From ffb701f8a3a325e0c321fb2d3e37eea25e66a8af Mon Sep 17 00:00:00 2001
From: kevin
Date: Mon, 24 Aug 2015 16:24:02 +0100
Subject: [PATCH] Removed default lxc profile on container create

Having the lxc container create role drop the lxc-openstack apparmor profile on all containers anytime its executed leads to the possibility of the lxc container create task overwriting the running profile on a given container. If this happens its likley to cause service interruption until the correct profile is loaded for all containers its effected by the action. To fix this issue the default "lxc-openstack" profile has been removed from the lxc contianer create task and added to all plays that are known to be executed within an lxc container. This will ensure that the profile is untouched on subsequent runs of the lxc-container-create.yml play.

Change-Id: Ifa4640be60c18f1232cc7c8b281fb1dfc0119e56
Closes-Bug: 1487130
---
 playbooks/galera-install.yml | 11 +++++++-
 playbooks/memcached-install.yml | 10 +++++++
 playbooks/os-ceilometer-install.yml | 13 +++++++--
 playbooks/os-cinder-install.yml | 28 +++++++++----------
 playbooks/os-glance-install.yml | 15 ++++++++--
 playbooks/os-heat-install.yml | 13 +++++++--
 playbooks/os-horizon-install.yml | 13 +++++++--
 playbooks/os-keystone-install.yml | 13 +++++++--
 playbooks/os-neutron-install.yml | 20 ++++++++++---
 playbooks/os-nova-install.yml | 17 ++++++++---
 playbooks/os-swift-setup.yml | 13 +++++++--
 playbooks/rabbitmq-install.yml | 10 +++++++
 playbooks/repo-server.yml | 11 +++++++-
 .../tasks/container_create.yml | 1 -
 playbooks/rsyslog-install.yml | 13 +++++++--
 playbooks/utility-install.yml | 10 +++++++
 16 files changed, 171 insertions(+), 40 deletions(-)

diff --git a/playbooks/galera-install.yml b/playbooks/galera-install.yml
index 0db115e610..6ed61b5ba1 100644
--- a/playbooks/galera-install.yml
+++ b/playbooks/galera-install.yml
@@ -67,6 +67,15 @@
 max_fail_percentage: 20
 user: root
 pre_tasks:
+ - name: Use the lxc-openstack aa profile
+ lxc_container:
+ name: "{{ container_name }}"
+ container_config:
+ - "lxc.aa_profile=lxc-openstack"
+ delegate_to: "{{ physical_host }}"
+ when: not is_metal | bool
+ tags:
+ - lxc-aa-profile
 - name: Galera extra lxc config
 lxc_container:
 name: "{{ container_name }}"
@@ -75,7 +84,7 @@
 container_config:
 - "lxc.mount.entry=/openstack/{{ container_name }} var/lib/mysql none bind 0 0"
 delegate_to: "{{ physical_host }}"
- when: is_metal == false or is_metal == "False"
+ when: not is_metal | bool
 tags:
 - galera-mysql-dir
 - name: Flush net cache
diff --git a/playbooks/memcached-install.yml b/playbooks/memcached-install.yml
index f0b51b4ba2..1140da160e 100644
--- a/playbooks/memcached-install.yml
+++ b/playbooks/memcached-install.yml
@@ -17,6 +17,16 @@
 hosts: memcached
 max_fail_percentage: 20
 user: root
+ pre_tasks:
+ - name: Use the lxc-openstack aa profile
+ lxc_container:
+ name: "{{ container_name }}"
+ container_config:
+ - "lxc.aa_profile=lxc-openstack"
+ delegate_to: "{{ physical_host }}"
+ when: not is_metal | bool
+ tags:
+ - lxc-aa-profile
 roles:
 - { role: "memcached_server", tags: [ "memcached-server" ] }
 - role: "system_crontab_coordination"
diff --git a/playbooks/os-ceilometer-install.yml b/playbooks/os-ceilometer-install.yml
index c355bd930f..16cf317e41 100644
--- a/playbooks/os-ceilometer-install.yml
+++ b/playbooks/os-ceilometer-install.yml
@@ -18,6 +18,15 @@
 max_fail_percentage: 20
 user: root
 pre_tasks:
+ - name: Use the lxc-openstack aa profile
+ lxc_container:
+ name: "{{ container_name }}"
+ container_config:
+ - "lxc.aa_profile=lxc-openstack"
+ delegate_to: "{{ physical_host }}"
+ when: not is_metal | bool
+ tags:
+ - lxc-aa-profile
 - name: Flush net cache
 command: /usr/local/bin/lxc-system-manage flush-net-cache
 delegate_to: "{{ physical_host }}"
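Review bot: The nine-line `Use the lxc-openstack aa profile` pre_task added at the top of this hunk is pasted verbatim into the memcached, ceilometer, glance, heat, horizon, keystone, nova, swift, rabbitmq, repo-server, rsyslog and utility hunks, and in a variant into the cinder and neutron hunks; a single shared task file pulled in from each play (`- include: SHARED_TASK_FILE.yml` with the same `lxc-aa-profile` tag, path to be chosen) would keep the profile name and the `not is_metal | bool` guard in one place instead of fifteen. As far as this diff shows, once the container_create hunk drops the default, a container is put under lxc-openstack only when its own service play has run, so a container created by a play that is not in this list has no `lxc.aa_profile` line at all and runs under whatever LXC's default profile is; that expectation deserves a comment in the role, or a default there that the service plays override. If the lxc_container module only rewrites the container config, the profile change presumably takes effect at the next container start rather than immediately — worth stating in a comment on the task so operators do not read a green run as "profile applied".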
@@ -47,7 +56,7 @@
 state: directory
 with_items:
 - { path: "/openstack/log/{{ inventory_hostname }}-ceilometer" }
- when: is_metal == true or is_metal == "True"
+ when: is_metal | bool
 tags:
 - ceilometer-logs
 - ceilometer-log-dirs
@@ -59,7 +68,7 @@
 force: "yes"
 with_items:
 - { src: "/openstack/log/{{ inventory_hostname }}-ceilometer", dest: "/var/log/ceilometer", state: "link" }
- when: is_metal == true or is_metal == "True"
+ when: is_metal | bool
 tags:
 - ceilometer-logs
 roles:
diff --git a/playbooks/os-cinder-install.yml b/playbooks/os-cinder-install.yml
index f6709c4c7a..262a9992e6 100644
--- a/playbooks/os-cinder-install.yml
+++ b/playbooks/os-cinder-install.yml
@@ -18,6 +18,17 @@
 max_fail_percentage: 20
 user: root
 pre_tasks:
+ - name: Use the lxc-openstack aa profile
+ lxc_container:
+ name: "{{ container_name }}"
+ container_config:
+ - "lxc.aa_profile=unconfined"
+ delegate_to: "{{ physical_host }}"
+ when: >
+ not is_metal | bool and
+ inventory_hostname in groups['cinder_volume']
+ tags:
+ - lxc-aa-profile
 - name: Add volume group block device to cinder
 shell: |
 {% if item.1.volume_group is defined %}
@@ -36,27 +47,16 @@
 delegate_to: "{{ physical_host }}"
 tags:
 - cinder-lxc-devices
- - name: Cinder extra lxc config
- lxc_container:
- name: "{{ container_name }}"
- container_config:
- - "lxc.aa_profile=unconfined"
- - "lxc.cgroup.devices.allow=a *:* rmw"
- delegate_to: "{{ physical_host }}"
- when: (is_metal == false or is_metal == "False") and inventory_hostname not in groups['cinder_volume']
- tags:
- - cinder-container-setup
 - name: Cinder volume extra lxc config
 lxc_container:
 name: "{{ container_name }}"
 container_config:
 - "lxc.autodev=0"
- - "lxc.aa_profile=unconfined"
 - "lxc.cgroup.devices.allow=a *:* rmw"
 - "lxc.mount.entry=udev dev devtmpfs defaults 0 0"
 delegate_to: "{{ physical_host }}"
 when: >
- (is_metal == false or is_metal == "False") and
+ not is_metal | bool and
 inventory_hostname in groups['cinder_volume'] and
 cinder_backend_lvm_inuse
 tags:
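Review bot: The pre_task added in the first cinder hunk is named `Use the lxc-openstack aa profile` but its only config line is `lxc.aa_profile=unconfined`, so the name says the opposite of what the task does; the neutron hunk has the same mismatch. The bigger gap is coverage: the removed `Cinder extra lxc config` task in the second hunk applied to `inventory_hostname not in groups['cinder_volume']`, while the new pre_task applies only to hosts in `cinder_volume`, so the remaining cinder containers get no `lxc.aa_profile` from this play and, with the default gone from container_create, none at creation either — as far as the diff shows they end up on LXC's default profile rather than lxc-openstack, and the neutron hunk leaves its non-`neutron_agent` containers in the same state. Rename the unconfined task to say what it does, e.g. `- name: Run cinder volume containers unconfined`, and add a sibling task that applies lxc-openstack to the containers the unconfined task excludes, as below; the neutron hunk needs the same pair keyed on `groups['neutron_agent']`. If leaving those containers on the LXC default is intentional, a comment saying so on the pre_task would stop the next reader from treating it as an oversight.
```yaml
- name: Use the lxc-openstack aa profile
  lxc_container:
    name: "{{ container_name }}"
    container_config:
      - "lxc.aa_profile=lxc-openstack"
  delegate_to: "{{ physical_host }}"
  when: >
    not is_metal | bool and
    inventory_hostname not in groups['cinder_volume']
  tags:
    - lxc-aa-profile
# … unchanged: the unconfined task for cinder_volume hosts (renamed), then "Add volume group block device to cinder" …
```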
@@ -97,7 +97,7 @@
 state: directory
 with_items:
 - { path: "/openstack/log/{{ inventory_hostname }}-cinder" }
- when: is_metal == true or is_metal == "True"
+ when: is_metal | bool
 tags:
 - cinder-logs
 - cinder-log-dirs
@@ -109,7 +109,7 @@
 force: "yes"
 with_items:
 - { src: "/openstack/log/{{ inventory_hostname }}-cinder", dest: "/var/log/cinder", state: "link" }
- when: is_metal == true or is_metal == "True"
+ when: is_metal | bool
 tags:
 - cinder-logs
 roles:
diff --git a/playbooks/os-glance-install.yml b/playbooks/os-glance-install.yml
index a4614eae27..6767ae4fab 100644
--- a/playbooks/os-glance-install.yml
+++ b/playbooks/os-glance-install.yml
@@ -18,6 +18,15 @@
 max_fail_percentage: 20
 user: root
 pre_tasks:
+ - name: Use the lxc-openstack aa profile
+ lxc_container:
+ name: "{{ container_name }}"
+ container_config:
+ - "lxc.aa_profile=lxc-openstack"
+ delegate_to: "{{ physical_host }}"
+ when: not is_metal | bool
+ tags:
+ - lxc-aa-profile
 - name: Glance extra lxc config
 lxc_container:
 name: "{{ container_name }}"
@@ -26,7 +35,7 @@
 container_config:
 - "lxc.mount.entry=/openstack/{{ container_name }} var/lib/glance/images none bind 0 0"
 delegate_to: "{{ physical_host }}"
- when: is_metal == false or is_metal == "False"
+ when: not is_metal | bool
 tags:
 - glance-cache-dir
 - name: Flush net cache
@@ -58,7 +67,7 @@
 state: directory
 with_items:
 - { path: "/openstack/log/{{ inventory_hostname }}-glance" }
- when: is_metal == true or is_metal == "True"
+ when: is_metal | bool
 tags:
 - glance-logs
 - glance-log-dirs
@@ -70,7 +79,7 @@
 force: "yes"
 with_items:
 - { src: "/openstack/log/{{ inventory_hostname }}-glance", dest: "/var/log/glance", state: "link" }
- when: is_metal == true or is_metal == "True"
+ when: is_metal | bool
 tags:
 - glance-logs
 roles:
diff --git a/playbooks/os-heat-install.yml b/playbooks/os-heat-install.yml
index 641be0e9d0..ec3f3da5ab 100644
--- a/playbooks/os-heat-install.yml
+++ b/playbooks/os-heat-install.yml
@@ -18,6 +18,15 @@
 max_fail_percentage: 20
 user: root
 pre_tasks:
+ - name: Use the lxc-openstack aa profile
+ lxc_container:
+ name: "{{ container_name }}"
+ container_config:
+ - "lxc.aa_profile=lxc-openstack"
+ delegate_to: "{{ physical_host }}"
+ when: not is_metal | bool
+ tags:
+ - lxc-aa-profile
 - name: Sort the rabbitmq servers
 dist_sort:
 value_to_lookup: "{{ container_name }}"
@@ -33,7 +42,7 @@
 state: directory
 with_items:
 - { path: "/openstack/log/{{ inventory_hostname }}-heat" }
- when: is_metal == true or is_metal == "True"
+ when: is_metal | bool
 tags:
 - heat-logs
 - heat-log-dirs
@@ -45,7 +54,7 @@
 force: "yes"
 with_items:
 - { src: "/openstack/log/{{ inventory_hostname }}-heat", dest: "/var/log/heat", state: "link" }
- when: is_metal == true or is_metal == "True"
+ when: is_metal | bool
 tags:
 - heat-logs
 roles:
diff --git a/playbooks/os-horizon-install.yml b/playbooks/os-horizon-install.yml
index 295c9afe67..da71cd2276 100644
--- a/playbooks/os-horizon-install.yml
+++ b/playbooks/os-horizon-install.yml
@@ -18,6 +18,15 @@
 max_fail_percentage: 20
 user: root
 pre_tasks:
+ - name: Use the lxc-openstack aa profile
+ lxc_container:
+ name: "{{ container_name }}"
+ container_config:
+ - "lxc.aa_profile=lxc-openstack"
+ delegate_to: "{{ physical_host }}"
+ when: not is_metal | bool
+ tags:
+ - lxc-aa-profile
 - name: Sort the rabbitmq servers
 dist_sort:
 value_to_lookup: "{{ container_name }}"
@@ -33,7 +42,7 @@
 state: directory
 with_items:
 - { path: "/openstack/log/{{ inventory_hostname }}-horizon" }
- when: is_metal == true or is_metal == "True"
+ when: is_metal | bool
 tags:
 - horizon-logs
 - horizon-log-dirs
@@ -45,7 +54,7 @@
 force: "yes"
 with_items:
 - { src: "/openstack/log/{{ inventory_hostname }}-horizon", dest: "/var/log/horizon", state: "link" }
- when: is_metal == true or is_metal == "True"
+ when: is_metal | bool
 tags:
 - horizon-logs
 roles:
diff --git a/playbooks/os-keystone-install.yml b/playbooks/os-keystone-install.yml
index 3911dab8f1..23925700a9 100644
--- a/playbooks/os-keystone-install.yml
+++ b/playbooks/os-keystone-install.yml
@@ -18,6 +18,15 @@
 max_fail_percentage: 20
 user: root
 pre_tasks:
+ - name: Use the lxc-openstack aa profile
+ lxc_container:
+ name: "{{ container_name }}"
+ container_config:
+ - "lxc.aa_profile=lxc-openstack"
+ delegate_to: "{{ physical_host }}"
+ when: not is_metal | bool
+ tags:
+ - lxc-aa-profile
 - name: Sort the rabbitmq servers
 dist_sort:
 value_to_lookup: "{{ container_name }}"
@@ -33,7 +42,7 @@
 state: directory
 with_items:
 - { path: "/openstack/log/{{ inventory_hostname }}-keystone" }
- when: is_metal == true or is_metal == "True"
+ when: is_metal | bool
 tags:
 - keystone-logs
 - keystone-log-dirs
@@ -45,7 +54,7 @@
 force: "yes"
 with_items:
 - { src: "/openstack/log/{{ inventory_hostname }}-keystone", dest: "/var/log/keystone", state: "link" }
- when: is_metal == true or is_metal == "True"
+ when: is_metal | bool
 tags:
 - keystone-logs
 roles:
diff --git a/playbooks/os-neutron-install.yml b/playbooks/os-neutron-install.yml
index 7cc15eccfe..7b1eb47b78 100644
--- a/playbooks/os-neutron-install.yml
+++ b/playbooks/os-neutron-install.yml
@@ -18,17 +18,29 @@
 max_fail_percentage: 20
 user: root
 pre_tasks:
+ - name: Use the lxc-openstack aa profile
+ lxc_container:
+ name: "{{ container_name }}"
+ container_config:
+ - "lxc.aa_profile=unconfined"
+ delegate_to: "{{ physical_host }}"
+ when: >
+ not is_metal | bool and
+ inventory_hostname in groups['neutron_agent']
+ tags:
+ - lxc-aa-profile
 - name: Neutron extra lxc config
 lxc_container:
 name: "{{ container_name }}"
 container_command: |
 [[ ! -d "/lib/modules" ]] && mkdir -p "/lib/modules"
 container_config:
- - "lxc.aa_profile=unconfined"
 - "lxc.cgroup.devices.allow=a *:* rmw"
 - "lxc.mount.entry=/lib/modules lib/modules none bind 0 0"
 delegate_to: "{{ physical_host }}"
- when: is_metal == false or is_metal == "False"
+ when: >
+ not is_metal | bool and
+ inventory_hostname in groups['neutron_agent']
 tags:
 - neutron-container-setup
 - name: Flush net cache
@@ -60,7 +72,7 @@
 state: directory
 with_items:
 - { path: "/openstack/log/{{ inventory_hostname }}-neutron" }
- when: is_metal == true or is_metal == "True"
+ when: is_metal | bool
 tags:
 - neutron-logs
 - neutron-log-dirs
@@ -72,7 +84,7 @@
 force: "yes"
 with_items:
 - { src: "/openstack/log/{{ inventory_hostname }}-neutron", dest: "/var/log/neutron", state: "link" }
- when: is_metal == true or is_metal == "True"
+ when: is_metal | bool
 tags:
 - neutron-logs
 - name: Create the neutron provider networks facts
diff --git a/playbooks/os-nova-install.yml b/playbooks/os-nova-install.yml
index e394544c36..2c21fbea93 100644
--- a/playbooks/os-nova-install.yml
+++ b/playbooks/os-nova-install.yml
@@ -18,6 +18,15 @@
 max_fail_percentage: 20
 user: root
 pre_tasks:
+ - name: Use the lxc-openstack aa profile
+ lxc_container:
+ name: "{{ container_name }}"
+ container_config:
+ - "lxc.aa_profile=lxc-openstack"
+ delegate_to: "{{ physical_host }}"
+ when: not is_metal | bool
+ tags:
+ - lxc-aa-profile
 - name: Sort the rabbitmq servers
 dist_sort:
 value_to_lookup: "{{ container_name }}"
@@ -49,7 +58,7 @@
 delegate_to: "{{ physical_host }}"
 when: >
 inventory_hostname in groups['nova_compute'] and
- (is_metal == false or is_metal == "False")
+ not is_metal | bool
 tags:
 - nova-kvm
 - nova-kvm-container-devices
@@ -63,7 +72,7 @@
 'added' in device_add.stdout.lower()
 when: >
 inventory_hostname in groups['nova_compute'] and
- (is_metal == false or is_metal == "False") and
+ not is_metal | bool and
 nova_virt_type == 'kvm'
 tags:
 - nova-kvm
@@ -74,7 +83,7 @@
 state: directory
 with_items:
 - { path: "/openstack/log/{{ inventory_hostname }}-nova" }
- when: is_metal == true or is_metal == "True"
+ when: is_metal | bool
 tags:
 - nova-logs
 - nova-log-dirs
@@ -86,7 +95,7 @@
 force: "yes"
 with_items:
 - { src: "/openstack/log/{{ inventory_hostname }}-nova", dest: "/var/log/nova", state: "link" }
- when: is_metal == true or is_metal == "True"
+ when: is_metal | bool
 tags:
 - nova-logs
 roles:
diff --git a/playbooks/os-swift-setup.yml b/playbooks/os-swift-setup.yml
index 8546f6c0c9..215d4eece7 100644
--- a/playbooks/os-swift-setup.yml
+++ b/playbooks/os-swift-setup.yml
@@ -20,13 +20,22 @@
 max_fail_percentage: 20
 user: root
 pre_tasks:
+ - name: Use the lxc-openstack aa profile
+ lxc_container:
+ name: "{{ container_name }}"
+ container_config:
+ - "lxc.aa_profile=lxc-openstack"
+ delegate_to: "{{ physical_host }}"
+ when: not is_metal | bool
+ tags:
+ - lxc-aa-profile
 - name: Create log dir
 file:
 path: "{{ item.path }}"
 state: directory
 with_items:
 - { path: "/openstack/log/{{ inventory_hostname }}-swift" }
- when: is_metal == true or is_metal == "True"
+ when: is_metal | bool
 tags:
 - swift-logs
 - swift-log-dirs
@@ -44,7 +53,7 @@
 owner: "syslog"
 group: "syslog"
 state: "link"
- when: is_metal == true or is_metal == "True"
+ when: is_metal | bool
 tags:
 - swift-logs
 roles:
diff --git a/playbooks/rabbitmq-install.yml b/playbooks/rabbitmq-install.yml
index c8370e5767..45adad9701 100644
--- a/playbooks/rabbitmq-install.yml
+++ b/playbooks/rabbitmq-install.yml
@@ -17,6 +17,16 @@
 hosts: rabbitmq_all
 max_fail_percentage: 0
 user: root
+ pre_tasks:
+ - name: Use the lxc-openstack aa profile
+ lxc_container:
+ name: "{{ container_name }}"
+ container_config:
+ - "lxc.aa_profile=lxc-openstack"
+ delegate_to: "{{ physical_host }}"
+ when: not is_metal | bool
+ tags:
+ - lxc-aa-profile
 roles:
 - role: "rabbitmq_server"
 tags:
diff --git a/playbooks/repo-server.yml b/playbooks/repo-server.yml
index fa1c5c630f..2903ac0640 100644
--- a/playbooks/repo-server.yml
+++ b/playbooks/repo-server.yml
@@ -18,6 +18,15 @@
 max_fail_percentage: 20
 user: root
 pre_tasks:
+ - name: Use the lxc-openstack aa profile
+ lxc_container:
+ name: "{{ container_name }}"
+ container_config:
+ - "lxc.aa_profile=lxc-openstack"
+ delegate_to: "{{ physical_host }}"
+ when: not is_metal | bool
+ tags:
+ - lxc-aa-profile
 - name: Package repo extra lxc config
 lxc_container:
 name: "{{ container_name }}"
@@ -26,7 +35,7 @@
 container_config:
 - "lxc.mount.entry=/openstack/{{ container_name }} var/www none bind 0 0"
 delegate_to: "{{ physical_host }}"
- when: is_metal == false or is_metal == "False"
+ when: not is_metal | bool
 tags:
 - repo-dirs
 - name: Flush net cache
diff --git a/playbooks/roles/lxc_container_create/tasks/container_create.yml b/playbooks/roles/lxc_container_create/tasks/container_create.yml
index 45cfc74e27..19354ea0ad 100644
--- a/playbooks/roles/lxc_container_create/tasks/container_create.yml
+++ b/playbooks/roles/lxc_container_create/tasks/container_create.yml
@@ -101,7 +101,6 @@
 container_config:
 - "lxc.mount.entry=/openstack/backup/{{ inventory_hostname }} var/backup none defaults,bind,rw 0 0"
 - "lxc.mount.entry=/openstack/log/{{ inventory_hostname }} var/log/{{ properties.log_directory | default(properties.service_name) }} none defaults,bind,rw 0 0"
- - "lxc.aa_profile=lxc-openstack"
 when: properties.service_name is defined
 delegate_to: "{{ physical_host }}"
 tags:
diff --git a/playbooks/rsyslog-install.yml b/playbooks/rsyslog-install.yml
index 9ab4d2918a..639f445eb2 100644
--- a/playbooks/rsyslog-install.yml
+++ b/playbooks/rsyslog-install.yml
@@ -18,12 +18,21 @@
 max_fail_percentage: 20
 user: root
 pre_tasks:
+ - name: Use the lxc-openstack aa profile
+ lxc_container:
+ name: "{{ container_name }}"
+ container_config:
+ - "lxc.aa_profile=lxc-openstack"
+ delegate_to: "{{ physical_host }}"
+ when: not is_metal | bool
+ tags:
+ - lxc-aa-profile
 - name: Ensure log stroage directory exists
 file:
 path: "/openstack/{{ container_name }}/log-storage"
 state: "directory"
 delegate_to: "{{ physical_host }}"
- when: is_metal == false or is_metal == "False"
+ when: not is_metal | bool
 tags:
 - rsyslog-storage-dirs
 - name: Rsyslog server extra lxc config
@@ -34,7 +43,7 @@
 container_config:
 - "lxc.mount.entry=/openstack/{{ container_name }}/log-storage {{ storage_directory.lstrip('/') }} none bind 0 0"
 delegate_to: "{{ physical_host }}"
- when: is_metal == false or is_metal == "False"
+ when: not is_metal | bool
 tags:
 - rsyslog-storage-dirs
 - name: Flush net cache
diff --git a/playbooks/utility-install.yml b/playbooks/utility-install.yml
index 53555a2f9e..c160d89435 100644
--- a/playbooks/utility-install.yml
+++ b/playbooks/utility-install.yml
@@ -17,6 +17,16 @@
 hosts: utility_all
 max_fail_percentage: 20
 user: root
+ pre_tasks:
+ - name: Use the lxc-openstack aa profile
+ lxc_container:
+ name: "{{ container_name }}"
+ container_config:
+ - "lxc.aa_profile=lxc-openstack"
+ delegate_to: "{{ physical_host }}"
+ when: not is_metal | bool
+ tags:
+ - lxc-aa-profile
 roles:
 - { role: "galera_client", tags: [ "utility-galera-client" ] }
 - { role: "pip_lock_down", tags: [ "utility-pip-lock-down" ] }