From d77bbf6d0ab63f5fd9201bbc85c214620929ab88 Mon Sep 17 00:00:00 2001
From: Markos Chandras
Date: Wed, 19 Jul 2017 16:34:22 +0100
Subject: [PATCH] tasks: lxc_install_zypper: Relax apparmor restrictions for dnsmasq

The default apparmor profile does not allow dnsmasq to read from /etc/neutron or /var/log/neutron as we see from the following entry in the audit.log file:

type=AVC msg=audit(1500476274.931:179617): apparmor="DENIED" operation="open" profile="/usr/sbin/dnsmasq" name="/etc/neutron/dnsmasq-neutron.conf" pid=27503 comm="dnsmasq" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

However, having such access is essential for neutron to work otherwise dnsmasq fails to start and the VMs have all sorts of network problems. As such, we create a local profile with the neutron allowances.

Change-Id: I11b1c777fc738f319e0d1c875390522468504050
---
 tasks/lxc_install_zypper.yml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/tasks/lxc_install_zypper.yml b/tasks/lxc_install_zypper.yml
index c1a36408..ac562ba9 100644
--- a/tasks/lxc_install_zypper.yml
+++ b/tasks/lxc_install_zypper.yml
@@ -24,6 +24,23 @@
   tags:
     - lxc-packages
 
+# NOTE(hwoarang) default dnsmasq profile is too restrictive so we
+# need to adjust it for neutron.
+- name: Relax dnsmasq apparmor profile
+  blockinfile:
+    path: "/etc/apparmor.d/local/usr.sbin.dnsmasq"
+    block: |-
+      /etc/neutron/* r,
+      /var/log/neutron/* rw,
+    marker: "# {mark} ANSIBLE MANAGED BLOCK"
+  notify:
+    - Start apparmor
+    - Reload apparmor
+  tags:
+    - lxc-files
+    - lxc-apparmor
+    - lxc_hosts-config
+
 - name: Drop lxc-openstack apparmor profile
   template:
     src: "lxc-openstack.apparmor.j2"
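Review bot: The block scalar grants dnsmasq read access to every file under /etc/neutron (`/etc/neutron/* r,`), while the AVC record quoted in the commit message shows only `/etc/neutron/dnsmasq-neutron.conf` being denied; that directory commonly also holds neutron.conf and other service configuration carrying credentials, so the rule should be scoped to what dnsmasq actually opens, e.g. `/etc/neutron/dnsmasq-neutron.conf r,`, with further paths added only as the audit log shows them denied. Likewise `/var/log/neutron/* rw,` lets the dnsmasq process write to any neutron log file rather than only its own; if the log path handed to dnsmasq follows a narrower pattern, prefer that pattern. Two operational caveats are worth a comment beside the task: blockinfile fails when the target file is absent unless `create: true` is set, and the local file only takes effect if the distribution's main `usr.sbin.dnsmasq` profile includes `local/usr.sbin.dnsmasq` — both presumably hold on the zypper-based hosts this file targets, but neither is checked here. The `Start apparmor` and `Reload apparmor` handlers are defined outside this hunk.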