From e7dee7bd2ec342b9902ef8a30349aa9cee5f0a41 Mon Sep 17 00:00:00 2001
From: Alex Schultz
Date: Wed, 17 Apr 2019 17:09:36 -0600
Subject: [PATCH] Remove puppet selinux management

We've switched the selinux mode management to ansible as part of the deploy-steps and it's always included now so the service is not necessary.

Change-Id: I562053ba6767bd9ab7af3cf06b93906568bec5cd
---
 .../selinux/selinux-baremetal-puppet.yaml | 48 -------------------
 environments/standalone.yaml | 2 -
 .../standalone/standalone-overcloud.yaml | 1 -
 .../standalone/standalone-tripleo.yaml | 1 -
 environments/undercloud.yaml | 2 -
 overcloud-resource-registry-puppet.j2.yaml | 1 +
 ...uppet-selinux-config-cc8d2788c534d628.yaml | 5 ++
 roles/Standalone.yaml | 1 -
 roles/Undercloud.yaml | 1 -
 roles_data_undercloud.yaml | 1 -
 sample-env-generator/standalone.yaml | 6 ---
 11 files changed, 6 insertions(+), 63 deletions(-)
 delete mode 100644 deployment/selinux/selinux-baremetal-puppet.yaml
 create mode 100644 releasenotes/notes/deprecate-puppet-selinux-config-cc8d2788c534d628.yaml
diff --git a/deployment/selinux/selinux-baremetal-puppet.yaml b/deployment/selinux/selinux-baremetal-puppet.yaml
deleted file mode 100644
index deff4520b6..0000000000
--- a/deployment/selinux/selinux-baremetal-puppet.yaml
+++ /dev/null
@@ -1,48 +0,0 @@
-heat_template_version: rocky
-
-description: >
- Configure SELinux
-
-parameters:
- ServiceData:
- default: {}
- description: Dictionary packing service data
- type: json
- ServiceNetMap:
- default: {}
- description: Mapping of service_name -> network name. Typically set
- via parameter_defaults in the resource registry. This
- mapping overrides those in ServiceNetMapDefaults.
- type: json
- DefaultPasswords:
- default: {}
- type: json
- RoleName:
- default: ''
- description: Role name on which the service is applied
- type: string
- RoleParameters:
- default: {}
- description: Parameters specific to the role
- type: json
- EndpointMap:
- default: {}
- description: Mapping of service endpoint -> protocol. Typically set
- via parameter_defaults in the resource registry.
- type: json
- SELinuxMode:
- default: 'enforcing'
- description: Configures SELinux mode
- type: string
- constraints:
- - allowed_values: [ 'enforcing', 'permissive', 'disabled' ]
-
-outputs:
- role_data:
- description: SELinux configuration
- value:
- service_name: selinux
- config_settings:
- tripleo::selinux::mode: {get_param: SELinuxMode}
- step_config: |
- include ::tripleo::selinux
diff --git a/environments/standalone.yaml b/environments/standalone.yaml
index bc4948613d..8477183b89 100644
--- a/environments/standalone.yaml
+++ b/environments/standalone.yaml
@@ -7,8 +7,6 @@ resource_registry:
 OS::TripleO::Standalone::Net::SoftwareConfig: ../net-config-standalone.yaml
 OS::TripleO::NodeExtraConfigPost: ../extraconfig/post_deploy/standalone_post.yaml
- # Manage SELinux
- OS::TripleO::Services::SELinux: ../deployment/selinux/selinux-baremetal-puppet.yaml
 OS::TripleO::Services::OpenStackClients: ../deployment/clients/openstack-clients-baremetal-puppet.yaml
 # Disable non-openstack services that are enabled by default
diff --git a/environments/standalone/standalone-overcloud.yaml b/environments/standalone/standalone-overcloud.yaml
index 9a8d9590a3..324aea02b4 100644
--- a/environments/standalone/standalone-overcloud.yaml
+++ b/environments/standalone/standalone-overcloud.yaml
@@ -94,7 +94,6 @@ resource_registry:
 OS::TripleO::Services::MistralExecutor: OS::Heat::None
 OS::TripleO::Services::OpenStackClients: ../../deployment/clients/openstack-clients-baremetal-puppet.yaml
 OS::TripleO::Services::PankoApi: OS::Heat::None
- OS::TripleO::Services::SELinux: ../../deployment/selinux/selinux-baremetal-puppet.yaml
 OS::TripleO::Services::SaharaApi: OS::Heat::None
 OS::TripleO::Services::SaharaEngine: OS::Heat::None
 OS::TripleO::Services::Tacker: OS::Heat::None
diff --git a/environments/standalone/standalone-tripleo.yaml b/environments/standalone/standalone-tripleo.yaml
index cd1bdac51c..af1363e1fe 100644
--- a/environments/standalone/standalone-tripleo.yaml
+++ b/environments/standalone/standalone-tripleo.yaml
@@ -115,7 +115,6 @@ resource_registry:
 OS::TripleO::Services::PankoApi: OS::Heat::None
 OS::TripleO::Services::Podman: ../../deployment/podman/podman-baremetal-ansible.yaml
 OS::TripleO::Services::Redis: OS::Heat::None
- OS::TripleO::Services::SELinux: ../../deployment/selinux/selinux-baremetal-puppet.yaml
 OS::TripleO::Services::SaharaApi: OS::Heat::None
 OS::TripleO::Services::SaharaEngine: OS::Heat::None
 OS::TripleO::Services::Tacker: OS::Heat::None
diff --git a/environments/undercloud.yaml b/environments/undercloud.yaml
index 77d8fefd31..81cf6a851b 100644
--- a/environments/undercloud.yaml
+++ b/environments/undercloud.yaml
@@ -21,8 +21,6 @@ resource_registry:
 OS::TripleO::Services::NeutronCorePlugin: ../deployment/neutron/neutron-plugin-ml2-container-puppet.yaml
 OS::TripleO::Docker::NeutronMl2PluginBase: ../puppet/services/neutron-plugin-ml2.yaml
- # We managed this in instack-undercloud, so we need to manage it here.
- OS::TripleO::Services::SELinux: ../deployment/selinux/selinux-baremetal-puppet.yaml
 OS::TripleO::Services::OpenStackClients: ../deployment/clients/openstack-clients-baremetal-puppet.yaml
 # services we disable by default on the undercloud
diff --git a/overcloud-resource-registry-puppet.j2.yaml b/overcloud-resource-registry-puppet.j2.yaml
index 6589c39125..d353351e12 100644
--- a/overcloud-resource-registry-puppet.j2.yaml
+++ b/overcloud-resource-registry-puppet.j2.yaml
@@ -189,6 +189,7 @@ resource_registry:
 OS::TripleO::Services::TripleoUI: OS::Heat::None
 OS::TripleO::Services::Tuned: deployment/tuned/tuned-baremetal-puppet.yaml
 OS::TripleO::Services::Securetty: OS::Heat::None
+ # TODO(aschultz): Remove this in U as we switched to a task in the deploy
 OS::TripleO::Services::SELinux: OS::Heat::None
 OS::TripleO::Services::Sshd: deployment/sshd/sshd-baremetal-puppet.yaml
 OS::TripleO::Services::Redis: deployment/database/redis-container-puppet.yaml
diff --git a/releasenotes/notes/deprecate-puppet-selinux-config-cc8d2788c534d628.yaml b/releasenotes/notes/deprecate-puppet-selinux-config-cc8d2788c534d628.yaml
new file mode 100644
index 0000000000..611708af8f
--- /dev/null
+++ b/releasenotes/notes/deprecate-puppet-selinux-config-cc8d2788c534d628.yaml
@@ -0,0 +1,5 @@
+---
+deprecations:
+ - |
+ OS::TripleO::Services::SELinux has been deprecated. Management of selinux
+ configuration is now handled via ansible during the deployment.
diff --git a/roles/Standalone.yaml b/roles/Standalone.yaml
index f82c3d0021..836b006fa2 100644
--- a/roles/Standalone.yaml
+++ b/roles/Standalone.yaml
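Review bot: The TODO added above `OS::TripleO::Services::SELinux: OS::Heat::None` in overcloud-resource-registry-puppet.j2.yaml stops mid-thought ("a task in the deploy") and does not say where SELinux mode is applied now, which is the first thing someone auditing host hardening will look for. I would spell it out, for example `# TODO(aschultz): Remove in U; SELinux mode is now set by an ansible task in deploy-steps.` The template deleted in this same patch is where `SELinuxMode` was declared with a default of 'enforcing' and an `allowed_values` constraint. The replacement declaration is not visible in this diff, so it is worth confirming that it keeps both; otherwise a mistyped mode would presumably no longer be rejected at template validation. The release note could also mention that environment files still pointing at `deployment/selinux/selinux-baremetal-puppet.yaml` will likely fail to resolve once the file is gone.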
@@ -160,7 +160,6 @@ - OS::TripleO::Services::SaharaApi - OS::TripleO::Services::SaharaEngine - OS::TripleO::Services::Securetty - - OS::TripleO::Services::SELinux - OS::TripleO::Services::SensuClient - OS::TripleO::Services::SkydiveAgent - OS::TripleO::Services::SkydiveAnalyzer diff --git a/roles/Undercloud.yaml b/roles/Undercloud.yaml index cc2498aaac..3d5b25b0f9 100644 --- a/roles/Undercloud.yaml +++ b/roles/Undercloud.yaml @@ -81,7 +81,6 @@ - OS::TripleO::Services::Podman - OS::TripleO::Services::Redis - OS::TripleO::Services::Rhsm - - OS::TripleO::Services::SELinux - OS::TripleO::Services::Sshd - OS::TripleO::Services::SwiftProxy - OS::TripleO::Services::SwiftRingBuilder diff --git a/roles_data_undercloud.yaml b/roles_data_undercloud.yaml index 52e3895e42..a9273fde54 100644 --- a/roles_data_undercloud.yaml +++ b/roles_data_undercloud.yaml @@ -84,7 +84,6 @@ - OS::TripleO::Services::Podman - OS::TripleO::Services::Redis - OS::TripleO::Services::Rhsm - - OS::TripleO::Services::SELinux - OS::TripleO::Services::Sshd - OS::TripleO::Services::SwiftProxy - OS::TripleO::Services::SwiftRingBuilder diff --git a/sample-env-generator/standalone.yaml b/sample-env-generator/standalone.yaml index f7cfe90f0e..d39f45b9f3 100644 --- a/sample-env-generator/standalone.yaml +++ b/sample-env-generator/standalone.yaml @@ -65,9 +65,6 @@ environments: # OVN OS::TripleO::Services::OVNDBs: ../../deployment/ovn/ovn-dbs-container-puppet.yaml - # Manage SELinux - OS::TripleO::Services::SELinux: ../../deployment/selinux/selinux-baremetal-puppet.yaml - OS::TripleO::Services::OpenStackClients: ../../deployment/clients/openstack-clients-baremetal-puppet.yaml # Activate container image prepare 
@@ -192,9 +189,6 @@ environments: resource_registry: OS::TripleO::Standalone::Net::SoftwareConfig: ../../net-config-bridge.yaml - # Manage SELinux - OS::TripleO::Services::SELinux: ../../deployment/selinux/selinux-baremetal-puppet.yaml - OS::TripleO::Services::OpenStackClients: ../../deployment/clients/openstack-clients-baremetal-puppet.yaml # Disable non-openstack services that are enabled by default