common: selinux tasks related refactor

This moves some tasks from the `ceph-nfs` role into `ceph-common`, since
some of them are also needed in the `ceph-rgwloadbalancer` role.
This avoids duplicating the tasks.

Signed-off-by: Guillaume Abrioux <gabrioux@redhat.com>
pull/6429/head
Guillaume Abrioux 2021-04-01 14:37:45 +02:00
parent 6bbb90198b
commit d0442d81b9
5 changed files with 50 additions and 35 deletions


@ -57,3 +57,10 @@
- (ceph_tcmalloc_max_total_thread_cache | int) > 0
- osd_objectstore == 'filestore'
- (ceph_origin == 'repository' or ceph_origin == 'distro')
- name: include selinux.yml
include_tasks: selinux.yml
when:
- ansible_facts['os_family'] == 'RedHat'
- inventory_hostname in groups.get(nfs_group_name, [])
or inventory_hostname in groups.get(rgwloadbalancer_group_name, [])
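Review bot: The host-group test added to this `when` is repeated inside the included selinux.yml, but only on the RHEL 8 package task, so the same gate is stated in two places and the RHEL 7 task relies on this include alone. Keeping the group check only here and dropping it from the RHEL 8 task would leave one place to update when another role needs these packages. The `or` continuation also relies on YAML folding a multi-line plain scalar; parentheses, as the first condition of this list already uses, would make the grouping explicit: `- (inventory_hostname in groups.get(nfs_group_name, []) or inventory_hostname in groups.get(rgwloadbalancer_group_name, []))`. The task list starts outside the hunk.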


@ -0,0 +1,22 @@
---
- name: if selinux is not disabled
when: ansible_facts['selinux']['status'] == 'enabled'
block:
- name: install policycoreutils-python
package:
name: policycoreutils-python
state: present
register: result
until: result is succeeded
when: ansible_facts['distribution_major_version'] == '7'
- name: install python3-policycoreutils on RHEL 8
package:
name: python3-policycoreutils
state: present
register: result
until: result is succeeded
when:
- inventory_hostname in groups.get(nfs_group_name, [])
or inventory_hostname in groups.get(rgwloadbalancer_group_name, [])
- ansible_facts['distribution_major_version'] == '8'
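Review bot: The block condition `ansible_facts['selinux']['status'] == 'enabled'` depends on the gathered selinux fact, whereas the task removed from ceph-nfs ran `getenforce` on the host itself. As far as I know, Ansible derives that fact through the selinux Python bindings and reports a status string other than `enabled` when they are missing on the target, so on such a host with SELinux enforcing these package installs would be skipped without any message. The same test is added in the ceph-nfs and ceph-rgwloadbalancer hunks of this commit. A comment on the block such as `# relies on the selinux fact, which needs the libselinux Python bindings on the target` would document the dependency, and a `debug` or `assert` on any status other than `enabled` or `disabled` would make the skip visible.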


@ -1,32 +0,0 @@
---
- name: check if selinux is enabled
command: getenforce
register: selinuxstatus
changed_when: false
failed_when: false
check_mode: no
- name: if selinux is not disable
when: selinuxstatus.stdout != 'Disabled'
block:
- name: install policycoreutils-python
package:
name: policycoreutils-python
state: present
register: result
until: result is succeeded
when: ansible_facts['distribution_major_version'] == '7'
- name: install nfs-ganesha-selinux and python3-policycoreutils on RHEL 8
package:
name: ['nfs-ganesha-selinux', 'python3-policycoreutils']
state: present
register: result
until: result is succeeded
when: ansible_facts['distribution_major_version'] == '8'
- name: add ganesha_t to permissive domain
selinux_permissive:
name: ganesha_t
permissive: true
failed_when: false


@ -19,12 +19,28 @@
import_tasks: create_rgw_nfs_user.yml
when: groups.get(mon_group_name, []) | length > 0
- name: install nfs-ganesha-selinux on RHEL 8
package:
name: nfs-ganesha-selinux
state: present
register: result
until: result is succeeded
when:
- not containerized_deployment | bool
- inventory_hostname in groups.get(nfs_group_name, [])
- ansible_facts['os_family'] == 'RedHat'
- ansible_facts['distribution_major_version'] == '8'
# NOTE (leseb): workaround for issues with ganesha and librgw
- name: include ganesha_selinux_fix.yml
import_tasks: ganesha_selinux_fix.yml
- name: add ganesha_t to permissive domain
selinux_permissive:
name: ganesha_t
permissive: true
failed_when: false
when:
- not containerized_deployment | bool
- ansible_facts['os_family'] == 'RedHat'
- ansible_facts['selinux']['status'] == 'enabled'
- name: nfs with external ceph cluster task related
when:
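Review bot: The `add ganesha_t to permissive domain` task switches off SELinux enforcement for the whole ganesha_t domain and then hides its own outcome with `failed_when: false`, so a run cannot tell whether the domain really ended up permissive. `selinux_permissive` needs the policycoreutils Python package that this commit now installs from the ceph-common role, so a silent failure here may only mean that role has not run on the host yet. I would drop `failed_when: false`, or register the result and warn on failure. The existing NOTE comment could also state the effect, for example `# ganesha_t is left permissive as a workaround: denials are logged, not enforced`. The surrounding task list starts and ends outside the hunk.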


@ -35,7 +35,9 @@
- restart keepalived
- name: selinux related tasks
when: ansible_facts['os_family'] == 'RedHat'
when:
- ansible_facts['os_family'] == 'RedHat'
- ansible_facts['selinux']['status'] == 'enabled'
block:
- name: set_fact rgw_ports
set_fact: