diff --git a/doc/source/roles/role-nova_svirt.rst b/doc/source/roles/role-nova_svirt.rst
new file mode 100644
index 000000000..1141929ad
--- /dev/null
+++ b/doc/source/roles/role-nova_svirt.rst
@@ -0,0 +1,6 @@
+=================
+nova_svirt
+=================
+
+.. ansibleautoplugin::
+ :role: roles/nova_svirt
diff --git a/playbooks/nova-svirt.yaml b/playbooks/nova-svirt.yaml
new file mode 100644
index 000000000..27f281911
--- /dev/null
+++ b/playbooks/nova-svirt.yaml
@@ -0,0 +1,13 @@
+---
+- hosts: Compute
+ gather_facts: false
+ vars:
+ metadata:
+ name: Check nova sVirt support
+ description: >-
+ Ensures all running VM are correctly protected with sVirt
+ groups:
+ - post-deployment
+ - post-upgrade
+ roles:
+ - nova_svirt
diff --git a/roles/nova_svirt/defaults/main.yml b/roles/nova_svirt/defaults/main.yml
new file mode 100644
index 000000000..94a8e4269
--- /dev/null
+++ b/roles/nova_svirt/defaults/main.yml
@@ -0,0 +1,21 @@
+---
+# Copyright 2020 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+# All variables intended for modification should place placed in this file.
+
+# All variables within this role should have a prefix of "nova_svirt"
+nova_svirt_directory: /run/libvirt/qemu
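Review bot: The comment directly above `nova_svirt_directory` reads "should place placed"; suggest `# All variables intended for modification should be placed in this file.` It would also help a reader to say what the default is, since this is the only tunable of the role: `# Directory searched (one level deep) for *.xml domain status files; each one is checked for an SELinux seclabel.` That description matches the find task in tasks/main.yml and the xpath used in tasks/validate.yml.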
diff --git a/roles/nova_svirt/molecule/default/Dockerfile b/roles/nova_svirt/molecule/default/Dockerfile
new file mode 100644
index 000000000..417c6c702
--- /dev/null
+++ b/roles/nova_svirt/molecule/default/Dockerfile
@@ -0,0 +1,37 @@
+# Molecule managed
+# Copyright 2020 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+{% if item.registry is defined %}
+FROM {{ item.registry.url }}/{{ item.image }}
+{% else %}
+FROM {{ item.image }}
+{% endif %}
+
+RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get install -y python sudo bash ca-certificates && apt-get clean; \
+ elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install sudo python*-devel python*-dnf bash {{ item.pkg_extras | default('') }} && dnf clean all; \
+ elif [ $(command -v yum) ]; then yum makecache fast && yum install -y python sudo yum-plugin-ovl python-setuptools bash {{ item.pkg_extras | default('') }} && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \
+ elif [ $(command -v zypper) ]; then zypper refresh && zypper install -y python sudo bash python-xml {{ item.pkg_extras | default('') }} && zypper clean -a; \
+ elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates {{ item.pkg_extras | default('') }}; \
+ elif [ $(command -v xbps-install) ]; then xbps-install -Syu && xbps-install -y python sudo bash ca-certificates {{ item.pkg_extras | default('') }} && xbps-remove -O; fi
+
+{% for pkg in item.easy_install | default([]) %}
+# install pip for centos where there is no python-pip rpm in default repos
+RUN easy_install {{ pkg }}
+{% endfor %}
+
+
+CMD ["sh", "-c", "while true; do sleep 10000; done"]
\ No newline at end of file
diff --git a/roles/nova_svirt/molecule/default/converge.yml b/roles/nova_svirt/molecule/default/converge.yml
new file mode 100644
index 000000000..4973c374e
--- /dev/null
+++ b/roles/nova_svirt/molecule/default/converge.yml
@@ -0,0 +1,47 @@
+---
+# Copyright 2020 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+- name: Converge
+ hosts: all
+ tasks:
+ - name: Run against a successful file
+ vars:
+ nova_svirt_directory: /libvirt/success
+ include_role:
+ name: nova_svirt
+
+ - name: Run against failed file
+ vars:
+ nova_svirt_directory: /libvirt/failure
+ block:
+ - name: Run the validation
+ include_role:
+ name: nova_svirt
+ rescue:
+ - name: Clear host errors
+ meta: clear_host_errors
+
+ - name: Success output
+ debug:
+ msg: Validation successfully detected the failure
+
+ - name: End play
+ meta: end_play
+
+ - name: Fail if we reach this point
+ fail:
+ msg: The validation did not detect the error
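Review bot: The `meta: end_play` in the rescue of "Run against failed file" ends the play for every host, not just the one whose rescue is running; with two platforms in molecule.yml, a platform on which the role wrongly passes the failure fixture would, as far as I can tell, never reach "Fail if we reach this point" if the other platform enters the rescue first. Using `meta: end_host` there keeps the check per host, so a false negative on one platform still fails the scenario. This also makes "Success output" attributable to the host that actually detected the failure.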
diff --git a/roles/nova_svirt/molecule/default/molecule.yml b/roles/nova_svirt/molecule/default/molecule.yml
new file mode 100644
index 000000000..8f2b8a064
--- /dev/null
+++ b/roles/nova_svirt/molecule/default/molecule.yml
@@ -0,0 +1,48 @@
+---
+driver:
+ name: docker
+
+log: true
+
+platforms:
+ - name: centos7
+ hostname: centos7
+ image: centos:7
+ dockerfile: Dockerfile
+ pkg_extras: python-setuptools python-lxml
+ volumes:
+ - /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro
+ easy_install:
+ - pip
+ environment: &env
+ http_proxy: "{{ lookup('env', 'http_proxy') }}"
+ https_proxy: "{{ lookup('env', 'https_proxy') }}"
+
+ - name: centos8
+ hostname: centos8
+ image: centos:8
+ dockerfile: Dockerfile
+ pkg_extras: python*-setuptools python*-lxml
+ volumes:
+ - /etc/ci/mirror_info.sh:/etc/ci/mirror_info.sh:ro
+ environment:
+ <<: *env
+
+provisioner:
+ name: ansible
+ log: true
+ env:
+ ANSIBLE_STDOUT_CALLBACK: yaml
+ ANSIBLE_LIBRARY: "../../../../library"
+
+scenario:
+ test_sequence:
+ - destroy
+ - create
+ - prepare
+ - converge
+ - verify
+ - destroy
+
+verifier:
+ name: testinfra
diff --git a/roles/nova_svirt/molecule/default/prepare.yml b/roles/nova_svirt/molecule/default/prepare.yml
new file mode 100644
index 000000000..0b557b415
--- /dev/null
+++ b/roles/nova_svirt/molecule/default/prepare.yml
@@ -0,0 +1,60 @@
+---
+# Copyright 2020 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+- name: Prepare
+ hosts: all
+ tasks:
+ - name: Create directory tree
+ file:
+ path: "{{ item }}"
+ state: directory
+ loop:
+ - /libvirt
+ - /libvirt/success
+ - /libvirt/failure
+
+ - name: Push correct xml
+ copy:
+ mode: 0644
+ dest: /libvirt/success/instance-0001.xml
+ content: |
+
+
+
+
+ +107:+107
+
+
+
+ system_u:object_r:svirt_image_t:s0:c687,c775
+
+
+
+
+ - name: Push incorrect xml
+ copy:
+ mode: 0644
+ dest: /libvirt/failure/instance-0002.xml
+ content: |
+
+
+
+
+ +107:+107
+
+
+
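Review bot: `mode: 0644` on both copy tasks is an unquoted leading-zero octal; PyYAML reads it as the integer 420, which Ansible's copy module still treats as octal only because of the leading zero, so `mode: "0644"` is the documented, lint-clean form and is robust to the zero being dropped later. The same change applies to the "Push incorrect xml" task in this hunk. The XML fixture bodies are not legible in this rendering, so their content is not reviewed here.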
diff --git a/roles/nova_svirt/tasks/main.yml b/roles/nova_svirt/tasks/main.yml
new file mode 100644
index 000000000..29148d7da
--- /dev/null
+++ b/roles/nova_svirt/tasks/main.yml
@@ -0,0 +1,14 @@
+---
+- name: Get all instance XMLs
+ register: xmls
+ find:
+ paths: "{{ nova_svirt_directory }}"
+ patterns: "*.xml"
+ recurse: true
+ depth: 1
+
+- name: Loop on XMLs and validate sVirt availability
+ loop: "{{ xmls.files }}"
+ loop_control:
+ label: "{{ item.path }}"
+ include_tasks: validate.yml
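Review bot: The find task runs without `become`, while the parse task in tasks/validate.yml uses `become: true`; if `/run/libvirt/qemu` is not readable by the connecting user, the find module (which, as far as I recall, skips unreadable directories rather than failing) returns an empty `files` list and the validation passes vacuously, reporting every VM as protected without having inspected any. Adding `become: true` to the find task avoids that false negative, and an explicit message when nothing was found makes the "nothing validated" case visible in the output rather than silent. Whether the empty case should be a warning or a failure depends on whether a compute node with no running instances is expected here; a debug message is the conservative choice.
```yaml
- name: Get all instance XMLs
  become: true
  register: xmls
  find:
    # … unchanged: paths / patterns / recurse / depth …

- name: Report when no instance XML was found
  debug:
    msg: "No *.xml found under {{ nova_svirt_directory }}; no instance was validated"
  when: xmls.files | length == 0
```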
diff --git a/roles/nova_svirt/tasks/validate.yml b/roles/nova_svirt/tasks/validate.yml
new file mode 100644
index 000000000..ee4a42f34
--- /dev/null
+++ b/roles/nova_svirt/tasks/validate.yml
@@ -0,0 +1,28 @@
+---
+- name: "Parse {{ item.path }}"
+ become: true
+ register: seclabels
+ xml:
+ path: "{{ item.path }}"
+ content: attribute
+ xpath: '/domstatus/domain/seclabel'
+
+- name: Set or reset svirt_enabled
+ set_fact:
+ svirt_enabled: false
+
+- name: Check enabled seclabels
+ loop: "{{ seclabels.matches }}"
+ loop_control:
+ loop_var: seclabel
+ when:
+ - seclabel.seclabel.model == 'selinux'
+ set_fact:
+ svirt_enabled: true
+
+- name: Fail if sVirt is not enabled
+ fail:
+ msg: |
+ sVirt not detected for {{ item.path }}
+ when:
+ - not svirt_enabled
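Review bot: When a domain status file contains no `seclabel` element at all, the xml module with `content: attribute` fails, as far as I recall, with an "xpath does not reference a node" error, so that case surfaces as a module error instead of the role's own "sVirt not detected" message and the remaining files in the loop are not checked. Setting `failed_when: false` on the parse task and iterating `loop: "{{ seclabels.matches | default([]) }}"` lets the final fail task carry the clear message for that file too. Separately, `svirt_enabled` is set from `model == 'selinux'` alone; if the intent is to confirm that relabeling is actually applied, also checking the seclabel's `relabel` attribute may be worth considering, but that depends on which libvirt attributes this check is meant to cover.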
diff --git a/zuul.d/molecule.yaml b/zuul.d/molecule.yaml
index 599018ca4..e8c79de45 100644
--- a/zuul.d/molecule.yaml
+++ b/zuul.d/molecule.yaml
@@ -12,6 +12,7 @@
- tripleo-validations-centos-8-molecule-haproxy
- tripleo-validations-centos-8-molecule-image_serve
- tripleo-validations-centos-8-molecule-nova_status
+ - tripleo-validations-centos-8-molecule-nova_svirt
- tripleo-validations-centos-8-molecule-rabbitmq_limits
- tripleo-validations-centos-8-molecule-repos
- tripleo-validations-centos-8-molecule-stonith_exists
@@ -35,6 +36,7 @@
- tripleo-validations-centos-8-molecule-haproxy
- tripleo-validations-centos-8-molecule-image_serve
- tripleo-validations-centos-8-molecule-nova_status
+ - tripleo-validations-centos-8-molecule-nova_svirt
- tripleo-validations-centos-8-molecule-rabbitmq_limits
- tripleo-validations-centos-8-molecule-repos
- tripleo-validations-centos-8-molecule-stonith_exists
@@ -388,3 +390,17 @@
parent: tripleo-validations-centos-8-base
vars:
tripleo_validations_role_name: ceph
+- job:
+ files:
+ - ^roles/system_encoding/.*
+ name: tripleo-validations-centos-8-molecule-system_encoding
+ parent: tripleo-validations-centos-8-base
+ vars:
+ tripleo_validations_role_name: system_encoding
+- job:
+ files:
+ - ^roles/nova_svirt/.*
+ name: tripleo-validations-centos-8-molecule-nova_svirt
+ parent: tripleo-validations-centos-8-base
+ vars:
+ tripleo_validations_role_name: nova_svirt
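Review bot: The `tripleo-validations-centos-8-molecule-system_encoding` job added at the top of this hunk is unrelated to nova_svirt and is not referenced by the two project-list hunks above, which add only the nova_svirt entry; it looks like a rebase leftover or a change that belongs in its own commit. If it is intentional, the check/gate lists should presumably gain a matching `system_encoding` entry, though the context shown does not reveal whether one already exists further down those lists. Keeping the new `nova_svirt` job in the same position as its list entries (alphabetical, after nova_status) would also ease future diffs.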