diff --git a/tripleo_ansible/roles/tripleo_nova_libvirt/tasks/install.yml b/tripleo_ansible/roles/tripleo_nova_libvirt/tasks/install.yml
index cfe6e851c..30090e9ce 100644
--- a/tripleo_ansible/roles/tripleo_nova_libvirt/tasks/install.yml
+++ b/tripleo_ansible/roles/tripleo_nova_libvirt/tasks/install.yml
@@ -31,9 +31,11 @@
 - { 'path': /var/cache/libvirt }
 - { 'path': /var/lib/nova, 'setype': container_file_t }
 - { 'path': /run/libvirt, 'setype': virt_var_run_t }
+ # TODO(bogdando): use container_logwriter_t as of container-selinux v2.191.0
+ - { 'path': /var/log/containers/libvirt/swtpm, 'setype': container_file_t, 'mode': '0770' }
+ - { 'path': /var/log/containers/libvirt, 'setype': container_ro_file_t, 'selevel': s0, 'mode': '0750' }
 # NOTE(bogdando): this mostly replicates today t-h-t common/common-container-setup-tasks.yaml
 # we can tweak it further later, or move to some common tasks later
- - { 'path': /var/log/containers/libvirt, 'setype': container_ro_file_t, 'selevel': s0, 'mode': '0750' }
 - { 'path': /var/lib/kolla/config_files, 'setype': container_file_t, 'selevel': s0, 'recurse': true }
 - { 'path': /var/lib/tripleo-config, 'setype': container_file_t, 'selevel': s0, 'mode': '0750' }
 - { 'path': /var/lib/config-data, 'setype': container_file_t, 'selevel': s0, 'mode': '0755' }
diff --git a/tripleo_ansible/roles/tripleo_nova_libvirt/tasks/logging-install.yml b/tripleo_ansible/roles/tripleo_nova_libvirt/tasks/logging-install.yml
new file mode 100644
index 000000000..462778874
--- /dev/null
+++ b/tripleo_ansible/roles/tripleo_nova_libvirt/tasks/logging-install.yml
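Review bot: The new `/var/log/containers/libvirt/swtpm` item is listed before its parent `/var/log/containers/libvirt`, so the `file` module will create the parent implicitly with umask-default permissions and the default label, and only the following item tightens it to `0750`/`container_ro_file_t`; swap the two entries so the parent is pinned first. The same two entries are also added verbatim to the new logging-install.yml, which leaves the swtpm label and mode defined in two places that can drift; either have install.yml `import_tasks: logging-install.yml` or drop the duplicate. The `0770` mode is only meaningful once the init container has chowned the directory to `tss:tss`, which is worth stating next to the TODO: `# group-writable for the tss group; ownership is set by nova_virtqemud_init_logs`. The enclosing `with_items` task starts above this hunk.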
@@ -0,0 +1,29 @@
+
+---
+# Copyright 2022 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+- name: create libvirt persistent data directories
+ file:
+ path: "{{ item.path }}"
+ state: directory
+ setype: "{{ item.setype | default(omit) }}"
+ selevel: "{{ item.selevel | default(omit) }}"
+ recurse: "{{ item.recurse | default(omit) }}"
+ mode: "{{ item.mode | default(omit) }}"
+ with_items:
+ # TODO(bogdando): use container_logwriter_t as of container-selinux v2.191.0
+ - { 'path': /var/log/containers/libvirt/swtpm, 'setype': container_file_t, 'mode': '0770' }
+ - { 'path': /var/log/containers/libvirt, 'setype': container_ro_file_t, 'selevel': s0, 'mode': '0750' }
diff --git a/tripleo_ansible/roles/tripleo_nova_libvirt/tasks/logging-run.yml b/tripleo_ansible/roles/tripleo_nova_libvirt/tasks/logging-run.yml
new file mode 100644
index 000000000..66982f494
--- /dev/null
+++ b/tripleo_ansible/roles/tripleo_nova_libvirt/tasks/logging-run.yml
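Review bot: Nothing in this diff imports logging-install.yml — install.yml repeats the same two directory entries inline and only logging-run.yml is wired into run.yml — so unless a caller exists outside the patch this file is dead code that duplicates the swtpm label and mode. If it is meant to be the single source of truth, install.yml should `import_tasks: logging-install.yml` and drop its inline copy; otherwise remove the file. As with install.yml, the swtpm child is created before its parent `/var/log/containers/libvirt`, so the parent briefly gets umask-default permissions before the next item fixes it; list the parent first. The file also starts with an empty line before `---`, and the task name `create libvirt persistent data directories` is lowercase while logging-run.yml capitalises its task names; `- name: Create libvirt log directories` would describe what this task actually does and match the sibling file.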
@@ -0,0 +1,29 @@
+---
+# Copyright 2022 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+- name: Ensure /var/lib/container-config-scripts exists
+ file:
+ path: /var/lib/container-config-scripts
+ state: directory
+
+- name: Manage nova_virtqemud_init_logs container
+ include_role:
+ name: tripleo_container_standalone
+ vars:
+ tripleo_container_standalone_service: nova_virtqemud_init_logs
+ tripleo_container_standalone_container_defs:
+ nova_virtqemud_init_logs: "{{ lookup('template', 'nova_virtqemud_init_logs.yaml.j2') | from_yaml }}"
diff --git a/tripleo_ansible/roles/tripleo_nova_libvirt/tasks/run.yml b/tripleo_ansible/roles/tripleo_nova_libvirt/tasks/run.yml
index daed66e85..19c47f790 100644
--- a/tripleo_ansible/roles/tripleo_nova_libvirt/tasks/run.yml
+++ b/tripleo_ansible/roles/tripleo_nova_libvirt/tasks/run.yml
@@ -22,6 +22,9 @@
 name: tripleo_container_manage
 tasks_from: shutdown.yml
+ - name: Init logs for nova_virtqemud container
+ import_tasks: logging-run.yml
+
 - name: Run nova_libvirt containers
 include_role:
 name: tripleo_container_standalone
diff --git a/tripleo_ansible/roles/tripleo_nova_libvirt/templates/nova_virtqemud_init_logs.yaml.j2 b/tripleo_ansible/roles/tripleo_nova_libvirt/templates/nova_virtqemud_init_logs.yaml.j2
new file mode 100644
index 000000000..cbd8766b7
--- /dev/null
+++ b/tripleo_ansible/roles/tripleo_nova_libvirt/templates/nova_virtqemud_init_logs.yaml.j2
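Review bot: The `Ensure /var/lib/container-config-scripts exists` task creates the directory with no `mode`, `setype` or `selevel`, unlike every other directory this role creates in install.yml, so it inherits the umask and whatever label the parent carries; pin it, e.g. `mode: '0755'` plus the `setype` the role uses for container-readable paths, or add a comment saying why the defaults are acceptable here. Nothing in this file or the template mounts that directory, so it is presumably needed by the `tripleo_container_standalone` role itself — worth a one-line comment (`# tripleo_container_standalone expects this path to exist`) so the next reader does not delete it as unused; confirm against that role. Note also that the container is managed on every run of run.yml and the template's `chown -R` result is only visible through that role's handling of the container exit status, which is outside this diff.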
@@ -0,0 +1,9 @@
+image: {{ tripleo_nova_libvirt_container_image }}
+net: none
+privileged: false
+user: root
+volumes:
+ - /var/log/containers/libvirt/swtpm:/var/log/swtpm:shared,z
+command: ['/bin/bash', '-c', 'chown -R tss:tss /var/log/swtpm']
+environment:
+ TRIPLEO_DEPLOY_IDENTIFIER: "{{ tripleo_deploy_identifier | default('') }}"
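Review bot: The `z` mount option relabels the host directory to the container file type on every run of this one-shot container, which currently matches the `container_file_t` set in install.yml but will silently undo the `container_logwriter_t` move the TODO in install.yml plans; the label should be owned by one place, so either drop `z` and rely on the Ansible `setype`, or note in install.yml that the relabel here is what wins. The `shared` propagation flag is not needed to chown a log directory and widens what the container can do to host mounts; `rw,z` (or just `rw` if the relabel is dropped) is enough for this purpose. Wrapping a single command in `/bin/bash -c` adds a shell for no reason, so prefer the exec form `command: ['chown', '-R', 'tss:tss', '/var/log/swtpm']`. The chown also assumes the libvirt image defines a `tss` user and group; if it does not, the container exits non-zero before the virtqemud containers start, which is worth a comment such as `# tss user/group come from the swtpm package in the libvirt image`.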