authorColin Walters <walters@verbum.org>2016-10-11 15:17:48 -0400
committerColin Walters <walters@verbum.org>2016-10-12 09:39:13 -0400
commit08c1c8d33d749bb058319b9fce03eb177ae3d6c5 (patch)
treeecfe956d9cbed9d54557fc7aa8aef7ab3f57a491
parent131bcdcd7ee5c3191c748beb7aad8d45c4477b98 (diff)
nfs: Handle seboolean aliases not just in Fedora
I'm testing with a bleeding edge RHEL Atomic Host, and it looks like we pulled in a new version of selinux-policy that has `virt_sandbox_use_nfs` aliased to `virt_use_nfs`. In https://github.com/openshift/openshift-ansible/pull/2356 Adam changed this to check for Fedora. This changes things to drop the distribution check, and instead parse the `getsebool` output to determine whether or not the boolean is an alias, and should hence work on all distributions/versions.
-rw-r--r--roles/openshift_node/tasks/main.yml2
-rw-r--r--roles/openshift_node/tasks/storage_plugins/nfs.yml32
2 files changed, 15 insertions, 19 deletions
diff --git a/roles/openshift_node/tasks/main.yml b/roles/openshift_node/tasks/main.yml
index 8e9c9f511..64c90db50 100644
--- a/roles/openshift_node/tasks/main.yml
+++ b/roles/openshift_node/tasks/main.yml
@@ -112,6 +112,8 @@
- name: NFS storage plugin configuration
include: storage_plugins/nfs.yml
+ tags:
+ - nfs
- name: GlusterFS storage plugin configuration
include: storage_plugins/glusterfs.yml
diff --git a/roles/openshift_node/tasks/storage_plugins/nfs.yml b/roles/openshift_node/tasks/storage_plugins/nfs.yml
index 22b539d16..5f99f129c 100644
--- a/roles/openshift_node/tasks/storage_plugins/nfs.yml
+++ b/roles/openshift_node/tasks/storage_plugins/nfs.yml
@@ -3,30 +3,24 @@
action: "{{ ansible_pkg_mgr }} name=nfs-utils state=present"
when: not openshift.common.is_atomic | bool
-- name: Check for existence of virt_use_nfs seboolean
- command: getsebool virt_use_nfs
- register: virt_use_nfs_output
+- name: Check for existence of seboolean
+ command: getsebool {{ item }}
+ register: getsebool_status
when: ansible_selinux and ansible_selinux.status == "enabled"
failed_when: false
changed_when: false
+ with_items:
+ - virt_use_nfs
+ - virt_sandbox_use_nfs
- name: Set seboolean to allow nfs storage plugin access from containers
seboolean:
- name: virt_use_nfs
+ name: "{{ item.item }}"
state: yes
persistent: yes
- when: ansible_selinux and ansible_selinux.status == "enabled" and virt_use_nfs_output.rc == 0
-
-- name: Check for existence of virt_sandbox_use_nfs seboolean (RHEL)
- command: getsebool virt_sandbox_use_nfs
- register: virt_sandbox_use_nfs_output
- when: ansible_distribution != "Fedora" and ansible_selinux and ansible_selinux.status == "enabled"
- failed_when: false
- changed_when: false
-
-- name: Set seboolean to allow nfs storage plugin access from containers(sandbox) (RHEL)
- seboolean:
- name: virt_sandbox_use_nfs
- state: yes
- persistent: yes
- when: ansible_distribution != "Fedora" and ansible_selinux and ansible_selinux.status == "enabled" and virt_sandbox_use_nfs_output.rc == 0
+ # We need to detect whether or not the boolean is an alias, since `seboolean`
+ # will error if it is an alias. We do this by inspecting stdout for the boolean name,
+ # since getsebool prints the resolved name. (At some point Ansible's seboolean module
+ # should learn to deal with aliases)
+ when: ansible_selinux and ansible_selinux.status == "enabled" and item.rc == 0 and item.stdout.find(item.item) != -1
+ with_items: "{{ getsebool_status.results }}"
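Review bot: The alias test in the final `when:` is a substring search, `item.stdout.find(item.item) != -1`, so it passes whenever the requested name appears anywhere in the `getsebool` output rather than only when it is the resolved name. That happens to work for the two names listed, but comparing the first field is stricter and survives additions to the list, e.g. `item.rc == 0 and item.stdout.split()[0] == item.item` (this assumes the usual `name --> on|off` output format). Separately, `failed_when: false` on the probe hides a `getsebool` that cannot run at all, so such a host ends with neither boolean set and no task failure; a short comment on the probe saying that a non-zero `rc` is treated as "boolean absent" would make that trade-off explicit. The first task in nfs.yml begins above this hunk.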