authorMarkos Chandras <mchandras@suse.de>2018-09-17 12:04:29 +0100
committerMarkos Chandras <mchandras@suse.de>2018-09-19 14:22:38 +0100
commit31f0c0a929da3032b7d1eddc79e78fbabfd845a4 (patch)
tree213bf2d26ba5a53f402bfad66fd757436ce58b38
parentbaa46072ea575641a065a9335c42bab43388b88e (diff)
Disable HAProxy apparmor profile if present
openSUSE ships a HAProxy profile which prevents the creation of the /run/haproxy.stat file. profile="/usr/sbin/haproxy" name="/run/haproxy.stat.21697.tmp" pid=21697 comm="haproxy" requested_mask="c" denied_mask="c" fsuid=0 ouid=0 As such, let's follow the common pattern across OSA roles to disable the profile instead of trying to manage it. Change-Id: Iaacb628f4cc78687c95034e81ed924807a3018bd
Notes
Notes (review): Code-Review+2: Logan V <logan2211@gmail.com> Code-Review+2: Amy Marrich (spotz) <amy@demarco.com> Workflow+1: Amy Marrich (spotz) <amy@demarco.com> Verified+2: Zuul Submitted-by: Zuul Submitted-at: Wed, 19 Sep 2018 17:29:42 +0000 Reviewed-on: https://review.openstack.org/603078 Project: openstack/openstack-ansible-haproxy_server Branch: refs/heads/master
-rw-r--r--tasks/haproxy_apparmor.yml52
-rw-r--r--tasks/haproxy_install.yml3
-rw-r--r--vars/suse.yml4
3 files changed, 58 insertions, 1 deletions
diff --git a/tasks/haproxy_apparmor.yml b/tasks/haproxy_apparmor.yml
new file mode 100644
index 0000000..85e8a8e
--- /dev/null
+++ b/tasks/haproxy_apparmor.yml
@@ -0,0 +1,52 @@
1---
2# Copyright 2018, SUSE Linux GmbH.
3#
4# Licensed under the Apache License, Version 2.0 (the "License");
5# you may not use this file except in compliance with the License.
6# You may obtain a copy of the License at
7#
8# http://www.apache.org/licenses/LICENSE-2.0
9#
10# Unless required by applicable law or agreed to in writing, software
11# distributed under the License is distributed on an "AS IS" BASIS,
12# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13# See the License for the specific language governing permissions and
14# limitations under the License.
15
16- name: Check for apparmor profile
17 stat:
18 path: "/etc/apparmor.d/usr.sbin.haproxy"
19 register: sbin_haproxy
20
21# NOTE(hwoarang) aa-disable will disable the profile and unload it immediately
22# See https://bugzilla.opensuse.org/show_bug.cgi?id=1108688. For aa-disable to
23# work we need apparmor app and running
24- name: Relax apparmor profile
25 block:
26 - name: Ensure apparmor service is running
27 systemd:
28 name: "apparmor"
29 enabled: yes
30 state: "started"
31
32 - name: Relax haproxy apparmor profile
33 shell: |
34 # empty line to workaround bug in EnvVarsInCommandRule.py lint test
35 # https://github.com/willthames/ansible-lint/issues/275
36 exit_code=0
37 if aa-status | grep -q haproxy; then
38 aa-disable usr.sbin.haproxy
39 exit_code=$?
40 if [[ ${exit_code} == 0 ]]; then
41 exit_code=2
42 fi
43 fi
44 exit ${exit_code}
45 register: _apparmor_profile_disabled
46 changed_when: _apparmor_profile_disabled.rc == 2
47 failed_when: _apparmor_profile_disabled.rc not in [0, 2]
48 args:
49 warn: no
50 executable: /bin/bash
51 when:
52 - sbin_haproxy.stat.exists | bool
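Review bot: In the `Relax haproxy apparmor profile` shell step a failing `aa-status` is indistinguishable from "no haproxy profile loaded", because only grep's exit status drives the branch, so the task reports ok with rc 0 while the profile may still be enforced. Capturing the status output first makes that failure visible, e.g. `profiles=$(aa-status) || exit 1` followed by `if grep -q haproxy <<< "${profiles}"; then`. Since `aa-disable usr.sbin.haproxy` unloads the profile, haproxy presumably runs unconfined afterwards; the NOTE above the block should say so and name the rejected alternative (a local override under /etc/apparmor.d/local/ granting the /run/haproxy.stat rule) so a later reader knows the trade-off was deliberate. Also `enabled: yes` and `warn: no` are YAML 1.1 truthy forms; `enabled: true` / `warn: false` avoid the yamllint truthy warning.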
diff --git a/tasks/haproxy_install.yml b/tasks/haproxy_install.yml
index a3bdca2..7ada113 100644
--- a/tasks/haproxy_install.yml
+++ b/tasks/haproxy_install.yml
@@ -52,3 +52,6 @@
52 args: 52 args:
53 chdir: "/opt/{{ haproxy_hatop_download_url | basename | replace('.tar.gz', '') }}" 53 chdir: "/opt/{{ haproxy_hatop_download_url | basename | replace('.tar.gz', '') }}"
54 creates: "/usr/local/bin/hatop" 54 creates: "/usr/local/bin/hatop"
55
56- include_tasks: haproxy_apparmor.yml
57 when: ansible_pkg_mgr == 'zypper'
diff --git a/vars/suse.yml b/vars/suse.yml
index ec1ed0d..f73735b 100644
--- a/vars/suse.yml
+++ b/vars/suse.yml
@@ -14,9 +14,11 @@
14# limitations under the License. 14# limitations under the License.
15 15
16haproxy_distro_packages: 16haproxy_distro_packages:
17 - apparmor-parser
18 - apparmor-profiles
19 - apparmor-utils
17 - haproxy 20 - haproxy
18 - netcat # Used for the Ansible haproxy module 21 - netcat # Used for the Ansible haproxy module
19 - rsyslog # Used for local logging 22 - rsyslog # Used for local logging
20
21haproxy_distro_packages_remove: 23haproxy_distro_packages_remove:
22 - systemd-logger # conflicts with rsyslog 24 - systemd-logger # conflicts with rsyslog
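Review bot: The three added apparmor-* entries in `haproxy_distro_packages` lack the inline `# Used for ...` comments the neighbouring entries carry, and the reason matters here: `apparmor-utils` is presumably what provides the `aa-status`/`aa-disable` commands the new haproxy_apparmor.yml task depends on, while `apparmor-profiles` appears to be the package that ships the very usr.sbin.haproxy profile the role then disables. If the profile is only being installed so it can be disabled, dropping `apparmor-profiles` would be the simpler fix; if it is needed for another reason, record it, e.g. `- apparmor-utils # Provides aa-status/aa-disable for haproxy_apparmor.yml`.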