Add SELinux management to containerized undercloud
In instack-undercloud we manage the selinux configuration during the deployment. This change exposes the configuration as a new tripleo service for selinux so we can configure it.

Change-Id: I2109bf62e307df92b6bdb57600c58dd61482f46d
Partial-Bug: #1779005
parent c7b10fe834
commit db181732c6
@ -7,6 +7,9 @@ resource_registry:
|
||||
# Allows us to control the external VIP for Undercloud SSL
|
||||
OS::TripleO::Network::Ports::ExternalVipPort: ../network/ports/external_from_pool.yaml
|
||||
|
||||
# We managed this in instack-undercloud, so we need to manage it here.
|
||||
OS::TripleO::Services::SELinux: ../puppet/services/selinux.yaml
|
||||
|
||||
# services we disable by default on the undercloud
|
||||
OS::TripleO::Services::AodhApi: OS::Heat::None
|
||||
OS::TripleO::Services::AodhEvaluator: OS::Heat::None
|
||||
|
@ -187,6 +187,7 @@ resource_registry:
|
||||
OS::TripleO::Services::TripleoUI: OS::Heat::None
|
||||
OS::TripleO::Services::Tuned: puppet/services/tuned.yaml
|
||||
OS::TripleO::Services::Securetty: OS::Heat::None
|
||||
OS::TripleO::Services::SELinux: OS::Heat::None
|
||||
OS::TripleO::Services::Sshd: docker/services/sshd.yaml
|
||||
OS::TripleO::Services::Redis: docker/services/database/redis.yaml
|
||||
OS::TripleO::Services::MongoDb: puppet/services/disabled/mongodb-disabled.yaml
|
||||
|
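Review bot: the new `OS::TripleO::Services::SELinux: OS::Heat::None` entry has no comment saying that the service does nothing unless an environment remaps it. The role lists touched by this change include the service, so a reader can easily assume SELinux is managed wherever those roles are deployed. A one-line comment above the entry naming `puppet/services/selinux.yaml` as the opt-in mapping would make the default explicit.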
48
puppet/services/selinux.yaml
Normal file
@ -0,0 +1,48 @@
|
||||
heat_template_version: rocky
|
||||
|
||||
description: >
|
||||
Configure SELinux
|
||||
|
||||
parameters:
|
||||
ServiceData:
|
||||
default: {}
|
||||
description: Dictionary packing service data
|
||||
type: json
|
||||
ServiceNetMap:
|
||||
default: {}
|
||||
description: Mapping of service_name -> network name. Typically set
|
||||
via parameter_defaults in the resource registry. This
|
||||
mapping overrides those in ServiceNetMapDefaults.
|
||||
type: json
|
||||
DefaultPasswords:
|
||||
default: {}
|
||||
type: json
|
||||
RoleName:
|
||||
default: ''
|
||||
description: Role name on which the service is applied
|
||||
type: string
|
||||
RoleParameters:
|
||||
default: {}
|
||||
description: Parameters specific to the role
|
||||
type: json
|
||||
EndpointMap:
|
||||
default: {}
|
||||
description: Mapping of service endpoint -> protocol. Typically set
|
||||
via parameter_defaults in the resource registry.
|
||||
type: json
|
||||
SELinuxMode:
|
||||
default: 'enforcing'
|
||||
description: Configures SELinux mode
|
||||
type: string
|
||||
constraints:
|
||||
- allowed_values: [ 'enforcing', 'permissive', 'disabled' ]
|
||||
|
||||
outputs:
|
||||
role_data:
|
||||
description: SELinux configuration
|
||||
value:
|
||||
service_name: selinux
|
||||
config_settings:
|
||||
tripleo::selinux::mode: {get_param: SELinuxMode}
|
||||
step_config: |
|
||||
include ::tripleo::selinux
|
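Review bot: the `SELinuxMode` description ("Configures SELinux mode") documents neither the default nor what each allowed value means, while `allowed_values` accepts both `permissive` and `disabled`, each of which turns enforcement off on the host. Suggest expanding the description to say that `enforcing` is the default and that the other two values stop policy enforcement. Separately, `DefaultPasswords` is the only parameter in this template without a `description`.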
@ -0,0 +1,6 @@
|
||||
---
|
||||
features:
|
||||
- |
|
||||
Added support to be able to configure SELinux with the containerized
|
||||
undercloud. By default it is `enforcing`. To disable SELinux, use
|
||||
`SELinuxMode: permissive` as part of the deployment extra configuration.
|
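Review bot: the sentence "To disable SELinux, use `SELinuxMode: permissive`" conflates two modes. Permissive keeps SELinux loaded and logs denials without enforcing them, and the template's `allowed_values` has a separate `disabled` value. Suggest rewording to something like "To stop enforcement, use `SELinuxMode: permissive`", and mentioning `disabled` explicitly if it is meant to be supported.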
@ -75,6 +75,7 @@
|
||||
- OS::TripleO::Services::PankoApi
|
||||
- OS::TripleO::Services::Redis
|
||||
- OS::TripleO::Services::Rhsm
|
||||
- OS::TripleO::Services::SELinux
|
||||
- OS::TripleO::Services::Sshd
|
||||
- OS::TripleO::Services::SwiftProxy
|
||||
- OS::TripleO::Services::SwiftRingBuilder
|
||||
|
@ -78,6 +78,7 @@
|
||||
- OS::TripleO::Services::PankoApi
|
||||
- OS::TripleO::Services::Redis
|
||||
- OS::TripleO::Services::Rhsm
|
||||
- OS::TripleO::Services::SELinux
|
||||
- OS::TripleO::Services::Sshd
|
||||
- OS::TripleO::Services::SwiftProxy
|
||||
- OS::TripleO::Services::SwiftRingBuilder
|
||||
|