baremetal: refactor libvirt apparmor configuration

Change-Id: Ie262d0359be9ad54ef49a519cccffd038fe02646
2022-01-18 15:00:33 +00:00 · 2022-01-18 15:00:33 +00:00 · 47d24a6ca6
commit 47d24a6ca6
parent a8ebf53641
5 changed files with 34 additions and 30 deletions
--- a/roles/apparmor_libvirt/defaults/main.yml
+++ b/roles/apparmor_libvirt/defaults/main.yml
@ -0,0 +1,6 @@
+---
+# Whether the nova_libvirt container is enabled.
+enable_nova_libvirt_container: false
+
+# Whether to remove the AppArmor libvirt profile on Ubuntu hosts.
+apparmor_remove_libvirt_profile: "{{ enable_nova_libvirt_container | bool }}"
--- a/roles/apparmor_libvirt/tasks/main.yml
+++ b/roles/apparmor_libvirt/tasks/main.yml
@ -0,0 +1,5 @@
+---
+- include_tasks: remove-profile.yml
+  when:
+    - ansible_facts.distribution == "Ubuntu"
+    - apparmor_remove_libvirt_profile | bool
--- a/roles/apparmor_libvirt/tasks/remove-profile.yml
+++ b/roles/apparmor_libvirt/tasks/remove-profile.yml
@ -0,0 +1,21 @@
+---
+- name: Get stat of libvirtd apparmor profile
+  stat:
+    path: /etc/apparmor.d/usr.sbin.libvirtd
+  register: apparmor_libvirtd_profile
+
+- name: Get stat of libvirtd apparmor disable profile
+  stat:
+    path: /etc/apparmor.d/disable/usr.sbin.libvirtd
+  register: apparmor_libvirtd_disable_profile
+
+- name: Remove apparmor profile for libvirt
+  shell: |
+    apparmor_parser -v -R /etc/apparmor.d/usr.sbin.libvirtd && \
+    ln -vsf /etc/apparmor.d/usr.sbin.libvirtd /etc/apparmor.d/disable
+  args:
+    executable: /bin/bash
+  become: True
+  when:
+    - apparmor_libvirtd_profile.stat.exists
+    - not apparmor_libvirtd_disable_profile.stat.exists
--- a/roles/baremetal/defaults/main.yml
+++ b/roles/baremetal/defaults/main.yml
@ -36,9 +36,3 @@ git_http_proxy: ""
 git_https_proxy: ""

 node_config_directory: "/etc/kolla"
-
-# Whether the nova_libvirt container is enabled.
-enable_nova_libvirt_container: false
-
-# Whether to remove the AppArmor libvirt profile on Ubuntu hosts.
-apparmor_remove_libvirt_profile: "{{ enable_nova_libvirt_container | bool }}"
--- a/roles/baremetal/tasks/post-install.yml
+++ b/roles/baremetal/tasks/post-install.yml
@ -15,30 +15,8 @@
    mode: 0755
  become: True

- block:
-    - name: Get stat of libvirtd apparmor profile
-      stat:
-        path: /etc/apparmor.d/usr.sbin.libvirtd
-      register: apparmor_libvirtd_profile
-
-    - name: Get stat of libvirtd apparmor disable profile
-      stat:
-        path: /etc/apparmor.d/disable/usr.sbin.libvirtd
-      register: apparmor_libvirtd_disable_profile
-
-    - name: Remove apparmor profile for libvirt
-      shell: |
-        apparmor_parser -v -R /etc/apparmor.d/usr.sbin.libvirtd && \
-        ln -vsf /etc/apparmor.d/usr.sbin.libvirtd /etc/apparmor.d/disable
-      args:
-        executable: /bin/bash
-      become: True
-      when:
-        - apparmor_libvirtd_profile.stat.exists
-        - not apparmor_libvirtd_disable_profile.stat.exists
-  when:
-    - ansible_facts.distribution == "Ubuntu"
-    - apparmor_remove_libvirt_profile | bool
+- import_role:
+    name: openstack.kolla.apparmor_libvirt

 - name: Change state of selinux
  selinux: