Merge "Service parameter config for auditd grub parameter"

sysinv/sysinv/sysinv/sysinv/common/constants.py

@@ -1195,6 +1195,13 @@ SERVICE_PARAM_NAME_ENDPOINT_DOMAIN = "endpoint_domain"
 SERVICE_PARAM_SECTION_COLLECTD = 'collectd'
 SERVICE_PARAM_COLLECTD_NETWORK_SERVERS = 'network_servers'
 
+# platform kernel parameter auditd
+# enables and disables auditd
+SERVICE_PARAM_SECTION_PLATFORM_KERNEL = 'kernel'
+SERVICE_PARAM_NAME_PLATFORM_AUDITD = 'audit'
+SERVICE_PARAM_PLATFORM_AUDITD_DISABLED = '0'
+SERVICE_PARAM_PLATFORM_AUDITD_ENABLED = '1'
+
 # TIS part number, CPE = combined load, STD = standard load
 TIS_STD_BUILD = 'Standard'
 TIS_AIO_BUILD = 'All-in-one'

sysinv/sysinv/sysinv/sysinv/common/service_parameter.py

@@ -396,6 +396,21 @@ def _validate_pod_max_pids(name, value):
                     constants.SERVICE_PARAM_KUBERNETES_POD_MAX_PIDS_MAX)
 
 
+def _validate_kernel_audit(name, value):
+    """Check if specified value is supported"""
+    try:
+        if str(value) in [constants.SERVICE_PARAM_PLATFORM_AUDITD_DISABLED,
+                          constants.SERVICE_PARAM_PLATFORM_AUDITD_ENABLED]:
+            return
+    except ValueError:
+        pass
+
+    raise wsme.exc.ClientSideError(_(
+        "Parameter '%s' value must be either '%s' or '%s'" %
+        (name, constants.SERVICE_PARAM_PLATFORM_AUDITD_DISABLED,
+         constants.SERVICE_PARAM_PLATFORM_AUDITD_ENABLED)))
+
+
 PLATFORM_CONFIG_PARAMETER_OPTIONAL = [
     constants.SERVICE_PARAM_NAME_PLAT_CONFIG_VIRTUAL,
 ]
@@ -524,6 +539,19 @@ PLATFORM_MTCE_PARAMETER_RESOURCE = {
     constants.SERVICE_PARAM_PLAT_MTCE_MNFA_TIMEOUT: 'platform::mtce::params::mnfa_timeout',
 }
 
+PLATFORM_KERNEL_PARAMETER_OPTIONAL = [
+    constants.SERVICE_PARAM_NAME_PLATFORM_AUDITD,
+]
+
+PLATFORM_KERNEL_PARAMETER_VALIDATOR = {
+    constants.SERVICE_PARAM_NAME_PLATFORM_AUDITD: _validate_kernel_audit,
+}
+
+PLATFORM_KERNEL_PARAMETER_RESOURCE = {
+    constants.SERVICE_PARAM_NAME_PLATFORM_AUDITD:
+        'platform::compute::grub::params::g_audit',
+}
+
 RADOSGW_CONFIG_PARAMETER_MANDATORY = [
     constants.SERVICE_PARAM_NAME_RADOSGW_SERVICE_ENABLED,
 ]
@@ -797,6 +825,11 @@ SERVICE_PARAMETER_SCHEMA = {
             SERVICE_PARAM_RESOURCE: COLLECTD_PARAMETER_RESOURCE,
             SERVICE_PARAM_DATA_FORMAT: COLLECTD_NETWORK_SERVERS_PARAMETER_DATA_FORMAT,
         },
+        constants.SERVICE_PARAM_SECTION_PLATFORM_KERNEL: {
+            SERVICE_PARAM_OPTIONAL: PLATFORM_KERNEL_PARAMETER_OPTIONAL,
+            SERVICE_PARAM_VALIDATOR: PLATFORM_KERNEL_PARAMETER_VALIDATOR,
+            SERVICE_PARAM_RESOURCE: PLATFORM_KERNEL_PARAMETER_RESOURCE,
+        },
     },
     constants.SERVICE_TYPE_HORIZON: {
         constants.SERVICE_PARAM_SECTION_HORIZON_AUTH: {

sysinv/sysinv/sysinv/sysinv/conductor/manager.py

@@ -673,6 +673,11 @@ class ConductorManager(service.PeriodicService):
          'name': constants.SERVICE_PARAM_PLAT_MTCE_MNFA_TIMEOUT,
          'value': constants.SERVICE_PARAM_PLAT_MTCE_MNFA_TIMEOUT_DEFAULT,
          },
+        {'service': constants.SERVICE_TYPE_PLATFORM,
+         'section': constants.SERVICE_PARAM_SECTION_PLATFORM_KERNEL,
+         'name': constants.SERVICE_PARAM_NAME_PLATFORM_AUDITD,
+         'value': constants.SERVICE_PARAM_PLATFORM_AUDITD_DISABLED,
+         },
         {'service': constants.SERVICE_TYPE_RADOSGW,
          'section': constants.SERVICE_PARAM_SECTION_RADOSGW_CONFIG,
          'name': constants.SERVICE_PARAM_NAME_RADOSGW_SERVICE_ENABLED,
@@ -9233,6 +9238,21 @@ class ConductorManager(service.PeriodicService):
                 personalities = [constants.CONTROLLER,
                                  constants.WORKER,
                                  constants.STORAGE]
+            elif section == constants.SERVICE_PARAM_SECTION_PLATFORM_KERNEL:
+                reboot = True
+                personalities = [constants.CONTROLLER,
+                                 constants.WORKER]
+                config_uuid = self._config_update_hosts(context, personalities, reboot=True)
+
+                config_dict = {
+                    'personalities': personalities,
+                    "classes": ['platform::compute::grub::runtime']
+                }
+
+                # Apply runtime config but keep reboot required flag set in
+                # _config_update_hosts() above. Node needs a reboot to clear it.
+                config_uuid = self._config_clear_reboot_required(config_uuid)
+                self._config_apply_runtime_manifest(context, config_uuid, config_dict, force=True)
 
         # we should not set the reboot flag on operations that are not
         # reboot required. An apply of a service parameter is not reboot