From 1ab68a4b137b0f68e744f9ce82d395efb030b758 Mon Sep 17 00:00:00 2001 From: Pavel Glushchak Date: Tue, 4 Oct 2016 18:34:29 +0300 Subject: [PATCH] libvirt: don't enable security_driver if selinux disabled Change-Id: Ifdc8f5d18ae35651b3e27399217bbd22593122be Closes-Bug: #1630284 Signed-off-by: Pavel Glushchak (cherry picked from commit 72d80348b774995214e88b45a490112fc3fe2187) --- .../manifests/roles/compute.pp | 27 ++++++++++++++----- tests/noop/spec/hosts/roles/compute_spec.rb | 26 +++++++++++++----- 2 files changed, 41 insertions(+), 12 deletions(-) diff --git a/deployment/puppet/openstack_tasks/manifests/roles/compute.pp b/deployment/puppet/openstack_tasks/manifests/roles/compute.pp index 8b26104c11..2e98a7e1fc 100644 --- a/deployment/puppet/openstack_tasks/manifests/roles/compute.pp +++ b/deployment/puppet/openstack_tasks/manifests/roles/compute.pp @@ -429,18 +429,33 @@ class openstack_tasks::roles::compute { case $::osfamily { 'RedHat': { - file_line { 'qemu_selinux': - path => '/etc/libvirt/qemu.conf', - line => 'security_driver = "selinux"', - require => Package['libvirt'], - notify => Service['libvirt'] + if str2bool("${::selinux}") { + file_line { 'qemu_selinux': + path => '/etc/libvirt/qemu.conf', + line => 'security_driver = "selinux"', + require => Package['libvirt'], + notify => Service['libvirt'] + } + } else { + file_line { 'qemu_selinux_disabled': + ensure => absent, + path => '/etc/libvirt/qemu.conf', + match => '^security_driver', + match_for_absence => true, + require => Package['libvirt'], + notify => Service['libvirt'] + } } } 'Debian': { + service { 'apparmor': + ensure => running, + } + file_line { 'qemu_apparmor': path => '/etc/libvirt/qemu.conf', line => 'security_driver = "apparmor"', - require => Package['libvirt'], + require => [Package['libvirt'], Service['apparmor']], notify => Service['libvirt'] } diff --git a/tests/noop/spec/hosts/roles/compute_spec.rb b/tests/noop/spec/hosts/roles/compute_spec.rb index c2410e37fc..537e76197a 100644 
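Review bot: In the RedHat `else` branch, removing every `^security_driver` line leaves libvirt to pick its driver on its own, and with SELinux disabled that presumably means guests run without sVirt confinement, yet nothing in the catalog records it. A `warning('SELinux is disabled: libvirt guests on this node are not confined by sVirt')` inside that branch would make the weaker isolation visible in the Puppet run. On the Debian side, the new `service { 'apparmor': ensure => running, }` does not set `enable => true,`, so the guarantee behind `Service['apparmor']` only holds for the current boot, while `security_driver = "apparmor"` stays in qemu.conf across reboots. The `case $::osfamily` block continues past the end of the hunk.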
--- a/tests/noop/spec/hosts/roles/compute_spec.rb +++ b/tests/noop/spec/hosts/roles/compute_spec.rb @@ -22,6 +22,7 @@ describe manifest do Noop.ubuntu_facts.merge({ :libvirt_uuid => '0251bf3e0a3f48da8cdf8daad5473a7f', :allocated_hugepages => '{"1G":true,"2M":true}', + :selinux => 'true', }) } @@ -245,14 +246,27 @@ describe manifest do # libvirt/qemu with(out) selinux/apparmor it 'libvirt/qemu config should have proper security_driver and apparmor configuration' do if facts[:osfamily] == 'RedHat' - should contain_file_line('qemu_selinux').with( - 'path' => '/etc/libvirt/qemu.conf', - 'line' => 'security_driver = "selinux"', - ).that_notifies('Service[libvirt]') + if facts[:selinux] == 'true' + should contain_file_line('qemu_selinux').with( + 'path' => '/etc/libvirt/qemu.conf', + 'line' => 'security_driver = "selinux"', + ).that_notifies('Service[libvirt]') + else + should contain_file_line('qemu_selinux_disabled').with( + 'ensure' => 'absent', + 'path' => '/etc/libvirt/qemu.conf', + 'match' => '^security_driver', + 'match_for_absence' => 'true', + ).that_notifies('Service[libvirt]') + end elsif facts[:osfamily] == 'Debian' + should contain_service('apparmor').with( + 'ensure' => 'running', + ) should contain_file_line('qemu_apparmor').with( - 'path' => '/etc/libvirt/qemu.conf', - 'line' => 'security_driver = "apparmor"', + 'path' => '/etc/libvirt/qemu.conf', + 'line' => 'security_driver = "apparmor"', + 'require' => ['Package[libvirt]', 'Service[apparmor]'], ).that_notifies('Service[libvirt]') should contain_file_line('apparmor_libvirtd').with( 'path' => '/etc/apparmor.d/usr.sbin.libvirtd',
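Review bot: The `else` branch asserting `qemu_selinux_disabled` looks unreachable with the facts visible here. The only fact set shown (the `Noop.ubuntu_facts.merge` hunk just above) pins `:selinux => 'true'`, and it is an Ubuntu set, so the RedHat conditions may not be exercised from it at all. Since this is the branch that strips `security_driver` from qemu.conf, it deserves a case of its own using a RedHat fact set with `:selinux => 'false'`. The check `facts[:selinux] == 'true'` is also narrower than the manifest's `str2bool("${::selinux}")`, so a comment such as `# keep in sync with str2bool() in roles/compute.pp` next to it would help. The `it` block and the enclosing `describe` continue outside the hunk.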