Configure SELinux state in kolla ansible

Kolla ansible now provides the ability to change the SELinux mode, and does so
by default. The default mode is 'permissive', whereas kayobe sets it to
'disabled' in the disable-selinux role.  This results in a flip-flop effect as
the two fight, and worse - kayobe will reboot the system to apply the change
on subsequent runs of 'kayobe <seed|controller> host configure'.

This change configures the selinux mode for kolla ansible to be 'disabled' to
avoid this issue.

TrivialFix

Change-Id: I53e1d431ecd5ddb602f41b197ac482c3ed89d1d9

ansible/kolla-ansible.yml

@@ -223,3 +223,10 @@
     - role: kolla-ansible
       kolla_external_fqdn_cert: "{{ kolla_config_path }}/certificates/haproxy.pem"
       kolla_ansible_passwords_path: "{{ kayobe_config_path }}/kolla/passwords.yml"
+      # NOTE: This differs from the default SELinux mode in kolla ansible,
+      # which is permissive. The justification for using this mode is twofold:
+      # 1. it avoids filling up the audit log
+      # 2. it avoids an issue seen when using diskimage-builder in the bifrost
+      # container.
+      # We could look at making the SELinux mode configurable in future.
+      kolla_selinux_state: disabled

ansible/roles/kolla-ansible/defaults/main.yml

@@ -255,3 +255,9 @@ kolla_ansible_custom_passwords: {}
 # When set, this will copy the contents of this variable into place for
 # use by HAProxy.
 kolla_tls_cert:
+
+###############################################################################
+# SELinux
+
+# Desired SELinux state.
+kolla_selinux_state:

ansible/roles/kolla-ansible/templates/globals.yml.j2

@@ -398,6 +398,10 @@ bifrost_install_type: source
 grafana_admin_username: "{{ grafana_local_admin_user_name }}"
 {% endif %}
 
+{% if kolla_selinux_state is not none %}
+selinux_state: {{ kolla_selinux_state }}
+{% endif %}
+
 {% if kolla_extra_globals %}
 #######################
 # Extra configuration