Add SELinux contexts for nova log directory

The log directory for nova has the default_t SELinux context and this
prevents rsyslog from accessing nova's logs. This patch ensures that
the file contexts are set properly for nova's logs.

This change also makes nova's log directory configurable using the
`nova_log_dir` variable.

Closes-Bug: 1748911
Change-Id: Iaac69c5807715f50386624602375c89adeeb48a1
Major Hayden 2018-02-14 11:39:54 -06:00
parent 445ba359da
commit 10fc6d9035
4 changed files with 23 additions and 5 deletions


@ -60,6 +60,7 @@ nova_system_shell: /bin/bash
nova_system_comment: nova system user nova_system_comment: nova system user
nova_system_home_folder: "/var/lib/{{ nova_system_user_name }}" nova_system_home_folder: "/var/lib/{{ nova_system_user_name }}"
nova_libvirt_save_path: "{{ nova_system_home_folder }}/save" nova_libvirt_save_path: "{{ nova_system_home_folder }}/save"
nova_log_dir: "/var/log/nova"
nova_lock_path: "/var/lock/nova" nova_lock_path: "/var/lock/nova"
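Review bot: The new `nova_log_dir` default carries no comment, although this commit makes it the single source for the log-directory tasks, the SELinux labelling and nova.conf's `log_dir`, so an operator overriding it cannot see from this file what else moves with it. A one-line comment above it would close that gap: `# Directory nova writes its logs to; the SELinux tasks label it (or its link target, if it is a symlink) nova_log_t.` The neighbouring defaults in this hunk are uncommented too, so this is a documentation point rather than a defect.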


@ -77,9 +77,9 @@
- name: Test for log directory or link - name: Test for log directory or link
shell: | shell: |
if [ -h "/var/log/nova" ]; then if [ -h "{{ nova_log_dir }}" ]; then
chown -h {{ nova_system_user_name }}:{{ nova_system_group_name }} "/var/log/nova" chown -h {{ nova_system_user_name }}:{{ nova_system_group_name }} "{{ nova_log_dir }}"
chown -R {{ nova_system_user_name }}:{{ nova_system_group_name }} "$(readlink /var/log/nova)" chown -R {{ nova_system_user_name }}:{{ nova_system_group_name }} "$(readlink {{ nova_log_dir }})"
else else
exit 1 exit 1
fi fi
@ -92,7 +92,7 @@
- name: Create nova log dir - name: Create nova log dir
file: file:
path: "/var/log/nova" path: "{{ nova_log_dir }}"
state: directory state: directory
owner: "{{ nova_system_user_name }}" owner: "{{ nova_system_user_name }}"
group: "{{ nova_system_group_name }}" group: "{{ nova_system_group_name }}"
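Review bot: In the `Test for log directory or link` shell task the templated path inside `$(readlink {{ nova_log_dir }})` is the one occurrence left unquoted, while the two uses on the preceding lines are double-quoted; now that the value is operator-settable, a directory name containing whitespace or shell metacharacters would be word-split or interpreted there and the recursive chown would hit the wrong path. Quote the inner expansion as well: `chown -R {{ nova_system_user_name }}:{{ nova_system_group_name }} "$(readlink "{{ nova_log_dir }}")"`. The task's remaining keys (register/failure handling) lie outside this hunk, so I cannot tell from here how a non-zero exit is treated.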


@ -43,6 +43,23 @@
when: when:
- selinux_equivalence | changed or selinux_file_context_ssh_keys | changed - selinux_equivalence | changed or selinux_file_context_ssh_keys | changed
- name: Stat nova's log directory
stat:
path: "{{ nova_log_dir }}"
register: nova_log_dir_check
- name: Set SELinux file contexts for nova's log directory
sefcontext:
target: "{{ (nova_log_dir_check.stat.islnk) | ternary(nova_log_dir_check.stat.lnk_target, nova_log_dir) }}(/.*)?"
setype: nova_log_t
state: present
register: selinux_file_context_log_files
- name: Apply updated SELinux contexts on nova log directory
command: "restorecon -Rv {{ (nova_log_dir_check.stat.islnk) | ternary(nova_log_dir_check.stat.lnk_target, nova_log_dir) }}"
when:
- selinux_file_context_log_files | changed
- name: Copy OSA SELinux policy - name: Copy OSA SELinux policy
copy: copy:
src: osa-nova.te src: osa-nova.te
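Review bot: Both the `sefcontext` target and the `restorecon` command select `nova_log_dir_check.stat.lnk_target` when the log directory is a symlink, but the stat module reports `lnk_target` as the raw link text, so a relative symlink (constructed example: `../openstack/nova`) would produce a relative file-context regex and a relative restorecon path, and the real directory would stay unlabelled; `stat.lnk_source` is the resolved absolute path and is what both consumers need, i.e. `ternary(nova_log_dir_check.stat.lnk_source, nova_log_dir)` in both expressions. The chosen path is also interpolated into a regex and a command line without escaping, so a value with regex metacharacters or spaces would be mismatched or split (`| regex_escape` on the `target`, quoting around the `restorecon` argument). Lastly, `restorecon` is gated on the `sefcontext` call reporting a change; if an identical nova_log_t mapping already exists for the path, the currently default_t files described in the commit message would not be relabelled by this run, so it is worth confirming whether the restorecon should be unconditional. The `Copy OSA SELinux policy` task continues past the end of this hunk.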


@ -6,7 +6,7 @@ use_stderr = False
# Logs / State # Logs / State
debug = {{ debug }} debug = {{ debug }}
fatal_deprecations = {{ nova_fatal_deprecations }} fatal_deprecations = {{ nova_fatal_deprecations }}
log_dir = /var/log/nova log_dir = {{ nova_log_dir }}
state_path = {{ nova_system_home_folder }} state_path = {{ nova_system_home_folder }}
rootwrap_config = /etc/nova/rootwrap.conf rootwrap_config = /etc/nova/rootwrap.conf
service_down_time = 120 service_down_time = 120