Add AppArmor configuration for ceph read/write caching

When Ceph read/write caching uses paths which aren't already covered by the libvirt/qemu apparmor rules then additional configuration is required to ensure VMs don't fail to boot. Change-Id: I2dff4bf54191b763e25625aa7a10bceaa1f6e595
2023-10-05 15:02:28 +01:00 · 2023-10-05 15:02:28 +01:00 · 5351a2a96d
parent d086041842
commit 5351a2a96d
2 changed files with 28 additions and 0 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -132,6 +132,7 @@ ceph_centos_epel_key: >-
 ceph_immutable_object_cache_enabled: False
 ceph_immutable_object_cache_service_name: "ceph-immutable-object-cache@"
 ceph_immutable_object_cache_dir: "/ceph-immutable-object-cache"
+ceph_immutable_object_cache_socket: "/run/ceph/immutable_object_cache_sock"
 ceph_immutable_object_cache_umask: "0002"
 ceph_immutable_object_cache_owner: "ceph"
 ceph_immutable_object_cache_group: "libvirt-qemu"
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -113,6 +113,20 @@
  tags:
    - ceph-config

+- name: Write AppArmor configuration for ceph immutable object caching
+  ansible.builtin.blockinfile:
+    path: /etc/apparmor.d/local/abstractions/libvirt-qemu
+    marker: "### {mark} OSA CEPH_CLIENT IMMUTABLE OBJECT CACHE BLOCK ###"
+    block: |
+        {{ ceph_immutable_object_cache_dir }}/** r,
+        {{ ceph_immutable_object_cache_socket }} rw,
+    state: "{{ ceph_immutable_object_cache_enabled | bool | ternary('present', 'absent') }}"
+  when:
+    - ansible_facts['os_family'] == "Debian"
+    - "'nova_compute' in group_names"
+  tags:
+    - ceph-config
+
 - name: Set permissions on persistent write log cache directory
  file:
    path: "{{ ceph_persistent_write_log_cache_dir }}"
@ -122,3 +136,16 @@
  when: ceph_persistent_write_log_cache_enabled | bool
  tags:
    - ceph-config
+
+- name: Write AppArmor configuration for ceph write log caching
+  ansible.builtin.blockinfile:
+    path: /etc/apparmor.d/local/abstractions/libvirt-qemu
+    marker: "### {mark} OSA CEPH_CLIENT WRITE LOG CACHE BLOCK ###"
+    block: |
+        {{ ceph_persistent_write_log_cache_dir }}/** rwk,
+    state: "{{ ceph_persistent_write_log_cache_enabled | bool | ternary('present', 'absent') }}"
+  when:
+    - ansible_facts['os_family'] == "Debian"
+    - "'nova_compute' in group_names"
+  tags:
+    - ceph-config