From 7e8d88afa507df89e0a6848e1992021f0fb10f03 Mon Sep 17 00:00:00 2001 From: Kevin Carter Date: Mon, 7 Feb 2022 14:38:29 -0600 Subject: [PATCH] Allow deployments to run when selinux is disabled This change will allow the generated playbooks to run when selinux is disabled. Presently the seboolean module will fail when a system has selinux disabled. While selinux could be set permissive to avoid an error, the disabled setting is a valid configuration and should be respected. > seboolean will now only run when selinux is enabled. Change-Id: Ifd31adcf27902a8a77de9c68482306ec9da6d250 Signed-off-by: Kevin Carter --- deployment/barbican/barbican-api-container-puppet.yaml | 3 +++ .../ceilometer-agent-compute-container-puppet.yaml | 3 +++ .../ceilometer-agent-notification-container-puppet.yaml | 3 +++ deployment/cinder/cinder-backup-container-puppet.yaml | 3 +++ deployment/cinder/cinder-scheduler-container-puppet.yaml | 3 +++ .../deprecated/nova/nova-libvirt-container-puppet.yaml | 3 +++ deployment/heat/heat-engine-container-puppet.yaml | 3 +++ deployment/logrotate/logrotate-crond-container-puppet.yaml | 3 +++ deployment/manila/manila-scheduler-container-puppet.yaml | 3 +++ deployment/neutron/neutron-dhcp-container-puppet.yaml | 3 +++ deployment/neutron/neutron-l3-container-puppet.yaml | 3 +++ deployment/neutron/neutron-metadata-container-puppet.yaml | 3 +++ deployment/neutron/neutron-ovs-agent-container-puppet.yaml | 3 +++ deployment/neutron/neutron-sriov-agent-container-puppet.yaml | 3 +++ deployment/nova/nova-compute-container-puppet.yaml | 3 +++ deployment/nova/nova-conductor-container-puppet.yaml | 3 +++ deployment/nova/nova-ironic-container-puppet.yaml | 3 +++ deployment/nova/nova-modular-libvirt-container-puppet.yaml | 3 +++ deployment/nova/nova-scheduler-container-puppet.yaml | 3 +++ deployment/octavia/octavia-worker-container-puppet.yaml | 3 +++ deployment/ovn/ovn-controller-container-puppet.yaml | 5 ++++- 21 files changed, 64 insertions(+), 1 deletion(-)
diff --git a/deployment/barbican/barbican-api-container-puppet.yaml b/deployment/barbican/barbican-api-container-puppet.yaml
index f9d8623b5c..24d0d24755 100644
--- a/deployment/barbican/barbican-api-container-puppet.yaml
+++ b/deployment/barbican/barbican-api-container-puppet.yaml
@@ -803,6 +803,9 @@ outputs:
 name: virt_sandbox_use_netlink
 persistent: true
 state: true
+ when:
+ - ansible_facts.selinux is defined
+ - ansible_facts.selinux.status == "enabled"
 scale_tasks:
 if:
 - {get_param: BarbicanPkcs11CryptoLunasaEnabled}
diff --git a/deployment/ceilometer/ceilometer-agent-compute-container-puppet.yaml b/deployment/ceilometer/ceilometer-agent-compute-container-puppet.yaml
index 618689b2d2..9d67f4e62d 100644
--- a/deployment/ceilometer/ceilometer-agent-compute-container-puppet.yaml
+++ b/deployment/ceilometer/ceilometer-agent-compute-container-puppet.yaml
@@ -139,3 +139,6 @@ outputs:
 name: virt_sandbox_use_netlink
 persistent: true
 state: true
+ when:
+ - ansible_facts.selinux is defined
+ - ansible_facts.selinux.status == "enabled"
diff --git a/deployment/ceilometer/ceilometer-agent-notification-container-puppet.yaml b/deployment/ceilometer/ceilometer-agent-notification-container-puppet.yaml
index 7cdc3c007b..0534531dcb 100644
--- a/deployment/ceilometer/ceilometer-agent-notification-container-puppet.yaml
+++ b/deployment/ceilometer/ceilometer-agent-notification-container-puppet.yaml
@@ -220,6 +220,9 @@ outputs:
 name: virt_sandbox_use_netlink
 persistent: true
 state: true
+ when:
+ - ansible_facts.selinux is defined
+ - ansible_facts.selinux.status == "enabled"
 external_upgrade_tasks:
 - when:
 - step|int == 1
diff --git a/deployment/cinder/cinder-backup-container-puppet.yaml b/deployment/cinder/cinder-backup-container-puppet.yaml
index e45075a261..8a3bbb4bfd 100644
--- a/deployment/cinder/cinder-backup-container-puppet.yaml
+++ b/deployment/cinder/cinder-backup-container-puppet.yaml
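Review bot: The new `ansible_facts.selinux is defined` guard on the `seboolean` task (the lines added after `state: true`) makes a missing fact indistinguishable from SELinux being disabled: on an enforcing host whose play did not gather the selinux fact, the task is skipped silently, `virt_sandbox_use_netlink` is never set, and the problem presumably surfaces later as an SELinux denial rather than as a deploy-time error. Only the disabled state needs to be tolerated per the commit message, so unless the generated playbooks always gather this fact, either drop the `is defined` line so an absent fact aborts loudly, or record the dependency in a comment above `when:`, e.g. `# seboolean needs the selinux fact from setup; skipped only when SELinux is disabled`. The same three lines are repeated verbatim in all 21 files of the patch (the ceilometer, cinder, nova, heat, logrotate, manila, neutron, octavia and ovn hunks), so a single shared condition would prevent drift if the template layer offers a place for one. The enclosing deploy task list starts outside the hunk.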
@@ -282,6 +282,9 @@ outputs:
 name: virt_sandbox_use_netlink
 persistent: true
 state: true
+ when:
+ - ansible_facts.selinux is defined
+ - ansible_facts.selinux.status == "enabled"
 deploy_steps_tasks:
 - name: Clean up when switching cinder-backup from pcmk to active-active
 when:
diff --git a/deployment/cinder/cinder-scheduler-container-puppet.yaml b/deployment/cinder/cinder-scheduler-container-puppet.yaml
index c8d8e5f688..6f5aa652dd 100644
--- a/deployment/cinder/cinder-scheduler-container-puppet.yaml
+++ b/deployment/cinder/cinder-scheduler-container-puppet.yaml
@@ -163,6 +163,9 @@ outputs:
 name: virt_sandbox_use_netlink
 persistent: true
 state: true
+ when:
+ - ansible_facts.selinux is defined
+ - ansible_facts.selinux.status == "enabled"
 external_upgrade_tasks:
 - when:
 - step|int == 1
diff --git a/deployment/deprecated/nova/nova-libvirt-container-puppet.yaml b/deployment/deprecated/nova/nova-libvirt-container-puppet.yaml
index 51f88ab9f2..ac7ee7c6cd 100644
--- a/deployment/deprecated/nova/nova-libvirt-container-puppet.yaml
+++ b/deployment/deprecated/nova/nova-libvirt-container-puppet.yaml
@@ -925,6 +925,9 @@ outputs:
 name: os_enable_vtpm
 persistent: true
 state: true
+ when:
+ - ansible_facts.selinux is defined
+ - ansible_facts.selinux.status == "enabled"
 metadata_settings:
 list_concat:
 - if:
diff --git a/deployment/heat/heat-engine-container-puppet.yaml b/deployment/heat/heat-engine-container-puppet.yaml
index dc42b9b160..4d702b840b 100644
--- a/deployment/heat/heat-engine-container-puppet.yaml
+++ b/deployment/heat/heat-engine-container-puppet.yaml
@@ -305,6 +305,9 @@ outputs:
 name: virt_sandbox_use_netlink
 persistent: true
 state: true
+ when:
+ - ansible_facts.selinux is defined
+ - ansible_facts.selinux.status == "enabled"
 upgrade_tasks: []
 external_upgrade_tasks:
 - when:
diff --git a/deployment/logrotate/logrotate-crond-container-puppet.yaml b/deployment/logrotate/logrotate-crond-container-puppet.yaml
index 2a595d3f18..5e0c8ce175 100644
--- a/deployment/logrotate/logrotate-crond-container-puppet.yaml
+++ b/deployment/logrotate/logrotate-crond-container-puppet.yaml
@@ -113,6 +113,9 @@ outputs:
 name: logrotate_read_inside_containers
 persistent: true
 state: true
+ when:
+ - ansible_facts.selinux is defined
+ - ansible_facts.selinux.status == "enabled"
 deploy_steps_tasks:
 - name: configure tmpwatch on the host
 when: step|int == 2
diff --git a/deployment/manila/manila-scheduler-container-puppet.yaml b/deployment/manila/manila-scheduler-container-puppet.yaml
index 29c92c7976..7402e0e94c 100644
--- a/deployment/manila/manila-scheduler-container-puppet.yaml
+++ b/deployment/manila/manila-scheduler-container-puppet.yaml
@@ -128,6 +128,9 @@ outputs:
 name: virt_sandbox_use_netlink
 persistent: true
 state: true
+ when:
+ - ansible_facts.selinux is defined
+ - ansible_facts.selinux.status == "enabled"
 upgrade_tasks: []
 external_upgrade_tasks:
 - when:
diff --git a/deployment/neutron/neutron-dhcp-container-puppet.yaml b/deployment/neutron/neutron-dhcp-container-puppet.yaml
index 3b38b53efb..5297d6feb8 100644
--- a/deployment/neutron/neutron-dhcp-container-puppet.yaml
+++ b/deployment/neutron/neutron-dhcp-container-puppet.yaml
@@ -428,6 +428,9 @@ outputs:
 name: virt_sandbox_use_netlink
 persistent: true
 state: true
+ when:
+ - ansible_facts.selinux is defined
+ - ansible_facts.selinux.status == "enabled"
 - name: set conditions
 set_fact:
 dnsmasq_wrapper_enabled: {get_param: NeutronEnableDnsmasqDockerWrapper}
diff --git a/deployment/neutron/neutron-l3-container-puppet.yaml b/deployment/neutron/neutron-l3-container-puppet.yaml
index e07ecf3f1c..9438ddcec2 100644
--- a/deployment/neutron/neutron-l3-container-puppet.yaml
+++ b/deployment/neutron/neutron-l3-container-puppet.yaml
@@ -355,6 +355,9 @@ outputs:
 name: virt_sandbox_use_netlink
 persistent: true
 state: true
+ when:
+ - ansible_facts.selinux is defined
+ - ansible_facts.selinux.status == "enabled"
 - name: set conditions
 set_fact:
 keepalived_wrapper_enabled: {get_param: NeutronEnableKeepalivedWrapper}
diff --git a/deployment/neutron/neutron-metadata-container-puppet.yaml b/deployment/neutron/neutron-metadata-container-puppet.yaml
index 148b9d0d61..e6b2f9f6a7 100644
--- a/deployment/neutron/neutron-metadata-container-puppet.yaml
+++ b/deployment/neutron/neutron-metadata-container-puppet.yaml
@@ -211,4 +211,7 @@ outputs:
 name: virt_sandbox_use_netlink
 persistent: true
 state: true
+ when:
+ - ansible_facts.selinux is defined
+ - ansible_facts.selinux.status == "enabled"
 upgrade_tasks: []
diff --git a/deployment/neutron/neutron-ovs-agent-container-puppet.yaml b/deployment/neutron/neutron-ovs-agent-container-puppet.yaml
index 9f81efc614..9acd0646d3 100644
--- a/deployment/neutron/neutron-ovs-agent-container-puppet.yaml
+++ b/deployment/neutron/neutron-ovs-agent-container-puppet.yaml
@@ -418,6 +418,9 @@ outputs:
 name: virt_sandbox_use_netlink
 persistent: true
 state: true
+ when:
+ - ansible_facts.selinux is defined
+ - ansible_facts.selinux.status == "enabled"
 update_tasks:
 # puppetlabs-firewall manages security rules via Puppet but make the rules
 # consistent by default. Since Neutron also creates some rules, we don't
diff --git a/deployment/neutron/neutron-sriov-agent-container-puppet.yaml b/deployment/neutron/neutron-sriov-agent-container-puppet.yaml
index 707ce5eb1e..927cb63457 100644
--- a/deployment/neutron/neutron-sriov-agent-container-puppet.yaml
+++ b/deployment/neutron/neutron-sriov-agent-container-puppet.yaml
@@ -202,6 +202,9 @@ outputs:
 name: virt_sandbox_use_netlink
 persistent: true
 state: true
+ when:
+ - ansible_facts.selinux is defined
+ - ansible_facts.selinux.status == "enabled"
 - if:
 - derive_pci_whitelist_enabled
 - - name: "creating directory"
diff --git a/deployment/nova/nova-compute-container-puppet.yaml b/deployment/nova/nova-compute-container-puppet.yaml
index 62a4f4e0ca..29e5e6192d 100644
--- a/deployment/nova/nova-compute-container-puppet.yaml
+++ b/deployment/nova/nova-compute-container-puppet.yaml
@@ -1525,6 +1525,9 @@ outputs:
 name: virt_sandbox_use_netlink
 persistent: true
 state: true
+ when:
+ - ansible_facts.selinux is defined
+ - ansible_facts.selinux.status == "enabled"
 - name: install Instance HA recovery script
 when: instance_ha_enabled|bool
 block:
diff --git a/deployment/nova/nova-conductor-container-puppet.yaml b/deployment/nova/nova-conductor-container-puppet.yaml
index b860e5a2e0..bfb784582a 100644
--- a/deployment/nova/nova-conductor-container-puppet.yaml
+++ b/deployment/nova/nova-conductor-container-puppet.yaml
@@ -242,6 +242,9 @@ outputs:
 name: virt_sandbox_use_netlink
 persistent: true
 state: true
+ when:
+ - ansible_facts.selinux is defined
+ - ansible_facts.selinux.status == "enabled"
 external_upgrade_tasks:
 - when: step|int == 1
 block: &nova_online_db_migration
diff --git a/deployment/nova/nova-ironic-container-puppet.yaml b/deployment/nova/nova-ironic-container-puppet.yaml
index 1ad72b366e..2b09076d8e 100644
--- a/deployment/nova/nova-ironic-container-puppet.yaml
+++ b/deployment/nova/nova-ironic-container-puppet.yaml
@@ -230,6 +230,9 @@ outputs:
 name: virt_sandbox_use_netlink
 persistent: true
 state: true
+ when:
+ - ansible_facts.selinux is defined
+ - ansible_facts.selinux.status == "enabled"
 external_post_deploy_tasks: {get_attr: [NovaComputeCommon, nova_compute_common_deploy_steps_tasks]}
 external_upgrade_tasks:
 - when:
diff --git a/deployment/nova/nova-modular-libvirt-container-puppet.yaml b/deployment/nova/nova-modular-libvirt-container-puppet.yaml
index 53edb0ed97..2e396bd9e9 100644
--- a/deployment/nova/nova-modular-libvirt-container-puppet.yaml
+++ b/deployment/nova/nova-modular-libvirt-container-puppet.yaml
@@ -963,6 +963,9 @@ outputs:
 name: os_enable_vtpm
 persistent: true
 state: true
+ when:
+ - ansible_facts.selinux is defined
+ - ansible_facts.selinux.status == "enabled"
 metadata_settings:
 list_concat:
 - if:
diff --git a/deployment/nova/nova-scheduler-container-puppet.yaml b/deployment/nova/nova-scheduler-container-puppet.yaml
index 1ba78ee002..6abab19946 100644
--- a/deployment/nova/nova-scheduler-container-puppet.yaml
+++ b/deployment/nova/nova-scheduler-container-puppet.yaml
@@ -323,6 +323,9 @@ outputs:
 name: virt_sandbox_use_netlink
 persistent: true
 state: true
+ when:
+ - ansible_facts.selinux is defined
+ - ansible_facts.selinux.status == "enabled"
 external_upgrade_tasks:
 - when:
 - step|int == 1
diff --git a/deployment/octavia/octavia-worker-container-puppet.yaml b/deployment/octavia/octavia-worker-container-puppet.yaml
index b9afa3a332..29ce487b70 100644
--- a/deployment/octavia/octavia-worker-container-puppet.yaml
+++ b/deployment/octavia/octavia-worker-container-puppet.yaml
@@ -179,6 +179,9 @@ outputs:
 name: virt_sandbox_use_netlink
 persistent: true
 state: true
+ when:
+ - ansible_facts.selinux is defined
+ - ansible_facts.selinux.status == "enabled"
 update_tasks: {get_attr: [OctaviaBase, role_data, update_tasks]}
 upgrade_tasks: {get_attr: [OctaviaBase, role_data, upgrade_tasks]}
 external_upgrade_tasks:
diff --git a/deployment/ovn/ovn-controller-container-puppet.yaml b/deployment/ovn/ovn-controller-container-puppet.yaml
index d0eb1480f4..b23d33e5bb 100644
--- a/deployment/ovn/ovn-controller-container-puppet.yaml
+++ b/deployment/ovn/ovn-controller-container-puppet.yaml
@@ -271,7 +271,7 @@ outputs: - 'ssl' vswitch::ovs::vlan_limit: if: - {get_param: EnableVLANTransparency} + - {get_param: EnableVLANTransparency} - 0 service_config_settings: {} # BEGIN DOCKER SETTINGS
@@ -420,6 +420,9 @@ outputs:
 name: virt_sandbox_use_netlink
 persistent: true
 state: true
+ when:
+ - ansible_facts.selinux is defined
+ - ansible_facts.selinux.status == "enabled"
 - name: Copy in cleanup script
 copy:
 content: {get_file: ../neutron/neutron-cleanup}