From b743cfaa25de5f3341de5c39fe11a77dad1af1e1 Mon Sep 17 00:00:00 2001 From: Brent Eagles Date: Thu, 21 Feb 2019 20:12:44 +0000 Subject: [PATCH] Octavia: set selinux contexts on ansible generated configuration The octavia external deploy tasks creates several files and directories and care must be taken to ensure they have the proper selinux context. Change-Id: I08be6722a68ce17b7fefc0f9ca3eb8bf9c585418 Closes-Bug: #1812274 (cherry picked from commit 67a55866b257246551fde8ff774fe68dbc8de628)
---
 .../tasks/certificate.yml | 23 ++++++++++++------- .../octavia-controller-config/tasks/main.yml | 6 ++++- .../tasks/octavia.yml | 18 +++++++++++++-- .../tasks/main.yml | 2 ++ 4 files changed, 38 insertions(+), 11 deletions(-)
diff --git a/playbooks/roles/octavia-controller-config/tasks/certificate.yml b/playbooks/roles/octavia-controller-config/tasks/certificate.yml
index 093f5701a..80791f3d5 100644
--- a/playbooks/roles/octavia-controller-config/tasks/certificate.yml
+++ b/playbooks/roles/octavia-controller-config/tasks/certificate.yml
@@ -1,15 +1,22 @@
 ---
 - name: making sure octavia worker configuration directory exists
- file: path="{{ octavia_confd_prefix }}{{ ca_private_key_path | dirname }}" state=directory
+ file:
+ path: "{{ octavia_confd_prefix }}{{ ca_private_key_path | dirname }}"
+ state: directory
+ selevel: s0
+ setype: svirt_sandbox_file_t
 become: true
 - name: Copying key info to octavia if not already there
 become: true
- copy: content="{{ private_key_content }}" dest="{{ octavia_confd_prefix }}{{ ca_private_key_path }}"
- - name: copying ca certificate to octavia
- become: true
- copy: content="{{ ca_cert_content }}" dest="{{ octavia_confd_prefix }}{{ ca_cert_path }}"
- - name: Create pem file with service private key & public certificate
- become: true
- copy: content="{{ service_pem_content }}" dest="{{ octavia_confd_prefix }}{{ client_cert_path }}"
+ copy:
+ content: "{{ item.content }}"
+ dest: "{{ octavia_confd_prefix }}{{ item.path }}"
+ selevel: s0
+ setype: svirt_sandbox_file_t
+ no_log: true
+ loop:
+ - { content: private_key_content, path: ca_private_key_path }
+ - { content: ca_cert_content, path: ca_cert_path }
+ - { content: service_pem_content, path: client_cert_path }
 notify:
 - octavia config updated
diff --git a/playbooks/roles/octavia-controller-config/tasks/main.yml b/playbooks/roles/octavia-controller-config/tasks/main.yml
index 53145f5a0..93fa8cd97 100644
--- a/playbooks/roles/octavia-controller-config/tasks/main.yml
+++ b/playbooks/roles/octavia-controller-config/tasks/main.yml
@@ -13,6 +13,10 @@
 - include_tasks: netport.yml
 - include_tasks: netinterface.yml
 - name: making sure octavia common configuration directory exists
- file: path="{{ octavia_confd_prefix }}/etc/octavia/conf.d/common" state=directory
+ file:
+ path: "{{ octavia_confd_prefix }}/etc/octavia/conf.d/common"
+ state: directory
+ selevel: s0
+ setype: svirt_sandbox_file_t
 become: true
 - include_tasks: octavia.yml
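Review bot: The new `loop:` entries are plain YAML strings, so `content: "{{ item.content }}"` renders to the literal text `private_key_content` (and `dest` to `{{ octavia_confd_prefix }}ca_private_key_path`) rather than to the variable's value, which means the CA key, CA certificate and client PEM the three removed `copy` tasks used to write never reach their files, and `no_log: true` hides that from the task output. Unless something upstream has already templated these names (nothing in the hunk shows that), Ansible only evaluates Jinja that is present in the string, so the entries need the expressions themselves: `- { content: "{{ private_key_content }}", path: "{{ ca_private_key_path }}" }`, `- { content: "{{ ca_cert_content }}", path: "{{ ca_cert_path }}" }`, `- { content: "{{ service_pem_content }}", path: "{{ client_cert_path }}" }`. Separately, nothing in the hunk sets `mode`, so the CA private key is written with whatever default the `copy` module and umask produce; a per-entry `mode` (e.g. `"0600"` for the key entry, referenced as `mode: "{{ item.mode }}"`) is worth adding while the task is being reworked.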
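Review bot: The `setype`/`selevel` added to the `file:` task for `conf.d/common` label the directory in place (the equivalent of `chcon`), but no matching file-context rule is added for `{{ octavia_confd_prefix }}/etc/octavia/conf.d`, so a later `restorecon -R` or an autorelabel resets the label to the policy default and reintroduces the bug this change closes. If the label is meant to be durable, a `sefcontext` task (`path: "{{ octavia_confd_prefix }}/etc/octavia/conf.d(/.*)?"`, `setype: svirt_sandbox_file_t`) ahead of the `file:` tasks, or a `:z`/`:Z` option on the container bind mount (not visible here), is the usual approach. A short comment on the stanza explaining why this type is chosen, e.g. `# svirt_sandbox_file_t: presumably so the octavia containers can read the bind-mounted conf.d — confirm`, would help the next reader, since nothing in the task names the consumer.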
diff --git a/playbooks/roles/octavia-controller-config/tasks/octavia.yml b/playbooks/roles/octavia-controller-config/tasks/octavia.yml
index 6ecff82c3..dd510654c 100644
--- a/playbooks/roles/octavia-controller-config/tasks/octavia.yml
+++ b/playbooks/roles/octavia-controller-config/tasks/octavia.yml
@@ -1,6 +1,10 @@
 ---
 - name: making sure octavia worker configuration directory exists
- file: path="{{ octavia_confd_prefix }}/etc/octavia/conf.d/octavia-worker" state=directory
+ file:
+ path: "{{ octavia_confd_prefix }}/etc/octavia/conf.d/octavia-worker"
+ state: directory
+ selevel: s0
+ setype: svirt_sandbox_file_t
 become: true
 - name: setting [controller_worker]/amp_boot_network_list
 become: true
@@ -10,6 +14,8 @@
 section: controller_worker
 option: amp_boot_network_list
 value: "{{ lb_mgmt_net_id }}"
+ selevel: s0
+ setype: svirt_sandbox_file_t
 - name: setting [controller_worker]/amp_secgroup_list
 become: true
 become_user: root
@@ -18,8 +24,14 @@
 section: controller_worker
 option: amp_secgroup_list
 value: "{{ lb_mgmt_secgroup_id }}"
+ selevel: s0
+ setype: svirt_sandbox_file_t
 - name: making sure octavia health manager configuration directory exists
- file: path="{{octavia_confd_prefix}}/etc/octavia/conf.d/octavia-health-manager" state=directory
+ file:
+ path: "{{octavia_confd_prefix}}/etc/octavia/conf.d/octavia-health-manager"
+ state: directory
+ selevel: s0
+ setype: svirt_sandbox_file_t
 become: true
 - name: create octavia health manager configuration file
 become: true
@@ -27,6 +39,8 @@
 template:
 dest: "{{octavia_confd_prefix}}/etc/octavia/conf.d/octavia-health-manager/manager-post-deploy.conf"
 src: "manager-post-deploy.conf.j2"
+ selevel: s0
+ setype: svirt_sandbox_file_t
 - name: gather facts about the service project
 shell: |
 openstack project show "{{ auth_project_name }}" -c id -f value
diff --git a/playbooks/roles/octavia-controller-post-config/tasks/main.yml b/playbooks/roles/octavia-controller-post-config/tasks/main.yml
index 6f148fa6b..6f57f033d 100644
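Review bot: The rewritten health-manager `file:` stanza in the `@@ -18,8 +24,14 @@` hunk keeps `{{octavia_confd_prefix}}` without inner spaces while every other new `path:` line in this commit uses `{{ octavia_confd_prefix }}`; since the line is being rewritten anyway, `path: "{{ octavia_confd_prefix }}/etc/octavia/conf.d/octavia-health-manager"` would keep the file consistent. The same `selevel: s0` / `setype: svirt_sandbox_file_t` pair is now repeated on every `file:`, `ini_file` and `template` task in this role; a single `file:` task looping over the conf.d subdirectory list, and a role-level variable for the type that each task references, would keep the label in one place if it ever needs changing. The `ini_file` tasks in the second and third hunks start outside the hunk, so their `path:` values are not visible here.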
--- a/playbooks/roles/octavia-controller-post-config/tasks/main.yml
+++ b/playbooks/roles/octavia-controller-post-config/tasks/main.yml
@@ -35,6 +35,8 @@
 option: "controller_ip_port_list"
 value: "{{ o_hm_ip_list }}"
 path: "{{octavia_confd_prefix}}/etc/octavia/conf.d/octavia-worker/worker-post-deploy.conf"
+ selevel: s0
+ setype: svirt_sandbox_file_t
 when: octavia_config_updated
 - name: restart octavia containers
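Review bot: The `selevel`/`setype` are added to a task that is guarded by `when: octavia_config_updated` (the task's `ini_file:` header starts outside the hunk), so on a deployment where `worker-post-deploy.conf` already exists from an earlier run and the flag is false, the file keeps its old label and the mislabel this change is meant to close is never repaired. If relabelling existing files on upgrade is part of the intent, a separate unguarded relabel of the existing path, or running this `ini_file` task without the `when` (it is idempotent on an unchanged value), would cover that case. Whether `octavia_config_updated` is actually false on such reruns depends on how it is set elsewhere in the role, which is not visible here.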