Corrects SELinux enablement

- corrects SELinux enablement for Keystone, as RHEL comes with SELinux
  enabled by default.
- removes executable bit from metadata.rb

Change-Id: I97e73bcc0d4721283067e41b988bccb1ddf6c031
Samuel Cassiba 2017-03-06 16:02:57 -08:00 committed by Jens Rosenboom
parent f83bc81674
commit 36d484e301
5 changed files with 24 additions and 3 deletions


@ -168,7 +168,7 @@ when 'fedora', 'rhel' # :pragma-foodcritic: ~FC024 - won't fix this
# platform specific package and service name options
default['openstack']['identity']['platform'] = {
'memcache_python_packages' => ['python-memcached'],
'keystone_packages' => ['openstack-keystone'],
'keystone_packages' => ['openstack-keystone', 'openstack-selinux'],
'keystone_service' => 'openstack-keystone',
'keystone_process_name' => 'keystone-all',
'package_options' => ''

0
metadata.rb Executable file → Normal file

@ -28,6 +28,19 @@ class ::Chef::Recipe
include ::Openstack
end
# Workaround lifted from openstack-dashboard::apache2-server to install apache2
# on a RHEL-ish machine with SELinux set to enforcing.
#
# TODO(sc): once apache2 is in a place to allow for subscribes to web_app,
# this workaround should go away
#
execute 'set-selinux-permissive' do
command '/sbin/setenforce Permissive'
action :run
only_if "[ ! -e /etc/httpd/conf/httpd.conf ] && [ -e /etc/redhat-release ] && [ $(/sbin/sestatus | grep -c '^Current mode:.*enforcing') -eq 1 ]"
end
# include the logging recipe from openstack-common if syslog usage is enbaled
if node['openstack']['identity']['syslog']['use']
include_recipe 'openstack-common::logging'
@ -314,5 +327,12 @@ end
# restart apache2 after keystone if completely configured
execute 'Keystone apache restart' do
command 'uname'
notifies :run, 'execute[restore-selinux-context]', :immediately
notifies :restart, 'service[apache2]', :immediately
end
execute 'restore-selinux-context' do
command 'restorecon -Rv /etc/httpd /etc/pki || :'
action :nothing
only_if { platform_family?('rhel') }
end
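Review bot: The new `set-selinux-permissive` resource switches the host to permissive mode with `/sbin/setenforce Permissive`, and nothing in the visible hunks puts it back to enforcing; `restore-selinux-context` only relabels `/etc/httpd` and `/etc/pki`. Unless something outside this diff re-enables it, a node that was enforcing before its first converge stays permissive until the next reboot or a manual `setenforce`. I would pair the workaround with a resource that restores enforcing mode at the end of the run, as sketched below; the guard already limits the switch to hosts that were enforcing, so restoring to `Enforcing` matches the prior state. Separately, the `|| :` on the `restorecon` command hides a failed relabel, and its `platform_family?('rhel')` guard is narrower than the `/etc/redhat-release` test used to go permissive, so the two may not fire on the same hosts.

```ruby
execute 'set-selinux-permissive' do
  # … unchanged: command, action, only_if …
  # Only fires when the guard saw "enforcing", so putting it back is safe.
  notifies :run, 'execute[restore-selinux-enforcing]', :delayed
end

execute 'restore-selinux-enforcing' do
  command '/sbin/setenforce Enforcing'
  action :nothing
end
```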


@ -109,7 +109,7 @@ describe 'openstack-identity::server-apache' do
end
it 'has default transport_url/AMQP options set' do
[%r{^transport_url = rabbit://guest:mypass@127.0.0.1:5672$}].each do |line|
[%r{^transport_url = rabbit://openstack:mypass@127.0.0.1:5672$}].each do |line|
expect(chef_run).to render_file(path).with_content(line)
end
end


@ -72,6 +72,7 @@ shared_context 'identity_stubs' do
.and_return('thisisfernetkey1')
allow_any_instance_of(Chef::Recipe).to receive(:rabbit_transport_url)
.with('identity')
.and_return('rabbit://guest:mypass@127.0.0.1:5672')
.and_return('rabbit://openstack:mypass@127.0.0.1:5672')
stub_command("[ ! -e /etc/httpd/conf/httpd.conf ] && [ -e /etc/redhat-release ] && [ $(/sbin/sestatus | grep -c '^Current mode:.*enforcing') -eq 1 ]").and_return(true)
end
end