tasks: lxc_install_zypper: Relax apparmor restrictions for dnsmasq
The default apparmor profile does not allow dnsmasq to read from /etc/neutron or /var/log/neutron as we see from the following entry in the audit.log file:

    type=AVC msg=audit(1500476274.931:179617): apparmor="DENIED" operation="open" profile="/usr/sbin/dnsmasq" name="/etc/neutron/dnsmasq-neutron.conf" pid=27503 comm="dnsmasq" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

However, having such access is essential for neutron to work; otherwise dnsmasq fails to start and the VMs have all sorts of network problems. As such, we create a local profile with the neutron allowances.

Change-Id: I11b1c777fc738f319e0d1c875390522468504050
This commit is contained in:
parent
1e6a6a7540
commit
d77bbf6d0a
@ -24,6 +24,23 @@
|
|||||||
tags:
|
tags:
|
||||||
- lxc-packages
|
- lxc-packages
|
||||||
|
|
||||||
|
# NOTE(hwoarang) default dnsmasq profile is too restrictive so we
|
||||||
|
# need to adjust it for neutron.
|
||||||
|
- name: Relax dnsmasq apparmor profile
|
||||||
|
blockinfile:
|
||||||
|
path: "/etc/apparmor.d/local/usr.sbin.dnsmasq"
|
||||||
|
block: |-
|
||||||
|
/etc/neutron/* r,
|
||||||
|
/var/log/neutron/* rw,
|
||||||
|
marker: "# {mark} ANSIBLE MANAGED BLOCK"
|
||||||
|
notify:
|
||||||
|
- Start apparmor
|
||||||
|
- Reload apparmor
|
||||||
|
tags:
|
||||||
|
- lxc-files
|
||||||
|
- lxc-apparmor
|
||||||
|
- lxc_hosts-config
|
||||||
|
|
||||||
- name: Drop lxc-openstack apparmor profile
|
- name: Drop lxc-openstack apparmor profile
|
||||||
template:
|
template:
|
||||||
src: "lxc-openstack.apparmor.j2"
|
src: "lxc-openstack.apparmor.j2"
|
||||||
|
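Review bot: The `/etc/neutron/* r,` rule in the added blockinfile block is broader than the failure the commit message documents. The AVC entry only shows dnsmasq being denied `/etc/neutron/dnsmasq-neutron.conf`, yet the glob lets the dnsmasq process read every other file in /etc/neutron as well, which is more than the DHCP helper needs. Consider narrowing it to the file that is actually opened, e.g. `/etc/neutron/dnsmasq-neutron.conf r,`, and likewise limiting `/var/log/neutron/* rw,` to the log file dnsmasq writes rather than granting read/write on the whole neutron log directory. Two smaller points: a file under `/etc/apparmor.d/local/` only takes effect if the packaged `usr.sbin.dnsmasq` profile includes it, so verify that on the zypper-based hosts this task targets before relying on the `Reload apparmor` handler; and `blockinfile` fails when `path` does not already exist unless `create: yes` is set, so if a fresh host may lack `/etc/apparmor.d/local/usr.sbin.dnsmasq` that option should be added to the task.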