Backport selinux change from zed

The disable-selinux role has been renamed to selinux and now supports setting desired state. Previously Kayobe was defaulting to disabling and rebooted the host - to avoid audit logs filling up. This change allows operators to define desired SELinux state and defaults to permissive - to adhere to those site policies that require SELinux to be at least in permissive state. Note that unlike the original patch, this backport keeps the default selinux state as disabled. Co-authored-by: Mark Goddard <[email protected]> Change-Id: I42933b0b7d55c69c9f6992e331fafb2e6c42d4d1 (cherry picked from commit caa7cc5)
stackhpc · Nov 16, 2023 · 8e38bea · 8e38bea
1 parent d7b3e87
commit 8e38bea
Show file tree

Hide file tree

Showing 19 changed files with 113 additions and 97 deletions.
diff --git a/ansible/disable-selinux.yml b/ansible/disable-selinux.yml
diff --git a/ansible/infra-vm-host-configure.yml b/ansible/infra-vm-host-configure.yml
@@ -9,7 +9,7 @@
 - import_playbook: "wipe-disks.yml"
 - import_playbook: "users.yml"
 - import_playbook: "dev-tools.yml"
-- import_playbook: "disable-selinux.yml"
+- import_playbook: "selinux.yml"
 - import_playbook: "network.yml"
 - import_playbook: "firewall.yml"
 - import_playbook: "tuned.yml"

diff --git a/ansible/overcloud-host-configure.yml b/ansible/overcloud-host-configure.yml
@@ -9,7 +9,7 @@
 - import_playbook: "wipe-disks.yml"
 - import_playbook: "users.yml"
 - import_playbook: "dev-tools.yml"
-- import_playbook: "disable-selinux.yml"
+- import_playbook: "selinux.yml"
 - import_playbook: "network.yml"
 - import_playbook: "firewall.yml"
 - import_playbook: "tuned.yml"

diff --git a/ansible/roles/disable-selinux/defaults/main.yml b/ansible/roles/disable-selinux/defaults/main.yml
diff --git a/ansible/roles/disable-selinux/tasks/main.yml b/ansible/roles/disable-selinux/tasks/main.yml
diff --git a/ansible/roles/selinux/defaults/main.yml b/ansible/roles/selinux/defaults/main.yml
@@ -0,0 +1,15 @@
+---
+# Target SELinux policy
+selinux_policy: targeted
+
+# Target SELinux state
+selinux_state: disabled
+
+# Whether to reboot to apply SELinux config changes.
+# Whether to reboot to apply SELinux config changes.
+disable_selinux_do_reboot: true
+selinux_do_reboot: "{{ disable_selinux_do_reboot }}"
+
+# Number of seconds to wait for hosts to become accessible via SSH after being
+# rebooted.
+selinux_reboot_timeout:
diff --git a/ansible/roles/selinux/tasks/main.yml b/ansible/roles/selinux/tasks/main.yml
@@ -0,0 +1,54 @@
+---
+- name: Ensure required packages are installed
+  package:
+    name: python3-libselinux
+    state: present
+    cache_valid_time: "{{ apt_cache_valid_time if ansible_facts.os_family == 'Debian' else omit }}"
+    update_cache: "{{ True if ansible_facts.os_family == 'Debian' else omit }}"
+  become: True
+
+- name: Check if SELinux configuration file exists
+  stat:
+    path: /etc/selinux/config
+  register: stat_result
+
+- name: Ensure desired SELinux state
+  selinux:
+    policy: "{{ selinux_policy }}"
+    state: "{{ selinux_state }}"
+  register: selinux_result
+  become: True
+  when: stat_result.stat.exists
+
+- block:
+    - name: Abort SELinux configuration because reboot is disabled
+      fail:
+        msg: >
+          SELinux state change requires a reboot, but selinux_do_reboot is
+          false. Please run again with selinux_do_reboot set to true to reboot.
+      when:
+        - not selinux_do_reboot | bool
+
+    - block:
+        - name: Set a fact to determine whether we are running locally
+          set_fact:
+            is_local: "{{ lookup('pipe', 'hostname') in [ansible_facts.hostname, ansible_facts.nodename] }}"
+
+        - name: Reboot the system to apply SELinux changes (local)
+          command: shutdown -r now "Applying SELinux changes"
+          become: True
+          when:
+            - is_local | bool
+
+        - name: Reboot the machine to apply SELinux
+          reboot:
+            reboot_timeout: "{{ selinux_reboot_timeout }}"
+            msg: Applying SELinux changes
+          become: true
+          when:
+            - not is_local | bool
+      when:
+        - selinux_do_reboot | bool
+  when:
+    - stat_result.stat.exists
+    - selinux_result.reboot_required
diff --git a/ansible/seed-host-configure.yml b/ansible/seed-host-configure.yml
@@ -9,7 +9,7 @@
 - import_playbook: "wipe-disks.yml"
 - import_playbook: "users.yml"
 - import_playbook: "dev-tools.yml"
-- import_playbook: "disable-selinux.yml"
+- import_playbook: "selinux.yml"
 - import_playbook: "network.yml"
 - import_playbook: "firewall.yml"
 - import_playbook: "tuned.yml"

diff --git a/ansible/selinux.yml b/ansible/selinux.yml
@@ -0,0 +1,9 @@
+---
+- name: Configure SELinux state and reboot if required
+  hosts: seed:overcloud:infra-vms
+  tags:
+    - selinux
+  roles:
+    - role: selinux
+      selinux_reboot_timeout: "{{ disable_selinux_reboot_timeout | default(600 if ansible_facts.virtualization_role == 'host' else 300) }}"
+      when: ansible_facts.os_family == 'RedHat'
diff --git a/doc/source/configuration/reference/hosts.rst b/doc/source/configuration/reference/hosts.rst
@@ -479,15 +479,16 @@ package is added to all ``overcloud`` hosts:
 SELinux
 =======
 *tags:*
-  | ``disable-selinux``
+  | ``selinux``
 
 .. note:: SELinux applies to CentOS and Rocky systems only.
 
-SELinux is not supported by Kolla Ansible currently, so it is disabled by
-Kayobe. If necessary, Kayobe will reboot systems in order to apply a change to
+SELinux is not supported by Kolla Ansible currently, so it is set to permissive
+by Kayobe. If necessary, it can be configured to disabled by setting
+``selinux_state`` to ``disabled``. Kayobe will reboot systems when required for
 the SELinux configuration. The timeout for waiting for systems to reboot is
-``disable_selinux_reboot_timeout``. Alternatively, the reboot may be avoided by
-setting ``disable_selinux_do_reboot`` to ``false``.
+``selinux_reboot_timeout``. Alternatively, the reboot may be avoided by setting
+``selinux_do_reboot`` to ``false``.
 
 Network Configuration
 =====================

diff --git a/doc/source/configuration/scenarios/all-in-one/overcloud.rst b/doc/source/configuration/scenarios/all-in-one/overcloud.rst
@@ -230,16 +230,16 @@ seen in MAAS):
 
    controller_bootstrap_user: "cloud-user"
 
-By default, on systems with SELinux enabled, Kayobe will disable SELinux and
-reboot the system to apply the change. In a test or development environment
-this can be a bit disruptive, particularly when using ephemeral network
-configuration.  To avoid rebooting the system after disabling SELinux, set
-``disable_selinux_do_reboot`` to ``false`` in ``etc/kayobe/globals.yml``.
+By default, on systems with SELinux disabled, Kayobe will put SELinux in
+permissive mode and reboot the system to apply the change. In a test or
+development environment this can be a bit disruptive, particularly when using
+ephemeral network configuration.  To avoid rebooting the system after enabling
+SELinux, set ``selinux_do_reboot`` to ``false`` in ``etc/kayobe/globals.yml``.
 
 .. code-block:: yaml
    :caption: ``etc/kayobe/globals.yml``
 
-   disable_selinux_do_reboot: false
+   selinux_do_reboot: false
 
 In a development environment, we may wish to tune some Kolla Ansible variables.
 Using QEMU as the virtualisation type will be necessary if KVM is not

diff --git a/kayobe/cli/commands.py b/kayobe/cli/commands.py
@@ -571,7 +571,7 @@ class SeedHostConfigure(KollaAnsibleMixin, KayobeAnsibleMixin, VaultMixin,
     * Optionally, create a virtualenv for remote target hosts.
     * Optionally, wipe unmounted disk partitions (--wipe-disks).
     * Configure user accounts, group associations, and authorised SSH keys.
-    * Disable SELinux.
+    * Configure SELinux.
     * Configure the host's network interfaces.
     * Configure a firewall.
     * Configure tuned profile.
@@ -878,7 +878,7 @@ class InfraVMHostConfigure(KayobeAnsibleMixin, VaultMixin,
     * Optionally, create a virtualenv for remote target hosts.
     * Optionally, wipe unmounted disk partitions (--wipe-disks).
     * Configure user accounts, group associations, and authorised SSH keys.
-    * Disable SELinux.
+    * Configure SELinux.
     * Configure the host's network interfaces.
     * Configure a firewall.
     * Configure tuned profile.
@@ -1126,7 +1126,7 @@ class OvercloudHostConfigure(KollaAnsibleMixin, KayobeAnsibleMixin, VaultMixin,
     * Optionally, create a virtualenv for remote target hosts.
     * Optionally, wipe unmounted disk partitions (--wipe-disks).
     * Configure user accounts, group associations, and authorised SSH keys.
-    * Disable SELinux.
+    * Configure SELinux.
     * Configure the host's network interfaces.
     * Configure a firewall.
     * Configure tuned profile.

diff --git a/playbooks/kayobe-infra-vm-base/overrides.yml.j2 b/playbooks/kayobe-infra-vm-base/overrides.yml.j2
@@ -1,8 +1,4 @@
 ---
-# NOTE(mgoddard): Don't reboot after disabling SELinux during CI testing, as
-# Ansible is run directly on the controller.
-disable_selinux_do_reboot: false
-
 # Use the OpenStack infra's Dockerhub mirror.
 docker_registry_mirrors:
   - "http://{{ zuul_site_mirror_fqdn }}:8082/"

diff --git a/playbooks/kayobe-overcloud-base/overrides.yml.j2 b/playbooks/kayobe-overcloud-base/overrides.yml.j2
@@ -1,12 +1,4 @@
 ---
-{% if ansible_facts.distribution_release == "jammy" %}
-os_release: "jammy"
-{% endif %}
-
-# NOTE(mgoddard): Don't reboot after disabling SELinux during CI testing, as
-# Ansible is run directly on the controller.
-disable_selinux_do_reboot: false
-
 # Use the OpenStack infra's Dockerhub mirror.
 docker_registry_mirrors:
   - "http://{{ zuul_site_mirror_fqdn }}:8082/"

diff --git a/playbooks/kayobe-overcloud-upgrade-base/overrides.yml.j2 b/playbooks/kayobe-overcloud-upgrade-base/overrides.yml.j2
@@ -1,6 +1,8 @@
 ---
 # NOTE(mgoddard): Don't reboot after disabling SELinux during CI testing, as
 # Ansible is run directly on the controller.
+# TODO(priteau): This is needed for the deployment of the previous release.
+# Remove when previous_release is zed.
 disable_selinux_do_reboot: false
 
 # Use the OpenStack infra's Dockerhub mirror.

diff --git a/playbooks/kayobe-seed-base/overrides.yml.j2 b/playbooks/kayobe-seed-base/overrides.yml.j2
@@ -1,12 +1,4 @@
 ---
-{% if ansible_facts.distribution_release == "jammy" %}
-os_release: "jammy"
-{% endif %}
-
-# NOTE(mgoddard): Don't reboot after disabling SELinux during CI testing, as
-# Ansible is run directly on the controller.
-disable_selinux_do_reboot: false
-
 # Use the OpenStack infra's Dockerhub mirror.
 docker_registry_mirrors:
   - "http://{{ zuul_site_mirror_fqdn }}:8082/"

diff --git a/playbooks/kayobe-seed-upgrade-base/overrides.yml.j2 b/playbooks/kayobe-seed-upgrade-base/overrides.yml.j2
@@ -1,6 +1,8 @@
 ---
 # NOTE(mgoddard): Don't reboot after disabling SELinux during CI testing, as
 # Ansible is run directly on the controller.
+# TODO(priteau): This is needed for the deployment of the previous release.
+# Remove when previous_release is zed.
 disable_selinux_do_reboot: false
 
 # Use the OpenStack infra's Dockerhub mirror.

diff --git a/playbooks/kayobe-seed-vm-base/overrides.yml.j2 b/playbooks/kayobe-seed-vm-base/overrides.yml.j2
@@ -1,8 +1,4 @@
 ---
-# NOTE(mgoddard): Don't reboot after disabling SELinux during CI testing, as
-# Ansible is run directly on the controller.
-disable_selinux_do_reboot: false
-
 # Use the OpenStack infra's Dockerhub mirror.
 docker_registry_mirrors:
   - "http://{{ zuul_site_mirror_fqdn }}:8082/"

diff --git a/releasenotes/notes/rename-disable-selinux-9053ff36792066bc.yaml b/releasenotes/notes/rename-disable-selinux-9053ff36792066bc.yaml
@@ -0,0 +1,13 @@
+---
+features:
+  - |
+    Adds functionality to configure desired SELinux state (in addition to
+    disabling SELinux previously).
+upgrade:
+  - |
+    The ``disable-selinux`` role has been renamed to ``selinux`` and so have
+    been the related variables. If you set one of them, adapt your
+    configuration:
+
+    * ``disable_selinux_do_reboot`` becomes ``selinux_do_reboot``
+    * ``disable_selinux_reboot_timeout`` becomes ``selinux_reboot_timeout``