Merge pull request #204 from stackhpc/selinux-state

Backport selinux change from zed
stackhpc · Nov 17, 2023 · 2f265ca · 2f265ca
2 parents d7b3e87 + 52ce15b
commit 2f265ca
Show file tree

Hide file tree

Showing 18 changed files with 110 additions and 91 deletions.
diff --git a/ansible/disable-selinux.yml b/ansible/disable-selinux.yml
diff --git a/ansible/infra-vm-host-configure.yml b/ansible/infra-vm-host-configure.yml
@@ -9,7 +9,7 @@
 - import_playbook: "wipe-disks.yml"
 - import_playbook: "users.yml"
 - import_playbook: "dev-tools.yml"
-- import_playbook: "disable-selinux.yml"
+- import_playbook: "selinux.yml"
 - import_playbook: "network.yml"
 - import_playbook: "firewall.yml"
 - import_playbook: "tuned.yml"

diff --git a/ansible/overcloud-host-configure.yml b/ansible/overcloud-host-configure.yml
@@ -9,7 +9,7 @@
 - import_playbook: "wipe-disks.yml"
 - import_playbook: "users.yml"
 - import_playbook: "dev-tools.yml"
-- import_playbook: "disable-selinux.yml"
+- import_playbook: "selinux.yml"
 - import_playbook: "network.yml"
 - import_playbook: "firewall.yml"
 - import_playbook: "tuned.yml"

diff --git a/ansible/roles/disable-selinux/tasks/main.yml b/ansible/roles/disable-selinux/tasks/main.yml
diff --git a/...e/roles/disable-selinux/defaults/main.yml → ansible/roles/selinux/defaults/main.yml b/...e/roles/disable-selinux/defaults/main.yml → ansible/roles/selinux/defaults/main.yml
@@ -1,7 +1,14 @@
 ---
+# Target SELinux policy
+selinux_policy: targeted
+
+# Target SELinux state
+selinux_state: disabled
+
 # Whether to reboot to apply SELinux config changes.
 disable_selinux_do_reboot: true
+selinux_do_reboot: "{{ disable_selinux_do_reboot }}"
 
 # Number of seconds to wait for hosts to become accessible via SSH after being
 # rebooted.
-disable_selinux_reboot_timeout:
+selinux_reboot_timeout:
diff --git a/ansible/roles/selinux/tasks/main.yml b/ansible/roles/selinux/tasks/main.yml
@@ -0,0 +1,54 @@
+---
+- name: Ensure required packages are installed
+  package:
+    name: python3-libselinux
+    state: present
+    cache_valid_time: "{{ apt_cache_valid_time if ansible_facts.os_family == 'Debian' else omit }}"
+    update_cache: "{{ True if ansible_facts.os_family == 'Debian' else omit }}"
+  become: True
+
+- name: Check if SELinux configuration file exists
+  stat:
+    path: /etc/selinux/config
+  register: stat_result
+
+- name: Ensure desired SELinux state
+  selinux:
+    policy: "{{ selinux_policy }}"
+    state: "{{ selinux_state }}"
+  register: selinux_result
+  become: True
+  when: stat_result.stat.exists
+
+- block:
+    - name: Abort SELinux configuration because reboot is disabled
+      fail:
+        msg: >
+          SELinux state change requires a reboot, but selinux_do_reboot is
+          false. Please run again with selinux_do_reboot set to true to reboot.
+      when:
+        - not selinux_do_reboot | bool
+
+    - block:
+        - name: Set a fact to determine whether we are running locally
+          set_fact:
+            is_local: "{{ lookup('pipe', 'hostname') in [ansible_facts.hostname, ansible_facts.nodename] }}"
+
+        - name: Reboot the system to apply SELinux changes (local)
+          command: shutdown -r now "Applying SELinux changes"
+          become: True
+          when:
+            - is_local | bool
+
+        - name: Reboot the machine to apply SELinux
+          reboot:
+            reboot_timeout: "{{ selinux_reboot_timeout }}"
+            msg: Applying SELinux changes
+          become: true
+          when:
+            - not is_local | bool
+      when:
+        - selinux_do_reboot | bool
+  when:
+    - stat_result.stat.exists
+    - selinux_result.reboot_required
diff --git a/ansible/seed-host-configure.yml b/ansible/seed-host-configure.yml
@@ -9,7 +9,7 @@
 - import_playbook: "wipe-disks.yml"
 - import_playbook: "users.yml"
 - import_playbook: "dev-tools.yml"
-- import_playbook: "disable-selinux.yml"
+- import_playbook: "selinux.yml"
 - import_playbook: "network.yml"
 - import_playbook: "firewall.yml"
 - import_playbook: "tuned.yml"

diff --git a/ansible/selinux.yml b/ansible/selinux.yml
@@ -0,0 +1,9 @@
+---
+- name: Configure SELinux state and reboot if required
+  hosts: seed:overcloud:infra-vms
+  tags:
+    - selinux
+  roles:
+    - role: selinux
+      selinux_reboot_timeout: "{{ disable_selinux_reboot_timeout | default(600 if ansible_facts.virtualization_role == 'host' else 300) }}"
+      when: ansible_facts.os_family == 'RedHat'
diff --git a/doc/source/configuration/reference/hosts.rst b/doc/source/configuration/reference/hosts.rst
@@ -479,15 +479,16 @@ package is added to all ``overcloud`` hosts:
 SELinux
 =======
 *tags:*
-  | ``disable-selinux``
+  | ``selinux``
 
 .. note:: SELinux applies to CentOS and Rocky systems only.
 
-SELinux is not supported by Kolla Ansible currently, so it is disabled by
-Kayobe. If necessary, Kayobe will reboot systems in order to apply a change to
+SELinux is not supported by Kolla Ansible currently, so it is set to permissive
+by Kayobe. If necessary, it can be configured to disabled by setting
+``selinux_state`` to ``disabled``. Kayobe will reboot systems when required for
 the SELinux configuration. The timeout for waiting for systems to reboot is
-``disable_selinux_reboot_timeout``. Alternatively, the reboot may be avoided by
-setting ``disable_selinux_do_reboot`` to ``false``.
+``selinux_reboot_timeout``. Alternatively, the reboot may be avoided by setting
+``selinux_do_reboot`` to ``false``.
 
 Network Configuration
 =====================

diff --git a/doc/source/configuration/scenarios/all-in-one/overcloud.rst b/doc/source/configuration/scenarios/all-in-one/overcloud.rst
@@ -230,16 +230,16 @@ seen in MAAS):
 
    controller_bootstrap_user: "cloud-user"
 
-By default, on systems with SELinux enabled, Kayobe will disable SELinux and
-reboot the system to apply the change. In a test or development environment
-this can be a bit disruptive, particularly when using ephemeral network
-configuration.  To avoid rebooting the system after disabling SELinux, set
-``disable_selinux_do_reboot`` to ``false`` in ``etc/kayobe/globals.yml``.
+By default, on systems with SELinux disabled, Kayobe will put SELinux in
+permissive mode and reboot the system to apply the change. In a test or
+development environment this can be a bit disruptive, particularly when using
+ephemeral network configuration.  To avoid rebooting the system after enabling
+SELinux, set ``selinux_do_reboot`` to ``false`` in ``etc/kayobe/globals.yml``.
 
 .. code-block:: yaml
    :caption: ``etc/kayobe/globals.yml``
 
-   disable_selinux_do_reboot: false
+   selinux_do_reboot: false
 
 In a development environment, we may wish to tune some Kolla Ansible variables.
 Using QEMU as the virtualisation type will be necessary if KVM is not

diff --git a/kayobe/cli/commands.py b/kayobe/cli/commands.py
@@ -571,7 +571,7 @@ class SeedHostConfigure(KollaAnsibleMixin, KayobeAnsibleMixin, VaultMixin,
     * Optionally, create a virtualenv for remote target hosts.
     * Optionally, wipe unmounted disk partitions (--wipe-disks).
     * Configure user accounts, group associations, and authorised SSH keys.
-    * Disable SELinux.
+    * Configure SELinux.
     * Configure the host's network interfaces.
     * Configure a firewall.
     * Configure tuned profile.
@@ -878,7 +878,7 @@ class InfraVMHostConfigure(KayobeAnsibleMixin, VaultMixin,
     * Optionally, create a virtualenv for remote target hosts.
     * Optionally, wipe unmounted disk partitions (--wipe-disks).
     * Configure user accounts, group associations, and authorised SSH keys.
-    * Disable SELinux.
+    * Configure SELinux.
     * Configure the host's network interfaces.
     * Configure a firewall.
     * Configure tuned profile.
@@ -1126,7 +1126,7 @@ class OvercloudHostConfigure(KollaAnsibleMixin, KayobeAnsibleMixin, VaultMixin,
     * Optionally, create a virtualenv for remote target hosts.
     * Optionally, wipe unmounted disk partitions (--wipe-disks).
     * Configure user accounts, group associations, and authorised SSH keys.
-    * Disable SELinux.
+    * Configure SELinux.
     * Configure the host's network interfaces.
     * Configure a firewall.
     * Configure tuned profile.

diff --git a/playbooks/kayobe-infra-vm-base/overrides.yml.j2 b/playbooks/kayobe-infra-vm-base/overrides.yml.j2
@@ -1,8 +1,4 @@
 ---
-# NOTE(mgoddard): Don't reboot after disabling SELinux during CI testing, as
-# Ansible is run directly on the controller.
-disable_selinux_do_reboot: false
-
 # Use the OpenStack infra's Dockerhub mirror.
 docker_registry_mirrors:
   - "http://{{ zuul_site_mirror_fqdn }}:8082/"

diff --git a/playbooks/kayobe-overcloud-base/overrides.yml.j2 b/playbooks/kayobe-overcloud-base/overrides.yml.j2
@@ -1,12 +1,4 @@
 ---
-{% if ansible_facts.distribution_release == "jammy" %}
-os_release: "jammy"
-{% endif %}
-
-# NOTE(mgoddard): Don't reboot after disabling SELinux during CI testing, as
-# Ansible is run directly on the controller.
-disable_selinux_do_reboot: false
-
 # Use the OpenStack infra's Dockerhub mirror.
 docker_registry_mirrors:
   - "http://{{ zuul_site_mirror_fqdn }}:8082/"

diff --git a/playbooks/kayobe-overcloud-upgrade-base/overrides.yml.j2 b/playbooks/kayobe-overcloud-upgrade-base/overrides.yml.j2
@@ -1,6 +1,8 @@
 ---
 # NOTE(mgoddard): Don't reboot after disabling SELinux during CI testing, as
 # Ansible is run directly on the controller.
+# TODO(priteau): This is needed for the deployment of the previous release.
+# Remove when previous_release is zed.
 disable_selinux_do_reboot: false
 
 # Use the OpenStack infra's Dockerhub mirror.

diff --git a/playbooks/kayobe-seed-base/overrides.yml.j2 b/playbooks/kayobe-seed-base/overrides.yml.j2
@@ -1,12 +1,4 @@
 ---
-{% if ansible_facts.distribution_release == "jammy" %}
-os_release: "jammy"
-{% endif %}
-
-# NOTE(mgoddard): Don't reboot after disabling SELinux during CI testing, as
-# Ansible is run directly on the controller.
-disable_selinux_do_reboot: false
-
 # Use the OpenStack infra's Dockerhub mirror.
 docker_registry_mirrors:
   - "http://{{ zuul_site_mirror_fqdn }}:8082/"

diff --git a/playbooks/kayobe-seed-upgrade-base/overrides.yml.j2 b/playbooks/kayobe-seed-upgrade-base/overrides.yml.j2
@@ -1,6 +1,8 @@
 ---
 # NOTE(mgoddard): Don't reboot after disabling SELinux during CI testing, as
 # Ansible is run directly on the controller.
+# TODO(priteau): This is needed for the deployment of the previous release.
+# Remove when previous_release is zed.
 disable_selinux_do_reboot: false
 
 # Use the OpenStack infra's Dockerhub mirror.

diff --git a/playbooks/kayobe-seed-vm-base/overrides.yml.j2 b/playbooks/kayobe-seed-vm-base/overrides.yml.j2
@@ -1,8 +1,4 @@
 ---
-# NOTE(mgoddard): Don't reboot after disabling SELinux during CI testing, as
-# Ansible is run directly on the controller.
-disable_selinux_do_reboot: false
-
 # Use the OpenStack infra's Dockerhub mirror.
 docker_registry_mirrors:
   - "http://{{ zuul_site_mirror_fqdn }}:8082/"

diff --git a/releasenotes/notes/rename-disable-selinux-9053ff36792066bc.yaml b/releasenotes/notes/rename-disable-selinux-9053ff36792066bc.yaml
@@ -0,0 +1,17 @@
+---
+features:
+  - |
+    Adds functionality to configure desired SELinux state (in addition to
+    disabling SELinux previously).
+upgrade:
+  - |
+    The ``disable-selinux`` role has been renamed to ``selinux`` and so have
+    been the related variables. If you set one of them, adapt your
+    configuration:
+
+    * ``disable_selinux_do_reboot`` becomes ``selinux_do_reboot``
+    * ``disable_selinux_reboot_timeout`` becomes ``selinux_reboot_timeout``
+  - |
+     Kayobe still sets SELinux to ``disabled`` by default, unlike in the Zed
+     13.0.0 release. Operators may want to set ``selinux_state`` to
+     ``permissive`` to avoid another reboot in the Zed upgrade.