Switch from wsgi script to wsgi module and add apparmor rules

This patch adds the minimal amount of apparmor rules required to allow the dnsmasq instance for inspector start up. This is necessary because inspector puts the config file in a non-standard directory that is not covered by the default apparmor rules. In addition, fix a permissions error where dnsmasq is not able to read its configuration in /etc/ironic-inspector as it was not configured to drop priviledges from root to a specific user, and instead was running as the "nobody" user. This patch does not excercise the functionality of inspector so it is possible that further apparmor rules are required for runtime in addition to those added for startup. Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/955268 Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-openstack_hosts/+/966515 Change-Id: Ib806f95740392dd37e5f0508fc522ac3ce16a7f8 Signed-off-by: Jonathan Rosser <jonathan.rosser@rd.bbc.co.uk>
2025-05-21 10:57:12 +01:00
parent 6a2d1dab7a
commit 95938b77d1
8 changed files with 54 additions and 3 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -67,7 +67,7 @@ ironic_services:
    service_name: ironic-api
    init_config_overrides: "{{ ironic_api_init_config_overrides }}"
    wsgi_app: true
-    wsgi_name: ironic-api-wsgi
+    wsgi: "ironic.wsgi:application"
    uwsgi_overrides: "{{ ironic_api_uwsgi_ini_overrides }}"
    uwsgi_port: "{{ ironic_service_port }}"
    uwsgi_bind_address: "{{ ironic_uwsgi_bind_address }}"
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -13,6 +13,11 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

+- name: Reload apparmor
+  ansible.builtin.service:
+    name: apparmor
+    state: reloaded
+
 - name: Restart ironic services
  ansible.builtin.service:
    name: "{{ item.service_name }}"
--- a/tasks/ironic_inspector_apparmor.yml
+++ b/tasks/ironic_inspector_apparmor.yml
@@ -0,0 +1,28 @@
+---
+# Copyright 2025, BBC R&D.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: "Place required apparmor overrides"
+  ansible.builtin.copy:
+    content: "{{ item['content'] }}"
+    dest: "/etc/apparmor.d/local/{{ item['profile'] }}"
+    mode: "0644"
+    owner: root
+    group: root
+  loop: "{{ ironic_inspector_apparmor_local }}"
+  loop_control:
+    label: "{{ item['profile'] }}"
+  when:
+    - item.condition | default(true)
+  notify: Reload apparmor
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -115,6 +115,13 @@
  tags:
    - ironic-install

+- name: Importing ironic_inspector_apparmor tasks
+  ansible.builtin.import_tasks: ironic_inspector_apparmor.yml
+  when:
+    - ansible_facts['distribution'] | lower == 'ubuntu'
+  tags:
+    - ironic-config
+
 - name: Create and install SSL certificates
  ansible.builtin.include_role:
    name: pki
--- a/templates/dnsmasq.conf.j2
+++ b/templates/dnsmasq.conf.j2
@@ -1,3 +1,5 @@
+user=ironic
+group=ironic
 port=15553
 bind-interfaces
 interface={{ ironic_inspector_dhcp_interface }}
--- a/vars/debian.yml
+++ b/vars/debian.yml
@@ -100,3 +100,13 @@ ironic_nginx_conf_path: "sites-available"
 ironic_grub_dir: "/tftpboot/grub"

 _ironic_ssl_truststore_location: /etc/ssl/certs/ca-certificates.crt
+
+ironic_inspector_apparmor_local:
+  - profile: "usr.sbin.dnsmasq"
+    content: |
+        /etc/ironic-inspector/inspector-dnsmasq.conf r,
+        /var/lib/ironic-inspector/inspector-dnsmasq.leases wr,
+        /etc/ironic-inspector/dhcp-hostsdir/* wr,
+        /etc/ironic-inspector/dhcp-hostsdir/ wr,
+        /etc/ironic-inspector/dhcp-hostsdir r,
+    condition: "{{ ironic_services['ironic-inspector']['group'] in group_names }}"
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -318,7 +318,6 @@ uwsgi_ironic_services: |-
         and ('wsgi_app' in value and value['wsgi_app']) %}
  {%     set _ = value.update(
            {
-             'wsgi_path':  ironic_bin ~ '/' ~ value.wsgi_name,
             'wsgi_venv': ironic_bin | dirname,
             'uwsgi_uid': ironic_system_user_name,
             'uwsgi_guid': ironic_system_group_name,
--- a/vars/redhat.yml
+++ b/vars/redhat.yml
@@ -46,7 +46,7 @@ ironic_library_modules_paths:
  - "/usr/share/syslinux/chain.c32"
  - "/usr/share/syslinux/linux.c32"
  - "/usr/share/ipxe/undionly.kpxe"
-  - "/usr/share/ipxe/ipxe-x86_64.efi"
+  - "{{ '/usr/share/ipxe/ipxe' ~ (ansible_facts['distribution_major_version'] is version(10, '<')) | ternary('', '-snponly') ~ '-x86_64.efi' }}"

 ironic_uefi_modules:
  - name: "bootx64.efi"