tasks: apparmor: Disable the HAproxy profile on all hosts.

This mimics https://review.openstack.org/#/c/603078/. We need to disable the HAproxy profile on all hosts which spawn up containers since it's possible for a container to use HAproxy for the OpenStack services that it contains but if the host is not properly configured to allow HAproxy to operate freely then the container operation will be broken. For example, here is a log from a neutron container which tries to use haproxy for the metadata service but it breaks because the host apparmor prevents Haproxy from working properly Running command: ['sudo', '/usr/bin/neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 'netns', 'exec', 'qrouter-e24204c6-698c-44e5-8dfb-dd13dbd734ed', 'haproxy', '-f', '/var/lib/neutron/ns-metadata-proxy/e24204c6-698c-44e5-8dfb-dd13dbd734ed.conf'] [...] ERROR neutron.agent.linux.utils [-] Exit code: 1; Stdin: ; Stdout: ; Stderr: [ALERT] 263/181939 (11200) : Cannot open configuration file/directory /var/lib/neutron/ns-metadata-proxy/e24204c6-698c-44e5-8dfb-dd13dbd734ed.conf : Permission denied and on the host (which did not run the haproxy_server role) we see audit: type=1400 audit(1537547548.513:131): apparmor="DENIED" operation="getattr" info="Failed name lookup - disconnected path error=-13 profile="/usr/sbin/haproxy" name="dev/pts/5" pid=29842 comm="haproxy" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Change-Id: I40bb76ef1e32b5a50345f9c1159667608066870b
2018-09-21 17:39:14 +01:00 · 2018-09-21 17:39:14 +01:00 · fc456f65aa
parent a6dba10bb1
commit fc456f65aa
1 changed files with 42 additions and 0 deletions
--- a/tasks/lxc_apparmor.yml
+++ b/tasks/lxc_apparmor.yml
@ -97,6 +97,48 @@
    - lxc-apparmor
    - lxc_hosts-config

+- name: Check for apparmor profile
+  stat:
+    path: "/etc/apparmor.d/bin.sbin.haproxy"
+  register: sbin_haproxy
+
+# NOTE(hwoarang) aa-disable will disable the profile and unload it immediately
+# See https://bugzilla.opensuse.org/show_bug.cgi?id=1108688. For aa-disable to
+# work we need apparmor app and running
+- name: Relax apparmor profile
+  block:
+    - name: Ensure apparmor service is running
+      systemd:
+        name: "apparmor"
+        enabled: yes
+        state: "started"
+
+    - name: Relax haproxy apparmor profile
+      shell: |
+        # empty line to workaround bug in EnvVarsInCommandRule.py lint test
+        # https://github.com/willthames/ansible-lint/issues/275
+        exit_code=0
+        if aa-status | grep -q haproxy ; then
+          aa-disable usr.sbin.haproxy
+          exit_code=$?
+          if [[ ${exit_code} == 0 ]]; then
+            exit_code=2
+          fi
+        fi
+        exit ${exit_code}
+      register: _apparmor_profile_disabled
+      changed_when: _apparmor_profile_disabled.rc == 2
+      failed_when: _apparmor_profile_disabled.rc not in [0,2]
+      args:
+        warn: no
+        executable: /bin/bash
+  when:
+    - sbin_haproxy.stat.exists | bool
+  tags:
+    - lxc-files
+    - lxc-apparmor
+    - lxc_hosts-config
+
 - name: Drop lxc-openstack apparmor profile
  template:
    src: "lxc-openstack.apparmor.j2"