
Set the dnsmasq aa profile to complain

If a stock AppArmor (aa) profile exists for dnsmasq (SUSE, Ubuntu), the nspawn
deployment will fail because the profile is strict. This change
sets the profile to complain mode, which allows the deployment to
succeed. The new tasks detect a stock dnsmasq AppArmor profile and
set it to complain mode if found.

Change-Id: Ie565b683d2f06e47f7a46497ce3c38d604a0fed6
Signed-off-by: Kevin Carter <kevin@cloudnull.com>
Kevin Carter 2 months ago
parent
commit
2f76119d7a
2 changed files with 16 additions and 1 deletions
  1. 12
    1
      tasks/nspawn_networking.yml
  2. 4
    0
      vars/main.yml

+ 12
- 1
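--- a/tasks/nspawn_networking.yml
+++ b/tasks/nspawn_networking.yml
@@ -13,7 +13,18 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-- block:
+- name: Check for aa-profile
+  stat:
+    path: /etc/apparmor.d/usr.sbin.dnsmasq
+  register: aa_profile
+
+- name: Set dnsmasq aa profile to complain
+  command: "aa-complain /etc/apparmor.d/usr.sbin.dnsmasq"
+  when:
+    - aa_profile.stat.exists | bool
+
+- name: Add proxies when needed
+  block:
     - name: Create machined proxy override unit directories
       file:
         path: "/etc/systemd/system/{{ item }}"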
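Review bot: The `Set dnsmasq aa profile to complain` task switches the stock profile to complain mode for every dnsmasq process on the host, and nothing visible in this section puts it back to enforce, so the host is left without AppArmor enforcement for a network-facing daemon in exchange for a working deployment. Complain mode only logs violations; a narrower fix is to add the specific rules the nspawn setup needs to the profile (or to a local override, if the stock profile includes one) and keep it enforcing. If complain mode stays, make it opt-in with an extra condition such as `- nspawn_dnsmasq_aa_complain | bool` (placeholder variable name) and add a comment above the task stating that it weakens confinement and why. The task also assumes `aa-complain` is installed whenever the profile file exists and re-runs it on every play. The `Add proxies when needed` block continues past the end of the hunk.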

+ 4
- 0
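--- a/vars/main.yml
+++ b/vars/main.yml
@@ -27,12 +27,16 @@ nspawn_network_utils:
   apt:
     iptables: /sbin/iptables
     ip: /sbin/ip
+    ethtool: /sbin/ethtool
   yum:
     iptables: /usr/sbin/iptables
     ip: /usr/sbin/ip
+    ethtool: /usr/sbin/ethtool
   zypper:
     iptables: /usr/sbin/iptables
     ip: /sbin/ip
+    ethtool: /sbin/ethtool
   emerge:
     iptables: /usr/sbin/iptables
     ip: /bin/ip
+    ethtool: /usr/sbin/ethtool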
