Octavia: set selinux contexts on ansible generated configuration

The octavia external deploy tasks creates several files and directories and care must be taken to ensure they have the proper selinux context. Change-Id: I08be6722a68ce17b7fefc0f9ca3eb8bf9c585418 Closes-Bug: #1812274
2019-02-21 20:12:44 +00:00 · 2019-02-21 20:12:44 +00:00 · 67a55866b2
commit 67a55866b2
parent 1502a5734b
4 changed files with 39 additions and 12 deletions
--- a/playbooks/roles/octavia-controller-config/tasks/certificate.yml
+++ b/playbooks/roles/octavia-controller-config/tasks/certificate.yml
@ -1,15 +1,22 @@
 ---
  - name: making sure octavia worker configuration directory exists
-    file: path="{{ octavia_confd_prefix }}{{ ca_private_key_path | dirname }}" state=directory
+    file:
+      path: "{{ octavia_confd_prefix }}{{ ca_private_key_path | dirname }}"
+      state: directory
+      selevel: s0
+      setype: svirt_sandbox_file_t
    become: true
-  - name: Copying ca private key to octavia
+  - name: Copying key info to octavia
    become: true
-    copy: content="{{ private_key_content }}" dest="{{ octavia_confd_prefix }}{{ ca_private_key_path }}"
-  - name: copying ca certificate to octavia
-    become: true
-    copy: content="{{ ca_cert_content }}" dest="{{ octavia_confd_prefix }}{{ ca_cert_path }}"
-  - name: Create pem file with service private key & public certificate
-    become: true
-    copy: content="{{ service_pem_content }}" dest="{{ octavia_confd_prefix }}{{ client_cert_path }}"
+    copy:
+      content: "{{ item.content }}"
+      dest: "{{ octavia_confd_prefix }}{{ item.path }}"
+      selevel: s0
+      setype: svirt_sandbox_file_t
+    no_log: true
+    loop:
+        - { content: private_key_content, path: ca_private_key_path }
+        - { content: ca_cert_content, path: ca_cert_path }
+        - { content: service_pem_content, path: client_cert_path }
    notify:
      - octavia config updated
--- a/playbooks/roles/octavia-controller-config/tasks/main.yml
+++ b/playbooks/roles/octavia-controller-config/tasks/main.yml
@ -10,6 +10,10 @@
  - include_tasks: netport.yml
  - include_tasks: netinterface.yml
  - name: making sure octavia common configuration directory exists
-    file: path="{{ octavia_confd_prefix }}/etc/octavia/conf.d/common" state=directory
+    file:
+      path: "{{ octavia_confd_prefix }}/etc/octavia/conf.d/common"
+      state: directory
+      selevel: s0
+      setype: svirt_sandbox_file_t
    become: true
  - include_tasks: octavia.yml
--- a/playbooks/roles/octavia-controller-config/tasks/octavia.yml
+++ b/playbooks/roles/octavia-controller-config/tasks/octavia.yml
@ -1,6 +1,10 @@
 ---
  - name: making sure octavia worker configuration directory exists
-    file: path="{{ octavia_confd_prefix }}/etc/octavia/conf.d/octavia-worker" state=directory
+    file:
+      path: "{{ octavia_confd_prefix }}/etc/octavia/conf.d/octavia-worker"
+      state: directory
+      selevel: s0
+      setype: svirt_sandbox_file_t
    become: true
  - name: setting [controller_worker]/amp_boot_network_list
    become: true
@ -10,6 +14,8 @@
      section: controller_worker
      option: amp_boot_network_list
      value: "{{ lb_mgmt_net_id }}"
+      selevel: s0
+      setype: svirt_sandbox_file_t
  - name: setting [controller_worker]/amp_secgroup_list
    become: true
    become_user: root
@ -18,8 +24,14 @@
      section: controller_worker
      option: amp_secgroup_list
      value: "{{ lb_mgmt_secgroup_id }}"
+      selevel: s0
+      setype: svirt_sandbox_file_t
  - name: making sure octavia health manager configuration directory exists
-    file: path="{{octavia_confd_prefix}}/etc/octavia/conf.d/octavia-health-manager" state=directory
+    file:
+      path: "{{octavia_confd_prefix}}/etc/octavia/conf.d/octavia-health-manager"
+      state: directory
+      selevel: s0
+      setype: svirt_sandbox_file_t
    become: true
  - name: create octavia health manager configuration file
    become: true
@ -27,3 +39,5 @@
    template:
      dest: "{{octavia_confd_prefix}}/etc/octavia/conf.d/octavia-health-manager/manager-post-deploy.conf"
      src: "manager-post-deploy.conf.j2"
+      selevel: s0
+      setype: svirt_sandbox_file_t
--- a/playbooks/roles/octavia-controller-post-config/tasks/main.yml
+++ b/playbooks/roles/octavia-controller-post-config/tasks/main.yml
@ -35,6 +35,8 @@
      option: "controller_ip_port_list"
      value: "{{ o_hm_ip_list }}"
      path: "{{octavia_confd_prefix}}/etc/octavia/conf.d/octavia-worker/worker-post-deploy.conf"
+      selevel: s0
+      setype: svirt_sandbox_file_t
    when: octavia_config_updated

  - name: restart octavia containers