Add SELinux contexts for neutron log directory
The log directory for neutron has the default_t SELinux context and this prevents rsyslog from accessing neutron's logs. This patch ensures that the file contexts are set properly for neutron's logs. This change also makes neutron's log directory configurable using the `neutron_log_dir` variable. Closes-Bug: 1748968 Change-Id: Ifbcca131435c8963cc9c1b85c000cc040fab27ab
parent
cd580de2c2
commit
1664cb0009
@ -31,6 +31,8 @@ neutron_package_state: "latest"
|
||||
### Python code details
|
||||
###
|
||||
|
||||
neutron_log_dir: "/var/log/neutron"
|
||||
|
||||
# Set the package install state for pip_package
|
||||
# Options are 'present' and 'latest'
|
||||
neutron_pip_package_state: "latest"
|
||||
@ -100,7 +102,7 @@ neutron_dns_domain: "openstacklocal."
|
||||
# Dnsmasq doesn't work with config_template override, a deployer
|
||||
# should instead configure its own neutron_dhcp_config key/values
|
||||
neutron_dhcp_config:
|
||||
log-facility: "/var/log/neutron/neutron-dnsmasq.log"
|
||||
log-facility: "{{ neutron_log_dir }}/neutron-dnsmasq.log"
|
||||
|
||||
# Set the neutron lbaasv2 user group, defaults from os specific vars
|
||||
neutron_lbaasv2_user_group: "{{ _neutron_lbaasv2_user_group }}"
|
||||
|
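Review bot: The new `neutron_log_dir` default is added without a comment, although the variables around it each carry one, and nothing tells a deployer what form the value must take. The same commit interpolates it into a shell script, a `sefcontext` pattern and every `--log-file=` option, so a trailing slash or a relative path would produce a file-context pattern and log paths that do not match the real directory. I would add above it `# Absolute path (no trailing slash) of neutron's log directory; may be a symlink.` and `# The role sets its ownership and, on SELinux hosts, the neutron_log_t type.`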
@ -51,9 +51,9 @@
|
||||
|
||||
- name: Test for log directory or link
|
||||
shell: |
|
||||
if [ -h "/var/log/neutron" ]; then
|
||||
chown -h {{ neutron_system_user_name }}:{{ neutron_system_group_name }} "/var/log/neutron"
|
||||
chown -R {{ neutron_system_user_name }}:{{ neutron_system_group_name }} "$(readlink /var/log/neutron)"
|
||||
if [ -h "{{ neutron_log_dir }}" ]; then
|
||||
chown -h {{ neutron_system_user_name }}:{{ neutron_system_group_name }} "{{ neutron_log_dir }}"
|
||||
chown -R {{ neutron_system_user_name }}:{{ neutron_system_group_name }} "$(readlink {{ neutron_log_dir }})"
|
||||
else
|
||||
exit 1
|
||||
fi
|
||||
@ -69,7 +69,7 @@
|
||||
group: "{{ item.group|default(neutron_system_group_name) }}"
|
||||
mode: "{{ item.mode|default('0755') }}"
|
||||
with_items:
|
||||
- { path: "/var/log/neutron" }
|
||||
- { path: "{{ neutron_log_dir }}" }
|
||||
when: log_dir.rc != 0
|
||||
|
||||
- name: Drop sudoers file
|
||||
|
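Review bot: The rewritten `shell` block pastes `{{ neutron_log_dir }}` straight into the script, and inside `$(readlink …)` it is not quoted at all, so a deployer-set path containing spaces or shell metacharacters changes what the recursive `chown` acts on. Passing the value through the `quote` filter and resolving the link fully would be safer, for example `chown -R {{ neutron_system_user_name }}:{{ neutron_system_group_name }} "$(readlink -f {{ neutron_log_dir | quote }})"`, with `{{ neutron_log_dir | quote }}` replacing the hand-written double quotes on the `[ -h … ]` test and the `chown -h` line. Plain `readlink` prints a relative link target verbatim, which `chown -R` would then resolve against the task's working directory rather than the link's parent. The task continues past the end of this hunk, so how its result is registered is not visible here.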
@ -56,3 +56,20 @@
|
||||
file:
|
||||
path: "/tmp/osa-neutron-selinux/"
|
||||
state: absent
|
||||
|
||||
- name: Stat neutron's log directory
|
||||
stat:
|
||||
path: "{{ neutron_log_dir }}"
|
||||
register: neutron_log_dir_check
|
||||
|
||||
- name: Set SELinux file contexts for neutron's log directory
|
||||
sefcontext:
|
||||
target: "{{ (neutron_log_dir_check.stat.islnk) | ternary(neutron_log_dir.stat.lnk_target, neutron_log_dir) }}(/.*)?"
|
||||
setype: neutron_log_t
|
||||
state: present
|
||||
register: selinux_file_context_log_files
|
||||
|
||||
- name: Apply updated SELinux contexts on neutron log directory
|
||||
command: "restorecon -Rv {{ (neutron_log_dir_check.stat.islnk) | ternary(neutron_log_dir.stat.lnk_target, neutron_log_dir) }}"
|
||||
when:
|
||||
- selinux_file_context_log_files | changed
|
||||
|
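Review bot: In both new tasks the symlink branch of the ternary reads `neutron_log_dir.stat.lnk_target`, but `neutron_log_dir` is the plain path string from the defaults; the stat result is registered as `neutron_log_dir_check`. Because `ternary` evaluates both arguments, this most likely fails templating, or yields an undefined target, even when the directory is not a link, leaving the logs without the `neutron_log_t` label the commit is meant to apply. The `sefcontext` target and the `restorecon` command should both use `neutron_log_dir_check.stat.lnk_target`. It is also worth confirming that `lnk_target` is absolute and that the path exists when the stat runs, since `islnk` is not returned for a missing path and a relative target would give a file-context pattern that matches nothing.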
@ -48,7 +48,7 @@ def load_local_logging():
|
||||
|
||||
user = os.getuid()
|
||||
home = os.path.expanduser('~')
|
||||
log_dir = '/var/log/neutron'
|
||||
log_dir = '{{ neutron_log_dir }}'
|
||||
filename = '%s.log' % LOG_NAME
|
||||
|
||||
if user == 0:
|
||||
|
@ -21,7 +21,7 @@
|
||||
use_stderr = False
|
||||
debug = {{ debug }}
|
||||
fatal_deprecations = {{ neutron_fatal_deprecations }}
|
||||
log_file = /var/log/neutron/neutron.log
|
||||
log_file = {{ neutron_log_dir }}/neutron.log
|
||||
|
||||
## Rpc all
|
||||
executor_thread_pool_size = {{ neutron_rpc_thread_pool_size }}
|
||||
|
@ -378,7 +378,7 @@ neutron_services:
|
||||
service_conf_path: "{{ neutron_conf_dir }}"
|
||||
service_conf: dhcp_agent.ini
|
||||
service_rootwrap: rootwrap.d/dhcp.filters
|
||||
config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/dhcp_agent.ini --log-file=/var/log/neutron/neutron-dhcp-agent.log"
|
||||
config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/dhcp_agent.ini --log-file={{ neutron_log_dir }}/neutron-dhcp-agent.log"
|
||||
config_overrides: "{{ neutron_dhcp_agent_ini_overrides }}"
|
||||
config_type: "ini"
|
||||
init_config_overrides: "{{ neutron_dhcp_agent_init_overrides }}"
|
||||
@ -390,7 +390,7 @@ neutron_services:
|
||||
service_conf_path: "{{ neutron_conf_dir }}"
|
||||
service_conf: plugins/ml2/openvswitch_agent.ini
|
||||
service_rootwrap: rootwrap.d/openvswitch-plugin.filters
|
||||
config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/plugins/ml2/ml2_conf.ini --config-file {{ neutron_conf_dir }}/plugins/ml2/openvswitch_agent.ini --log-file=/var/log/neutron/neutron-openvswitch-agent.log"
|
||||
config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/plugins/ml2/ml2_conf.ini --config-file {{ neutron_conf_dir }}/plugins/ml2/openvswitch_agent.ini --log-file={{ neutron_log_dir }}/neutron-openvswitch-agent.log"
|
||||
config_overrides: "{{ neutron_openvswitch_agent_ini_overrides }}"
|
||||
config_type: "ini"
|
||||
init_config_overrides: "{{ neutron_openvswitch_agent_init_overrides }}"
|
||||
@ -402,7 +402,7 @@ neutron_services:
|
||||
service_conf_path: "{{ neutron_conf_dir }}"
|
||||
service_conf: plugins/ml2/linuxbridge_agent.ini
|
||||
service_rootwrap: rootwrap.d/linuxbridge-plugin.filters
|
||||
config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/plugins/ml2/ml2_conf.ini --config-file {{ neutron_conf_dir }}/plugins/ml2/linuxbridge_agent.ini --log-file=/var/log/neutron/neutron-linuxbridge-agent.log"
|
||||
config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/plugins/ml2/ml2_conf.ini --config-file {{ neutron_conf_dir }}/plugins/ml2/linuxbridge_agent.ini --log-file={{ neutron_log_dir }}/neutron-linuxbridge-agent.log"
|
||||
config_overrides: "{{ neutron_linuxbridge_agent_ini_overrides }}"
|
||||
config_type: "ini"
|
||||
init_config_overrides: "{{ neutron_linuxbridge_agent_init_overrides }}"
|
||||
@ -413,7 +413,7 @@ neutron_services:
|
||||
service_en: "{{ neutron_metadata | bool }}"
|
||||
service_conf_path: "{{ neutron_conf_dir }}"
|
||||
service_conf: metadata_agent.ini
|
||||
config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/metadata_agent.ini --log-file=/var/log/neutron/neutron-metadata-agent.log"
|
||||
config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/metadata_agent.ini --log-file={{ neutron_log_dir }}/neutron-metadata-agent.log"
|
||||
config_overrides: "{{ neutron_metadata_agent_ini_overrides }}"
|
||||
config_type: "ini"
|
||||
init_config_overrides: "{{ neutron_metadata_agent_init_overrides }}"
|
||||
@ -424,7 +424,7 @@ neutron_services:
|
||||
service_en: "{{ neutron_metering | bool }}"
|
||||
service_conf_path: "{{ neutron_conf_dir }}"
|
||||
service_conf: metering_agent.ini
|
||||
config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/metering_agent.ini --log-file=/var/log/neutron/neutron-metering-agent.log"
|
||||
config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/metering_agent.ini --log-file={{ neutron_log_dir }}/neutron-metering-agent.log"
|
||||
config_overrides: "{{ neutron_metering_agent_ini_overrides }}"
|
||||
config_type: "ini"
|
||||
init_config_overrides: "{{ neutron_metering_agent_init_overrides }}"
|
||||
@ -444,7 +444,7 @@ neutron_services:
|
||||
service_conf_path: "{{ neutron_conf_dir }}"
|
||||
service_conf: l3_agent.ini
|
||||
service_rootwrap: rootwrap.d/l3.filters
|
||||
config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/l3_agent.ini --log-file=/var/log/neutron/neutron-l3-agent.log"
|
||||
config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/l3_agent.ini --log-file={{ neutron_log_dir }}/neutron-l3-agent.log"
|
||||
config_overrides: "{{ neutron_l3_agent_ini_overrides }}"
|
||||
config_type: "ini"
|
||||
init_config_overrides: "{{ neutron_l3_agent_init_overrides }}"
|
||||
@ -456,7 +456,7 @@ neutron_services:
|
||||
service_conf_path: "{{ neutron_conf_dir }}"
|
||||
service_conf: lbaas_agent.ini
|
||||
service_rootwrap: rootwrap.d/lbaas-haproxy.filters
|
||||
config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/lbaas_agent.ini --log-file=/var/log/neutron/neutron-lbaasv2-agent.log"
|
||||
config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/lbaas_agent.ini --log-file={{ neutron_log_dir }}/neutron-lbaasv2-agent.log"
|
||||
config_overrides: "{{ neutron_lbaas_agent_ini_overrides }}"
|
||||
config_type: "ini"
|
||||
init_config_overrides: "{{ neutron_lbaas_agent_init_overrides }}"
|
||||
@ -467,7 +467,7 @@ neutron_services:
|
||||
service_en: "{{ neutron_bgp | bool }}"
|
||||
service_conf_path: "{{ neutron_conf_dir }}"
|
||||
service_conf: bgp_dragent.ini
|
||||
config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/bgp_dragent.ini --log-file=/var/log/neutron/neutron-bgp-dragent.log"
|
||||
config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/bgp_dragent.ini --log-file={{ neutron_log_dir }}/neutron-bgp-dragent.log"
|
||||
config_overrides: "{{ neutron_bgp_dragent_ini_overrides }}"
|
||||
config_type: "ini"
|
||||
init_config_overrides: "{{ neutron_bgp_dragent_init_overrides }}"
|
||||
@ -479,7 +479,7 @@ neutron_services:
|
||||
service_conf_path: "{{ neutron_conf_dir }}"
|
||||
service_conf: vpnaas_agent.ini
|
||||
service_rootwrap: rootwrap.d/vpnaas.filters
|
||||
config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/vpnaas_agent.ini --log-file=/var/log/neutron/neutron-vpn-agent.log"
|
||||
config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/vpnaas_agent.ini --log-file={{ neutron_log_dir }}/neutron-vpn-agent.log"
|
||||
config_overrides: "{{ neutron_vpnaas_agent_ini_overrides }}"
|
||||
config_type: "ini"
|
||||
init_config_overrides: "{{ neutron_vpn_agent_init_overrides }}"
|
||||
@ -488,7 +488,7 @@ neutron_services:
|
||||
group: neutron_server
|
||||
service_name: neutron-server
|
||||
service_en: True
|
||||
config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/{{ neutron_plugins[neutron_plugin_type].plugin_ini }} --log-file=/var/log/neutron/neutron-server.log {% if neutron_plugin_type == 'ml2.dragonflow' %}--config-file {{ neutron_conf_dir }}/dragonflow.ini{% endif %}"
|
||||
config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/{{ neutron_plugins[neutron_plugin_type].plugin_ini }} --log-file={{ neutron_log_dir }}/neutron-server.log {% if neutron_plugin_type == 'ml2.dragonflow' %}--config-file {{ neutron_conf_dir }}/dragonflow.ini{% endif %}"
|
||||
init_config_overrides: "{{ neutron_server_init_overrides }}"
|
||||
start_order: 1
|
||||
calico-felix:
|
||||
@ -523,7 +523,7 @@ neutron_services:
|
||||
service_en: "{{ 'ml2.sriov' in neutron_plugin_types }}"
|
||||
service_conf_path: "{{ neutron_conf_dir }}"
|
||||
service_conf: plugins/ml2/sriov_nic_agent.ini
|
||||
config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/plugins/ml2/ml2_conf.ini --config-file {{ neutron_conf_dir }}/plugins/ml2/sriov_nic_agent.ini --log-file=/var/log/neutron/neutron-sriov-nic-agent.log"
|
||||
config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/plugins/ml2/ml2_conf.ini --config-file {{ neutron_conf_dir }}/plugins/ml2/sriov_nic_agent.ini --log-file={{ neutron_log_dir }}/neutron-sriov-nic-agent.log"
|
||||
config_overrides: "{{ neutron_sriov_nic_agent_ini_overrides }}"
|
||||
config_type: "ini"
|
||||
init_config_overrides: "{{ neutron_sriov_nic_agent_init_overrides }}"
|
||||
|