Octavia: set selinux contexts on ansible generated configuration

The octavia external deploy tasks create several files and directories,
and care must be taken to ensure they have the proper SELinux context.

Change-Id: I08be6722a68ce17b7fefc0f9ca3eb8bf9c585418
Closes-Bug: #1812274
Brent Eagles 2019-02-21 20:12:44 +00:00
parent 1502a5734b
commit 67a55866b2
4 changed files with 39 additions and 12 deletions


@ -1,15 +1,22 @@
---
- name: making sure octavia worker configuration directory exists
file: path="{{ octavia_confd_prefix }}{{ ca_private_key_path | dirname }}" state=directory
file:
path: "{{ octavia_confd_prefix }}{{ ca_private_key_path | dirname }}"
state: directory
selevel: s0
setype: svirt_sandbox_file_t
become: true
- name: Copying ca private key to octavia
- name: Copying key info to octavia
become: true
copy: content="{{ private_key_content }}" dest="{{ octavia_confd_prefix }}{{ ca_private_key_path }}"
- name: copying ca certificate to octavia
become: true
copy: content="{{ ca_cert_content }}" dest="{{ octavia_confd_prefix }}{{ ca_cert_path }}"
- name: Create pem file with service private key & public certificate
become: true
copy: content="{{ service_pem_content }}" dest="{{ octavia_confd_prefix }}{{ client_cert_path }}"
copy:
content: "{{ item.content }}"
dest: "{{ octavia_confd_prefix }}{{ item.path }}"
selevel: s0
setype: svirt_sandbox_file_t
no_log: true
loop:
- { content: private_key_content, path: ca_private_key_path }
- { content: ca_cert_content, path: ca_cert_path }
- { content: service_pem_content, path: client_cert_path }
notify:
- octavia config updated
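Review bot: As written, the loop items `- { content: private_key_content, path: ca_private_key_path }` (and the two lines after it) are plain strings, so `content: "{{ item.content }}"` renders to the literal text `private_key_content` and `dest` ends in `ca_private_key_path` rather than the real path — the key and certificate files would contain variable names instead of PEM data, unless something outside this hunk re-templates them. The items need the Jinja expressions, e.g. `- { content: "{{ private_key_content }}", path: "{{ ca_private_key_path }}" }`, and likewise for the CA certificate and service PEM items. Separately, the copy task sets `selevel`/`setype` but no `mode`, so the CA private key is written with the default mode; a per-item `mode` (e.g. `"0600"` on the private key item, passed through as `mode: "{{ item.mode }}"`) would keep it from being readable by other users on the host, if the consuming container does not need it wider. The `no_log: true` on this task is a good addition given that `content` carries key material.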


@ -10,6 +10,10 @@
- include_tasks: netport.yml
- include_tasks: netinterface.yml
- name: making sure octavia common configuration directory exists
file: path="{{ octavia_confd_prefix }}/etc/octavia/conf.d/common" state=directory
file:
path: "{{ octavia_confd_prefix }}/etc/octavia/conf.d/common"
state: directory
selevel: s0
setype: svirt_sandbox_file_t
become: true
- include_tasks: octavia.yml


@ -1,6 +1,10 @@
---
- name: making sure octavia worker configuration directory exists
file: path="{{ octavia_confd_prefix }}/etc/octavia/conf.d/octavia-worker" state=directory
file:
path: "{{ octavia_confd_prefix }}/etc/octavia/conf.d/octavia-worker"
state: directory
selevel: s0
setype: svirt_sandbox_file_t
become: true
- name: setting [controller_worker]/amp_boot_network_list
become: true
@ -10,6 +14,8 @@
section: controller_worker
option: amp_boot_network_list
value: "{{ lb_mgmt_net_id }}"
selevel: s0
setype: svirt_sandbox_file_t
- name: setting [controller_worker]/amp_secgroup_list
become: true
become_user: root
@ -18,8 +24,14 @@
section: controller_worker
option: amp_secgroup_list
value: "{{ lb_mgmt_secgroup_id }}"
selevel: s0
setype: svirt_sandbox_file_t
- name: making sure octavia health manager configuration directory exists
file: path="{{octavia_confd_prefix}}/etc/octavia/conf.d/octavia-health-manager" state=directory
file:
path: "{{octavia_confd_prefix}}/etc/octavia/conf.d/octavia-health-manager"
state: directory
selevel: s0
setype: svirt_sandbox_file_t
become: true
- name: create octavia health manager configuration file
become: true
@ -27,3 +39,5 @@
template:
dest: "{{octavia_confd_prefix}}/etc/octavia/conf.d/octavia-health-manager/manager-post-deploy.conf"
src: "manager-post-deploy.conf.j2"
selevel: s0
setype: svirt_sandbox_file_t
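Review bot: The rewritten line `path: "{{octavia_confd_prefix}}/etc/octavia/conf.d/octavia-health-manager"` keeps the unspaced `{{octavia_confd_prefix}}` form while the new `octavia-worker` directory task in the first hunk of this file uses `{{ octavia_confd_prefix }}`; since the line is being rewritten anyway, `path: "{{ octavia_confd_prefix }}/etc/octavia/conf.d/octavia-health-manager"` would keep the file consistent (the template `dest` in the last hunk has the same unspaced form but is untouched context). The two tasks that gain `selevel`/`setype` in the second and third hunks start before their hunk, so the module they use is not visible here; they appear to be `ini_file` tasks, which accept the file-common context arguments, but that is worth confirming against the full task. A one-line comment above the first directory task recording why `svirt_sandbox_file_t` is the required type would help the next maintainer, since the commit message only says "proper selinux context".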


@ -35,6 +35,8 @@
option: "controller_ip_port_list"
value: "{{ o_hm_ip_list }}"
path: "{{octavia_confd_prefix}}/etc/octavia/conf.d/octavia-worker/worker-post-deploy.conf"
selevel: s0
setype: svirt_sandbox_file_t
when: octavia_config_updated
- name: restart octavia containers