Ensure initial apparmor mode set
Due to changes in the hookenv.config charmhelper, the value of aa-profile-mode does not change between the install and config-changed hooks. This results in the ceph-osd apparmor profile always being enabled by default (rather than being disabled). Ensure that an apparmor enforcement mode is correctly set whenever a new profile is installed - this could either be on first install, or if a new profile is added to the charm. Change-Id: I131c9a871ad970b58fa6f41575c240081f653a21
parent
5ea1973062
commit
dec2f24ad8
|
@ -142,12 +142,17 @@ def copy_profile_into_place():
|
|||
Copy the apparmor profiles included with the charm
|
||||
into the /etc/apparmor.d directory.
|
||||
"""
|
||||
new_install = False
|
||||
apparmor_dir = os.path.join(os.sep,
|
||||
'etc',
|
||||
'apparmor.d')
|
||||
|
||||
for x in glob.glob('files/apparmor/*'):
|
||||
if not os.path.exists(os.path.join(apparmor_dir,
|
||||
os.path.basename(x))):
|
||||
new_install = True
|
||||
shutil.copy(x, apparmor_dir)
|
||||
return new_install
|
||||
|
||||
|
||||
class CephOsdAppArmorContext(AppArmorContext):
|
||||
|
@ -171,8 +176,8 @@ def install_apparmor_profile():
|
|||
configuration option.
|
||||
"""
|
||||
log('Installing apparmor profile for ceph-osd')
|
||||
copy_profile_into_place()
|
||||
if config().changed('aa-profile-mode'):
|
||||
new_install = copy_profile_into_place()
|
||||
if new_install or config().changed('aa-profile-mode'):
|
||||
aa_context = CephOsdAppArmorContext()
|
||||
aa_context.setup_aa_profile()
|
||||
service_reload('apparmor')
|
||||
|
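Review bot: In copy_profile_into_place, `new_install` is set only when the destination file is missing, so a charm upgrade that changes the contents of an existing profile still overwrites it with `shutil.copy` but returns False. install_apparmor_profile then skips `setup_aa_profile()` and `service_reload('apparmor')` unless aa-profile-mode also changed, so the previously loaded policy presumably stays in effect until something else reloads it. Consider treating a content difference as a change too, with `dest = os.path.join(apparmor_dir, os.path.basename(x))` and `if not os.path.exists(dest) or not filecmp.cmp(x, dest, shallow=False):` (needs `import filecmp`). The docstring should also gain a line such as `Returns True if any profile was newly installed.` Both functions continue outside the visible hunks.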
|
|
@ -317,6 +317,7 @@ class CephHooksTestCase(unittest.TestCase):
|
|||
m_aa_context = MagicMock()
|
||||
mock_apparmor_context.return_value = m_aa_context
|
||||
mock_ceph.systemd.return_value = False
|
||||
mock_copy_profile_into_place.return_value = False
|
||||
|
||||
ceph_hooks.install_apparmor_profile()
|
||||
|
||||
|
@ -346,6 +347,7 @@ class CephHooksTestCase(unittest.TestCase):
|
|||
mock_apparmor_context.return_value = m_aa_context
|
||||
mock_ceph.systemd.return_value = True
|
||||
mock_ceph.get_local_osd_ids.return_value = [0, 1, 2]
|
||||
mock_copy_profile_into_place.return_value = False
|
||||
|
||||
ceph_hooks.install_apparmor_profile()
|
||||
|
||||
|
@ -359,6 +361,40 @@ class CephHooksTestCase(unittest.TestCase):
|
|||
call('ceph-osd@2'),
|
||||
])
|
||||
|
||||
@patch.object(ceph_hooks, 'ceph')
|
||||
@patch.object(ceph_hooks, 'service_restart')
|
||||
@patch.object(ceph_hooks, 'service_reload')
|
||||
@patch.object(ceph_hooks, 'copy_profile_into_place')
|
||||
@patch.object(ceph_hooks, 'CephOsdAppArmorContext')
|
||||
@patch.object(ceph_hooks, 'config')
|
||||
def test_install_apparmor_profile_new_install(self, mock_config,
|
||||
mock_apparmor_context,
|
||||
mock_copy_profile_into_place,
|
||||
mock_service_reload,
|
||||
mock_service_restart,
|
||||
mock_ceph):
|
||||
'''Apparmor profile always reloaded on fresh install'''
|
||||
m_config = MagicMock()
|
||||
m_config.changed.return_value = True
|
||||
mock_config.return_value = m_config
|
||||
m_aa_context = MagicMock()
|
||||
mock_apparmor_context.return_value = m_aa_context
|
||||
mock_ceph.systemd.return_value = True
|
||||
mock_ceph.get_local_osd_ids.return_value = [0, 1, 2]
|
||||
mock_copy_profile_into_place.return_value = True
|
||||
|
||||
ceph_hooks.install_apparmor_profile()
|
||||
|
||||
m_aa_context.setup_aa_profile.assert_called()
|
||||
mock_copy_profile_into_place.assert_called()
|
||||
m_config.changed.assert_not_called()
|
||||
mock_service_reload.assert_called_with('apparmor')
|
||||
mock_service_restart.assert_has_calls([
|
||||
call('ceph-osd@0'),
|
||||
call('ceph-osd@1'),
|
||||
call('ceph-osd@2'),
|
||||
])
|
||||
|
||||
@patch.object(ceph_hooks, 'storage_list')
|
||||
@patch.object(ceph_hooks, 'config')
|
||||
def test_get_devices(self, mock_config, mock_storage_list):
|
||||
|
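Review bot: In test_install_apparmor_profile_new_install, `m_config.changed.return_value = True` combined with `m_config.changed.assert_not_called()` makes the test depend on the operand order of the `or`, rather than showing that a new install alone triggers enforcement. Setting `m_config.changed.return_value = False` and dropping the `assert_not_called()` line would pin the behaviour this commit is about without that coupling. A negative case is not visible in these hunks: with both `mock_copy_profile_into_place` and `changed()` returning False, the test should check `m_aa_context.setup_aa_profile.assert_not_called()`. That case would catch a regression where the profile mode is re-applied, and ceph-osd restarted, on every hook run.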
|