
Octavia: set selinux contexts on ansible generated configuration

The octavia external deploy tasks create several files and directories,
and care must be taken to ensure they have the proper SELinux context.

Change-Id: I08be6722a68ce17b7fefc0f9ca3eb8bf9c585418
Closes-Bug: #1812274
(cherry picked from commit 67a55866b2)
changes/45/701545/1
Brent Eagles 1 year ago
parent
commit
b743cfaa25
4 changed files with 38 additions and 11 deletions
  1. +15
    -8
      playbooks/roles/octavia-controller-config/tasks/certificate.yml
  2. +5
    -1
      playbooks/roles/octavia-controller-config/tasks/main.yml
  3. +16
    -2
      playbooks/roles/octavia-controller-config/tasks/octavia.yml
  4. +2
    -0
      playbooks/roles/octavia-controller-post-config/tasks/main.yml

+ 15
- 8
playbooks/roles/octavia-controller-config/tasks/certificate.yml

@@ -1,15 +1,22 @@
---
- name: making sure octavia worker configuration directory exists
file: path="{{ octavia_confd_prefix }}{{ ca_private_key_path | dirname }}" state=directory
file:
path: "{{ octavia_confd_prefix }}{{ ca_private_key_path | dirname }}"
state: directory
selevel: s0
setype: svirt_sandbox_file_t
become: true
- name: Copying key info to octavia if not already there
become: true
copy: content="{{ private_key_content }}" dest="{{ octavia_confd_prefix }}{{ ca_private_key_path }}"
- name: copying ca certificate to octavia
become: true
copy: content="{{ ca_cert_content }}" dest="{{ octavia_confd_prefix }}{{ ca_cert_path }}"
- name: Create pem file with service private key & public certificate
become: true
copy: content="{{ service_pem_content }}" dest="{{ octavia_confd_prefix }}{{ client_cert_path }}"
copy:
content: "{{ item.content }}"
dest: "{{ octavia_confd_prefix }}{{ item.path }}"
selevel: s0
setype: svirt_sandbox_file_t
no_log: true
loop:
- { content: private_key_content, path: ca_private_key_path }
- { content: ca_cert_content, path: ca_cert_path }
- { content: service_pem_content, path: client_cert_path }
notify:
- octavia config updated
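Review bot: In the new loop task, `content: "{{ item.content }}"` and `dest: "{{ octavia_confd_prefix }}{{ item.path }}"` resolve to the literal strings `private_key_content` and `ca_private_key_path`, because the three `- { content: …, path: … }` loop items carry the variable names as plain scalars rather than their values; unless something later resolves the names, each file would be written under the variable name as its filename with the variable name as its body. Assuming the rendered page has not dropped braces from these lines, the direct fix is to template the items, `- { content: "{{ private_key_content }}", path: "{{ ca_private_key_path }}" }` and likewise for the CA certificate and client PEM entries, or to keep the names and read them with `content: "{{ lookup('vars', item.content) }}"` and `dest: "{{ octavia_confd_prefix }}{{ lookup('vars', item.path) }}"`. Adding `no_log: true` is the right call here since the private key passes through the loop output. The task name 'Create pem file with service private key & public certificate' now covers three files and could be renamed accordingly.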

+ 5
- 1
playbooks/roles/octavia-controller-config/tasks/main.yml

@@ -13,6 +13,10 @@
- include_tasks: netport.yml
- include_tasks: netinterface.yml
- name: making sure octavia common configuration directory exists
file: path="{{ octavia_confd_prefix }}/etc/octavia/conf.d/common" state=directory
file:
path: "{{ octavia_confd_prefix }}/etc/octavia/conf.d/common"
state: directory
selevel: s0
setype: svirt_sandbox_file_t
become: true
- include_tasks: octavia.yml
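Review bot: `selevel: s0` and `setype: svirt_sandbox_file_t` are written as bare literals on the `file:` task here and on every file, copy, ini_file and template task in certificate.yml, octavia.yml and octavia-controller-post-config/tasks/main.yml, so the type name is now hard-coded in six places. `svirt_sandbox_file_t` is an alias for `container_file_t` in current container-selinux policies, so keeping it in one role default would make a later policy change a one-line edit, e.g. `setype: "{{ octavia_confd_setype }}"` on each task with `octavia_confd_setype: svirt_sandbox_file_t` in the role defaults (the variable name is a suggestion, not an existing one). The same applies to `selevel` if it is ever expected to vary.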

+ 16
- 2
playbooks/roles/octavia-controller-config/tasks/octavia.yml

@@ -1,6 +1,10 @@
---
- name: making sure octavia worker configuration directory exists
file: path="{{ octavia_confd_prefix }}/etc/octavia/conf.d/octavia-worker" state=directory
file:
path: "{{ octavia_confd_prefix }}/etc/octavia/conf.d/octavia-worker"
state: directory
selevel: s0
setype: svirt_sandbox_file_t
become: true
- name: setting [controller_worker]/amp_boot_network_list
become: true
@@ -10,6 +14,8 @@
section: controller_worker
option: amp_boot_network_list
value: "{{ lb_mgmt_net_id }}"
selevel: s0
setype: svirt_sandbox_file_t
- name: setting [controller_worker]/amp_secgroup_list
become: true
become_user: root
@@ -18,8 +24,14 @@
section: controller_worker
option: amp_secgroup_list
value: "{{ lb_mgmt_secgroup_id }}"
selevel: s0
setype: svirt_sandbox_file_t
- name: making sure octavia health manager configuration directory exists
file: path="{{octavia_confd_prefix}}/etc/octavia/conf.d/octavia-health-manager" state=directory
file:
path: "{{octavia_confd_prefix}}/etc/octavia/conf.d/octavia-health-manager"
state: directory
selevel: s0
setype: svirt_sandbox_file_t
become: true
- name: create octavia health manager configuration file
become: true
@@ -27,6 +39,8 @@
template:
dest: "{{octavia_confd_prefix}}/etc/octavia/conf.d/octavia-health-manager/manager-post-deploy.conf"
src: "manager-post-deploy.conf.j2"
selevel: s0
setype: svirt_sandbox_file_t
- name: gather facts about the service project
shell: |
openstack project show "{{ auth_project_name }}" -c id -f value
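Review bot: The rewritten `path:` line of the health-manager directory task keeps `{{octavia_confd_prefix}}` without the inner spaces, while the worker directory task at the top of the same file uses `{{ octavia_confd_prefix }}`; since the line is being rewritten anyway, `path: "{{ octavia_confd_prefix }}/etc/octavia/conf.d/octavia-health-manager"` would make the two tasks read the same (the `template:` dest in the last hunk has the same spacing, but that line is unchanged). The two `ini_file` tasks and the `template` task that receive `selevel`/`setype` start outside their hunks, so whether their other file arguments (owner, mode) are set is not visible here.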

+ 2
- 0
playbooks/roles/octavia-controller-post-config/tasks/main.yml

@@ -35,6 +35,8 @@
option: "controller_ip_port_list"
value: "{{ o_hm_ip_list }}"
path: "{{octavia_confd_prefix}}/etc/octavia/conf.d/octavia-worker/worker-post-deploy.conf"
selevel: s0
setype: svirt_sandbox_file_t
when: octavia_config_updated

- name: restart octavia containers
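Review bot: The `selevel`/`setype` added to this `ini_file` task sit behind the existing `when: octavia_config_updated` guard, so on a deployment where the worker-post-deploy.conf already exists with the old label and the config has not changed, this run will not relabel it; if the intent of the fix is to also repair files from earlier deployments, the label would need to be applied by a step that is not conditional on a config change. The enclosing task begins before this hunk, so the task name and the other file arguments are not visible here.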
