
Disable HAProxy apparmor profile if present

openSUSE ships a HAProxy profile which prevents the creation of the
/run/haproxy.stat file.

profile="/usr/sbin/haproxy" name="/run/haproxy.stat.21697.tmp" pid=21697 comm="haproxy" requested_mask="c" denied_mask="c" fsuid=0 ouid=0

As such, let's follow the common pattern across OSA roles and disable the
profile instead of trying to manage it.

Change-Id: Iaacb628f4cc78687c95034e81ed924807a3018bd
changes/78/603078/15
Markos Chandras 9 months ago
parent
commit
31f0c0a929
3 changed files with 58 additions and 1 deletions
  1. 52
    0
      tasks/haproxy_apparmor.yml
  2. 3
    0
      tasks/haproxy_install.yml
  3. 3
    1
      vars/suse.yml

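--- /dev/null
+++ b/tasks/haproxy_apparmor.yml
@@ -0,0 +1,52 @@
+---
+# Copyright 2018, SUSE Linux GmbH.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Check for apparmor profile
+  stat:
+    path: "/etc/apparmor.d/usr.sbin.haproxy"
+  register: sbin_haproxy
+
+# NOTE(hwoarang) aa-disable will disable the profile and unload it immediately
+# See https://bugzilla.opensuse.org/show_bug.cgi?id=1108688. For aa-disable to
+# work we need apparmor app and running
+- name: Relax apparmor profile
+  block:
+    - name: Ensure apparmor service is running
+      systemd:
+        name: "apparmor"
+        enabled: yes
+        state: "started"
+
+    - name: Relax haproxy apparmor profile
+      shell: |
+        # empty line to workaround bug in EnvVarsInCommandRule.py lint test
+        # https://github.com/willthames/ansible-lint/issues/275
+        exit_code=0
+        if aa-status | grep -q haproxy; then
+          aa-disable usr.sbin.haproxy
+          exit_code=$?
+          if [[ ${exit_code} == 0 ]]; then
+            exit_code=2
+          fi
+        fi
+        exit ${exit_code}
+      register: _apparmor_profile_disabled
+      changed_when: _apparmor_profile_disabled.rc == 2
+      failed_when: _apparmor_profile_disabled.rc not in [0, 2]
+      args:
+        warn: no
+        executable: /bin/bash
+  when:
+    - sbin_haproxy.stat.exists | bool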
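Review bot: The script at lines 37-43 disables the profile only when `aa-status` already lists it, so on a host where `/etc/apparmor.d/usr.sbin.haproxy` exists but is not loaded at that moment (presumably possible when the package installs the profile after `apparmor` is already running, since `state: started` on a running unit reloads nothing) the task reports ok, no `/etc/apparmor.d/disable/usr.sbin.haproxy` symlink is created, and the next AppArmor reload or reboot enforces the profile and the `/run/haproxy.stat` denial comes back. Deciding on the persistent state instead, and unloading only when the profile is actually loaded, covers both cases and also narrows `grep -q haproxy`, which matches any loaded profile or process name containing that string; the sketch below records the same disable symlink `aa-disable` would, without depending on the profile being loaded. Separately, disabling the whole profile removes all confinement from a root (`fsuid=0` in the quoted denial), network-facing daemon to clear one create denial on `/run/haproxy.stat*`; an override in `/etc/apparmor.d/local/usr.sbin.haproxy` containing `/run/haproxy.stat* rw,` followed by `apparmor_parser -r /etc/apparmor.d/usr.sbin.haproxy` would keep haproxy confined. If disabling is kept, the NOTE at lines 21-23 should say so plainly, e.g. `# NOTE: the profile is disabled outright (symlinked into /etc/apparmor.d/disable), not amended; aa-disable needs apparmor installed and running`.
```yaml
        # … unchanged: the two ansible-lint workaround comment lines …
        exit_code=0
        if [[ ! -e /etc/apparmor.d/disable/usr.sbin.haproxy ]]; then
          # persist the disable (what aa-disable records) even if the profile is not loaded yet
          ln -s /etc/apparmor.d/usr.sbin.haproxy /etc/apparmor.d/disable/usr.sbin.haproxy
          exit_code=$?
          # unload a currently enforced copy; match the profile name, not any "haproxy" substring
          if [[ ${exit_code} == 0 ]] && aa-status | grep -q '/usr/sbin/haproxy'; then
            apparmor_parser -R /etc/apparmor.d/usr.sbin.haproxy
            exit_code=$?
          fi
          if [[ ${exit_code} == 0 ]]; then
            exit_code=2
          fi
        fi
        exit ${exit_code}
```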

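--- a/tasks/haproxy_install.yml
+++ b/tasks/haproxy_install.yml
@@ -52,3 +52,6 @@
   args:
     chdir: "/opt/{{ haproxy_hatop_download_url | basename | replace('.tar.gz', '') }}"
     creates: "/usr/local/bin/hatop"
+
+- include_tasks: haproxy_apparmor.yml
+  when: ansible_pkg_mgr == 'zypper'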

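--- a/vars/suse.yml
+++ b/vars/suse.yml
@@ -14,9 +14,11 @@
 # limitations under the License.
 
 haproxy_distro_packages:
+  - apparmor-parser
+  - apparmor-profiles
+  - apparmor-utils
   - haproxy
   - netcat # Used for the Ansible haproxy module
   - rsyslog  # Used for local logging
-
 haproxy_distro_packages_remove:
   - systemd-logger # conflicts with rsyslog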
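Review bot: Adding `apparmor-profiles` at line 18 installs the whole optional openSUSE profile set on every haproxy host, which can start confining unrelated programs there, while the new haproxy_apparmor.yml only needs `aa-status`/`aa-disable` (`apparmor-utils`) and `apparmor_parser` (`apparmor-parser`). If the haproxy profile itself ships with the haproxy package rather than with apparmor-profiles (the commit message does not say which), the extra package can be dropped; otherwise a comment such as `- apparmor-profiles # ships usr.sbin.haproxy, which haproxy_apparmor.yml disables` would record why it is required, in the style of the `# Used for ...` comments on the netcat and rsyslog lines. The removal at old line 20 also drops the blank line that separated `haproxy_distro_packages` from `haproxy_distro_packages_remove`, which looks accidental; keep one blank line between top-level stanzas.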
