From 3d747b720051ed053f2e36b5679862b92265443b Mon Sep 17 00:00:00 2001
From: Michal Arbet
Date: Mon, 8 Jun 2020 11:12:19 +0200
Subject: [PATCH] Remove chrony package if containerized chrony is enabled
This patch is removing chrony package from docker host when containerized chrony is enabled. It is also fixing issue with chrony container running under Ubuntu docker host as noted below. + exec /usr/sbin/chronyd -d -f /etc/chrony/chrony.conf 2020-06-08T08:19:09Z chronyd version 3.4 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SIGND +ASYNCDNS +SECHASH +IPV6 -DEBUG) 2020-06-08T08:19:09Z Fatal error : Could not open configuration file /etc/chrony/chrony.conf : Permission denied Added also removal apparmor profile for ubuntu when containerized chrony is enabled, as chrony's package is not removing apparmor profile, and therefore containerized chrony is not working.
Change-Id: Icf3bbae38b9f5630b69d5c8cf6a8bee11786a836
Closes-Bug: #1882513
---
 ansible/roles/baremetal/defaults/main.yml | 2 ++
 ansible/roles/baremetal/tasks/post-install.yml | 16 ++++++++++++++++
 ...hrony-permission-denied-917b3bffc5cdb38d.yaml | 6 ++++++
 3 files changed, 24 insertions(+)
 create mode 100644 releasenotes/notes/bug-1882513-chrony-permission-denied-917b3bffc5cdb38d.yaml
diff --git a/ansible/roles/baremetal/defaults/main.yml b/ansible/roles/baremetal/defaults/main.yml
index 6fa555bbb2..f74ae19f7d 100644
--- a/ansible/roles/baremetal/defaults/main.yml
+++ b/ansible/roles/baremetal/defaults/main.yml
@@ -60,11 +60,13 @@ ubuntu_pkg_removals:
 - lxc
 - libvirt-bin
 - open-iscsi
+ - "{% if enable_chrony | bool %}chrony{% endif %}"
 redhat_pkg_removals:
 - libvirt
 - libvirt-daemon
 - iscsi-initiator-utils
+ - "{% if enable_chrony | bool %}chrony{% endif %}"
 # Path to a virtualenv in which to install python packages. If None, a
 # virtualenv will not be used.
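Review bot: When `enable_chrony` is false, the two added entries in `ubuntu_pkg_removals` and `redhat_pkg_removals` render to an empty string, so each list carries a `""` element into whatever task consumes it. That task is outside this hunk; if it hands the list straight to the package module, a blank name can fail or be misinterpreted, so the consumer should drop blanks, for example `{{ ubuntu_pkg_removals | select | list }}`. A short comment above each entry, such as `# Host chrony conflicts with the chrony container; removed only when enable_chrony is true`, would also record why a time-sync package sits in a removal list. Since the host presumably has no NTP client between the removal and the container start, and certificate validation and log correlation depend on correct time, it is worth confirming that ordering.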
diff --git a/ansible/roles/baremetal/tasks/post-install.yml b/ansible/roles/baremetal/tasks/post-install.yml
index 6b2d2a0f19..2616a97344 100644
--- a/ansible/roles/baremetal/tasks/post-install.yml
+++ b/ansible/roles/baremetal/tasks/post-install.yml
@@ -146,6 +146,22 @@
 - ansible_distribution == "Ubuntu"
 - apparmor_libvirtd_profile.stat.exists
+- name: Get stat of chronyd apparmor profile
+ stat:
+ path: /etc/apparmor.d/usr.sbin.chronyd
+ register: apparmor_chronyd_profile
+ when:
+ - ansible_os_family == "Debian"
+ - enable_chrony | bool
+
+- name: Remove apparmor profile for chrony
+ command: apparmor_parser -R /etc/apparmor.d/usr.sbin.chronyd
+ become: True
+ when:
+ - ansible_os_family == "Debian"
+ - enable_chrony | bool
+ - apparmor_chronyd_profile.stat.exists
+
 - name: Create docker group
 group:
 name: docker
diff --git a/releasenotes/notes/bug-1882513-chrony-permission-denied-917b3bffc5cdb38d.yaml b/releasenotes/notes/bug-1882513-chrony-permission-denied-917b3bffc5cdb38d.yaml
new file mode 100644
index 0000000000..53a62d01d2
--- /dev/null
+++ b/releasenotes/notes/bug-1882513-chrony-permission-denied-917b3bffc5cdb38d.yaml
@@ -0,0 +1,6 @@
+---
+fixes:
+ - |
+ Removing chrony package and AppArmor profile from docker host if
+ containerized chrony is enabled.
+ `LP#1882513 `__
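Review bot: In post-install.yml, the new `Remove apparmor profile for chrony` task only unloads the profile with `apparmor_parser -R`; the file `/etc/apparmor.d/usr.sbin.chronyd` stays on disk, so the profile is likely loaded again at the next boot or AppArmor reload and the container would hit the same `Permission denied`. Because the `stat` guard keys on that file rather than on the loaded state, a second run will probably call `-R` on a profile that is no longer loaded, which may fail the play, and the `command` task reports changed on every run. Consider persisting the disable with a link task, `file: src=/etc/apparmor.d/usr.sbin.chronyd dest=/etc/apparmor.d/disable/usr.sbin.chronyd state=link`, and guarding the unload on the profile actually being loaded. The new tasks gate on `ansible_os_family == "Debian"` while the neighbouring libvirt condition uses `ansible_distribution == "Ubuntu"` and the removal list this commit touches is `ubuntu_pkg_removals`, so on Debian hosts the profile may be unloaded without the package being removed; worth confirming that is intended. Since this drops a confinement profile on the host, a comment on the task stating that it is deliberate and limited to containerized chrony would help later audits.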