is set to `true`, also enable and start the `fapolicyd` service. 9. Output final status of installed system. @@ -306,7 +306,7 @@ Steps: 5. Set expiration of unix users to `never` if the variable `sap_hana_install_set_sidadm_noexpire` is set to `true`, for new hosts. 6. Apply firewall rules if the variable `sap_hana_install_update_firewall` is set to `true`. 7. Apply SElinux policies if the variable `sap_hana_install_modify_selinux_labels` is set to `true`. -8. (Red Hat specific) Configure `fapolicyd` if the variable `sap_hana_install_use_fapolicyd` is set to `true`. +8. (Red Hat specific) Configure `fapolicyd` if the variable `sap_hana_install_configure_fapolicy` is set to `true`. Additionally, if `sap_hana_install_enable_fapolicyd` is set to `true`, also enable and start the `fapolicyd` service. 9. Output final status of installed system. diff --git a/roles/sap_hana_install/defaults/main.yml b/roles/sap_hana_install/defaults/main.yml index 193c0fde4..0ffcf975a 100644 --- a/roles/sap_hana_install/defaults/main.yml +++ b/roles/sap_hana_install/defaults/main.yml 
@@ -32,9 +32,9 @@ sap_hana_install_keep_copied_sarfiles: false # (RedHat specific) fapolicyd package is present on RedHat systems # For installing SAP HANA with fapolicyd support, set the following variable to `true`: -sap_hana_install_use_fapolicyd: false +sap_hana_install_configure_fapolicy: false -# (RedHat specific) desired fapolicyd service status (only if sap_hana_install_use_fapolicyd is 'true') +# (RedHat specific) desired fapolicyd service status (only if sap_hana_install_configure_fapolicy is 'true') # For enabling and starting the fapolicyd service after the installation has finished, set the following variable to `true`: sap_hana_install_enable_fapolicyd: false diff --git a/roles/sap_hana_install/tasks/main.yml b/roles/sap_hana_install/tasks/main.yml index a4e40a77f..636fe6e34 100644 --- a/roles/sap_hana_install/tasks/main.yml +++ b/roles/sap_hana_install/tasks/main.yml @@ -172,7 +172,7 @@ {% if sap_hana_install_modify_selinux_labels %} SELinux file contexts are configured for SAP folders ({{ sap_hana_install_directories | map('quote') | join(', ') }}). {% endif %} - {% if ansible_os_family == "RedHat" and sap_hana_install_use_fapolicyd %} + {% if ansible_os_family == "RedHat" and sap_hana_install_configure_fapolicy %} Fapolicyd is configured for SAP folders ({{ sap_hana_install_directories | map('quote') | join(', ') }}). {% endif %} vars: diff --git a/roles/sap_hana_install/tasks/post_addhosts.yml b/roles/sap_hana_install/tasks/post_addhosts.yml index dee91eb6d..a3b2e59c7 100644 --- a/roles/sap_hana_install/tasks/post_addhosts.yml +++ b/roles/sap_hana_install/tasks/post_addhosts.yml @@ -33,5 +33,5 @@ when: # Ensure fapolicyd is checked only on supported systems. - ansible_os_family == "RedHat" - - sap_hana_install_use_fapolicyd - tags: sap_hana_install_use_fapolicyd + - sap_hana_install_configure_fapolicy + tags: sap_hana_install_configure_fapolicy 
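Review bot: The new name `sap_hana_install_configure_fapolicy` in the defaults hunk drops the trailing `d` that every other variable in this file keeps (`sap_hana_install_enable_fapolicyd`, `sap_hana_install_fapolicyd_integrity`, `sap_hana_install_fapolicyd_rule_file`). An override typed as `sap_hana_install_configure_fapolicyd` would be silently ignored and the default `false` would apply, so fapolicyd would not be configured. I would spell it `sap_hana_install_configure_fapolicyd` here and in the task, tag and README hunks of this commit.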
diff --git a/roles/sap_hana_install/tasks/post_install.yml b/roles/sap_hana_install/tasks/post_install.yml index 2030cc7b3..dd827a95a 100644 --- a/roles/sap_hana_install/tasks/post_install.yml +++ b/roles/sap_hana_install/tasks/post_install.yml @@ -84,5 +84,5 @@ when: # Ensure fapolicyd is checked only on supported systems. - ansible_os_family == "RedHat" - - sap_hana_install_use_fapolicyd - tags: sap_hana_install_use_fapolicyd + - sap_hana_install_configure_fapolicy + tags: sap_hana_install_configure_fapolicy diff --git a/roles/sap_hana_install/tasks/pre_addhosts.yml b/roles/sap_hana_install/tasks/pre_addhosts.yml index f4bc4b987..1952a2bc1 100644 --- a/roles/sap_hana_install/tasks/pre_addhosts.yml +++ b/roles/sap_hana_install/tasks/pre_addhosts.yml @@ -51,7 +51,7 @@ # Ensure fapolicyd is checked only on supported systems. - ansible_os_family == "RedHat" - __sap_hana_install_fact_is_new_addhost_host - tags: sap_hana_install_use_fapolicyd + tags: sap_hana_install_configure_fapolicy - name: SAP HANA - Addhosts - Pre-Tasks - Configure SELinux file contexts for {{ sap_hana_install_root_path }} diff --git a/roles/sap_hana_install/tasks/pre_install.yml b/roles/sap_hana_install/tasks/pre_install.yml index bbcc0fb92..613b73a38 100644 --- a/roles/sap_hana_install/tasks/pre_install.yml +++ b/roles/sap_hana_install/tasks/pre_install.yml @@ -8,7 +8,7 @@ # Ensure fapolicyd is checked only on supported systems. - ansible_os_family == "RedHat" - not __sap_hana_install_fact_is_installed - tags: sap_hana_install_use_fapolicyd + tags: sap_hana_install_configure_fapolicy - name: SAP HANA - Install - Pre-Tasks - Configure SELinux file contexts for {{ sap_hana_install_root_path }} diff --git a/roles/sap_hana_install/tasks/pre_tasks/assert_variables.yml b/roles/sap_hana_install/tasks/pre_tasks/assert_variables.yml index 62be451e4..f1ca89602 100644 --- a/roles/sap_hana_install/tasks/pre_tasks/assert_variables.yml +++ b/roles/sap_hana_install/tasks/pre_tasks/assert_variables.yml 
@@ -104,7 +104,7 @@ FAIL: The variable 'sap_hana_install_directories' is empty. {% endif %} when: - - sap_hana_install_modify_selinux_labels or sap_hana_install_use_fapolicyd + - sap_hana_install_modify_selinux_labels or sap_hana_install_configure_fapolicy # TODO: Issue#1123 Uncomment and update when fixing issue with use_master_password # Master Password cannot be used in combination with other initial passwords diff --git a/roles/sap_hana_install/tasks/pre_tasks/fapolicyd.yml b/roles/sap_hana_install/tasks/pre_tasks/fapolicyd.yml index e77bf5980..ae2b55531 100644 --- a/roles/sap_hana_install/tasks/pre_tasks/fapolicyd.yml +++ b/roles/sap_hana_install/tasks/pre_tasks/fapolicyd.yml @@ -5,7 +5,7 @@ ansible.builtin.package: name: fapolicyd state: present - when: sap_hana_install_use_fapolicyd + when: sap_hana_install_configure_fapolicy # We must ensure fapolicyd is disabled before installing SAP HANA in all cases. # Otherwise, the installation of SAP HANA will fail. From 1cebeddd89afca2a7177a4b9e46caf4ef5557c78 Mon Sep 17 00:00:00 2001 From: Bernd Finger Date: Fri, 28 Nov 2025 13:39:15 +0100 Subject: [PATCH 07/14] sap_hana_install: Rename sap_hana_install_modify_selinux_labels ... to sap_hana_install_configure_selinux Relates to #1134. Signed-off-by: Bernd Finger --- roles/sap_hana_install/README.md | 8 ++++---- roles/sap_hana_install/defaults/main.yml | 2 +- roles/sap_hana_install/tasks/main.yml | 4 ++-- roles/sap_hana_install/tasks/post_addhosts.yml | 2 +- roles/sap_hana_install/tasks/post_install.yml | 2 +- roles/sap_hana_install/tasks/post_tasks/selinux.yml | 2 +- roles/sap_hana_install/tasks/pre_addhosts.yml | 2 +- roles/sap_hana_install/tasks/pre_install.yml | 2 +- .../sap_hana_install/tasks/pre_tasks/assert_variables.yml | 2 +- .../tasks/pre_tasks/check_filesystems.yml | 2 +- 10 files changed, 14 insertions(+), 14 deletions(-) diff --git a/roles/sap_hana_install/README.md b/roles/sap_hana_install/README.md index 21c7d44e6..50251d857 100644 
--- a/roles/sap_hana_install/README.md +++ b/roles/sap_hana_install/README.md @@ -231,7 +231,7 @@ This part is performed when: Steps: 1. If the variable `sap_hana_install_configure_fapolicy` is set to `true` and operating system is `RedHat`, install and disable `fapolicyd` on all new hosts. 2. Configure permissions for the SAP HANA directories on all new hosts. -3. If the variable `sap_hana_install_modify_selinux_labels` is set to `true`, configure `SElinux` on all new hosts. +3. If the variable `sap_hana_install_configure_selinux` is set to `true`, configure `SELinux` on all new hosts. 4. Prepare the directory defined in variable `sap_hana_install_software_directory`. 5. If the `hdblcm` was not found in the directory `sap_hana_install_software_directory`: - Find latest `SAPCAR` executable in the directory `sap_hana_install_software_directory` and use latest one matching OS Architecture. @@ -255,7 +255,7 @@ Steps: - This is not required during installation, because the `root` user is used instead. 3. If the variable `sap_hana_install_configure_fapolicy` is set to `true` and operating system is `RedHat`, install and disable `fapolicyd` on all new hosts. 4. Configure permissions for the SAP HANA directories on all new hosts. -5. If the variable `sap_hana_install_modify_selinux_labels` is set to `true`, configure `SElinux` on all new hosts. +5. If the variable `sap_hana_install_configure_selinux` is set to `true`, configure `SELinux` on all new hosts. 6. If the file `configfiles/configfile.cfg` is found in the directory defined in `sap_hana_install_software_directory`, make copy of it and use it for installation. - If the file was not found, create template using `hdblcm` command and fill it in with jinja2 template. 
@@ -291,7 +291,7 @@ Steps: 4. Recreate the initial tenant database if the variable `sap_hana_install_recreate_tenant_database` is set to `true`, for new installations. 5. Set expiration of unix users to `never` if the variable `sap_hana_install_set_sidadm_noexpire` is set to `true`, for new installations. 6. Apply firewall rules if the variable `sap_hana_install_update_firewall` is set to `true`. -7. Apply SElinux policies if the variable `sap_hana_install_modify_selinux_labels` is set to `true`. +7. Apply SELinux policies if the variable `sap_hana_install_configure_selinux` is set to `true`. 8. (Red Hat specific) Configure `fapolicyd` if the variable `sap_hana_install_configure_fapolicy` is set to `true`. Additionally, if `sap_hana_install_enable_fapolicyd` is set to `true`, also enable and start the `fapolicyd` service. 9. Output final status of installed system. @@ -305,7 +305,7 @@ Steps: 1. Update Secure User Store configuration (`hdbuserstore`) for `adm` user, for new hosts. 5. Set expiration of unix users to `never` if the variable `sap_hana_install_set_sidadm_noexpire` is set to `true`, for new hosts. 6. Apply firewall rules if the variable `sap_hana_install_update_firewall` is set to `true`. -7. Apply SElinux policies if the variable `sap_hana_install_modify_selinux_labels` is set to `true`. +7. Apply SELinux policies if the variable `sap_hana_install_configure_selinux` is set to `true`. 8. (Red Hat specific) Configure `fapolicyd` if the variable `sap_hana_install_configure_fapolicy` is set to `true`. Additionally, if `sap_hana_install_enable_fapolicyd` is set to `true`, also enable and start the `fapolicyd` service. 9. Output final status of installed system. diff --git a/roles/sap_hana_install/defaults/main.yml b/roles/sap_hana_install/defaults/main.yml index 0ffcf975a..80ca33564 100644 --- a/roles/sap_hana_install/defaults/main.yml +++ b/roles/sap_hana_install/defaults/main.yml 
@@ -124,7 +124,7 @@ sap_hana_install_recreate_tenant_database: false # For compatibility of SAP HANA with SELinux in enforcing mode, the role will recursively relabel directories and files # in `/hana` before the installation starts and in `/usr/sap` after the installation has finished. # If relabeling not desired, set the following variable to `false`. -sap_hana_install_modify_selinux_labels: true +sap_hana_install_configure_selinux: true ################ # Parameters for hdblcm: diff --git a/roles/sap_hana_install/tasks/main.yml b/roles/sap_hana_install/tasks/main.yml index 636fe6e34..a3937b0d1 100644 --- a/roles/sap_hana_install/tasks/main.yml +++ b/roles/sap_hana_install/tasks/main.yml @@ -53,7 +53,7 @@ # This can still be overwritten by extra variables. - name: SAP HANA Pre Install - Ensure SELinux does not execute for SLES ansible.builtin.set_fact: - sap_hana_install_modify_selinux_labels: false + sap_hana_install_configure_selinux: false when: ansible_os_family == "Suse" @@ -169,7 +169,7 @@ {% if sap_hana_install_update_firewall %} Firewall is enabled and SAP HANA ports are open. {% endif %} - {% if sap_hana_install_modify_selinux_labels %} + {% if sap_hana_install_configure_selinux %} SELinux file contexts are configured for SAP folders ({{ sap_hana_install_directories | map('quote') | join(', ') }}). {% endif %} {% if ansible_os_family == "RedHat" and sap_hana_install_configure_fapolicy %} diff --git a/roles/sap_hana_install/tasks/post_addhosts.yml b/roles/sap_hana_install/tasks/post_addhosts.yml index a3b2e59c7..47ed4fd7e 100644 --- a/roles/sap_hana_install/tasks/post_addhosts.yml +++ b/roles/sap_hana_install/tasks/post_addhosts.yml @@ -25,7 +25,7 @@ - name: SAP HANA - Addhosts - Post-Tasks - SELinux ansible.builtin.include_tasks: file: post_tasks/selinux.yml - when: sap_hana_install_modify_selinux_labels + when: sap_hana_install_configure_selinux - name: SAP HANA - Addhosts - Post-Tasks - Fapolicyd ansible.builtin.include_tasks: 
diff --git a/roles/sap_hana_install/tasks/post_install.yml b/roles/sap_hana_install/tasks/post_install.yml index dd827a95a..0e5aac790 100644 --- a/roles/sap_hana_install/tasks/post_install.yml +++ b/roles/sap_hana_install/tasks/post_install.yml @@ -76,7 +76,7 @@ - name: SAP HANA - Install - Post-Tasks - SELinux ansible.builtin.include_tasks: file: post_tasks/selinux.yml - when: sap_hana_install_modify_selinux_labels + when: sap_hana_install_configure_selinux - name: SAP HANA - Install - Post-Tasks - Fapolicyd ansible.builtin.include_tasks: diff --git a/roles/sap_hana_install/tasks/post_tasks/selinux.yml b/roles/sap_hana_install/tasks/post_tasks/selinux.yml index 92d4029a8..0111fcb2d 100644 --- a/roles/sap_hana_install/tasks/post_tasks/selinux.yml +++ b/roles/sap_hana_install/tasks/post_tasks/selinux.yml @@ -12,7 +12,7 @@ __sap_hana_install_target_setype_dict: target: "{{ __sap_hana_install_directory_item }}(/.*)?" setype: 'usr_t' - when: sap_hana_install_modify_selinux_labels + when: sap_hana_install_configure_selinux - name: SAP HANA - Post-Tasks - Configure SELinux file contexts for the remaining directories ansible.builtin.include_role: diff --git a/roles/sap_hana_install/tasks/pre_addhosts.yml b/roles/sap_hana_install/tasks/pre_addhosts.yml index 1952a2bc1..c2f10d423 100644 --- a/roles/sap_hana_install/tasks/pre_addhosts.yml +++ b/roles/sap_hana_install/tasks/pre_addhosts.yml @@ -58,7 +58,7 @@ ansible.builtin.include_tasks: file: pre_tasks/selinux.yml when: - - sap_hana_install_modify_selinux_labels + - sap_hana_install_configure_selinux - __sap_hana_install_fact_is_new_addhost_host diff --git a/roles/sap_hana_install/tasks/pre_install.yml b/roles/sap_hana_install/tasks/pre_install.yml index 613b73a38..93764e9b9 100644 --- a/roles/sap_hana_install/tasks/pre_install.yml +++ b/roles/sap_hana_install/tasks/pre_install.yml 
@@ -15,7 +15,7 @@ ansible.builtin.include_tasks: file: pre_tasks/selinux.yml when: - - sap_hana_install_modify_selinux_labels + - sap_hana_install_configure_selinux - not __sap_hana_install_fact_is_installed diff --git a/roles/sap_hana_install/tasks/pre_tasks/assert_variables.yml b/roles/sap_hana_install/tasks/pre_tasks/assert_variables.yml index f1ca89602..a96c6bf1a 100644 --- a/roles/sap_hana_install/tasks/pre_tasks/assert_variables.yml +++ b/roles/sap_hana_install/tasks/pre_tasks/assert_variables.yml @@ -104,7 +104,7 @@ FAIL: The variable 'sap_hana_install_directories' is empty. {% endif %} when: - - sap_hana_install_modify_selinux_labels or sap_hana_install_configure_fapolicy + - sap_hana_install_configure_selinux or sap_hana_install_configure_fapolicy # TODO: Issue#1123 Uncomment and update when fixing issue with use_master_password # Master Password cannot be used in combination with other initial passwords diff --git a/roles/sap_hana_install/tasks/pre_tasks/check_filesystems.yml b/roles/sap_hana_install/tasks/pre_tasks/check_filesystems.yml index 54a6d7eb5..b912bd80b 100644 --- a/roles/sap_hana_install/tasks/pre_tasks/check_filesystems.yml +++ b/roles/sap_hana_install/tasks/pre_tasks/check_filesystems.yml @@ -2,7 +2,7 @@ --- # We need to ensure that Scale-Out system has filesystems shared to avoid failure in hdblcm. -# We cannot fully test with 'touch' as it can be blocked by SElinux or Fapolicyd. +# We cannot fully test with 'touch' as it can be blocked by SELinux or Fapolicyd. # NOTE: We cannot validate shared filesystems for Scale-Up! From 261da3201cd91566fcefb284a6d4313460507313 Mon Sep 17 00:00:00 2001 From: Bernd Finger Date: Fri, 28 Nov 2025 14:42:38 +0100 Subject: [PATCH 08/14] sap_hana_install: Further improvements - Ensure backward compatibility with selinux and fapolicyd variables - Fix typo in fapolicyd var names - Improve explanation section for selinux var in defaults/main.yml 
Signed-off-by: Bernd Finger --- roles/sap_hana_install/README.md | 8 ++++---- roles/sap_hana_install/defaults/main.yml | 11 ++++++----- roles/sap_hana_install/tasks/main.yml | 18 +++++++++++++++--- roles/sap_hana_install/tasks/post_addhosts.yml | 6 +++--- roles/sap_hana_install/tasks/post_install.yml | 6 +++--- .../tasks/post_tasks/selinux.yml | 2 +- roles/sap_hana_install/tasks/pre_addhosts.yml | 4 ++-- roles/sap_hana_install/tasks/pre_install.yml | 4 ++-- .../tasks/pre_tasks/assert_variables.yml | 2 +- .../tasks/pre_tasks/fapolicyd.yml | 2 +- 10 files changed, 38 insertions(+), 25 deletions(-) diff --git a/roles/sap_hana_install/README.md b/roles/sap_hana_install/README.md index 50251d857..121444d3c 100644 --- a/roles/sap_hana_install/README.md +++ b/roles/sap_hana_install/README.md @@ -229,7 +229,7 @@ This part is performed when: - Existing SAP HANA was not detected. Steps: -1. If the variable `sap_hana_install_configure_fapolicy` is set to `true` and operating system is `RedHat`, install and disable `fapolicyd` on all new hosts. +1. If the variable `sap_hana_install_configure_fapolicyd` is set to `true` and operating system is `RedHat`, install and disable `fapolicyd` on all new hosts. 2. Configure permissions for the SAP HANA directories on all new hosts. 3. If the variable `sap_hana_install_configure_selinux` is set to `true`, configure `SELinux` on all new hosts. 4. Prepare the directory defined in variable `sap_hana_install_software_directory`. 
@@ -253,7 +253,7 @@ Steps: - Generate password hash for `sapadm` user using the value of `sap_hana_install_sapadm_password` variable. 2. Create the user `adm` on all addhosts. - This is not required during installation, because the `root` user is used instead. -3. If the variable `sap_hana_install_configure_fapolicy` is set to `true` and operating system is `RedHat`, install and disable `fapolicyd` on all new hosts. +3. If the variable `sap_hana_install_configure_fapolicyd` is set to `true` and operating system is `RedHat`, install and disable `fapolicyd` on all new hosts. 4. Configure permissions for the SAP HANA directories on all new hosts. 5. If the variable `sap_hana_install_configure_selinux` is set to `true`, configure `SELinux` on all new hosts. 6. If the file `configfiles/configfile.cfg` is found in the directory defined in `sap_hana_install_software_directory`, make copy of it and use it for installation. @@ -292,7 +292,7 @@ Steps: 5. Set expiration of unix users to `never` if the variable `sap_hana_install_set_sidadm_noexpire` is set to `true`, for new installations. 6. Apply firewall rules if the variable `sap_hana_install_update_firewall` is set to `true`. 7. Apply SELinux policies if the variable `sap_hana_install_configure_selinux` is set to `true`. -8. (Red Hat specific) Configure `fapolicyd` if the variable `sap_hana_install_configure_fapolicy` is set to `true`. +8. (Red Hat specific) Configure `fapolicyd` if the variable `sap_hana_install_configure_fapolicyd` is set to `true`. Additionally, if `sap_hana_install_enable_fapolicyd` is set to `true`, also enable and start the `fapolicyd` service. 9. Output final status of installed system. 
@@ -306,7 +306,7 @@ Steps: 5. Set expiration of unix users to `never` if the variable `sap_hana_install_set_sidadm_noexpire` is set to `true`, for new hosts. 6. Apply firewall rules if the variable `sap_hana_install_update_firewall` is set to `true`. 7. Apply SELinux policies if the variable `sap_hana_install_configure_selinux` is set to `true`. -8. (Red Hat specific) Configure `fapolicyd` if the variable `sap_hana_install_configure_fapolicy` is set to `true`. +8. (Red Hat specific) Configure `fapolicyd` if the variable `sap_hana_install_configure_fapolicyd` is set to `true`. Additionally, if `sap_hana_install_enable_fapolicyd` is set to `true`, also enable and start the `fapolicyd` service. 9. Output final status of installed system. diff --git a/roles/sap_hana_install/defaults/main.yml b/roles/sap_hana_install/defaults/main.yml index 80ca33564..a4e26977a 100644 --- a/roles/sap_hana_install/defaults/main.yml +++ b/roles/sap_hana_install/defaults/main.yml @@ -32,9 +32,9 @@ sap_hana_install_keep_copied_sarfiles: false # (RedHat specific) fapolicyd package is present on RedHat systems # For installing SAP HANA with fapolicyd support, set the following variable to `true`: -sap_hana_install_configure_fapolicy: false +sap_hana_install_configure_fapolicyd: false -# (RedHat specific) desired fapolicyd service status (only if sap_hana_install_configure_fapolicy is 'true') +# (RedHat specific) desired fapolicyd service status (only if sap_hana_install_configure_fapolicyd is 'true') # For enabling and starting the fapolicyd service after the installation has finished, set the following variable to `true`: sap_hana_install_enable_fapolicyd: false 
@@ -121,9 +121,10 @@ sap_hana_install_new_system: true # In case this is not desired, you can set the following parameter to `true` to recreate the initial tenant database. sap_hana_install_recreate_tenant_database: false -# For compatibility of SAP HANA with SELinux in enforcing mode, the role will recursively relabel directories and files -# in `/hana` before the installation starts and in `/usr/sap` after the installation has finished. -# If relabeling not desired, set the following variable to `false`. +# For compatibility of SAP HANA with SELinux in enforcing mode, the role will set the SELinux boolean 'selinuxuser_execmod' to 'on'. +# It will also recursively relabel directories and files in `/hana` before the installation starts and in all other directories +# specified in 'sap_hana_install_directories' after the installation has finished. +# If this not desired, set the following variable to `false`. sap_hana_install_configure_selinux: true ################ diff --git a/roles/sap_hana_install/tasks/main.yml b/roles/sap_hana_install/tasks/main.yml index a3937b0d1..66ccaeb48 100644 --- a/roles/sap_hana_install/tasks/main.yml +++ b/roles/sap_hana_install/tasks/main.yml @@ -39,6 +39,18 @@ - sap_hana_install_set_log_mode - sap_hana_install_configure_firewall +# Load selinux and fapolicyd variables while maintaining backwards compatibility +- name: SAP HANA - Main - Set variables for selinux and fapolicyd + ansible.builtin.set_fact: + __sap_hana_install_configure_selinux: + "{{ sap_hana_install_modify_selinux_labels | d(false) + if sap_hana_install_configure_selinux is not defined + else sap_hana_install_configure_selinux | bool }}" + __sap_hana_install_configure_fapolicyd: + "{{ sap_hana_install_use_fapolicyd | d(false) + if sap_hana_install_configure_fapolicyd is not defined + else sap_hana_install_configure_fapolicyd | bool }}" + - name: SAP HANA - Main - Validate the role variables ansible.builtin.include_tasks: file: pre_tasks/assert_variables.yml 
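Review bot: The legacy fallback in the added `Set variables for selinux and fapolicyd` task looks unreachable, because both new names have role defaults (`sap_hana_install_configure_selinux: true`, `sap_hana_install_configure_fapolicyd: false` in defaults/main.yml), so `is not defined` should never be true inside the role. A playbook that still sets `sap_hana_install_use_fapolicyd: true` would then silently install without fapolicyd rules, and one that sets `sap_hana_install_modify_selinux_labels: false` would still get the relabel and the `selinuxuser_execmod` boolean. Testing the legacy name for definedness instead, and piping it through `| bool` as the new-name branch already does, restores the intended behaviour; a deprecation message when the old name is used would also help. The same expressions are moved unchanged into pre_tasks/prepare_variables.yml in PATCH 10/14, so the fix applies there too.

```yaml
  ansible.builtin.set_fact:
    __sap_hana_install_configure_selinux:
      "{{ sap_hana_install_modify_selinux_labels | bool
          if sap_hana_install_modify_selinux_labels is defined
          else sap_hana_install_configure_selinux | bool }}"
    __sap_hana_install_configure_fapolicyd:
      "{{ sap_hana_install_use_fapolicyd | bool
          if sap_hana_install_use_fapolicyd is defined
          else sap_hana_install_configure_fapolicyd | bool }}"
```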
@@ -53,7 +65,7 @@ # This can still be overwritten by extra variables. - name: SAP HANA Pre Install - Ensure SELinux does not execute for SLES ansible.builtin.set_fact: - sap_hana_install_configure_selinux: false + __sap_hana_install_configure_selinux: false when: ansible_os_family == "Suse" @@ -169,10 +181,10 @@ {% if sap_hana_install_update_firewall %} Firewall is enabled and SAP HANA ports are open. {% endif %} - {% if sap_hana_install_configure_selinux %} + {% if __sap_hana_install_configure_selinux %} SELinux file contexts are configured for SAP folders ({{ sap_hana_install_directories | map('quote') | join(', ') }}). {% endif %} - {% if ansible_os_family == "RedHat" and sap_hana_install_configure_fapolicy %} + {% if ansible_os_family == "RedHat" and __sap_hana_install_configure_fapolicyd %} Fapolicyd is configured for SAP folders ({{ sap_hana_install_directories | map('quote') | join(', ') }}). {% endif %} vars: diff --git a/roles/sap_hana_install/tasks/post_addhosts.yml b/roles/sap_hana_install/tasks/post_addhosts.yml index 47ed4fd7e..1da3b61b8 100644 --- a/roles/sap_hana_install/tasks/post_addhosts.yml +++ b/roles/sap_hana_install/tasks/post_addhosts.yml @@ -25,7 +25,7 @@ - name: SAP HANA - Addhosts - Post-Tasks - SELinux ansible.builtin.include_tasks: file: post_tasks/selinux.yml - when: sap_hana_install_configure_selinux + when: __sap_hana_install_configure_selinux - name: SAP HANA - Addhosts - Post-Tasks - Fapolicyd ansible.builtin.include_tasks: @@ -33,5 +33,5 @@ when: # Ensure fapolicyd is checked only on supported systems. - ansible_os_family == "RedHat" - - sap_hana_install_configure_fapolicy - tags: sap_hana_install_configure_fapolicy + - __sap_hana_install_configure_fapolicyd + tags: sap_hana_install_configure_fapolicyd diff --git a/roles/sap_hana_install/tasks/post_install.yml b/roles/sap_hana_install/tasks/post_install.yml index 0e5aac790..c7c5764a4 100644 --- a/roles/sap_hana_install/tasks/post_install.yml 
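Review bot: The context comment `# This can still be overwritten by extra variables.` above the SLES task no longer matches the code once the fact is renamed to `__sap_hana_install_configure_selinux`. An extra variable for the public `sap_hana_install_configure_selinux` is read only by the earlier compatibility task and is then replaced by this unconditional `false` on Suse, so only an extra variable for the internal name would still take precedence. I would reword it to `# This overrides 'sap_hana_install_configure_selinux' on SLES; only an extra variable named '__sap_hana_install_configure_selinux' still takes precedence.` or add a condition if the user override is meant to stay. The same comment is carried into pre_tasks/prepare_variables.yml in PATCH 10/14.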
+++ b/roles/sap_hana_install/tasks/post_install.yml @@ -76,7 +76,7 @@ - name: SAP HANA - Install - Post-Tasks - SELinux ansible.builtin.include_tasks: file: post_tasks/selinux.yml - when: sap_hana_install_configure_selinux + when: __sap_hana_install_configure_selinux - name: SAP HANA - Install - Post-Tasks - Fapolicyd ansible.builtin.include_tasks: @@ -84,5 +84,5 @@ when: # Ensure fapolicyd is checked only on supported systems. - ansible_os_family == "RedHat" - - sap_hana_install_configure_fapolicy - tags: sap_hana_install_configure_fapolicy + - __sap_hana_install_configure_fapolicyd + tags: sap_hana_install_configure_fapolicyd diff --git a/roles/sap_hana_install/tasks/post_tasks/selinux.yml b/roles/sap_hana_install/tasks/post_tasks/selinux.yml index 0111fcb2d..56cb511b7 100644 --- a/roles/sap_hana_install/tasks/post_tasks/selinux.yml +++ b/roles/sap_hana_install/tasks/post_tasks/selinux.yml @@ -12,7 +12,7 @@ __sap_hana_install_target_setype_dict: target: "{{ __sap_hana_install_directory_item }}(/.*)?" setype: 'usr_t' - when: sap_hana_install_configure_selinux + when: __sap_hana_install_configure_selinux - name: SAP HANA - Post-Tasks - Configure SELinux file contexts for the remaining directories ansible.builtin.include_role: diff --git a/roles/sap_hana_install/tasks/pre_addhosts.yml b/roles/sap_hana_install/tasks/pre_addhosts.yml index c2f10d423..9e90c08b4 100644 --- a/roles/sap_hana_install/tasks/pre_addhosts.yml +++ b/roles/sap_hana_install/tasks/pre_addhosts.yml 
@@ -51,14 +51,14 @@ # Ensure fapolicyd is checked only on supported systems. - ansible_os_family == "RedHat" - __sap_hana_install_fact_is_new_addhost_host - tags: sap_hana_install_configure_fapolicy + tags: sap_hana_install_configure_fapolicyd - name: SAP HANA - Addhosts - Pre-Tasks - Configure SELinux file contexts for {{ sap_hana_install_root_path }} ansible.builtin.include_tasks: file: pre_tasks/selinux.yml when: - - sap_hana_install_configure_selinux + - __sap_hana_install_configure_selinux - __sap_hana_install_fact_is_new_addhost_host diff --git a/roles/sap_hana_install/tasks/pre_install.yml b/roles/sap_hana_install/tasks/pre_install.yml index 93764e9b9..0772a7aa0 100644 --- a/roles/sap_hana_install/tasks/pre_install.yml +++ b/roles/sap_hana_install/tasks/pre_install.yml @@ -8,14 +8,14 @@ # Ensure fapolicyd is checked only on supported systems. - ansible_os_family == "RedHat" - not __sap_hana_install_fact_is_installed - tags: sap_hana_install_configure_fapolicy + tags: sap_hana_install_configure_fapolicyd - name: SAP HANA - Install - Pre-Tasks - Configure SELinux file contexts for {{ sap_hana_install_root_path }} ansible.builtin.include_tasks: file: pre_tasks/selinux.yml when: - - sap_hana_install_configure_selinux + - __sap_hana_install_configure_selinux - not __sap_hana_install_fact_is_installed diff --git a/roles/sap_hana_install/tasks/pre_tasks/assert_variables.yml b/roles/sap_hana_install/tasks/pre_tasks/assert_variables.yml index a96c6bf1a..af17c281f 100644 --- a/roles/sap_hana_install/tasks/pre_tasks/assert_variables.yml +++ b/roles/sap_hana_install/tasks/pre_tasks/assert_variables.yml 
@@ -104,7 +104,7 @@ FAIL: The variable 'sap_hana_install_directories' is empty. {% endif %} when: - - sap_hana_install_configure_selinux or sap_hana_install_configure_fapolicy + - __sap_hana_install_configure_selinux or __sap_hana_install_configure_fapolicyd # TODO: Issue#1123 Uncomment and update when fixing issue with use_master_password # Master Password cannot be used in combination with other initial passwords diff --git a/roles/sap_hana_install/tasks/pre_tasks/fapolicyd.yml b/roles/sap_hana_install/tasks/pre_tasks/fapolicyd.yml index ae2b55531..4adead8f9 100644 --- a/roles/sap_hana_install/tasks/pre_tasks/fapolicyd.yml +++ b/roles/sap_hana_install/tasks/pre_tasks/fapolicyd.yml @@ -5,7 +5,7 @@ ansible.builtin.package: name: fapolicyd state: present - when: sap_hana_install_configure_fapolicy + when: __sap_hana_install_configure_fapolicyd # We must ensure fapolicyd is disabled before installing SAP HANA in all cases. # Otherwise, the installation of SAP HANA will fail. From c4ea37dd7e19af4b2ac9e401f2702db6699d08a9 Mon Sep 17 00:00:00 2001 From: Bernd Finger Date: Fri, 28 Nov 2025 16:31:26 +0100 Subject: [PATCH 09/14] sap_hana_install: Remove superfluous when condition Relates to #1134. Signed-off-by: Bernd Finger --- roles/sap_hana_install/tasks/post_tasks/selinux.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/sap_hana_install/tasks/post_tasks/selinux.yml b/roles/sap_hana_install/tasks/post_tasks/selinux.yml index 56cb511b7..8ddd56741 100644 --- a/roles/sap_hana_install/tasks/post_tasks/selinux.yml +++ b/roles/sap_hana_install/tasks/post_tasks/selinux.yml @@ -12,7 +12,6 @@ __sap_hana_install_target_setype_dict: target: "{{ __sap_hana_install_directory_item }}(/.*)?" setype: 'usr_t' - when: __sap_hana_install_configure_selinux - name: SAP HANA - Post-Tasks - Configure SELinux file contexts for the remaining directories ansible.builtin.include_role: From 1e6a660ce16ae22d65e6e9ed701598171cf3cef5 Mon Sep 17 00:00:00 2001 
From: Bernd Finger Date: Sun, 30 Nov 2025 07:21:12 +0100 Subject: [PATCH 10/14] sap_hana_install: Further improvements - Move variable preparation, including assertions, to separate task file - Set the default for starting fapolicyd to 'true' Relates to #1134. Signed-off-by: Bernd Finger --- roles/sap_hana_install/defaults/main.yml | 5 +- roles/sap_hana_install/tasks/main.yml | 64 +------- ...rt_variables.yml => prepare_variables.yml} | 143 +++++++++++++----- 3 files changed, 109 insertions(+), 103 deletions(-) rename roles/sap_hana_install/tasks/pre_tasks/{assert_variables.yml => prepare_variables.yml} (71%) diff --git a/roles/sap_hana_install/defaults/main.yml b/roles/sap_hana_install/defaults/main.yml index a4e26977a..2eb5b6231 100644 --- a/roles/sap_hana_install/defaults/main.yml +++ b/roles/sap_hana_install/defaults/main.yml @@ -35,8 +35,9 @@ sap_hana_install_keep_copied_sarfiles: false sap_hana_install_configure_fapolicyd: false # (RedHat specific) desired fapolicyd service status (only if sap_hana_install_configure_fapolicyd is 'true') -# For enabling and starting the fapolicyd service after the installation has finished, set the following variable to `true`: -sap_hana_install_enable_fapolicyd: false +# For not enabling and and not starting the fapolicyd service after the installation has finished, set the following +# variable to `false`: +sap_hana_install_enable_fapolicyd: true # (RedHat specific) fapolicyd integrity level # When using fapolicyd, you can set the following variable to one of `none`, `size`, `sha256`, or `ima`. Note that before setting diff --git a/roles/sap_hana_install/tasks/main.yml b/roles/sap_hana_install/tasks/main.yml index 66ccaeb48..5ed85e705 100644 --- a/roles/sap_hana_install/tasks/main.yml +++ b/roles/sap_hana_install/tasks/main.yml 
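Review bot: The rewritten comment for `sap_hana_install_enable_fapolicyd` has a doubled word ("For not enabling and and not starting") and reads awkwardly for a setting that now defaults to enforcement being switched on. Suggested wording: `# To leave the fapolicyd service disabled and stopped after the installation has finished, set the following variable to 'false':`. Since the default flips from `false` to `true`, hosts that set `sap_hana_install_configure_fapolicyd: true` will end the run with fapolicyd active, which is presumably intended but is worth a changelog entry, because it changes the state existing playbooks leave behind.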
@@ -1,59 +1,10 @@ # SPDX-License-Identifier: Apache-2.0 --- -# Load variables while maintaining backwards compatibility when variable is empty string. -# Check if variable is defined and non-empty before using it, otherwise fall back to backwards -# compatible variable or default empty string that will fail asserts afterwards. -# NOTE: This is not __var assignment so it will not override user specified vars due to precedence! -- name: SAP HANA - Main - Set mandatory variables used by hdblcm configfile - ansible.builtin.set_fact: - sap_hana_install_sid: - "{{ sap_hana_sid | d('') - if sap_hana_install_sid | string | length == 0 - else sap_hana_install_sid }}" - sap_hana_install_number: - "{{ sap_hana_instance_number | d(sap_hana_install_instance_nr) | d(sap_hana_install_instance_number) | d('') - if sap_hana_install_number | string | length == 0 - else sap_hana_install_number }}" - sap_hana_install_system_usage: "{{ sap_hana_install_env_type | d(sap_hana_install_system_usage) | d('custom') }}" - sap_hana_install_restrict_max_mem: "{{ sap_hana_install_mem_restrict | d(sap_hana_install_restrict_max_mem) | d('n') }}" - tags: - - sap_hana_install_check_hana_exists - - sap_hana_install_check_installation - - sap_hana_install_preinstall - - sap_hana_install_set_log_mode - - sap_hana_install_configure_firewall - -# Separate task for password with no_log -- name: SAP HANA - Main - Set mandatory variables used by hdblcm configfile - passwords - ansible.builtin.set_fact: - sap_hana_install_master_password: - "{{ sap_hana_install_common_master_password | d('') - if sap_hana_install_master_password is not defined or sap_hana_install_master_password | string | length == 0 - else sap_hana_install_master_password }}" - no_log: true # Required for password handling - tags: - - sap_hana_install_check_hana_exists - - sap_hana_install_check_installation - - sap_hana_install_preinstall - - sap_hana_install_set_log_mode - - sap_hana_install_configure_firewall - -# Load selinux and 
fapolicyd variables while maintaining backwards compatibility -- name: SAP HANA - Main - Set variables for selinux and fapolicyd - ansible.builtin.set_fact: - __sap_hana_install_configure_selinux: - "{{ sap_hana_install_modify_selinux_labels | d(false) - if sap_hana_install_configure_selinux is not defined - else sap_hana_install_configure_selinux | bool }}" - __sap_hana_install_configure_fapolicyd: - "{{ sap_hana_install_use_fapolicyd | d(false) - if sap_hana_install_configure_fapolicyd is not defined - else sap_hana_install_configure_fapolicyd | bool }}" - -- name: SAP HANA - Main - Validate the role variables +# SAP HANA +- name: SAP HANA - Main - Prepare some variables ansible.builtin.include_tasks: - file: pre_tasks/assert_variables.yml + file: pre_tasks/prepare_variables.yml tags: - sap_hana_install_check_hana_exists - sap_hana_install_check_installation @@ -61,14 +12,6 @@ - sap_hana_install_set_log_mode - sap_hana_install_configure_firewall -# SELinux is not currently supported by SAP using SLES4SAP -# This can still be overwritten by extra variables. -- name: SAP HANA Pre Install - Ensure SELinux does not execute for SLES - ansible.builtin.set_fact: - __sap_hana_install_configure_selinux: false - when: ansible_os_family == "Suse" - - # SAP HANA presence has to be validated for both new system and adding new hosts. - name: SAP HANA - Main - Validate presence of existing SAP HANA database ansible.builtin.include_tasks: @@ -105,7 +48,6 @@ - name: SAP HANA - Install - Pre-Tasks ansible.builtin.include_tasks: file: pre_install.yml - tags: sap_hana_install_preinstall - name: SAP HANA - Install ansible.builtin.include_tasks: diff --git a/roles/sap_hana_install/tasks/pre_tasks/assert_variables.yml b/roles/sap_hana_install/tasks/pre_tasks/prepare_variables.yml similarity index 71% rename from roles/sap_hana_install/tasks/pre_tasks/assert_variables.yml rename to roles/sap_hana_install/tasks/pre_tasks/prepare_variables.yml index af17c281f..2462c7e8e 100644 
--- a/roles/sap_hana_install/tasks/pre_tasks/assert_variables.yml +++ b/roles/sap_hana_install/tasks/pre_tasks/prepare_variables.yml @@ -1,6 +1,32 @@ # SPDX-License-Identifier: Apache-2.0 --- +# Load variables while maintaining backwards compatibility when variable is empty string. +# Check if variable is defined and non-empty before using it, otherwise fall back to backwards +# compatible variable or default empty string that will fail asserts afterwards. +# NOTE: This is not __var assignment so it will not override user specified vars due to precedence! +# +# Vars used in the hdblcm ćonfigfile: +- name: SAP HANA - Pre-Tasks - Set mandatory variables used by hdblcm configfile + ansible.builtin.set_fact: + sap_hana_install_sid: + "{{ sap_hana_sid | d('') + if sap_hana_install_sid | string | length == 0 + else sap_hana_install_sid }}" + sap_hana_install_number: + "{{ sap_hana_instance_number | d(sap_hana_install_instance_nr) | d(sap_hana_install_instance_number) | d('') + if sap_hana_install_number | string | length == 0 + else sap_hana_install_number }}" + sap_hana_install_system_usage: "{{ sap_hana_install_env_type | d(sap_hana_install_system_usage) | d('custom') }}" + sap_hana_install_restrict_max_mem: "{{ sap_hana_install_mem_restrict | d(sap_hana_install_restrict_max_mem) | d('n') }}" + tags: + - sap_hana_install_check_hana_exists + - sap_hana_install_check_installation + - sap_hana_install_preinstall + - sap_hana_install_set_log_mode + - sap_hana_install_configure_firewall + +# SID - name: SAP HANA - Pre-Tasks - Assert that the variable 'sap_hana_install_sid' is defined as String consisting of 3 characters ansible.builtin.assert: that: @@ -26,6 +52,7 @@ fail_msg: | FAIL: The SAP HANA System ID '{{ sap_hana_install_sid }}' is in the list of reserved SAP SIDs in SAP note 1979280 v.20! +# Instance Number - name: Assert that the variable 'sap_hana_install_number' is defined as String consisting of 2 digits ansible.builtin.assert: that: 
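Review bot: The added header comment `# Vars used in the hdblcm ćonfigfile:` contains a stray accented character; it should read `# Vars used in the hdblcm configfile:`. The accented form also defeats a plain-text search for "configfile" in this file.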
@@ -44,6 +71,21 @@ FAIL: The SAP HANA Instance Number '{{ sap_hana_install_number }}' is not 2 digits! {% endif %} +# Master password +- name: SAP HANA - Pre-Tasks - Set mandatory variables used by hdblcm configfile - passwords + ansible.builtin.set_fact: + sap_hana_install_master_password: + "{{ sap_hana_install_common_master_password | d('') + if sap_hana_install_master_password is not defined or sap_hana_install_master_password | string | length == 0 + else sap_hana_install_master_password }}" + no_log: true # Required for password handling + tags: + - sap_hana_install_check_hana_exists + - sap_hana_install_check_installation + - sap_hana_install_preinstall + - sap_hana_install_set_log_mode + - sap_hana_install_configure_firewall + - name: SAP HANA - Pre-Tasks - Assert that the variable 'sap_hana_install_master_password' is defined as String and not empty ansible.builtin.assert: that: 
@@ -61,7 +103,49 @@ FAIL: The variable 'sap_hana_install_master_password' is empty. {% endif %} +# TODO: Issue#1123 Uncomment and update when fixing issue with use_master_password +# Master Password cannot be used in combination with other initial passwords +# Mandatory parameter 'password' (Password) is missing or invalid + +# # This will not replace user defined variables due to variable precedence. +# - name: SAP HANA - Pre-Tasks - Set password facts when using master password +# ansible.builtin.set_fact: +# sap_hana_install_sapadm_password: "{{ sap_hana_install_master_password }}" +# sap_hana_install_sidadm_password: "{{ sap_hana_install_master_password }}" +# sap_hana_install_db_system_password: "{{ sap_hana_install_master_password }}" +# sap_hana_install_ase_user_password: "{{ sap_hana_install_master_password }}" +# sap_hana_install_xs_org_password: "{{ sap_hana_install_master_password }}" +# sap_hana_install_lss_user_password: "{{ sap_hana_install_master_password }}" +# sap_hana_install_lss_backup_password: "{{ sap_hana_install_master_password }}" +# no_log: true +# when: +# - sap_hana_install_use_master_password is defined +# - sap_hana_install_use_master_password == 'y' + + +# - name: SAP HANA - Pre-Tasks - Assert that the variable 'sap_hana_install_sapadm_password' is defined as String and not empty +# ansible.builtin.assert: +# that: +# - sap_hana_install_sapadm_password is defined +# - sap_hana_install_sapadm_password is string +# - sap_hana_install_sapadm_password | trim | length > 0 +# success_msg: | +# PASS: The variable 'sap_hana_install_sapadm_password' is defined as String and not empty. +# fail_msg: | +# {% if sap_hana_install_sapadm_password is not defined %} +# FAIL: The variable 'sap_hana_install_sapadm_password' is not defined. +# {% elif sap_hana_install_sapadm_password is not string %} +# FAIL: The variable 'sap_hana_install_sapadm_password' is not String. +# {% else %} +# FAIL: The variable 'sap_hana_install_sapadm_password' is empty. 
+# {% endif %} +# This variable is required when 'sap_hana_install_new_system' is set to false. +# when: +# - not sap_hana_install_new_system +# - sap_hana_install_use_master_password is undefined +# or sap_hana_install_use_master_password != 'y' +# addhosts - name: SAP HANA - Pre-Tasks - Assert that the variable 'sap_hana_install_addhosts' is defined as String and not empty ansible.builtin.assert: that: @@ -82,6 +166,19 @@ when: - not sap_hana_install_new_system +# Load selinux and fapolicyd related variables while maintaining backwards compatibility +- name: SAP HANA - Pre-Tasks - Set variables for selinux and fapolicyd + ansible.builtin.set_fact: + __sap_hana_install_configure_selinux: + "{{ sap_hana_install_modify_selinux_labels | d(false) + if sap_hana_install_configure_selinux is not defined + else sap_hana_install_configure_selinux | bool }}" + __sap_hana_install_configure_fapolicyd: + "{{ sap_hana_install_use_fapolicyd | d(false) + if sap_hana_install_configure_fapolicyd is not defined + else sap_hana_install_configure_fapolicyd | bool }}" + +# SAP HANA Directories processed by selinux and fapolicyd - name: SAP HANA - Pre-Tasks - Assert that the variable 'sap_hana_install_directories' is defined as a list containing at least one directory ansible.builtin.assert: that: 
@@ -106,44 +203,10 @@ when: - __sap_hana_install_configure_selinux or __sap_hana_install_configure_fapolicyd -# TODO: Issue#1123 Uncomment and update when fixing issue with use_master_password -# Master Password cannot be used in combination with other initial passwords -# Mandatory parameter 'password' (Password) is missing or invalid - -# # This will not replace user defined variables due to variable precedence. -# - name: SAP HANA - Pre-Tasks - Set password facts when using master password -# ansible.builtin.set_fact: -# sap_hana_install_sapadm_password: "{{ sap_hana_install_master_password }}" -# sap_hana_install_sidadm_password: "{{ sap_hana_install_master_password }}" -# sap_hana_install_db_system_password: "{{ sap_hana_install_master_password }}" -# sap_hana_install_ase_user_password: "{{ sap_hana_install_master_password }}" -# sap_hana_install_xs_org_password: "{{ sap_hana_install_master_password }}" -# sap_hana_install_lss_user_password: "{{ sap_hana_install_master_password }}" -# sap_hana_install_lss_backup_password: "{{ sap_hana_install_master_password }}" -# no_log: true -# when: -# - sap_hana_install_use_master_password is defined -# - sap_hana_install_use_master_password == 'y' - +# SELinux is not currently supported by SAP using SLES4SAP +# This can still be overwritten by extra variables. +- name: SAP HANA Pre Install - Ensure SELinux does not execute for SLES + ansible.builtin.set_fact: + __sap_hana_install_configure_selinux: false + when: ansible_os_family == "Suse" -# - name: SAP HANA - Pre-Tasks - Assert that the variable 'sap_hana_install_sapadm_password' is defined as String and not empty -# ansible.builtin.assert: -# that: -# - sap_hana_install_sapadm_password is defined -# - sap_hana_install_sapadm_password is string -# - sap_hana_install_sapadm_password | trim | length > 0 -# success_msg: | -# PASS: The variable 'sap_hana_install_sapadm_password' is defined as String and not empty. 
-# fail_msg: | -# {% if sap_hana_install_sapadm_password is not defined %} -# FAIL: The variable 'sap_hana_install_sapadm_password' is not defined. -# {% elif sap_hana_install_sapadm_password is not string %} -# FAIL: The variable 'sap_hana_install_sapadm_password' is not String. -# {% else %} -# FAIL: The variable 'sap_hana_install_sapadm_password' is empty. -# {% endif %} -# This variable is required when 'sap_hana_install_new_system' is set to false. -# when: -# - not sap_hana_install_new_system -# - sap_hana_install_use_master_password is undefined -# or sap_hana_install_use_master_password != 'y' From 4798277bb1bc2fd0f64783baf93ca794434ca111 Mon Sep 17 00:00:00 2001 From: Bernd Finger Date: Mon, 1 Dec 2025 08:22:21 +0100 Subject: [PATCH 11/14] sap_hana_preconfigure: No longer mention ssh in debug message It should be sufficient to display the local command to be executed on the managed node. Signed-off-by: Bernd Finger --- roles/sap_hana_install/tasks/hana_install.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/roles/sap_hana_install/tasks/hana_install.yml b/roles/sap_hana_install/tasks/hana_install.yml index 1ffa0700f..a3ee2e9e6 100644 --- a/roles/sap_hana_install/tasks/hana_install.yml +++ b/roles/sap_hana_install/tasks/hana_install.yml @@ -18,8 +18,6 @@ - 'Once the task "Install SAP HANA" has started, you can use the following command' - 'in a terminal session on {{ inventory_hostname }} to watch the install progress in real time:' - "{{ __sap_hana_install_register_tmpdir.path }}/tail-f-hdblcm-install-trc.sh" - - 'Alternatively, you can run the following command on the control node:' - - "ssh {{ inventory_hostname }} {{ __sap_hana_install_register_tmpdir.path }}/tail-f-hdblcm-install-trc.sh" - name: SAP HANA - Install - Set fact for the hdblcm verify_signature argument ansible.builtin.set_fact: From 02350882ded48c195dfa7696918cbf278040e93f Mon Sep 17 00:00:00 2001 
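Review bot: The added task `SAP HANA Pre Install - Ensure SELinux does not execute for SLES` sits after the `sap_hana_install_directories` assert, whose `when: __sap_hana_install_configure_selinux or __sap_hana_install_configure_fapolicyd` is the context at the top of this hunk. On SUSE hosts that assert is therefore still gated on the value from before the override and can fail on a variable the role will then not use. Placing the override directly after the `Set variables for selinux and fapolicyd` task would keep the gate consistent with what actually runs. The override also switches off a requested security control with no output; a short `ansible.builtin.debug` message, emitted when the value was `true` before the reset, would make the skipped SELinux labelling visible in the play log. As a style point, the task name prefix differs from the `SAP HANA - Pre-Tasks -` prefix used by the neighbouring tasks.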
From: Bernd Finger Date: Mon, 1 Dec 2025 09:53:03 +0100 Subject: [PATCH 12/14] sap_hana_preconfigure: Prioritize old selinux and faplicyd vars If sap_hana_install_modify_selinux_labels is defined in a playbook or inventory, use that one instead of sap_hana_install_configure_selinux (which is also defined in defaults/main.ylm). If sap_hana_install_use_fapolicyd is defined in a playbook or inventory, use that one instead of sap_hana_install_configure_fapolicyd (which is also defined in defaults/main.ylm). As a consequence, when using the new variables, the old ones should be removed from the playbook or inventory - otherwise, the new variables will be ignored. Relates to #1134. Signed-off-by: Bernd Finger --- roles/sap_hana_install/tasks/pre_tasks/prepare_variables.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/sap_hana_install/tasks/pre_tasks/prepare_variables.yml b/roles/sap_hana_install/tasks/pre_tasks/prepare_variables.yml index 2462c7e8e..a15aee356 100644 --- a/roles/sap_hana_install/tasks/pre_tasks/prepare_variables.yml +++ b/roles/sap_hana_install/tasks/pre_tasks/prepare_variables.yml @@ -171,11 +171,11 @@ ansible.builtin.set_fact: __sap_hana_install_configure_selinux: "{{ sap_hana_install_modify_selinux_labels | d(false) - if sap_hana_install_configure_selinux is not defined + if sap_hana_install_modify_selinux_labels is defined and (sap_hana_install_modify_selinux_labels | type_debug) == 'bool' else sap_hana_install_configure_selinux | bool }}" __sap_hana_install_configure_fapolicyd: "{{ sap_hana_install_use_fapolicyd | d(false) - if sap_hana_install_configure_fapolicyd is not defined + if sap_hana_install_use_fapolicyd is defined and (sap_hana_install_use_fapolicyd | type_debug) == 'bool' else sap_hana_install_configure_fapolicyd | bool }}" # SAP HANA Directories processed by selinux and fapolicyd From b71a3719d583c470bf4e8458981fd142adf2ea74 Mon Sep 17 00:00:00 2001 
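Review bot: The new `type_debug == 'bool'` test in the `__sap_hana_install_configure_selinux` expression silently discards a legacy value that is not a native boolean. A `sap_hana_install_modify_selinux_labels` passed as `-e name=true`, or quoted in an inventory, arrives as a string, so the expression falls through to `sap_hana_install_configure_selinux` and the operator's explicit choice is ignored without a message. Unless the type test is there to skip a non-boolean placeholder defined elsewhere in the role (not visible in this hunk), testing only `is defined` and normalising both branches keeps the stated precedence: `"{{ sap_hana_install_modify_selinux_labels | bool if sap_hana_install_modify_selinux_labels is defined else sap_hana_install_configure_selinux | bool }}"`. The `| d(false)` on the first branch can never take effect once `is defined` has been tested and can be dropped. The same applies to the `__sap_hana_install_configure_fapolicyd` expression in this hunk.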
From: Bernd Finger Date: Mon, 1 Dec 2025 10:15:54 +0100 Subject: [PATCH 13/14] sap_hana_install: Fix linting error Signed-off-by: Bernd Finger --- roles/sap_hana_install/tasks/pre_tasks/prepare_variables.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/sap_hana_install/tasks/pre_tasks/prepare_variables.yml b/roles/sap_hana_install/tasks/pre_tasks/prepare_variables.yml index a15aee356..9be9545a3 100644 --- a/roles/sap_hana_install/tasks/pre_tasks/prepare_variables.yml +++ b/roles/sap_hana_install/tasks/pre_tasks/prepare_variables.yml @@ -209,4 +209,3 @@ ansible.builtin.set_fact: __sap_hana_install_configure_selinux: false when: ansible_os_family == "Suse" - From 47899df7b80e3ad1a474295077aa93cffac35ffb Mon Sep 17 00:00:00 2001 From: Bernd Finger Date: Tue, 2 Dec 2025 11:06:00 +0100 Subject: [PATCH 14/14] sap_hana_preconfigure: Fix some typos Relates to #1134. Signed-off-by: Bernd Finger --- roles/sap_hana_install/defaults/main.yml | 2 +- roles/sap_hana_install/tasks/pre_tasks/prepare_variables.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/sap_hana_install/defaults/main.yml b/roles/sap_hana_install/defaults/main.yml index 2eb5b6231..4d8e19fa7 100644 --- a/roles/sap_hana_install/defaults/main.yml +++ b/roles/sap_hana_install/defaults/main.yml @@ -35,7 +35,7 @@ sap_hana_install_keep_copied_sarfiles: false sap_hana_install_configure_fapolicyd: false # (RedHat specific) desired fapolicyd service status (only if sap_hana_install_configure_fapolicyd is 'true') -# For not enabling and and not starting the fapolicyd service after the installation has finished, set the following +# For not enabling and not starting the fapolicyd service after the installation has finished, set the following # variable to `false`: sap_hana_install_enable_fapolicyd: true diff --git a/roles/sap_hana_install/tasks/pre_tasks/prepare_variables.yml b/roles/sap_hana_install/tasks/pre_tasks/prepare_variables.yml index 9be9545a3..27487e81c 100644 
--- a/roles/sap_hana_install/tasks/pre_tasks/prepare_variables.yml +++ b/roles/sap_hana_install/tasks/pre_tasks/prepare_variables.yml @@ -6,7 +6,7 @@ # compatible variable or default empty string that will fail asserts afterwards. # NOTE: This is not __var assignment so it will not override user specified vars due to precedence! # -# Vars used in the hdblcm ćonfigfile: +# Vars used in the hdblcm configfile: - name: SAP HANA - Pre-Tasks - Set mandatory variables used by hdblcm configfile ansible.builtin.set_fact: sap_hana_install_sid: