Octavia: set selinux contexts on ansible generated configuration

The octavia external deploy tasks create several files and directories,
and care must be taken to ensure they have the proper SELinux context.

Change-Id: I08be6722a68ce17b7fefc0f9ca3eb8bf9c585418
Closes-Bug: #1812274
(cherry picked from commit 67a55866b2)
Brent Eagles 2019-02-21 20:12:44 +00:00 committed by Carlos Goncalves
parent 68028747f7
commit b743cfaa25
4 changed files with 38 additions and 11 deletions


@ -1,15 +1,22 @@
--- ---
- name: making sure octavia worker configuration directory exists - name: making sure octavia worker configuration directory exists
file: path="{{ octavia_confd_prefix }}{{ ca_private_key_path | dirname }}" state=directory file:
path: "{{ octavia_confd_prefix }}{{ ca_private_key_path | dirname }}"
state: directory
selevel: s0
setype: svirt_sandbox_file_t
become: true become: true
- name: Copying key info to octavia if not already there - name: Copying key info to octavia if not already there
become: true become: true
copy: content="{{ private_key_content }}" dest="{{ octavia_confd_prefix }}{{ ca_private_key_path }}" copy:
- name: copying ca certificate to octavia content: "{{ item.content }}"
become: true dest: "{{ octavia_confd_prefix }}{{ item.path }}"
copy: content="{{ ca_cert_content }}" dest="{{ octavia_confd_prefix }}{{ ca_cert_path }}" selevel: s0
- name: Create pem file with service private key & public certificate setype: svirt_sandbox_file_t
become: true no_log: true
copy: content="{{ service_pem_content }}" dest="{{ octavia_confd_prefix }}{{ client_cert_path }}" loop:
- { content: private_key_content, path: ca_private_key_path }
- { content: ca_cert_content, path: ca_cert_path }
- { content: service_pem_content, path: client_cert_path }
notify: notify:
- octavia config updated - octavia config updated
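Review bot: The loop items in the new copy task at the end of the hunk carry bare names (`private_key_content`, `ca_private_key_path`, and so on), so `content: "{{ item.content }}"` and `dest: "{{ octavia_confd_prefix }}{{ item.path }}"` resolve to those literal strings rather than to the key, certificate and pem material and their paths that the removed inline `copy:` lines templated directly. Unless this Ansible version re-templates plain strings (it does not by default), the CA private key would never be written and the destination would be the literal text `ca_private_key_path`; the items should be templated, e.g. `- { content: "{{ private_key_content }}", path: "{{ ca_private_key_path }}" }`, and likewise for `ca_cert_content`/`ca_cert_path` and `service_pem_content`/`client_cert_path`. Keeping `no_log: true` on this task is right now that the loop items hold key material. Consider also an explicit `mode:` on the copy, since the private key currently inherits the module's default file mode, which is likely wider than a key needs — confirm which uid the octavia containers read it as before tightening.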


@ -13,6 +13,10 @@
- include_tasks: netport.yml - include_tasks: netport.yml
- include_tasks: netinterface.yml - include_tasks: netinterface.yml
- name: making sure octavia common configuration directory exists - name: making sure octavia common configuration directory exists
file: path="{{ octavia_confd_prefix }}/etc/octavia/conf.d/common" state=directory file:
path: "{{ octavia_confd_prefix }}/etc/octavia/conf.d/common"
state: directory
selevel: s0
setype: svirt_sandbox_file_t
become: true become: true
- include_tasks: octavia.yml - include_tasks: octavia.yml


@ -1,6 +1,10 @@
--- ---
- name: making sure octavia worker configuration directory exists - name: making sure octavia worker configuration directory exists
file: path="{{ octavia_confd_prefix }}/etc/octavia/conf.d/octavia-worker" state=directory file:
path: "{{ octavia_confd_prefix }}/etc/octavia/conf.d/octavia-worker"
state: directory
selevel: s0
setype: svirt_sandbox_file_t
become: true become: true
- name: setting [controller_worker]/amp_boot_network_list - name: setting [controller_worker]/amp_boot_network_list
become: true become: true
@ -10,6 +14,8 @@
section: controller_worker section: controller_worker
option: amp_boot_network_list option: amp_boot_network_list
value: "{{ lb_mgmt_net_id }}" value: "{{ lb_mgmt_net_id }}"
selevel: s0
setype: svirt_sandbox_file_t
- name: setting [controller_worker]/amp_secgroup_list - name: setting [controller_worker]/amp_secgroup_list
become: true become: true
become_user: root become_user: root
@ -18,8 +24,14 @@
section: controller_worker section: controller_worker
option: amp_secgroup_list option: amp_secgroup_list
value: "{{ lb_mgmt_secgroup_id }}" value: "{{ lb_mgmt_secgroup_id }}"
selevel: s0
setype: svirt_sandbox_file_t
- name: making sure octavia health manager configuration directory exists - name: making sure octavia health manager configuration directory exists
file: path="{{octavia_confd_prefix}}/etc/octavia/conf.d/octavia-health-manager" state=directory file:
path: "{{octavia_confd_prefix}}/etc/octavia/conf.d/octavia-health-manager"
state: directory
selevel: s0
setype: svirt_sandbox_file_t
become: true become: true
- name: create octavia health manager configuration file - name: create octavia health manager configuration file
become: true become: true
@ -27,6 +39,8 @@
template: template:
dest: "{{octavia_confd_prefix}}/etc/octavia/conf.d/octavia-health-manager/manager-post-deploy.conf" dest: "{{octavia_confd_prefix}}/etc/octavia/conf.d/octavia-health-manager/manager-post-deploy.conf"
src: "manager-post-deploy.conf.j2" src: "manager-post-deploy.conf.j2"
selevel: s0
setype: svirt_sandbox_file_t
- name: gather facts about the service project - name: gather facts about the service project
shell: | shell: |
openstack project show "{{ auth_project_name }}" -c id -f value openstack project show "{{ auth_project_name }}" -c id -f value
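Review bot: The rewritten `path:` for the health manager directory (hunk `@ -18,8 +24,14 @@`) keeps the unspaced `{{octavia_confd_prefix}}` while the worker directory task at the top of this file uses `{{ octavia_confd_prefix }}`; since the line is being rewritten anyway, `path: "{{ octavia_confd_prefix }}/etc/octavia/conf.d/octavia-health-manager"` would make the file consistent. The `selevel: s0` / `setype: svirt_sandbox_file_t` pair is now repeated verbatim on every file, ini_file and template task here and in the other files of this commit; a role-level variable pair referenced from each task (names to be chosen by the role, for example a constructed `octavia_conf_setype`) would keep the contexts from drifting if one is ever changed. The template task in the last hunk begins outside the hunk, and the gather-facts task continues past it.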


@ -35,6 +35,8 @@
option: "controller_ip_port_list" option: "controller_ip_port_list"
value: "{{ o_hm_ip_list }}" value: "{{ o_hm_ip_list }}"
path: "{{octavia_confd_prefix}}/etc/octavia/conf.d/octavia-worker/worker-post-deploy.conf" path: "{{octavia_confd_prefix}}/etc/octavia/conf.d/octavia-worker/worker-post-deploy.conf"
selevel: s0
setype: svirt_sandbox_file_t
when: octavia_config_updated when: octavia_config_updated
- name: restart octavia containers - name: restart octavia containers