Set the dnsmasq aa profile to complain

If a stock AppArmor (aa) profile exists for dnsmasq (SUSE, Ubuntu), the
nspawn deployment will fail because the profile is strict. This change
sets the profile to complain mode, which allows the deployment to
succeed. The new tasks detect a stock dnsmasq AppArmor profile and
set it to complain mode if found.

Change-Id: Ie565b683d2f06e47f7a46497ce3c38d604a0fed6
Signed-off-by: Kevin Carter <kevin@cloudnull.com>
Kevin Carter 2019-01-31 11:07:33 -06:00 committed by Kevin Carter
parent ef4aef4802
commit 2f76119d7a
2 changed files with 16 additions and 1 deletions


@ -13,7 +13,18 @@
# See the License for the specific language governing permissions and
# limitations under the License.
- block:
- name: Check for aa-profile
stat:
path: /etc/apparmor.d/usr.sbin.dnsmasq
register: aa_profile
- name: Set dnsmasq aa profile to complain
command: "aa-complain /etc/apparmor.d/usr.sbin.dnsmasq"
when:
- aa_profile.stat.exists | bool
- name: Add proxies when needed
block:
- name: Create machined proxy override unit directories
file:
path: "/etc/systemd/system/{{ item }}"
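Review bot: The `Set dnsmasq aa profile to complain` task takes the stock dnsmasq AppArmor profile out of enforcement on the host whenever the profile file exists, with no way to opt out and no record of why, so dnsmasq loses its confinement for every use, not only the nspawn networks. If the denials that break the deployment are known, keeping the profile enforced and adding the needed rules through the profile's local override would be narrower; failing that, I would at least add a comment above the task such as `# Complain mode turns AppArmor denials for dnsmasq into log entries only; revisit once the required rules are known.` The `command` call also reports changed on every run and, as far as I can tell, fails when `aa-complain` is not installed even though the profile file is present (it is packaged separately from the profiles on some distributions), so a guard on the binary or `changed_when: false` would help. The task list this hunk belongs to continues outside the hunk.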


@ -27,12 +27,16 @@ nspawn_network_utils:
apt:
iptables: /sbin/iptables
ip: /sbin/ip
ethtool: /sbin/ethtool
yum:
iptables: /usr/sbin/iptables
ip: /usr/sbin/ip
ethtool: /usr/sbin/ethtool
zypper:
iptables: /usr/sbin/iptables
ip: /sbin/ip
ethtool: /sbin/ethtool
emerge:
iptables: /usr/sbin/iptables
ip: /bin/ip
ethtool: /usr/sbin/ethtool