From 7e8d88afa507df89e0a6848e1992021f0fb10f03 Mon Sep 17 00:00:00 2001
From: Kevin Carter <kecarter@redhat.com>
Date: Mon, 7 Feb 2022 14:38:29 -0600
Subject: [PATCH] Allow deployments to run when selinux is disabled

This change will allow the generated playbooks to run when selinux is
disabled. Presently the seboolean module will fail when a system has
selinux disabled. While selinux could be set permissive to avoid an
error, the disabled setting is a valid configuration and should be
respected.

> seboolean will now only run when selinux is enabled.

Change-Id: Ifd31adcf27902a8a77de9c68482306ec9da6d250
Signed-off-by: Kevin Carter <kecarter@redhat.com>
---
 deployment/barbican/barbican-api-container-puppet.yaml       | 3 +++
 .../ceilometer-agent-compute-container-puppet.yaml           | 3 +++
 .../ceilometer-agent-notification-container-puppet.yaml      | 3 +++
 deployment/cinder/cinder-backup-container-puppet.yaml        | 3 +++
 deployment/cinder/cinder-scheduler-container-puppet.yaml     | 3 +++
 .../deprecated/nova/nova-libvirt-container-puppet.yaml       | 3 +++
 deployment/heat/heat-engine-container-puppet.yaml            | 3 +++
 deployment/logrotate/logrotate-crond-container-puppet.yaml   | 3 +++
 deployment/manila/manila-scheduler-container-puppet.yaml     | 3 +++
 deployment/neutron/neutron-dhcp-container-puppet.yaml        | 3 +++
 deployment/neutron/neutron-l3-container-puppet.yaml          | 3 +++
 deployment/neutron/neutron-metadata-container-puppet.yaml    | 3 +++
 deployment/neutron/neutron-ovs-agent-container-puppet.yaml   | 3 +++
 deployment/neutron/neutron-sriov-agent-container-puppet.yaml | 3 +++
 deployment/nova/nova-compute-container-puppet.yaml           | 3 +++
 deployment/nova/nova-conductor-container-puppet.yaml         | 3 +++
 deployment/nova/nova-ironic-container-puppet.yaml            | 3 +++
 deployment/nova/nova-modular-libvirt-container-puppet.yaml   | 3 +++
 deployment/nova/nova-scheduler-container-puppet.yaml         | 3 +++
 deployment/octavia/octavia-worker-container-puppet.yaml      | 3 +++
 deployment/ovn/ovn-controller-container-puppet.yaml          | 5 ++++-
 21 files changed, 64 insertions(+), 1 deletion(-)

diff --git a/deployment/barbican/barbican-api-container-puppet.yaml b/deployment/barbican/barbican-api-container-puppet.yaml
index f9d8623b5c..24d0d24755 100644
--- a/deployment/barbican/barbican-api-container-puppet.yaml
+++ b/deployment/barbican/barbican-api-container-puppet.yaml
@@ -803,6 +803,9 @@ outputs:
                 name: virt_sandbox_use_netlink
                 persistent: true
                 state: true
+              when:
+                - ansible_facts.selinux is defined
+                - ansible_facts.selinux.status == "enabled"
       scale_tasks:
         if:
         - {get_param: BarbicanPkcs11CryptoLunasaEnabled}
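Review bot: The added `when:` makes the seboolean task skip quietly rather than fail, so on a host whose facts report SELinux as disabled the `virt_sandbox_use_netlink` boolean is simply never set; if SELinux is later switched to enforcing on that host, the container may be denied netlink access until the deploy tasks are re-run. The `status` fact also takes the value `Missing selinux Python library` when the bindings are absent, which likewise fails the `== "enabled"` test, so an enforcing host without the bindings would now pass silently instead of erroring. A comment on the guard would make both consequences explicit, e.g. `# seboolean fails when SELinux is disabled; skip instead of requiring permissive mode (re-run deploy after enabling SELinux)`, and a `debug`/`fail` on the skip path for enforcing hosts is worth considering. The same guard is added in every other hunk of this patch (ceilometer, cinder, the deprecated and modular nova-libvirt templates, heat, logrotate, manila, neutron, nova, octavia and ovn), so the comment belongs at each. The task's `name:` and module lines begin above the hunk.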
diff --git a/deployment/ceilometer/ceilometer-agent-compute-container-puppet.yaml b/deployment/ceilometer/ceilometer-agent-compute-container-puppet.yaml
index 618689b2d2..9d67f4e62d 100644
--- a/deployment/ceilometer/ceilometer-agent-compute-container-puppet.yaml
+++ b/deployment/ceilometer/ceilometer-agent-compute-container-puppet.yaml
@@ -139,3 +139,6 @@ outputs:
             name: virt_sandbox_use_netlink
             persistent: true
             state: true
+          when:
+            - ansible_facts.selinux is defined
+            - ansible_facts.selinux.status == "enabled"
diff --git a/deployment/ceilometer/ceilometer-agent-notification-container-puppet.yaml b/deployment/ceilometer/ceilometer-agent-notification-container-puppet.yaml
index 7cdc3c007b..0534531dcb 100644
--- a/deployment/ceilometer/ceilometer-agent-notification-container-puppet.yaml
+++ b/deployment/ceilometer/ceilometer-agent-notification-container-puppet.yaml
@@ -220,6 +220,9 @@ outputs:
             name: virt_sandbox_use_netlink
             persistent: true
             state: true
+          when:
+            - ansible_facts.selinux is defined
+            - ansible_facts.selinux.status == "enabled"
       external_upgrade_tasks:
         - when:
             - step|int == 1
diff --git a/deployment/cinder/cinder-backup-container-puppet.yaml b/deployment/cinder/cinder-backup-container-puppet.yaml
index e45075a261..8a3bbb4bfd 100644
--- a/deployment/cinder/cinder-backup-container-puppet.yaml
+++ b/deployment/cinder/cinder-backup-container-puppet.yaml
@@ -282,6 +282,9 @@ outputs:
                 name: virt_sandbox_use_netlink
                 persistent: true
                 state: true
+              when:
+                - ansible_facts.selinux is defined
+                - ansible_facts.selinux.status == "enabled"
       deploy_steps_tasks:
         - name: Clean up when switching cinder-backup from pcmk to active-active
           when:
diff --git a/deployment/cinder/cinder-scheduler-container-puppet.yaml b/deployment/cinder/cinder-scheduler-container-puppet.yaml
index c8d8e5f688..6f5aa652dd 100644
--- a/deployment/cinder/cinder-scheduler-container-puppet.yaml
+++ b/deployment/cinder/cinder-scheduler-container-puppet.yaml
@@ -163,6 +163,9 @@ outputs:
             name: virt_sandbox_use_netlink
             persistent: true
             state: true
+          when:
+            - ansible_facts.selinux is defined
+            - ansible_facts.selinux.status == "enabled"
       external_upgrade_tasks:
         - when:
             - step|int == 1
diff --git a/deployment/deprecated/nova/nova-libvirt-container-puppet.yaml b/deployment/deprecated/nova/nova-libvirt-container-puppet.yaml
index 51f88ab9f2..ac7ee7c6cd 100644
--- a/deployment/deprecated/nova/nova-libvirt-container-puppet.yaml
+++ b/deployment/deprecated/nova/nova-libvirt-container-puppet.yaml
@@ -925,6 +925,9 @@ outputs:
                 name: os_enable_vtpm
                 persistent: true
                 state: true
+              when:
+                - ansible_facts.selinux is defined
+                - ansible_facts.selinux.status == "enabled"
       metadata_settings:
         list_concat:
           - if:
diff --git a/deployment/heat/heat-engine-container-puppet.yaml b/deployment/heat/heat-engine-container-puppet.yaml
index dc42b9b160..4d702b840b 100644
--- a/deployment/heat/heat-engine-container-puppet.yaml
+++ b/deployment/heat/heat-engine-container-puppet.yaml
@@ -305,6 +305,9 @@ outputs:
                 name: virt_sandbox_use_netlink
                 persistent: true
                 state: true
+              when:
+                - ansible_facts.selinux is defined
+                - ansible_facts.selinux.status == "enabled"
       upgrade_tasks: []
       external_upgrade_tasks:
         - when:
diff --git a/deployment/logrotate/logrotate-crond-container-puppet.yaml b/deployment/logrotate/logrotate-crond-container-puppet.yaml
index 2a595d3f18..5e0c8ce175 100644
--- a/deployment/logrotate/logrotate-crond-container-puppet.yaml
+++ b/deployment/logrotate/logrotate-crond-container-puppet.yaml
@@ -113,6 +113,9 @@ outputs:
             name: logrotate_read_inside_containers
             persistent: true
             state: true
+          when:
+            - ansible_facts.selinux is defined
+            - ansible_facts.selinux.status == "enabled"
       deploy_steps_tasks:
         - name: configure tmpwatch on the host
           when: step|int == 2
diff --git a/deployment/manila/manila-scheduler-container-puppet.yaml b/deployment/manila/manila-scheduler-container-puppet.yaml
index 29c92c7976..7402e0e94c 100644
--- a/deployment/manila/manila-scheduler-container-puppet.yaml
+++ b/deployment/manila/manila-scheduler-container-puppet.yaml
@@ -128,6 +128,9 @@ outputs:
             name: virt_sandbox_use_netlink
             persistent: true
             state: true
+          when:
+            - ansible_facts.selinux is defined
+            - ansible_facts.selinux.status == "enabled"
       upgrade_tasks: []
       external_upgrade_tasks:
         - when:
diff --git a/deployment/neutron/neutron-dhcp-container-puppet.yaml b/deployment/neutron/neutron-dhcp-container-puppet.yaml
index 3b38b53efb..5297d6feb8 100644
--- a/deployment/neutron/neutron-dhcp-container-puppet.yaml
+++ b/deployment/neutron/neutron-dhcp-container-puppet.yaml
@@ -428,6 +428,9 @@ outputs:
                 name: virt_sandbox_use_netlink
                 persistent: true
                 state: true
+              when:
+                - ansible_facts.selinux is defined
+                - ansible_facts.selinux.status == "enabled"
             - name: set conditions
               set_fact:
                 dnsmasq_wrapper_enabled: {get_param: NeutronEnableDnsmasqDockerWrapper}
diff --git a/deployment/neutron/neutron-l3-container-puppet.yaml b/deployment/neutron/neutron-l3-container-puppet.yaml
index e07ecf3f1c..9438ddcec2 100644
--- a/deployment/neutron/neutron-l3-container-puppet.yaml
+++ b/deployment/neutron/neutron-l3-container-puppet.yaml
@@ -355,6 +355,9 @@ outputs:
                 name: virt_sandbox_use_netlink
                 persistent: true
                 state: true
+              when:
+                - ansible_facts.selinux is defined
+                - ansible_facts.selinux.status == "enabled"
             - name: set conditions
               set_fact:
                 keepalived_wrapper_enabled: {get_param: NeutronEnableKeepalivedWrapper}
diff --git a/deployment/neutron/neutron-metadata-container-puppet.yaml b/deployment/neutron/neutron-metadata-container-puppet.yaml
index 148b9d0d61..e6b2f9f6a7 100644
--- a/deployment/neutron/neutron-metadata-container-puppet.yaml
+++ b/deployment/neutron/neutron-metadata-container-puppet.yaml
@@ -211,4 +211,7 @@ outputs:
                 name: virt_sandbox_use_netlink
                 persistent: true
                 state: true
+              when:
+                - ansible_facts.selinux is defined
+                - ansible_facts.selinux.status == "enabled"
       upgrade_tasks: []
diff --git a/deployment/neutron/neutron-ovs-agent-container-puppet.yaml b/deployment/neutron/neutron-ovs-agent-container-puppet.yaml
index 9f81efc614..9acd0646d3 100644
--- a/deployment/neutron/neutron-ovs-agent-container-puppet.yaml
+++ b/deployment/neutron/neutron-ovs-agent-container-puppet.yaml
@@ -418,6 +418,9 @@ outputs:
                   name: virt_sandbox_use_netlink
                   persistent: true
                   state: true
+                when:
+                  - ansible_facts.selinux is defined
+                  - ansible_facts.selinux.status == "enabled"
       update_tasks:
         # puppetlabs-firewall manages security rules via Puppet but make the rules
         # consistent by default. Since Neutron also creates some rules, we don't
diff --git a/deployment/neutron/neutron-sriov-agent-container-puppet.yaml b/deployment/neutron/neutron-sriov-agent-container-puppet.yaml
index 707ce5eb1e..927cb63457 100644
--- a/deployment/neutron/neutron-sriov-agent-container-puppet.yaml
+++ b/deployment/neutron/neutron-sriov-agent-container-puppet.yaml
@@ -202,6 +202,9 @@ outputs:
                 name: virt_sandbox_use_netlink
                 persistent: true
                 state: true
+              when:
+                - ansible_facts.selinux is defined
+                - ansible_facts.selinux.status == "enabled"
             - if:
                 - derive_pci_whitelist_enabled
                 - - name: "creating directory"
diff --git a/deployment/nova/nova-compute-container-puppet.yaml b/deployment/nova/nova-compute-container-puppet.yaml
index 62a4f4e0ca..29e5e6192d 100644
--- a/deployment/nova/nova-compute-container-puppet.yaml
+++ b/deployment/nova/nova-compute-container-puppet.yaml
@@ -1525,6 +1525,9 @@ outputs:
               name: virt_sandbox_use_netlink
               persistent: true
               state: true
+            when:
+              - ansible_facts.selinux is defined
+              - ansible_facts.selinux.status == "enabled"
           - name: install Instance HA recovery script
             when: instance_ha_enabled|bool
             block:
diff --git a/deployment/nova/nova-conductor-container-puppet.yaml b/deployment/nova/nova-conductor-container-puppet.yaml
index b860e5a2e0..bfb784582a 100644
--- a/deployment/nova/nova-conductor-container-puppet.yaml
+++ b/deployment/nova/nova-conductor-container-puppet.yaml
@@ -242,6 +242,9 @@ outputs:
                 name: virt_sandbox_use_netlink
                 persistent: true
                 state: true
+              when:
+                - ansible_facts.selinux is defined
+                - ansible_facts.selinux.status == "enabled"
       external_upgrade_tasks:
         - when: step|int == 1
           block: &nova_online_db_migration
diff --git a/deployment/nova/nova-ironic-container-puppet.yaml b/deployment/nova/nova-ironic-container-puppet.yaml
index 1ad72b366e..2b09076d8e 100644
--- a/deployment/nova/nova-ironic-container-puppet.yaml
+++ b/deployment/nova/nova-ironic-container-puppet.yaml
@@ -230,6 +230,9 @@ outputs:
             name: virt_sandbox_use_netlink
             persistent: true
             state: true
+          when:
+            - ansible_facts.selinux is defined
+            - ansible_facts.selinux.status == "enabled"
       external_post_deploy_tasks: {get_attr: [NovaComputeCommon, nova_compute_common_deploy_steps_tasks]}
       external_upgrade_tasks:
         - when:
diff --git a/deployment/nova/nova-modular-libvirt-container-puppet.yaml b/deployment/nova/nova-modular-libvirt-container-puppet.yaml
index 53edb0ed97..2e396bd9e9 100644
--- a/deployment/nova/nova-modular-libvirt-container-puppet.yaml
+++ b/deployment/nova/nova-modular-libvirt-container-puppet.yaml
@@ -963,6 +963,9 @@ outputs:
                 name: os_enable_vtpm
                 persistent: true
                 state: true
+              when:
+                - ansible_facts.selinux is defined
+                - ansible_facts.selinux.status == "enabled"
       metadata_settings:
         list_concat:
           - if:
diff --git a/deployment/nova/nova-scheduler-container-puppet.yaml b/deployment/nova/nova-scheduler-container-puppet.yaml
index 1ba78ee002..6abab19946 100644
--- a/deployment/nova/nova-scheduler-container-puppet.yaml
+++ b/deployment/nova/nova-scheduler-container-puppet.yaml
@@ -323,6 +323,9 @@ outputs:
                 name: virt_sandbox_use_netlink
                 persistent: true
                 state: true
+              when:
+                - ansible_facts.selinux is defined
+                - ansible_facts.selinux.status == "enabled"
       external_upgrade_tasks:
         - when:
             - step|int == 1
diff --git a/deployment/octavia/octavia-worker-container-puppet.yaml b/deployment/octavia/octavia-worker-container-puppet.yaml
index b9afa3a332..29ce487b70 100644
--- a/deployment/octavia/octavia-worker-container-puppet.yaml
+++ b/deployment/octavia/octavia-worker-container-puppet.yaml
@@ -179,6 +179,9 @@ outputs:
             name: virt_sandbox_use_netlink
             persistent: true
             state: true
+          when:
+            - ansible_facts.selinux is defined
+            - ansible_facts.selinux.status == "enabled"
       update_tasks: {get_attr: [OctaviaBase, role_data, update_tasks]}
       upgrade_tasks: {get_attr: [OctaviaBase, role_data, upgrade_tasks]}
       external_upgrade_tasks:
diff --git a/deployment/ovn/ovn-controller-container-puppet.yaml b/deployment/ovn/ovn-controller-container-puppet.yaml
index d0eb1480f4..b23d33e5bb 100644
--- a/deployment/ovn/ovn-controller-container-puppet.yaml
+++ b/deployment/ovn/ovn-controller-container-puppet.yaml
@@ -271,7 +271,7 @@ outputs:
                 - 'ssl'
             vswitch::ovs::vlan_limit:
               if:
-                - {get_param: EnableVLANTransparency} 
+                - {get_param: EnableVLANTransparency}
                 - 0
       service_config_settings: {}
       # BEGIN DOCKER SETTINGS
@@ -420,6 +420,9 @@ outputs:
             name: virt_sandbox_use_netlink
             persistent: true
             state: true
+          when:
+            - ansible_facts.selinux is defined
+            - ansible_facts.selinux.status == "enabled"
         - name: Copy in cleanup script
           copy:
             content: {get_file: ../neutron/neutron-cleanup}