diff --git a/environments/undercloud.yaml b/environments/undercloud.yaml
index ade238f55e..4a550abb1d 100644
--- a/environments/undercloud.yaml
+++ b/environments/undercloud.yaml
@@ -7,6 +7,9 @@ resource_registry:
 # Allows us to control the external VIP for Undercloud SSL
 OS::TripleO::Network::Ports::ExternalVipPort: ../network/ports/external_from_pool.yaml
+ # We managed this in instack-undercloud, so we need to manage it here.
+ OS::TripleO::Services::SELinux: ../puppet/services/selinux.yaml
+
 # services we disable by default on the undercloud
 OS::TripleO::Services::AodhApi: OS::Heat::None
 OS::TripleO::Services::AodhEvaluator: OS::Heat::None
diff --git a/overcloud-resource-registry-puppet.j2.yaml b/overcloud-resource-registry-puppet.j2.yaml
index 3bc2655bee..2fe2a9c079 100644
--- a/overcloud-resource-registry-puppet.j2.yaml
+++ b/overcloud-resource-registry-puppet.j2.yaml
@@ -187,6 +187,7 @@ resource_registry:
 OS::TripleO::Services::TripleoUI: OS::Heat::None
 OS::TripleO::Services::Tuned: puppet/services/tuned.yaml
 OS::TripleO::Services::Securetty: OS::Heat::None
+ OS::TripleO::Services::SELinux: OS::Heat::None
 OS::TripleO::Services::Sshd: docker/services/sshd.yaml
 OS::TripleO::Services::Redis: docker/services/database/redis.yaml
 OS::TripleO::Services::MongoDb: puppet/services/disabled/mongodb-disabled.yaml
diff --git a/puppet/services/selinux.yaml b/puppet/services/selinux.yaml
new file mode 100644
index 0000000000..deff4520b6
--- /dev/null
+++ b/puppet/services/selinux.yaml
@@ -0,0 +1,48 @@
+heat_template_version: rocky
+
+description: >
+ Configure SELinux
+
+parameters:
+ ServiceData:
+ default: {}
+ description: Dictionary packing service data
+ type: json
+ ServiceNetMap:
+ default: {}
+ description: Mapping of service_name -> network name. Typically set
+ via parameter_defaults in the resource registry. This
+ mapping overrides those in ServiceNetMapDefaults.
+ type: json
+ DefaultPasswords:
+ default: {}
+ type: json
+ RoleName:
+ default: ''
+ description: Role name on which the service is applied
+ type: string
+ RoleParameters:
+ default: {}
+ description: Parameters specific to the role
+ type: json
+ EndpointMap:
+ default: {}
+ description: Mapping of service endpoint -> protocol. Typically set
+ via parameter_defaults in the resource registry.
+ type: json
+ SELinuxMode:
+ default: 'enforcing'
+ description: Configures SELinux mode
+ type: string
+ constraints:
+ - allowed_values: [ 'enforcing', 'permissive', 'disabled' ]
+
+outputs:
+ role_data:
+ description: SELinux configuration
+ value:
+ service_name: selinux
+ config_settings:
+ tripleo::selinux::mode: {get_param: SELinuxMode}
+ step_config: |
+ include ::tripleo::selinux
diff --git a/releasenotes/notes/undercloud-selinux-37fc6f69a9753109.yaml b/releasenotes/notes/undercloud-selinux-37fc6f69a9753109.yaml
new file mode 100644
index 0000000000..2a96cd396d
--- /dev/null
+++ b/releasenotes/notes/undercloud-selinux-37fc6f69a9753109.yaml
@@ -0,0 +1,6 @@
+---
+features:
+ - |
+ Added support to be able to configure SELinux with the containerized
+ undercloud. By default it is `enforcing`. To disable SELinux, use
+ `SELinuxMode: permissive` as part of the deployment extra configuration.
diff --git a/roles/Undercloud.yaml b/roles/Undercloud.yaml
index 6bad637546..019490b3d6 100644
--- a/roles/Undercloud.yaml
+++ b/roles/Undercloud.yaml
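Review bot: The `SELinuxMode` parameter is documented only as `description: Configures SELinux mode`, which does not say what `enforcing`, `permissive` and `disabled` do, and the release note added in this same commit compounds that by telling operators to set `SELinuxMode: permissive` "to disable SELinux". Permissive keeps the policy loaded and denials logged to the audit log while no longer enforcing them, whereas `disabled` turns SELinux off entirely (and going back from disabled generally needs a relabel and reboot), so the two are not interchangeable and the release note should speak of relaxing the mode rather than disabling it. I would expand the parameter to `description: SELinux mode for the node. 'enforcing' (default) enforces the loaded policy; 'permissive' only logs denials; 'disabled' turns SELinux off and is not recommended.` `DefaultPasswords` is also the only parameter in this template without a description; `description: Mapping of service -> default password. Used to help pass top level passwords managed by Heat into services.` matches the wording used by the other service templates. Whether `::tripleo::selinux` applies a change of mode immediately or only after a reboot is not visible in this change, so once confirmed that also deserves a sentence in the description.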
@@ -75,6 +75,7 @@
 - OS::TripleO::Services::PankoApi
 - OS::TripleO::Services::Redis
 - OS::TripleO::Services::Rhsm
+ - OS::TripleO::Services::SELinux
 - OS::TripleO::Services::Sshd
 - OS::TripleO::Services::SwiftProxy
 - OS::TripleO::Services::SwiftRingBuilder
diff --git a/roles_data_undercloud.yaml b/roles_data_undercloud.yaml
index 30bef3e5a3..7f00e8261e 100644
--- a/roles_data_undercloud.yaml
+++ b/roles_data_undercloud.yaml
@@ -78,6 +78,7 @@
 - OS::TripleO::Services::PankoApi
 - OS::TripleO::Services::Redis
 - OS::TripleO::Services::Rhsm
+ - OS::TripleO::Services::SELinux
 - OS::TripleO::Services::Sshd
 - OS::TripleO::Services::SwiftProxy
 - OS::TripleO::Services::SwiftRingBuilder