Merge pull request #2 from wyhasany/master

Set network capabilities on cloudflared when using privileged port (<1024)
bendews · Nov 8, 2018 · 932ea23 · 932ea23
2 parents a9e753e + 605d329
commit 932ea23
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 6 deletions.
diff --git a/.travis.yml b/.travis.yml
@@ -9,6 +9,9 @@ before_install:
   - sudo apt-get update -qq
 
 install:
+  #Workaround for ssl exception
+  - wget https://bin.equinox.io/c/VdrWdbjqyF/cloudflared-stable-linux-amd64.deb -P /tmp/
+
   # Install Ansible.
   - pip install ansible
 
@@ -19,8 +22,10 @@ script:
   # Check the role/playbook's syntax.
   - "ansible-playbook -i tests/inventory tests/$TESTBOOK --syntax-check"
   # Run role and ensure it completes successfully.
-  - "ansible-playbook -i tests/inventory tests/$TESTBOOK --skip-tags web-api"
+  - "ansible-playbook -i tests/inventory tests/$TESTBOOK --skip-tags systemd"
+  # Check setting ansible port
+  - "ansible-playbook -i tests/inventory tests/$TESTBOOK --extra-vars 'cloudflared_port=53' --skip-tags systemd"
   # Run role again and check for idempotence.
-  - "ansible-playbook -i tests/inventory tests/$TESTBOOK --skip-tags web-api | grep -q 'changed=0.*failed=0' && (echo 'Idempotence test: pass' && exit 0) || (echo 'Idempotence test: fail' && exit 1)"
+  - "ansible-playbook -i tests/inventory tests/$TESTBOOK --skip-tags systemd | grep -q 'changed=0.*failed=0' && (echo 'Idempotence test: pass' && exit 0) || (echo 'Idempotence test: fail' && exit 1)"
   # Check cloudflared has been installed correctly
   - "cloudflared"
diff --git a/tasks/main.yml b/tasks/main.yml
@@ -14,6 +14,13 @@
   import_tasks: install_binary.yml
   when: (not cloudflared_installed) and (pkg_mgr_output is undefined or pkg_mgr_output is failed)
 
+- name: Set network capabilities for cloudflared
+  capabilities:
+    path: "{{ cloudflared_bin_location }}/cloudflared"
+    capability: cap_net_bind_service+ep
+    state: present
+  when: cloudflared_port|int < 1024
+
 - command: cloudflared update
   register: update_command
   changed_when: update_command.rc == '64'
@@ -30,6 +37,7 @@
     owner: cloudflared
     group: cloudflared
   notify: restart cloudflared service
+  tags: systemd
 
 - name: copy systemd service
   copy:
@@ -40,12 +48,14 @@
     mode: 0644
   notify: restart cloudflared service
   register: service
+  tags: systemd
 
 - name: enable systemd service
   service:
     name: cloudflared
     enabled: "{{ cloudflared_enable_service }}"
   when: service.changed
+  tags: systemd
 
 - name: Allow port in firewall
   ufw:

diff --git a/tests/test.yml b/tests/test.yml
@@ -4,10 +4,10 @@
   become: yes
   tasks:
 
-    - name: Test role with variables
-      include_role:
-        name: ../ansible-cloudflared
-      vars:
+  - name: Test role with variables
+    include_role:
+      name: ../ansible-cloudflared
+    vars:
       cloudflared_allow_firewall: false
       cloudflared_enable_service: false
       cloudflared_port: 5053