From 36d484e3011314841c8ac9ccffe1086de0e2ea40 Mon Sep 17 00:00:00 2001
From: Samuel Cassiba
Date: Mon, 6 Mar 2017 16:02:57 -0800
Subject: [PATCH] Corrects SELinux enablement

- corrects SELinux enablement for Keystone, as RHEL comes with SELinux enabled by default.
- removes executable bit from metadata.rb

Change-Id: I97e73bcc0d4721283067e41b988bccb1ddf6c031
---
 attributes/default.rb | 2 +-
 metadata.rb | 0
 recipes/server-apache.rb | 20 ++++++++++++++++++++
 spec/server-apache_spec.rb | 2 +-
 spec/spec_helper.rb | 3 ++-
 5 files changed, 24 insertions(+), 3 deletions(-)
 mode change 100755 => 100644 metadata.rb
diff --git a/attributes/default.rb b/attributes/default.rb
index 5fa9115..386b49c 100644
--- a/attributes/default.rb
+++ b/attributes/default.rb
@@ -168,7 +168,7 @@ when 'fedora', 'rhel' # :pragma-foodcritic: ~FC024 - won't fix this
 # platform specific package and service name options
 default['openstack']['identity']['platform'] = {
 'memcache_python_packages' => ['python-memcached'],
- 'keystone_packages' => ['openstack-keystone'],
+ 'keystone_packages' => ['openstack-keystone', 'openstack-selinux'],
 'keystone_service' => 'openstack-keystone',
 'keystone_process_name' => 'keystone-all',
 'package_options' => ''
diff --git a/metadata.rb b/metadata.rb
old mode 100755
new mode 100644
diff --git a/recipes/server-apache.rb b/recipes/server-apache.rb
index a09d10a..40511b2 100644
--- a/recipes/server-apache.rb
+++ b/recipes/server-apache.rb
@@ -28,6 +28,19 @@ class ::Chef::Recipe
 include ::Openstack
 end

+# Workaround lifted from openstack-dashboard::apache2-server to install apache2
+# on a RHEL-ish machine with SELinux set to enforcing.
+#
+# TODO(sc): once apache2 is in a place to allow for subscribes to web_app,
+# this workaround should go away
+#
+execute 'set-selinux-permissive' do
+ command '/sbin/setenforce Permissive'
+ action :run
+
+ only_if "[ ! -e /etc/httpd/conf/httpd.conf ] && [ -e /etc/redhat-release ] && [ $(/sbin/sestatus | grep -c '^Current mode:.*enforcing') -eq 1 ]"
+end
+
 # include the logging recipe from openstack-common if syslog usage is enbaled
 if node['openstack']['identity']['syslog']['use']
 include_recipe 'openstack-common::logging'
@@ -314,5 +327,12 @@ end
 # restart apache2 after keystone if completely configured
 execute 'Keystone apache restart' do
 command 'uname'
+ notifies :run, 'execute[restore-selinux-context]', :immediately
 notifies :restart, 'service[apache2]', :immediately
 end
+
+execute 'restore-selinux-context' do
+ command 'restorecon -Rv /etc/httpd /etc/pki || :'
+ action :nothing
+ only_if { platform_family?('rhel') }
+end
diff --git a/spec/server-apache_spec.rb b/spec/server-apache_spec.rb
index e344223..92862c7 100644
--- a/spec/server-apache_spec.rb
+++ b/spec/server-apache_spec.rb
@@ -109,7 +109,7 @@ describe 'openstack-identity::server-apache' do
 end

 it 'has default transport_url/AMQP options set' do
- [%r{^transport_url = rabbit://guest:mypass@127.0.0.1:5672$}].each do |line|
+ [%r{^transport_url = rabbit://openstack:mypass@127.0.0.1:5672$}].each do |line|
 expect(chef_run).to render_file(path).with_content(line)
 end
 end
diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
index 74abb61..93f9885 100644
--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
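Review bot: `execute 'set-selinux-permissive'` in recipes/server-apache.rb puts the whole host into permissive mode, and no resource in this patch returns it to enforcing, so a node that converges through this path stays without SELinux enforcement until it is rebooted or someone runs `setenforce` by hand. Because the same commit installs `openstack-selinux` and relabels /etc/httpd, the intent appears to be that Keystone ends up running under enforcing. Pairing the workaround with a delayed restore limits the permissive window to the run that actually flipped the mode. The sketch adds a `:delayed` notification to the existing resource plus a new `action :nothing` resource; whether delayed notifications also fire on a failed run depends on the Chef client version, so confirm that for the supported clients.

```ruby
execute 'set-selinux-permissive' do
  command '/sbin/setenforce Permissive'
  action :run
  # ... unchanged: only_if guard ...
  # return the host to enforcing once this run has finished configuring apache
  notifies :run, 'execute[restore-selinux-enforcing]', :delayed
end

execute 'restore-selinux-enforcing' do
  command '/sbin/setenforce Enforcing'
  action :nothing
end
```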
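Review bot: The `|| :` at the end of the `restorecon` command in `execute 'restore-selinux-context'` (second hunk of recipes/server-apache.rb) makes the resource report success even when relabelling fails, so wrong contexts under /etc/httpd or /etc/pki go unnoticed for as long as the host is permissive and surface only as denials once enforcing is back. Dropping the fallback, `command '/sbin/restorecon -Rv /etc/httpd /etc/pki'`, lets the run fail visibly and also matches the absolute `/sbin/` path used for `setenforce`. The guard `platform_family?('rhel')` is narrower than the `when 'fedora', 'rhel'` branch where `openstack-selinux` is added; if Fedora is meant to be covered, `only_if { platform_family?('rhel', 'fedora') }` keeps the two in step.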
@@ -72,6 +72,7 @@ shared_context 'identity_stubs' do
 .and_return('thisisfernetkey1')
 allow_any_instance_of(Chef::Recipe).to receive(:rabbit_transport_url)
 .with('identity')
- .and_return('rabbit://guest:mypass@127.0.0.1:5672')
+ .and_return('rabbit://openstack:mypass@127.0.0.1:5672')
+ stub_command("[ ! -e /etc/httpd/conf/httpd.conf ] && [ -e /etc/redhat-release ] && [ $(/sbin/sestatus | grep -c '^Current mode:.*enforcing') -eq 1 ]").and_return(true)
 end
 end
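Review bot: The new `stub_command(...)` in `identity_stubs` always returns true, yet none of the visible spec changes asserts that `execute[set-selinux-permissive]` runs or that `execute[restore-selinux-context]` is notified, so the two new SELinux resources are untested. In spec/server-apache_spec.rb, add an example with `expect(chef_run).to run_execute('set-selinux-permissive')`. Add a second context that stubs the guard to false and expects `to_not run_execute('set-selinux-permissive')`, so the case of an already-configured host is pinned as well. The body of `shared_context 'identity_stubs'` starts outside this hunk.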