Merge "libvirt: don't enable security_driver if selinux disabled" into stable/newton

2017-02-22 10:08:00 +00:00 · 2017-02-22 10:08:00 +00:00 · 6a39d7d08b
parent a28847063f 1ab68a4b13
commit 6a39d7d08b
2 changed files with 41 additions and 12 deletions
--- a/deployment/puppet/openstack_tasks/manifests/roles/compute.pp
+++ b/deployment/puppet/openstack_tasks/manifests/roles/compute.pp
@ -429,18 +429,33 @@ class openstack_tasks::roles::compute {

  case $::osfamily {
    'RedHat': {
-      file_line { 'qemu_selinux':
-        path    => '/etc/libvirt/qemu.conf',
-        line    => 'security_driver = "selinux"',
-        require => Package['libvirt'],
-        notify  => Service['libvirt']
+      if str2bool("${::selinux}") {
+        file_line { 'qemu_selinux':
+          path    => '/etc/libvirt/qemu.conf',
+          line    => 'security_driver = "selinux"',
+          require => Package['libvirt'],
+          notify  => Service['libvirt']
+        }
+      } else {
+        file_line { 'qemu_selinux_disabled':
+          ensure            => absent,
+          path              => '/etc/libvirt/qemu.conf',
+          match             => '^security_driver',
+          match_for_absence => true,
+          require           => Package['libvirt'],
+          notify            => Service['libvirt']
+        }
      }
    }
    'Debian': {
+      service { 'apparmor':
+        ensure => running,
+      }
+
      file_line { 'qemu_apparmor':
        path    => '/etc/libvirt/qemu.conf',
        line    => 'security_driver = "apparmor"',
-        require => Package['libvirt'],
+        require => [Package['libvirt'], Service['apparmor']],
        notify  => Service['libvirt']
      }

--- a/tests/noop/spec/hosts/roles/compute_spec.rb
+++ b/tests/noop/spec/hosts/roles/compute_spec.rb
@ -22,6 +22,7 @@ describe manifest do
      Noop.ubuntu_facts.merge({
        :libvirt_uuid        => '0251bf3e0a3f48da8cdf8daad5473a7f',
        :allocated_hugepages => '{"1G":true,"2M":true}',
+        :selinux             => 'true',
      })
    }

@ -245,14 +246,27 @@ describe manifest do
    # libvirt/qemu with(out) selinux/apparmor
    it 'libvirt/qemu config should have proper security_driver and apparmor configuration' do
      if facts[:osfamily] == 'RedHat'
-        should contain_file_line('qemu_selinux').with(
-          'path' => '/etc/libvirt/qemu.conf',
-          'line' => 'security_driver = "selinux"',
-        ).that_notifies('Service[libvirt]')
+        if facts[:selinux] == 'true'
+          should contain_file_line('qemu_selinux').with(
+            'path' => '/etc/libvirt/qemu.conf',
+            'line' => 'security_driver = "selinux"',
+          ).that_notifies('Service[libvirt]')
+        else
+          should contain_file_line('qemu_selinux_disabled').with(
+            'ensure'            => 'absent',
+            'path'              => '/etc/libvirt/qemu.conf',
+            'match'             => '^security_driver',
+            'match_for_absence' => 'true',
+          ).that_notifies('Service[libvirt]')
+        end
      elsif facts[:osfamily] == 'Debian'
+        should contain_service('apparmor').with(
+          'ensure' => 'running',
+        )
        should contain_file_line('qemu_apparmor').with(
-          'path' => '/etc/libvirt/qemu.conf',
-          'line' => 'security_driver = "apparmor"',
+          'path'    => '/etc/libvirt/qemu.conf',
+          'line'    => 'security_driver = "apparmor"',
+          'require' => ['Package[libvirt]', 'Service[apparmor]'],
        ).that_notifies('Service[libvirt]')
        should contain_file_line('apparmor_libvirtd').with(
          'path' => '/etc/apparmor.d/usr.sbin.libvirtd',