---
# Copyright 2018, SUSE LINUX GmbH.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

- name: Install required apparmor packages on the physical host
  package:
    name: "{{ neutron_apparmor_distro_packages }}"
    state: present
  register: apparmor_packages
  until: apparmor_packages is success
  retries: 5
  delay: 2
  become: yes
  delegate_to: "{{ physical_host | default('localhost') }}"

- name: Ensure apparmor service is running
  systemd:
    name: "apparmor"
    enabled: yes
    state: "started"
  become: yes
  delegate_to: "{{ physical_host | default('localhost') }}"

- name: "Disable apparmor profile"
  shell: |
    # empty line to workaround bug in EnvVarsInCommandRule.py lint test
    # https://github.com/willthames/ansible-lint/issues/275
    set -o pipefail
    exit_code=0
    if aa-status | grep -q {{ item.process  }} ; then
       aa-disable {{ item.profile }}
       if [[ $? == 0 ]]; then
         exit_code=2
       fi
    fi
    exit ${exit_code}
  register: _apparmor_profile_disabled
  changed_when: _apparmor_profile_disabled.rc == 2
  failed_when: _apparmor_profile_disabled.rc not in [0,2]
  args:
    executable: /bin/bash
  become: yes
  delegate_to: "{{ physical_host | default('localhost') }}"
  with_items:
    - profile: 'usr.sbin.haproxy'
      process: 'haproxy'
    - profile: 'bin.ping'
      process: 'ping'
    - profile: 'usr.sbin.dnsmasq'
      process: 'dnsmasq'