Merge "Octavia: set selinux contexts on ansible generated configuration"

playbooks/roles/octavia-controller-config/tasks/certificate.yml

@@ -1,15 +1,22 @@
 ---
   - name: making sure octavia worker configuration directory exists
-    file: path="{{ octavia_confd_prefix }}{{ ca_private_key_path | dirname }}" state=directory
+    file:
+      path: "{{ octavia_confd_prefix }}{{ ca_private_key_path | dirname }}"
+      state: directory
+      selevel: s0
+      setype: svirt_sandbox_file_t
     become: true
-  - name: Copying ca private key to octavia
+  - name: Copying key info to octavia
     become: true
-    copy: content="{{ private_key_content }}" dest="{{ octavia_confd_prefix }}{{ ca_private_key_path }}"
-  - name: copying ca certificate to octavia
-    become: true
-    copy: content="{{ ca_cert_content }}" dest="{{ octavia_confd_prefix }}{{ ca_cert_path }}"
-  - name: Create pem file with service private key & public certificate
-    become: true
-    copy: content="{{ service_pem_content }}" dest="{{ octavia_confd_prefix }}{{ client_cert_path }}"
+    copy:
+      content: "{{ item.content }}"
+      dest: "{{ octavia_confd_prefix }}{{ item.path }}"
+      selevel: s0
+      setype: svirt_sandbox_file_t
+    no_log: true
+    loop:
+        - { content: private_key_content, path: ca_private_key_path }
+        - { content: ca_cert_content, path: ca_cert_path }
+        - { content: service_pem_content, path: client_cert_path }
     notify:
       - octavia config updated

playbooks/roles/octavia-controller-config/tasks/main.yml

@@ -10,6 +10,10 @@
   - include_tasks: netport.yml
   - include_tasks: netinterface.yml
   - name: making sure octavia common configuration directory exists
-    file: path="{{ octavia_confd_prefix }}/etc/octavia/conf.d/common" state=directory
+    file:
+      path: "{{ octavia_confd_prefix }}/etc/octavia/conf.d/common"
+      state: directory
+      selevel: s0
+      setype: svirt_sandbox_file_t
     become: true
   - include_tasks: octavia.yml

playbooks/roles/octavia-controller-config/tasks/octavia.yml

@@ -1,6 +1,10 @@
 ---
   - name: making sure octavia worker configuration directory exists
-    file: path="{{ octavia_confd_prefix }}/etc/octavia/conf.d/octavia-worker" state=directory
+    file:
+      path: "{{ octavia_confd_prefix }}/etc/octavia/conf.d/octavia-worker"
+      state: directory
+      selevel: s0
+      setype: svirt_sandbox_file_t
     become: true
   - name: setting [controller_worker]/amp_boot_network_list
     become: true
@@ -10,6 +14,8 @@
       section: controller_worker
       option: amp_boot_network_list
       value: "{{ lb_mgmt_net_id }}"
+      selevel: s0
+      setype: svirt_sandbox_file_t
   - name: setting [controller_worker]/amp_secgroup_list
     become: true
     become_user: root
@@ -18,8 +24,14 @@
       section: controller_worker
       option: amp_secgroup_list
       value: "{{ lb_mgmt_secgroup_id }}"
+      selevel: s0
+      setype: svirt_sandbox_file_t
   - name: making sure octavia health manager configuration directory exists
-    file: path="{{octavia_confd_prefix}}/etc/octavia/conf.d/octavia-health-manager" state=directory
+    file:
+      path: "{{octavia_confd_prefix}}/etc/octavia/conf.d/octavia-health-manager"
+      state: directory
+      selevel: s0
+      setype: svirt_sandbox_file_t
     become: true
   - name: create octavia health manager configuration file
     become: true
@@ -27,3 +39,5 @@
     template:
       dest: "{{octavia_confd_prefix}}/etc/octavia/conf.d/octavia-health-manager/manager-post-deploy.conf"
       src: "manager-post-deploy.conf.j2"
+      selevel: s0
+      setype: svirt_sandbox_file_t

playbooks/roles/octavia-controller-post-config/tasks/main.yml

@@ -35,6 +35,8 @@
       option: "controller_ip_port_list"
       value: "{{ o_hm_ip_list }}"
       path: "{{octavia_confd_prefix}}/etc/octavia/conf.d/octavia-worker/worker-post-deploy.conf"
+      selevel: s0
+      setype: svirt_sandbox_file_t
     when: octavia_config_updated
 
   - name: restart octavia containers