From 7451f55080a8538b1d7ac676d9a0b1c4236b27bf Mon Sep 17 00:00:00 2001
From: stack
Date: Fri, 4 May 2018 19:06:00 +0100
Subject: [PATCH] Configure SELinux state in kolla ansible Kolla ansible now provides the ability to change the SELinux mode, and does so by default. The default mode is 'permissive', whereas kayobe sets it to 'disabled' in the disable-selinux role. This results in a flip-flop effect as the two fight, and worse - kayobe will reboot the system to apply the change on subsequent runs of 'kayobe host configure'. This change configures the selinux mode for kolla ansible to be 'disabled' to avoid this issue. TrivialFix Change-Id: I53e1d431ecd5ddb602f41b197ac482c3ed89d1d9
---
 ansible/kolla-ansible.yml | 7 +++++++
 ansible/roles/kolla-ansible/defaults/main.yml | 6 ++++++
 ansible/roles/kolla-ansible/templates/globals.yml.j2 | 4 ++++
 3 files changed, 17 insertions(+)
diff --git a/ansible/kolla-ansible.yml b/ansible/kolla-ansible.yml
index c7dc26d03..0ffb4098e 100644
--- a/ansible/kolla-ansible.yml
+++ b/ansible/kolla-ansible.yml
@@ -223,3 +223,10 @@
 - role: kolla-ansible
 kolla_external_fqdn_cert: "{{ kolla_config_path }}/certificates/haproxy.pem"
 kolla_ansible_passwords_path: "{{ kayobe_config_path }}/kolla/passwords.yml"
+ # NOTE: This differs from the default SELinux mode in kolla ansible,
+ # which is permissive. The justification for using this mode is twofold:
+ # 1. it avoids filling up the audit log
+ # 2. it avoids an issue seen when using diskimage-builder in the bifrost
+ # container.
+ # We could look at making the SELinux mode configurable in future.
+ kolla_selinux_state: disabled
diff --git a/ansible/roles/kolla-ansible/defaults/main.yml b/ansible/roles/kolla-ansible/defaults/main.yml
index a3722ca8d..9384e04fd 100644
--- a/ansible/roles/kolla-ansible/defaults/main.yml
+++ b/ansible/roles/kolla-ansible/defaults/main.yml
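Review bot: The NOTE above `kolla_selinux_state: disabled` in ansible/kolla-ansible.yml gives the operational reasons for the mode but not what is given up, and someone revisiting the setting needs both. With SELinux disabled rather than permissive, no AVC denials are recorded and new files are created without security labels, so the hosts lose that audit signal and a later move to permissive or enforcing needs a filesystem relabel. I would add a comment line such as `# Trade-off: 'disabled' records no AVC denials and leaves new files unlabelled; re-enabling later requires a relabel.` The role invocation this parameter belongs to starts outside the hunk.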
@@ -255,3 +255,9 @@ kolla_ansible_custom_passwords: {}
 # When set, this will copy the contents of this variable into place for
 # use by HAProxy.
 kolla_tls_cert:
+
+###############################################################################
+# SELinux
+
+# Desired SELinux state.
+kolla_selinux_state:
diff --git a/ansible/roles/kolla-ansible/templates/globals.yml.j2 b/ansible/roles/kolla-ansible/templates/globals.yml.j2
index 918639720..97a966e59 100644
--- a/ansible/roles/kolla-ansible/templates/globals.yml.j2
+++ b/ansible/roles/kolla-ansible/templates/globals.yml.j2
@@ -398,6 +398,10 @@ bifrost_install_type: source
 grafana_admin_username: "{{ grafana_local_admin_user_name }}"
 {% endif %}
 
+{% if kolla_selinux_state is not none %}
+selinux_state: {{ kolla_selinux_state }}
+{% endif %}
+
 {% if kolla_extra_globals %}
 #######################
 # Extra configuration
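Review bot: The comment `# Desired SELinux state.` on the new `kolla_selinux_state:` default in defaults/main.yml does not say which values are accepted or what the empty default means. Going by the globals.yml.j2 hunk in this patch, a null value makes the role leave `selinux_state` out of globals.yml, so kolla ansible's own default applies (permissive, per the commit message). I would expand it to something like `# Desired SELinux state: 'enforcing', 'permissive' or 'disabled'. If unset, selinux_state is not written and kolla ansible's default applies.`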
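Review bot: The rendered value in `selinux_state: {{ kolla_selinux_state }}` is unquoted and guarded only by `is not none`, unlike the quoted `grafana_admin_username` line just above it. An empty string passes that guard and renders a bare `selinux_state:`, which YAML reads as null. A value containing `: ` or ` #` would change how the generated globals.yml parses. Writing `selinux_state: "{{ kolla_selinux_state }}"` keeps the value a single string. If an empty value should mean "unset", the guard could be the truthiness test used by the following block, `{% if kolla_selinux_state %}`.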