Merge "Sync t-h-t: Fix logs permissions for swtpm"

2023-01-06 14:49:17 +00:00 · 2023-01-06 14:49:17 +00:00 · 1e53ead559
parent b88008dd64 2f16f64753
commit 1e53ead559
5 changed files with 73 additions and 1 deletions
--- a/tripleo_ansible/roles/tripleo_nova_libvirt/tasks/install.yml
+++ b/tripleo_ansible/roles/tripleo_nova_libvirt/tasks/install.yml
@ -31,9 +31,11 @@
    - { 'path': /var/cache/libvirt }
    - { 'path': /var/lib/nova, 'setype': container_file_t }
    - { 'path': /run/libvirt, 'setype': virt_var_run_t }
+    # TODO(bogdando): use container_logwriter_t as of container-selinux v2.191.0
+    - { 'path': /var/log/containers/libvirt/swtpm, 'setype': container_file_t, 'mode': '0770' }
+    - { 'path': /var/log/containers/libvirt, 'setype': container_ro_file_t, 'selevel': s0, 'mode': '0750' }
    # NOTE(bogdando): this mostly replicates today t-h-t common/common-container-setup-tasks.yaml
    # we can tweak it further later, or move to some common tasks later
-    - { 'path': /var/log/containers/libvirt, 'setype': container_ro_file_t, 'selevel': s0, 'mode': '0750' }
    - { 'path': /var/lib/kolla/config_files, 'setype': container_file_t, 'selevel': s0, 'recurse': true }
    - { 'path': /var/lib/tripleo-config, 'setype': container_file_t, 'selevel': s0, 'mode': '0750' }
    - { 'path': /var/lib/config-data, 'setype': container_file_t, 'selevel': s0, 'mode': '0755' }
--- a/tripleo_ansible/roles/tripleo_nova_libvirt/tasks/logging-install.yml
+++ b/tripleo_ansible/roles/tripleo_nova_libvirt/tasks/logging-install.yml
@ -0,0 +1,29 @@
+
+---
+# Copyright 2022 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: create libvirt persistent data directories
+  file:
+    path: "{{ item.path }}"
+    state: directory
+    setype: "{{ item.setype | default(omit) }}"
+    selevel: "{{ item.selevel | default(omit) }}"
+    recurse: "{{ item.recurse | default(omit) }}"
+    mode: "{{ item.mode | default(omit) }}"
+  with_items:
+    # TODO(bogdando): use container_logwriter_t as of container-selinux v2.191.0
+    - { 'path': /var/log/containers/libvirt/swtpm, 'setype': container_file_t, 'mode': '0770' }
+    - { 'path': /var/log/containers/libvirt, 'setype': container_ro_file_t, 'selevel': s0, 'mode': '0750' }
--- a/tripleo_ansible/roles/tripleo_nova_libvirt/tasks/logging-run.yml
+++ b/tripleo_ansible/roles/tripleo_nova_libvirt/tasks/logging-run.yml
@ -0,0 +1,29 @@
+---
+# Copyright 2022 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+- name: Ensure /var/lib/container-config-scripts exists
+  file:
+    path: /var/lib/container-config-scripts
+    state: directory
+
+- name: Manage nova_virtqemud_init_logs container
+  include_role:
+    name: tripleo_container_standalone
+  vars:
+    tripleo_container_standalone_service: nova_virtqemud_init_logs
+    tripleo_container_standalone_container_defs:
+      nova_virtqemud_init_logs: "{{ lookup('template', 'nova_virtqemud_init_logs.yaml.j2') | from_yaml }}"
--- a/tripleo_ansible/roles/tripleo_nova_libvirt/tasks/run.yml
+++ b/tripleo_ansible/roles/tripleo_nova_libvirt/tasks/run.yml
@ -22,6 +22,9 @@
        name: tripleo_container_manage
        tasks_from: shutdown.yml

+    - name: Init logs for nova_virtqemud container
+      import_tasks: logging-run.yml
+
    - name: Run nova_libvirt containers
      include_role:
        name: tripleo_container_standalone
--- a/tripleo_ansible/roles/tripleo_nova_libvirt/templates/nova_virtqemud_init_logs.yaml.j2
+++ b/tripleo_ansible/roles/tripleo_nova_libvirt/templates/nova_virtqemud_init_logs.yaml.j2
@ -0,0 +1,9 @@
+image: {{ tripleo_nova_libvirt_container_image }}
+net: none
+privileged: false
+user: root
+volumes:
+  - /var/log/containers/libvirt/swtpm:/var/log/swtpm:shared,z
+command: ['/bin/bash', '-c', 'chown -R tss:tss /var/log/swtpm']
+environment:
+  TRIPLEO_DEPLOY_IDENTIFIER: "{{ tripleo_deploy_identifier | default('') }}"