diff --git a/defaults/main.yml b/defaults/main.yml index 4ca31290..e1116265 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -18,6 +18,8 @@ cinder_package_state: "latest" cinder_pip_package_state: "latest" +cinder_log_dir: /var/log/cinder + cinder_git_repo: https://git.openstack.org/openstack/cinder cinder_git_install_branch: master cinder_developer_mode: false diff --git a/tasks/cinder_post_install.yml b/tasks/cinder_post_install.yml index ecbea02d..7bdfc04c 100644 --- a/tasks/cinder_post_install.yml +++ b/tasks/cinder_post_install.yml @@ -83,3 +83,8 @@ mode: "0440" owner: "root" group: "root" + +- include: cinder_selinux.yml + when: + - ansible_selinux.status is defined + - ansible_selinux.status == "enabled" diff --git a/tasks/cinder_pre_install.yml b/tasks/cinder_pre_install.yml index f9c66cc9..d85ccb38 100644 --- a/tasks/cinder_pre_install.yml +++ b/tasks/cinder_pre_install.yml @@ -48,9 +48,9 @@ - name: Test for log directory or link shell: | - if [ -h "/var/log/cinder" ]; then - chown -h {{ cinder_system_user_name }}:{{ cinder_system_group_name }} "/var/log/cinder" - chown -R {{ cinder_system_user_name }}:{{ cinder_system_group_name }} "$(readlink /var/log/cinder)" + if [ -h "{{ cinder_log_dir }}" ]; then + chown -h {{ cinder_system_user_name }}:{{ cinder_system_group_name }} "{{ cinder_log_dir }}" + chown -R {{ cinder_system_user_name }}:{{ cinder_system_group_name }} "$(readlink {{ cinder_log_dir }})" else exit 1 fi @@ -66,5 +66,5 @@ group: "{{ item.group|default(cinder_system_group_name) }}" mode: "{{ item.mode|default('0755') }}" with_items: - - { path: "/var/log/cinder" } + - { path: "{{ cinder_log_dir }}" } when: log_dir.rc != 0 diff --git a/tasks/cinder_selinux.yml b/tasks/cinder_selinux.yml new file mode 100644 index 00000000..c6d2589b --- /dev/null +++ b/tasks/cinder_selinux.yml 
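Review bot: The new `cinder_log_dir` default in defaults/main.yml has no comment saying which values are safe, yet this commit interpolates it into a shell snippet that runs `chown -R`, a SELinux file-context regex, and the systemd `ExecStart` line. A value containing whitespace or regex metacharacters would behave differently in each of those places. I would add `# Absolute path of the cinder log directory (may be a symlink); no whitespace or regex metacharacters.` above the variable. I would also quote the default to match the neighbouring values: `cinder_log_dir: "/var/log/cinder"`.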
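Review bot: The `- include: cinder_selinux.yml` added at the end of tasks/cinder_post_install.yml uses the bare `include` form, which Ansible deprecates for task files; `- include_tasks: cinder_selinux.yml` with the same `when:` list states the dynamic include explicitly. The included file calls the `sefcontext` module, which needs the SELinux/semanage Python bindings on the target host. Nothing visible in this commit installs them, so confirm the role's package list covers them on SELinux-enabled distributions.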
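Review bot: On the new `chown -R` line in tasks/cinder_pre_install.yml the inner `readlink {{ cinder_log_dir }}` is unquoted and returns the link target exactly as stored. A relative symlink is therefore resolved against the task's working directory, and the recursive ownership change can land on a different tree than the one the link points to. Now that the path is operator-supplied rather than a literal, I would canonicalise and quote it: `chown -R {{ cinder_system_user_name }}:{{ cinder_system_group_name }} "$(readlink -f "{{ cinder_log_dir }}")"`. The shell task continues outside the hunk, so its `register`/`failed_when` handling is not visible here.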
@@ -0,0 +1,31 @@
+---
+# Copyright 2018, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Stat cinder's log directory
+ stat:
+ path: "{{ cinder_log_dir }}"
+ register: cinder_log_dir_check
+
+- name: Set SELinux file contexts for cinder's log directory
+ sefcontext:
+ target: "{{ (cinder_log_dir_check.stat.islnk) | ternary(cinder_log_dir_check.stat.lnk_target, cinder_log_dir) }}(/.*)?"
+ setype: cinder_log_t
+ state: present
+ register: selinux_file_context_log_files
+
+- name: Apply updated SELinux contexts on cinder log directory
+ command: "restorecon -Rv {{ (cinder_log_dir_check.stat.islnk) | ternary(cinder_log_dir_check.stat.lnk_target, cinder_log_dir) }}"
+ when:
+ - selinux_file_context_log_files | changed
diff --git a/templates/cinder-systemd-init.j2 b/templates/cinder-systemd-init.j2
index 270cb50a..15c7d71e 100644
--- a/templates/cinder-systemd-init.j2
+++ b/templates/cinder-systemd-init.j2
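Review bot: Both the `sefcontext` target and the `restorecon` argument in tasks/cinder_selinux.yml take `stat.lnk_target`, which Ansible documents as leaving relative link targets relative. For a relative symlink the file-context rule would be registered on a path that never matches, and `restorecon` would resolve it against the working directory. `stat.lnk_source` is the normalised absolute target and fits both places: `ternary(cinder_log_dir_check.stat.lnk_source, cinder_log_dir)`. Separately, `restorecon` runs only when the `sefcontext` task reports a change, so files that become mislabelled after the rule already exists are not relabelled. Also, `| changed` is the filter form that later Ansible releases replace with `is changed`.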
@@ -11,9 +11,9 @@
 User={{ cinder_system_user_name }}
 Group={{ cinder_system_group_name }}
 {% if item.program_override is defined %}
-ExecStart={{ item.program_override }} {{ item.program_config_options|default('') }} {{ item.log_string | default('--log-file=') }}/var/log/cinder/{{ item.service_name }}.log
+ExecStart={{ item.program_override }} {{ item.program_config_options|default('') }} {{ item.log_string | default('--log-file=') }}{{ cinder_log_dir }}/{{ item.service_name }}.log
 {% else %}
-ExecStart={{ cinder_bin }}/{{ item.service_name }} {{ item.program_config_options|default('') }} --log-file=/var/log/cinder/{{ item.service_name }}.log
+ExecStart={{ cinder_bin }}/{{ item.service_name }} {{ item.program_config_options|default('') }} --log-file={{ cinder_log_dir }}/{{ item.service_name }}.log
 {% endif %}
 {% if item.service_name != cinder_services['cinder-api']['service_name'] or item.wsgi_app %}
 ExecReload={{ (item.wsgi_app is defined and item.wsgi_app) | ternary(cinder_bin + '/uwsgi --reload /var/run/' + item.service_name + '/' + item.service_name +'.pid','/bin/kill -HUP $MAINPID') }}