Merge "Ensure SELinux is permissive on Ceph OSDs"

2015-07-24 16:24:13 +00:00 · 2015-07-24 16:24:13 +00:00 · 386fc60890
commit 386fc60890
parent 1a0f4eefc8 9ab0050e6e
4 changed files with 46 additions and 2 deletions
--- a/puppet/hieradata/ceph.yaml
+++ b/puppet/hieradata/ceph.yaml
@ -12,4 +12,6 @@ ceph_pools:
  - vms
  - images

-ceph_classes: []
+ceph_classes: []
+
+ceph_osd_selinux_permissive: true
--- a/puppet/manifests/overcloud_cephstorage.pp
+++ b/puppet/manifests/overcloud_cephstorage.pp
@ -21,7 +21,21 @@ if count(hiera('ntp::servers')) > 0 {
  include ::ntp
 }

+if str2bool(hiera('ceph_osd_selinux_permissive', true)) {
+  exec { 'set selinux to permissive on boot':
+    command => "sed -ie 's/^SELINUX=.*/SELINUX=permissive/' /etc/selinux/config",
+    onlyif  => "test -f /etc/selinux/config && ! grep '^SELINUX=permissive' /etc/selinux/config",
+    path    => ["/usr/bin", "/usr/sbin"],
+  }
+
+  exec { 'set selinux to permissive':
+    command => "setenforce 0",
+    onlyif  => "which setenforce && getenforce | grep -i 'enforcing'",
+    path    => ["/usr/bin", "/usr/sbin"],
+  } -> Class['ceph::profile::osd']
+}
+
 include ::ceph::profile::client
 include ::ceph::profile::osd

-hiera_include('ceph_classes')
+hiera_include('ceph_classes')
--- a/puppet/manifests/overcloud_controller.pp
+++ b/puppet/manifests/overcloud_controller.pp
@ -184,6 +184,20 @@ if hiera('step') >= 2 {
  }

  if str2bool(hiera('enable_ceph_storage', 'false')) {
+    if str2bool(hiera('ceph_osd_selinux_permissive', true)) {
+      exec { 'set selinux to permissive on boot':
+        command => "sed -ie 's/^SELINUX=.*/SELINUX=permissive/' /etc/selinux/config",
+        onlyif  => "test -f /etc/selinux/config && ! grep '^SELINUX=permissive' /etc/selinux/config",
+        path    => ["/usr/bin", "/usr/sbin"],
+      }
+
+      exec { 'set selinux to permissive':
+        command => "setenforce 0",
+        onlyif  => "which setenforce && getenforce | grep -i 'enforcing'",
+        path    => ["/usr/bin", "/usr/sbin"],
+      } -> Class['ceph::profile::osd']
+    }
+
    include ::ceph::profile::client
    include ::ceph::profile::osd
  }
--- a/puppet/manifests/overcloud_controller_pacemaker.pp
+++ b/puppet/manifests/overcloud_controller_pacemaker.pp
@ -492,6 +492,20 @@ MYSQL_HOST=localhost\n",
  }

  if str2bool(hiera('enable_ceph_storage', 'false')) {
+    if str2bool(hiera('ceph_osd_selinux_permissive', true)) {
+      exec { 'set selinux to permissive on boot':
+        command => "sed -ie 's/^SELINUX=.*/SELINUX=permissive/' /etc/selinux/config",
+        onlyif  => "test -f /etc/selinux/config && ! grep '^SELINUX=permissive' /etc/selinux/config",
+        path    => ["/usr/bin", "/usr/sbin"],
+      }
+
+      exec { 'set selinux to permissive':
+        command => "setenforce 0",
+        onlyif  => "which setenforce && getenforce | grep -i 'enforcing'",
+        path    => ["/usr/bin", "/usr/sbin"],
+      } -> Class['ceph::profile::osd']
+    }
+
    include ::ceph::profile::client
    include ::ceph::profile::osd
  }