Merge "Configure SELinux state in kolla ansible"

2018-05-11 18:46:47 +00:00 · 2018-05-11 18:46:47 +00:00 · 7b2519bbfa
parent f28d59cd9f 7451f55080
commit 7b2519bbfa
3 changed files with 17 additions and 0 deletions
--- a/ansible/kolla-ansible.yml
+++ b/ansible/kolla-ansible.yml
@ -223,3 +223,10 @@
    - role: kolla-ansible
      kolla_external_fqdn_cert: "{{ kolla_config_path }}/certificates/haproxy.pem"
      kolla_ansible_passwords_path: "{{ kayobe_config_path }}/kolla/passwords.yml"
+      # NOTE: This differs from the default SELinux mode in kolla ansible,
+      # which is permissive. The justification for using this mode is twofold:
+      # 1. it avoids filling up the audit log
+      # 2. it avoids an issue seen when using diskimage-builder in the bifrost
+      # container.
+      # We could look at making the SELinux mode configurable in future.
+      kolla_selinux_state: disabled
--- a/ansible/roles/kolla-ansible/defaults/main.yml
+++ b/ansible/roles/kolla-ansible/defaults/main.yml
@ -255,3 +255,9 @@ kolla_ansible_custom_passwords: {}
 # When set, this will copy the contents of this variable into place for
 # use by HAProxy.
 kolla_tls_cert:
+
+###############################################################################
+# SELinux
+
+# Desired SELinux state.
+kolla_selinux_state:
--- a/ansible/roles/kolla-ansible/templates/globals.yml.j2
+++ b/ansible/roles/kolla-ansible/templates/globals.yml.j2
@ -398,6 +398,10 @@ bifrost_install_type: source
 grafana_admin_username: "{{ grafana_local_admin_user_name }}"
 {% endif %}

+{% if kolla_selinux_state is not none %}
+selinux_state: {{ kolla_selinux_state }}
+{% endif %}
+
 {% if kolla_extra_globals %}
 #######################
 # Extra configuration