d3fb3a5e9e
In case arbitrary folder is being used for Nova, more folders needs to be allowed in apparmor. With that, we don't need to have any overrides by default, as they all are already present in default aa-helper profile. Change-Id: Ib7a03434dae9f838289fbb16bfeb6c640eeccfc2 Signed-off-by: Dmitriy Rabotyagov <dmitriy.rabotyagov@cleura.com>
210 lines
5.2 KiB
YAML
210 lines
5.2 KiB
YAML
---
|
|
# Copyright 2014, Rackspace US, Inc.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
- name: Including nova_compute_kvm_install tasks
|
|
ansible.builtin.include_tasks: nova_compute_kvm_install.yml
|
|
args:
|
|
apply:
|
|
tags:
|
|
- nova-install
|
|
tags:
|
|
- always
|
|
|
|
- name: Set nested kvm virt
|
|
ansible.builtin.copy:
|
|
src: kvm.conf
|
|
dest: /etc/modprobe.d/kvm.conf
|
|
owner: root
|
|
group: root
|
|
mode: "0644"
|
|
when:
|
|
- nova_nested_virt_enabled | bool
|
|
tags:
|
|
- nova-config
|
|
- nova-kvm
|
|
|
|
- name: Add nova user to libvirtd group
|
|
ansible.builtin.user:
|
|
name: "{{ nova_system_user_name }}"
|
|
groups: "{{ libvirt_group }}"
|
|
append: "yes"
|
|
tags:
|
|
- nova-install
|
|
- nova-libvirt
|
|
|
|
- name: Ensure kvm permissions
|
|
ansible.builtin.command: "udevadm trigger"
|
|
changed_when: false
|
|
tags:
|
|
- nova-config
|
|
- nova-kvm
|
|
|
|
- name: Set kernel permissions to enable libguestfs features (Ubuntu)
|
|
ansible.builtin.include_tasks: nova_kernel_permissions.yml
|
|
when:
|
|
- ansible_facts['distribution'] == 'Ubuntu'
|
|
- nova_libvirt_inject_key | bool or nova_libvirt_inject_password | bool
|
|
args:
|
|
apply:
|
|
tags:
|
|
- nova-config
|
|
- nova-kvm
|
|
- nova-libvirt
|
|
tags:
|
|
- always
|
|
|
|
- name: Set libvirtd config
|
|
ansible.builtin.template:
|
|
src: libvirtd.conf.j2
|
|
dest: /etc/libvirt/libvirtd.conf
|
|
owner: "root"
|
|
group: "root"
|
|
mode: "0644"
|
|
notify: Restart libvirt-bin
|
|
tags:
|
|
- nova-config
|
|
- nova-kvm
|
|
- nova-libvirt
|
|
|
|
- name: Set qemu config
|
|
ansible.builtin.template:
|
|
src: "qemu.conf.j2"
|
|
dest: "/etc/libvirt/qemu.conf"
|
|
owner: "root"
|
|
group: "root"
|
|
mode: "0600"
|
|
notify: Restart libvirt-bin
|
|
tags:
|
|
- nova-config
|
|
- nova-kvm
|
|
- nova-libvirt
|
|
|
|
- name: Unset libvirt runtime options (Ubuntu)
|
|
ansible.builtin.lineinfile:
|
|
dest: "/etc/default/libvirtd"
|
|
line: 'libvirtd_opts=""'
|
|
regexp: "^libvirtd_opts="
|
|
backup: "yes"
|
|
when:
|
|
- ansible_facts['pkg_mgr'] == 'apt'
|
|
notify: Restart libvirt-bin
|
|
tags:
|
|
- nova-config
|
|
- nova-kvm
|
|
- nova-libvirt
|
|
|
|
- name: Unset libvirt runtime options (RPM)
|
|
ansible.builtin.lineinfile:
|
|
dest: "/etc/sysconfig/libvirtd"
|
|
line: 'LIBVIRTD_ARGS=""'
|
|
regexp: "^(#)?LIBVIRTD_ARGS=*"
|
|
backup: "yes"
|
|
when:
|
|
- ansible_facts['pkg_mgr'] == 'dnf'
|
|
- ansible_facts['distribution_version'] is version('9', '<')
|
|
notify: Restart libvirt-bin
|
|
tags:
|
|
- nova-config
|
|
- nova-kvm
|
|
- nova-libvirt
|
|
|
|
- name: Set qemu-kvm KSM config (Ubuntu)
|
|
ansible.builtin.lineinfile:
|
|
dest: "/etc/default/qemu-kvm"
|
|
line: "KSM_ENABLED={{ nova_compute_ksm_enabled | ternary('1', '0') }}"
|
|
regexp: "^KSM_ENABLED=*"
|
|
backup: true
|
|
when:
|
|
- ansible_facts['distribution'] == 'Ubuntu'
|
|
notify: Restart libvirt-bin
|
|
tags:
|
|
- nova-config
|
|
- nova-kvm
|
|
- nova-libvirt
|
|
|
|
# TODO(noonedeadpunk): Clean up in 2026.2 cycle
|
|
- name: Clean up old apparmor config (Ubuntu/Debian)
|
|
ansible.builtin.lineinfile:
|
|
dest: "/etc/apparmor.d/local/usr.lib.libvirt.virt-aa-helper"
|
|
line: " {{ nova_system_home_folder }}/instances/_base/* r,"
|
|
create: true
|
|
owner: "root"
|
|
group: "root"
|
|
mode: "0644"
|
|
state: absent
|
|
when:
|
|
- ansible_facts['distribution'] == 'Ubuntu' or ansible_facts['distribution'] == 'Debian'
|
|
notify: Reload apparmor profile
|
|
tags:
|
|
- nova-config
|
|
- nova-kvm
|
|
- nova-libvirt
|
|
|
|
- name: Set apparmor overrides (Ubuntu/Debian)
|
|
ansible.builtin.blockinfile:
|
|
dest: "/etc/apparmor.d/local/usr.lib.libvirt.virt-aa-helper"
|
|
block: |
|
|
# arbitrary path to nova home folder
|
|
{{ nova_system_home_folder }}/images/** r,
|
|
{{ nova_system_home_folder }}/instances/_base/** r,
|
|
{{ nova_system_home_folder }}/instances/snapshots/** r,
|
|
create: true
|
|
owner: "root"
|
|
group: "root"
|
|
mode: "0644"
|
|
marker: "# {mark} OPENSTACK-ANSIBLE MANAGED BLOCK"
|
|
when:
|
|
- ansible_facts['distribution'] == 'Ubuntu' or ansible_facts['distribution'] == 'Debian'
|
|
- nova_system_home_folder != '/var/lib/nova'
|
|
notify: Reload apparmor profile
|
|
tags:
|
|
- nova-config
|
|
- nova-kvm
|
|
- nova-libvirt
|
|
|
|
- name: Including nova_disable_smt tasks
|
|
ansible.builtin.include_tasks: nova_disable_smt.yml
|
|
when:
|
|
- ansible_facts['architecture'] == 'ppc64le'
|
|
args:
|
|
apply:
|
|
tags:
|
|
- nova-config
|
|
tags:
|
|
- always
|
|
|
|
- name: Including nova_enable_ksm tasks
|
|
ansible.builtin.include_tasks: nova_enable_ksm.yml
|
|
when:
|
|
- nova_compute_ksm_enabled | bool
|
|
args:
|
|
apply:
|
|
tags:
|
|
- nova-config
|
|
tags:
|
|
- always
|
|
|
|
- name: Including nova_compute_kvm_virsh_net_remove tasks
|
|
ansible.builtin.include_tasks: nova_compute_kvm_virsh_net_remove.yml
|
|
args:
|
|
apply:
|
|
tags:
|
|
- nova-config
|
|
- nova-kvm
|
|
- nova-libvirt
|
|
- nova-kvm-virsh-net
|
|
tags:
|
|
- always
|