From d0442d81b9e8087ae8ec086798c68382680a7d73 Mon Sep 17 00:00:00 2001 From: Guillaume Abrioux Date: Thu, 1 Apr 2021 14:37:45 +0200 Subject: [PATCH] common: selinux tasks related refactor This moves some task from the `ceph-nfs` role in `ceph-common` since some of them are needed in `ceph-rgwloadbalancer` role. This avoids duplicated tasks. Signed-off-by: Guillaume Abrioux --- roles/ceph-common/tasks/main.yml | 7 ++++ roles/ceph-common/tasks/selinux.yml | 22 +++++++++++++ roles/ceph-nfs/tasks/ganesha_selinux_fix.yml | 32 ------------------- roles/ceph-nfs/tasks/main.yml | 20 ++++++++++-- .../tasks/pre_requisite.yml | 4 ++- 5 files changed, 50 insertions(+), 35 deletions(-) create mode 100644 roles/ceph-common/tasks/selinux.yml delete mode 100644 roles/ceph-nfs/tasks/ganesha_selinux_fix.yml diff --git a/roles/ceph-common/tasks/main.yml b/roles/ceph-common/tasks/main.yml index 31ff66a88..7f2bbb55f 100644 --- a/roles/ceph-common/tasks/main.yml +++ b/roles/ceph-common/tasks/main.yml @@ -57,3 +57,10 @@ - (ceph_tcmalloc_max_total_thread_cache | int) > 0 - osd_objectstore == 'filestore' - (ceph_origin == 'repository' or ceph_origin == 'distro') + +- name: include selinux.yml + include_tasks: selinux.yml + when: + - ansible_facts['os_family'] == 'RedHat' + - inventory_hostname in groups.get(nfs_group_name, []) + or inventory_hostname in groups.get(rgwloadbalancer_group_name, []) \ No newline at end of file diff --git a/roles/ceph-common/tasks/selinux.yml b/roles/ceph-common/tasks/selinux.yml new file mode 100644 index 000000000..5166c017c --- /dev/null +++ b/roles/ceph-common/tasks/selinux.yml 
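Review bot: The second `when` item of the new `include selinux.yml` task is a plain scalar folded over two lines with a bare `or`, so the condition only parses as intended while the continuation line keeps its deeper indentation. Parenthesising it on one line makes the grouping explicit: `- (inventory_hostname in groups.get(nfs_group_name, []) or inventory_hostname in groups.get(rgwloadbalancer_group_name, []))`. The same group test is repeated on the RHEL 8 task inside `selinux.yml` but not on the RHEL 7 task, which is redundant given this gate and makes the two tasks look as if they had different scopes. The file also now ends without a trailing newline.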
@@ -0,0 +1,22 @@ +--- +- name: if selinux is not disabled + when: ansible_facts['selinux']['status'] == 'enabled' + block: + - name: install policycoreutils-python + package: + name: policycoreutils-python + state: present + register: result + until: result is succeeded + when: ansible_facts['distribution_major_version'] == '7' + + - name: install python3-policycoreutils on RHEL 8 + package: + name: python3-policycoreutils + state: present + register: result + until: result is succeeded + when: + - inventory_hostname in groups.get(nfs_group_name, []) + or inventory_hostname in groups.get(rgwloadbalancer_group_name, []) + - ansible_facts['distribution_major_version'] == '8' diff --git a/roles/ceph-nfs/tasks/ganesha_selinux_fix.yml b/roles/ceph-nfs/tasks/ganesha_selinux_fix.yml deleted file mode 100644 index eb51e526b..000000000 --- a/roles/ceph-nfs/tasks/ganesha_selinux_fix.yml +++ /dev/null @@ -1,32 +0,0 @@ ---- -- name: check if selinux is enabled - command: getenforce - register: selinuxstatus - changed_when: false - failed_when: false - check_mode: no - -- name: if selinux is not disable - when: selinuxstatus.stdout != 'Disabled' - block: - - name: install policycoreutils-python - package: - name: policycoreutils-python - state: present - register: result - until: result is succeeded - when: ansible_facts['distribution_major_version'] == '7' - - - name: install nfs-ganesha-selinux and python3-policycoreutils on RHEL 8 - package: - name: ['nfs-ganesha-selinux', 'python3-policycoreutils'] - state: present - register: result - until: result is succeeded - when: ansible_facts['distribution_major_version'] == '8' - - - name: add ganesha_t to permissive domain - selinux_permissive: - name: ganesha_t - permissive: true - failed_when: false diff --git a/roles/ceph-nfs/tasks/main.yml b/roles/ceph-nfs/tasks/main.yml index b4e964236..4917e453f 100644 --- a/roles/ceph-nfs/tasks/main.yml +++ b/roles/ceph-nfs/tasks/main.yml 
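Review bot: The block guard `ansible_facts['selinux']['status'] == 'enabled'` is narrower than the `getenforce` test it replaces (`selinuxstatus.stdout != 'Disabled'`), so the block can be skipped on a host where SELinux is actually enforcing. It depends on the `selinux` fact having been gathered, and, as far as I know, Ansible reports a status other than `enabled`/`disabled` when the SELinux Python library is missing on the target. Since this file is what installs the policycoreutils bindings, such a skip is silent and leaves the later SELinux tasks without their dependency. To keep the old semantics, use `when: ansible_facts['selinux']['status'] != 'disabled'`, or add a comment above the block stating that the selinux fact and the libselinux bindings are prerequisites. The same guard is added in `roles/ceph-nfs/tasks/main.yml` and `roles/ceph-rgw-loadbalancer/tasks/pre_requisite.yml`.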
@@ -19,12 +19,28 @@ import_tasks: create_rgw_nfs_user.yml when: groups.get(mon_group_name, []) | length > 0 +- name: install nfs-ganesha-selinux on RHEL 8 + package: + name: nfs-ganesha-selinux + state: present + register: result + until: result is succeeded + when: + - not containerized_deployment | bool + - inventory_hostname in groups.get(nfs_group_name, []) + - ansible_facts['os_family'] == 'RedHat' + - ansible_facts['distribution_major_version'] == '8' + # NOTE (leseb): workaround for issues with ganesha and librgw -- name: include ganesha_selinux_fix.yml - import_tasks: ganesha_selinux_fix.yml +- name: add ganesha_t to permissive domain + selinux_permissive: + name: ganesha_t + permissive: true + failed_when: false when: - not containerized_deployment | bool - ansible_facts['os_family'] == 'RedHat' + - ansible_facts['selinux']['status'] == 'enabled' - name: nfs with external ceph cluster task related when: diff --git a/roles/ceph-rgw-loadbalancer/tasks/pre_requisite.yml b/roles/ceph-rgw-loadbalancer/tasks/pre_requisite.yml index 98d7333d8..7844d19fb 100644 --- a/roles/ceph-rgw-loadbalancer/tasks/pre_requisite.yml +++ b/roles/ceph-rgw-loadbalancer/tasks/pre_requisite.yml @@ -35,7 +35,9 @@ - restart keepalived - name: selinux related tasks - when: ansible_facts['os_family'] == 'RedHat' + when: + - ansible_facts['os_family'] == 'RedHat' + - ansible_facts['selinux']['status'] == 'enabled' block: - name: set_fact rgw_ports set_fact:
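Review bot: `failed_when: false` on the relocated `add ganesha_t to permissive domain` task in `roles/ceph-nfs/tasks/main.yml` now hides a new failure mode. The semanage bindings that `selinux_permissive` needs are installed by `ceph-common`'s `selinux.yml` rather than by this role, so if that include was skipped the task fails and the play still reports success. The task also takes the whole `ganesha_t` domain out of enforcement (denials are logged, not blocked), even on RHEL 8 where `nfs-ganesha-selinux` has just been installed. I would extend the existing NOTE to record both points, e.g. `# requires ceph-common/tasks/selinux.yml (semanage bindings); ganesha_t stays permissive until the librgw issue is resolved`, and drop `failed_when: false` if failures are meant to surface. The `inventory_hostname in groups.get(nfs_group_name, [])` condition on the new install task looks redundant inside the ceph-nfs role.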