Octavia: set selinux contexts on ansible generated configuration

The octavia external deploy tasks creates several files and directories and care must be taken to ensure they have the proper selinux context. Change-Id: I08be6722a68ce17b7fefc0f9ca3eb8bf9c585418 Closes-Bug: #1812274 (cherry picked from commit 67a55866b2)
2019-02-21 20:12:44 +00:00 · 2019-02-21 20:12:44 +00:00 · b743cfaa25
parent 68028747f7
commit b743cfaa25
4 changed files with 38 additions and 11 deletions
--- a/playbooks/roles/octavia-controller-config/tasks/certificate.yml
+++ b/playbooks/roles/octavia-controller-config/tasks/certificate.yml
@ -1,15 +1,22 @@
 ---
  - name: making sure octavia worker configuration directory exists
-    file: path="{{ octavia_confd_prefix }}{{ ca_private_key_path | dirname }}" state=directory
+    file:
+      path: "{{ octavia_confd_prefix }}{{ ca_private_key_path | dirname }}"
+      state: directory
+      selevel: s0
+      setype: svirt_sandbox_file_t
    become: true
  - name: Copying key info to octavia if not already there
    become: true
-    copy: content="{{ private_key_content }}" dest="{{ octavia_confd_prefix }}{{ ca_private_key_path }}"
-  - name: copying ca certificate to octavia
-    become: true
-    copy: content="{{ ca_cert_content }}" dest="{{ octavia_confd_prefix }}{{ ca_cert_path }}"
-  - name: Create pem file with service private key & public certificate
-    become: true
-    copy: content="{{ service_pem_content }}" dest="{{ octavia_confd_prefix }}{{ client_cert_path }}"
+    copy:
+      content: "{{ item.content }}"
+      dest: "{{ octavia_confd_prefix }}{{ item.path }}"
+      selevel: s0
+      setype: svirt_sandbox_file_t
+    no_log: true
+    loop:
+        - { content: private_key_content, path: ca_private_key_path }
+        - { content: ca_cert_content, path: ca_cert_path }
+        - { content: service_pem_content, path: client_cert_path }
    notify:
      - octavia config updated
--- a/playbooks/roles/octavia-controller-config/tasks/main.yml
+++ b/playbooks/roles/octavia-controller-config/tasks/main.yml
@ -13,6 +13,10 @@
  - include_tasks: netport.yml
  - include_tasks: netinterface.yml
  - name: making sure octavia common configuration directory exists
-    file: path="{{ octavia_confd_prefix }}/etc/octavia/conf.d/common" state=directory
+    file:
+      path: "{{ octavia_confd_prefix }}/etc/octavia/conf.d/common"
+      state: directory
+      selevel: s0
+      setype: svirt_sandbox_file_t
    become: true
  - include_tasks: octavia.yml
--- a/playbooks/roles/octavia-controller-config/tasks/octavia.yml
+++ b/playbooks/roles/octavia-controller-config/tasks/octavia.yml
@ -1,6 +1,10 @@
 ---
  - name: making sure octavia worker configuration directory exists
-    file: path="{{ octavia_confd_prefix }}/etc/octavia/conf.d/octavia-worker" state=directory
+    file:
+      path: "{{ octavia_confd_prefix }}/etc/octavia/conf.d/octavia-worker"
+      state: directory
+      selevel: s0
+      setype: svirt_sandbox_file_t
    become: true
  - name: setting [controller_worker]/amp_boot_network_list
    become: true
@ -10,6 +14,8 @@
      section: controller_worker
      option: amp_boot_network_list
      value: "{{ lb_mgmt_net_id }}"
+      selevel: s0
+      setype: svirt_sandbox_file_t
  - name: setting [controller_worker]/amp_secgroup_list
    become: true
    become_user: root
@ -18,8 +24,14 @@
      section: controller_worker
      option: amp_secgroup_list
      value: "{{ lb_mgmt_secgroup_id }}"
+      selevel: s0
+      setype: svirt_sandbox_file_t
  - name: making sure octavia health manager configuration directory exists
-    file: path="{{octavia_confd_prefix}}/etc/octavia/conf.d/octavia-health-manager" state=directory
+    file:
+      path: "{{octavia_confd_prefix}}/etc/octavia/conf.d/octavia-health-manager"
+      state: directory
+      selevel: s0
+      setype: svirt_sandbox_file_t
    become: true
  - name: create octavia health manager configuration file
    become: true
@ -27,6 +39,8 @@
    template:
      dest: "{{octavia_confd_prefix}}/etc/octavia/conf.d/octavia-health-manager/manager-post-deploy.conf"
      src: "manager-post-deploy.conf.j2"
+      selevel: s0
+      setype: svirt_sandbox_file_t
  - name: gather facts about the service project
    shell: |
      openstack project show "{{ auth_project_name }}" -c id -f value
--- a/playbooks/roles/octavia-controller-post-config/tasks/main.yml
+++ b/playbooks/roles/octavia-controller-post-config/tasks/main.yml
@ -35,6 +35,8 @@
      option: "controller_ip_port_list"
      value: "{{ o_hm_ip_list }}"
      path: "{{octavia_confd_prefix}}/etc/octavia/conf.d/octavia-worker/worker-post-deploy.conf"
+      selevel: s0
+      setype: svirt_sandbox_file_t
    when: octavia_config_updated

  - name: restart octavia containers