diff --git a/tasks/neutron_apparmor.yml b/tasks/neutron_apparmor.yml
new file mode 100644
index 00000000..22688eb9
--- /dev/null
+++ b/tasks/neutron_apparmor.yml
@@ -0,0 +1,62 @@
+---
+# Copyright 2018, SUSE LINUX GmbH.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Install required apparmor packages on the physical host
+ package:
+ name: "{{ neutron_apparmor_distro_packages }}"
+ state: present
+ register: apparmor_packages
+ until: apparmor_packages is success
+ retries: 5
+ delay: 2
+ become: yes
+ delegate_to: "{{ physical_host | default('localhost') }}"
+
+- name: Ensure apparmor service is running
+ systemd:
+ name: "apparmor"
+ enabled: yes
+ state: "started"
+ become: yes
+ delegate_to: "{{ physical_host | default('localhost') }}"
+
+- name: "Disable apparmor profile"
+ shell: |
+ # empty line to workaround bug in EnvVarsInCommandRule.py lint test
+ # https://github.com/willthames/ansible-lint/issues/275
+ set -o pipefail
+ exit_code=0
+ if aa-status | grep -q {{ item.process }} ; then
+ aa-disable {{ item.profile }}
+ if [[ $? == 0 ]]; then
+ exit_code=2
+ fi
+ fi
+ exit ${exit_code}
+ register: _apparmor_profile_disabled
+ changed_when: _apparmor_profile_disabled.rc == 2
+ failed_when: _apparmor_profile_disabled.rc not in [0,2]
+ args:
+ warn: no
+ executable: /bin/bash
+ become: yes
+ delegate_to: "{{ physical_host | default('localhost') }}"
+ with_items:
+ - profile: 'usr.sbin.haproxy'
+ process: 'haproxy'
+ - profile: 'bin.ping'
+ process: 'ping'
+ - profile: 'usr.sbin.dnsmasq'
+ process: 'dnsmasq'
diff --git a/tasks/neutron_install.yml b/tasks/neutron_install.yml
index 012f2d9f..e996a10e 100644
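Review bot: In the "Disable apparmor profile" task a failing `aa-disable` leaves `exit_code` at 0, so the play reports neither a change nor a failure and carries on with the profile still loaded; `failed_when: _apparmor_profile_disabled.rc not in [0,2]` can never catch that. Replacing the inner `if [[ $? == 0 ]]` block with the single line `aa-disable {{ item.profile }} && exit_code=2 || exit_code=1` surfaces the failure. `grep -q {{ item.process }}` is an unanchored substring match over the whole `aa-status` output, so a short name like `ping` can match an unrelated loaded profile; `grep -qw` on the process name, or matching on the profile name, is tighter. These tasks remove AppArmor confinement for haproxy, dnsmasq and ping on the physical host itself rather than only inside the container, which is a host-wide hardening reduction; a comment above the task stating why confinement has to be dropped (and whether `aa-complain` would be enough) would help the next reviewer.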
--- a/tasks/neutron_install.yml
+++ b/tasks/neutron_install.yml
@@ -74,3 +74,31 @@
 state: started
 enabled: yes
 when: neutron_needs_openvswitch | bool
+
+# NOTE(hwoarang) contains may share the same physical host so we only
+# need to execute the apparmor configuration once per physical host.
+- name: Record the first container on each physical host
+ delegate_to: 'localhost'
+ run_once: True
+ set_fact:
+ neutron_apparmor_hosts: |
+ {%- set apparmor_hosts = [] -%}
+ {%- set physical_hosts = [] -%}
+ {%- for host in groups['all'] -%}
+ {%- if hostvars[host]['physical_host'] is defined -%}
+ {%- set phost = hostvars[host]['physical_host'] -%}
+ {%- if phost not in physical_hosts -%}
+ {%- set _ = apparmor_hosts.append(host) -%}
+ {%- set _ = physical_hosts.append(phost) -%}
+ {%- endif -%}
+ {%- else -%}
+ {%- set _ = apparmor_hosts.append('localhost') -%}
+ {%- endif -%}
+ {%- endfor -%}
+ {{ apparmor_hosts | unique }}
+ when: ansible_pkg_mgr in ['apt', 'zypper']
+
+- include_tasks: neutron_apparmor.yml
+ when:
+ - ansible_pkg_mgr in ['apt', 'zypper']
+ - inventory_hostname in neutron_apparmor_hosts
diff --git a/vars/suse.yml b/vars/suse.yml
index 1bfa7383..9006df8c 100644
--- a/vars/suse.yml
+++ b/vars/suse.yml
@@ -42,6 +42,11 @@ neutron_repos:
 auto_import_keys: yes
 priority: 98
 
+neutron_apparmor_distro_packages:
+ - apparmor-parser
+ - apparmor-profiles
+ - apparmor-utils
+
 neutron_distro_packages:
 - conntrack-tools
 - dnsmasq
diff --git a/vars/ubuntu.yml b/vars/ubuntu.yml
index bac9422d..623e1513 100644
--- a/vars/ubuntu.yml
+++ b/vars/ubuntu.yml
@@ -40,6 +40,11 @@ neutron_ovs_nsh_required_packages:
 ## APT Cache options
 cache_timeout: 600
 
+neutron_apparmor_distro_packages:
+ - apparmor
+ - apparmor-profiles
+ - apparmor-utils
+
 neutron_distro_packages:
 - conntrack
 - dnsmasq-base
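Review bot: In "Record the first container on each physical host" the `{%- else -%}` branch appends the literal `'localhost'` instead of `host` when `physical_host` is undefined, so the `include_tasks` condition `inventory_hostname in neutron_apparmor_hosts` never matches such a host unless it is literally named localhost, even though `neutron_apparmor.yml` delegates to `physical_host | default('localhost')` as if that case were supported; appending `host` there, or dropping the branch if every host is expected to define `physical_host`, would make the two consistent. The fact is also produced through a `|` block scalar, so its value is the rendered text of the list; Ansible normally converts a result beginning with `[` back into a list, but if it stays a string the `in` test becomes a substring match and `compute1` would match `compute10`, which is worth confirming with a quick `debug` of `neutron_apparmor_hosts`. The three context lines at the top of the hunk belong to a task that starts outside it.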