diff --git a/defaults/main.yml b/defaults/main.yml
index 9ecd6225..28c6e542 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -67,7 +67,7 @@ ironic_services:
     service_name: ironic-api
     init_config_overrides: "{{ ironic_api_init_config_overrides }}"
     wsgi_app: true
-    wsgi_name: ironic-api-wsgi
+    wsgi: "ironic.wsgi:application"
     uwsgi_overrides: "{{ ironic_api_uwsgi_ini_overrides }}"
     uwsgi_port: "{{ ironic_service_port }}"
     uwsgi_bind_address: "{{ ironic_uwsgi_bind_address }}"
diff --git a/handlers/main.yml b/handlers/main.yml
index 3335144c..1b0d3bc0 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -13,6 +13,11 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
+- name: Reload apparmor
+  ansible.builtin.service:
+    name: apparmor
+    state: reloaded
+
 - name: Restart ironic services
   ansible.builtin.service:
     name: "{{ item.service_name }}"
diff --git a/tasks/ironic_inspector_apparmor.yml b/tasks/ironic_inspector_apparmor.yml
new file mode 100644
index 00000000..fe65877b
--- /dev/null
+++ b/tasks/ironic_inspector_apparmor.yml
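Review bot: The position of the new `Reload apparmor` handler above `Restart ironic services` in this hunk is load-bearing and nothing records that: Ansible fires notified handlers in the order they are defined in the handlers file, so the profile reload currently runs before dnsmasq is restarted under its widened rules, and a later reorder would silently start dnsmasq against the stale profile. I would add `# NOTE: keep this above the service restart handlers - handlers fire in definition order and the` / `# updated dnsmasq profile must be loaded before dnsmasq is restarted.` directly above the handler. The handler also has no guard for hosts where the apparmor unit is absent or masked, so `state: reloaded` will fail there rather than skip; whether that is acceptable depends on the gating in tasks/main.yml, which this hunk does not show.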
@@ -0,0 +1,28 @@
+---
+# Copyright 2025, BBC R&D.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: "Place required apparmor overrides"
+  ansible.builtin.copy:
+    content: "{{ item['content'] }}"
+    dest: "/etc/apparmor.d/local/{{ item['profile'] }}"
+    mode: "0644"
+    owner: root
+    group: root
+  loop: "{{ ironic_inspector_apparmor_local }}"
+  loop_control:
+    label: "{{ item['profile'] }}"
+  when:
+    - item.condition | default(true)
+  notify: Reload apparmor
diff --git a/tasks/main.yml b/tasks/main.yml
index 40dc05fb..f78a2559 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -115,6 +115,13 @@
   tags:
     - ironic-install
+- name: Importing ironic_inspector_apparmor tasks
+  ansible.builtin.import_tasks: ironic_inspector_apparmor.yml
+  when:
+    - ansible_facts['distribution'] | lower == 'ubuntu'
+  tags:
+    - ironic-config
+
 - name: Create and install SSL certificates
   ansible.builtin.include_role:
     name: pki
diff --git a/templates/dnsmasq.conf.j2 b/templates/dnsmasq.conf.j2
index 8628c879..022eee3c 100644
--- a/templates/dnsmasq.conf.j2
+++ b/templates/dnsmasq.conf.j2
@@ -1,3 +1,5 @@
+user=ironic
+group=ironic
 port=15553
 bind-interfaces
 interface={{ ironic_inspector_dhcp_interface }}
diff --git a/vars/debian.yml b/vars/debian.yml
index 2aa71c33..9328dcc0 100644
--- a/vars/debian.yml
+++ b/vars/debian.yml
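Review bot: When `item.condition` is false the `when:` in this task merely skips the host, so an override placed on an earlier run — for example on a host that has since left the ironic-inspector group — keeps the widened dnsmasq confinement indefinitely, and nothing ever reverts it. Deleting the fragment is the riskier fix, because the stock profile pulls it in through an include of `local/usr.sbin.dnsmasq` and on some releases that is a plain `#include` which fails to parse when the file is missing; writing it empty is safe, so I would always manage the file and use `content: "{{ item['content'] if (item.condition | default(true)) else '' }}"` with the `when:` block removed. The task also assumes `/etc/apparmor.d/local/` exists, which is true once the apparmor package is installed but is not asserted anywhere in this diff.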
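Review bot: The import in this hunk is gated on `ansible_facts['distribution'] | lower == 'ubuntu'`, which is a proxy for "AppArmor is confining dnsmasq" rather than that condition itself: an Ubuntu host with AppArmor disabled or removed still runs the copy task and the `Reload apparmor` handler and fails there, while a Debian host with AppArmor enabled (the default since buster) is skipped even though the data lives in `vars/debian.yml`. Ansible exposes the real state, so I would add `- ansible_facts['apparmor']['status'] | default('disabled') == 'enabled'` to the `when:` list. Whether Debian's dnsmasq package ships the same `usr.sbin.dnsmasq` profile is not visible from this diff, so the distribution check may still be wanted alongside the fact check rather than instead of it.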
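Review bot: `user=ironic` and `group=ironic` make dnsmasq drop from root to the ironic account after start-up, so every path it touches at runtime now needs DAC permissions for that account in addition to the AppArmor grants added elsewhere in this change: the lease file under `/var/lib/ironic-inspector/` must be writable by ironic and `/etc/ironic-inspector/dhcp-hostsdir` readable, and an existing deployment whose lease file is still root-owned from earlier runs will fail at the first lease write. The tasks that create those paths are not in this diff, so I cannot confirm their ownership. I would record the dependency in the template itself, above these two lines: `# dnsmasq starts as root (to bind DHCP/TFTP) and then drops to ironic; the lease file and dhcp-hostsdir must be readable/writable by that account.` Note that `user=` is only honoured when dnsmasq is launched as root, so the systemd unit must not already run it unprivileged.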
@@ -100,3 +100,13 @@ ironic_nginx_conf_path: "sites-available"
 ironic_grub_dir: "/tftpboot/grub"
 _ironic_ssl_truststore_location: /etc/ssl/certs/ca-certificates.crt
+
+ironic_inspector_apparmor_local:
+  - profile: "usr.sbin.dnsmasq"
+    content: |
+      /etc/ironic-inspector/inspector-dnsmasq.conf r,
+      /var/lib/ironic-inspector/inspector-dnsmasq.leases wr,
+      /etc/ironic-inspector/dhcp-hostsdir/* wr,
+      /etc/ironic-inspector/dhcp-hostsdir/ wr,
+      /etc/ironic-inspector/dhcp-hostsdir r,
+    condition: "{{ ironic_services['ironic-inspector']['group'] in group_names }}"
diff --git a/vars/main.yml b/vars/main.yml
index c7a58ab9..0072103f 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -318,7 +318,6 @@ uwsgi_ironic_services: |-
         and ('wsgi_app' in value and value['wsgi_app']) %}
   {% set _ = value.update(
         {
-          'wsgi_path': ironic_bin ~ '/' ~ value.wsgi_name,
           'wsgi_venv': ironic_bin | dirname,
           'uwsgi_uid': ironic_system_user_name,
           'uwsgi_guid': ironic_system_group_name,
diff --git a/vars/redhat.yml b/vars/redhat.yml
index 2581d7f9..ea788752 100644
--- a/vars/redhat.yml
+++ b/vars/redhat.yml
@@ -46,7 +46,7 @@ ironic_library_modules_paths:
   - "/usr/share/syslinux/chain.c32"
   - "/usr/share/syslinux/linux.c32"
   - "/usr/share/ipxe/undionly.kpxe"
-  - "/usr/share/ipxe/ipxe-x86_64.efi"
+  - "{{ '/usr/share/ipxe/ipxe' ~ (ansible_facts['distribution_major_version'] is version(10, '<')) | ternary('', '-snponly') ~ '-x86_64.efi' }}"
 ironic_uefi_modules:
   - name: "bootx64.efi"
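Review bot: The fragment grants dnsmasq `wr` on `/etc/ironic-inspector/dhcp-hostsdir/*` and on the directory itself, but dnsmasq only reads `--dhcp-hostsdir` (it watches the directory with inotify and re-reads changed files); it is ironic-inspector, not dnsmasq, that writes the per-node host files. Handing a network-facing daemon write access to the directory that decides which MACs receive PXE replies undoes much of what the profile is for, so I would tighten the two directory rules to `/etc/ironic-inspector/dhcp-hostsdir/* r,` and `/etc/ironic-inspector/dhcp-hostsdir/ r,` and keep `wr` only on the leases file. If this deployment does rely on dnsmasq writing there, a `#` comment inside the block scalar stating why would stop the next reviewer from removing it.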
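Review bot: The templated entry changes the basename that ends up in the boot tree on EL10 from `ipxe-x86_64.efi` to `ipxe-snponly-x86_64.efi`, and whatever consumes that file by name — ironic's `uefi_ipxe_bootfile_name`, a grub/iPXE chain config, or a copy/link task elsewhere in this role — has to switch on the same condition; none of those consumers are in this hunk, so I cannot tell whether they follow. If the consumer expects a fixed name, it is simpler to vary only the source and keep the installed name stable. The inline expression is also hard to read and easy to get the filter precedence wrong on; I would hoist it, e.g. `_ironic_ipxe_efi_suffix: "{{ (ansible_facts['distribution_major_version'] is version(10, '<')) | ternary('', '-snponly') }}"` and use `- "/usr/share/ipxe/ipxe{{ _ironic_ipxe_efi_suffix }}-x86_64.efi"` in the list.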