From caa7cc54ee5919b1b74dcdff21850051641eb9b5 Mon Sep 17 00:00:00 2001
From: Michal Nasiadka
Date: Tue, 12 Oct 2021 16:35:05 +0200
Subject: [PATCH] selinux: default to permissive

The disable-selinux role has been renamed to selinux and now supports setting desired state. Previously Kayobe was defaulting to disabling and rebooted the host - to avoid audit logs filling up. This change allows operators to define desired SELinux state and defaults to permissive - to adhere to those site policies that require SELinux to be at least in permissive state.

Change-Id: I42933b0b7d55c69c9f6992e331fafb2e6c42d4d1
---
 ansible/disable-selinux.yml | 9 ----
 ansible/infra-vm-host-configure.yml | 2 +-
 ansible/overcloud-host-configure.yml | 2 +-
 ansible/roles/disable-selinux/tasks/main.yml | 40 --------
 .../defaults/main.yml | 10 +++-
 ansible/roles/selinux/tasks/main.yml | 54 +++++++++++++++++++
 ansible/seed-host-configure.yml | 2 +-
 ansible/selinux.yml | 9 ++++
 doc/source/configuration/reference/hosts.rst | 11 ++--
 .../scenarios/all-in-one/overcloud.rst | 12 ++---
 kayobe/cli/commands.py | 6 +--
 .../kayobe-infra-vm-base/overrides.yml.j2 | 4 --
 .../kayobe-overcloud-base/overrides.yml.j2 | 4 --
 .../overrides.yml.j2 | 2 +
 playbooks/kayobe-seed-base/overrides.yml.j2 | 4 --
 .../kayobe-seed-upgrade-base/overrides.yml.j2 | 2 +
 .../kayobe-seed-vm-base/overrides.yml.j2 | 4 --
 ...name-disable-selinux-9053ff36792066bc.yaml | 18 +++++++
 18 files changed, 111 insertions(+), 84 deletions(-)
 delete mode 100644 ansible/disable-selinux.yml
 delete mode 100644 ansible/roles/disable-selinux/tasks/main.yml
 rename ansible/roles/{disable-selinux => selinux}/defaults/main.yml (50%)
 create mode 100644 ansible/roles/selinux/tasks/main.yml
 create mode 100644 ansible/selinux.yml
 create mode 100644 releasenotes/notes/rename-disable-selinux-9053ff36792066bc.yaml
diff --git a/ansible/disable-selinux.yml b/ansible/disable-selinux.yml
deleted file mode 100644
index 3ce1706c6..000000000
--- a/ansible/disable-selinux.yml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-- name: Disable SELinux and reboot if required
- hosts: seed:overcloud:infra-vms
- tags:
- - disable-selinux
- roles:
- - role: disable-selinux
- disable_selinux_reboot_timeout: "{{ 600 if ansible_facts.virtualization_role == 'host' else 300 }}"
- when: ansible_facts.os_family == 'RedHat'
diff --git a/ansible/infra-vm-host-configure.yml b/ansible/infra-vm-host-configure.yml
index ce7b25c8e..e175757e5 100644
--- a/ansible/infra-vm-host-configure.yml
+++ b/ansible/infra-vm-host-configure.yml
@@ -9,7 +9,7 @@
 - import_playbook: "wipe-disks.yml"
 - import_playbook: "users.yml"
 - import_playbook: "dev-tools.yml"
-- import_playbook: "disable-selinux.yml"
+- import_playbook: "selinux.yml"
 - import_playbook: "network.yml"
 - import_playbook: "firewall.yml"
 - import_playbook: "tuned.yml"
diff --git a/ansible/overcloud-host-configure.yml b/ansible/overcloud-host-configure.yml
index 31587891b..d43c711e9 100644
--- a/ansible/overcloud-host-configure.yml
+++ b/ansible/overcloud-host-configure.yml
@@ -9,7 +9,7 @@
 - import_playbook: "wipe-disks.yml"
 - import_playbook: "users.yml"
 - import_playbook: "dev-tools.yml"
-- import_playbook: "disable-selinux.yml"
+- import_playbook: "selinux.yml"
 - import_playbook: "network.yml"
 - import_playbook: "firewall.yml"
 - import_playbook: "tuned.yml"
diff --git a/ansible/roles/disable-selinux/tasks/main.yml b/ansible/roles/disable-selinux/tasks/main.yml
deleted file mode 100644
index 5b777452b..000000000
--- a/ansible/roles/disable-selinux/tasks/main.yml
+++ /dev/null
@@ -1,40 +0,0 @@
----
-- name: Ensure required packages are installed
- package:
- name: python3-libselinux
- state: present
- cache_valid_time: "{{ apt_cache_valid_time if ansible_facts.os_family == 'Debian' else omit }}"
- update_cache: "{{ True if ansible_facts.os_family == 'Debian' else omit }}"
- become: True
-
- name: Check if SELinux configuration file exists
- stat:
- path: /etc/selinux/config
- register: stat_result
-
- name: Ensure SELinux is disabled
- selinux:
- state: disabled
- register: selinux_result
- become: True
- when: stat_result.stat.exists
-
- block:
- - name: Set a fact to determine whether we are running locally
- set_fact:
- is_local: "{{ lookup('pipe', 'hostname') in [ansible_facts.hostname, ansible_facts.nodename] }}"
-
- name: Reboot the system to apply SELinux changes (local)
- command: shutdown -r now "Applying SELinux changes"
- become: True
- when: is_local | bool
-
- name: Reboot the machine to apply SELinux
- reboot:
- reboot_timeout: "{{ disable_selinux_reboot_timeout }}"
- msg: Applying SELinux changes
- become: true
- when: not is_local | bool
- when:
- - disable_selinux_do_reboot | bool
- - selinux_result is changed
diff --git a/ansible/roles/disable-selinux/defaults/main.yml b/ansible/roles/selinux/defaults/main.yml
similarity index 50%
rename from ansible/roles/disable-selinux/defaults/main.yml
rename to ansible/roles/selinux/defaults/main.yml
index 23fd5cd33..80481b39f 100644
--- a/ansible/roles/disable-selinux/defaults/main.yml
+++ b/ansible/roles/selinux/defaults/main.yml
@@ -1,7 +1,13 @@
 ---
+# Target SELinux policy
+selinux_policy: targeted
+
+# Target SELinux state
+selinux_state: permissive
+
 # Whether to reboot to apply SELinux config changes.
-disable_selinux_do_reboot: true
+selinux_do_reboot: false
 
 # Number of seconds to wait for hosts to become accessible via SSH after being
 # rebooted.
-disable_selinux_reboot_timeout:
+selinux_reboot_timeout:
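Review bot: `selinux_do_reboot: false` together with `selinux_state: permissive` means a host that is currently `disabled` (the previous Kayobe default) now stops at the role's `fail` task during host configure instead of being rebooted, so the comment should say that rather than only `# Whether to reboot to apply SELinux config changes.`; the new paragraph in `doc/source/configuration/scenarios/all-in-one/overcloud.rst` still says Kayobe reboots by default, which contradicts this default. `selinux_reboot_timeout:` is left as a bare value and parses as null; `ansible/selinux.yml` supplies it, but anyone applying the role directly would hand `reboot_timeout: null` to the `reboot` module, so either give it a numeric default or comment that the caller must set it. `# Target SELinux state` would be more useful as `# Target SELinux state. One of enforcing, permissive or disabled.`, and it is worth noting there that permissive mode still writes every would-be denial to the audit log, which the commit message gives as the reason the role used to disable SELinux, so log rotation for auditd should be checked on hosts that move to this default.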
diff --git a/ansible/roles/selinux/tasks/main.yml b/ansible/roles/selinux/tasks/main.yml
new file mode 100644
index 000000000..54f699303
--- /dev/null
+++ b/ansible/roles/selinux/tasks/main.yml
@@ -0,0 +1,54 @@
+---
+- name: Ensure required packages are installed
+ package:
+ name: python3-libselinux
+ state: present
+ cache_valid_time: "{{ apt_cache_valid_time if ansible_facts.os_family == 'Debian' else omit }}"
+ update_cache: "{{ True if ansible_facts.os_family == 'Debian' else omit }}"
+ become: True
+
+- name: Check if SELinux configuration file exists
+ stat:
+ path: /etc/selinux/config
+ register: stat_result
+
+- name: Ensure desired SELinux state
+ selinux:
+ policy: "{{ selinux_policy }}"
+ state: "{{ selinux_state }}"
+ register: selinux_result
+ become: True
+ when: stat_result.stat.exists
+
+- block:
+ - name: Abort SELinux configuration because reboot is disabled
+ fail:
+ msg: >
+ SELinux state change requires a reboot, but selinux_do_reboot is
+ false. Please run again with selinux_do_reboot set to true to reboot.
+ when:
+ - not selinux_do_reboot | bool
+
+ - block:
+ - name: Set a fact to determine whether we are running locally
+ set_fact:
+ is_local: "{{ lookup('pipe', 'hostname') in [ansible_facts.hostname, ansible_facts.nodename] }}"
+
+ - name: Reboot the system to apply SELinux changes (local)
+ command: shutdown -r now "Applying SELinux changes"
+ become: True
+ when:
+ - is_local | bool
+
+ - name: Reboot the machine to apply SELinux
+ reboot:
+ reboot_timeout: "{{ selinux_reboot_timeout }}"
+ msg: Applying SELinux changes
+ become: true
+ when:
+ - not is_local | bool
+ when:
+ - selinux_do_reboot | bool
+ when:
+ - stat_result.stat.exists
+ - selinux_result.reboot_required
diff --git a/ansible/seed-host-configure.yml b/ansible/seed-host-configure.yml
index 4a89f4f09..b41344eae 100644
--- a/ansible/seed-host-configure.yml
+++ b/ansible/seed-host-configure.yml
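Review bot: `become: True` on the package, selinux and local-reboot tasks is inconsistent with `become: true` on the `reboot` task in the same new file; use lowercase `true` throughout (yamllint `truthy`). The inner `- block:` guarded by `when: - selinux_do_reboot | bool` is redundant, because the preceding `fail` task already ends the play for that host when `selinux_do_reboot` is false, so its three tasks can sit directly in the outer block with one less level of nesting. Moving a host from `disabled` to `permissive` makes the module request a reboot and, as far as I recall, a full filesystem relabel on that boot, which can run well past the 300/600 second `selinux_reboot_timeout` set in `ansible/selinux.yml` on hosts with large filesystems, so a comment on the `reboot` task such as `# A first boot after leaving the disabled state relabels the filesystem; size selinux_reboot_timeout accordingly.` would help operators. The outer `when` lists `stat_result.stat.exists` before `selinux_result.reboot_required` and so depends on Ansible stopping at the first false condition when the selinux task was skipped; a short comment saying the order matters would stop someone reordering them.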
@@ -9,7 +9,7 @@
 - import_playbook: "wipe-disks.yml"
 - import_playbook: "users.yml"
 - import_playbook: "dev-tools.yml"
-- import_playbook: "disable-selinux.yml"
+- import_playbook: "selinux.yml"
 - import_playbook: "network.yml"
 - import_playbook: "firewall.yml"
 - import_playbook: "tuned.yml"
diff --git a/ansible/selinux.yml b/ansible/selinux.yml
new file mode 100644
index 000000000..730da7a5c
--- /dev/null
+++ b/ansible/selinux.yml
@@ -0,0 +1,9 @@
+---
+- name: Configure SELinux state and reboot if required
+ hosts: seed:overcloud:infra-vms
+ tags:
+ - selinux
+ roles:
+ - role: selinux
+ selinux_reboot_timeout: "{{ 600 if ansible_facts.virtualization_role == 'host' else 300 }}"
+ when: ansible_facts.os_family == 'RedHat'
diff --git a/doc/source/configuration/reference/hosts.rst b/doc/source/configuration/reference/hosts.rst
index 0451a3838..4cb6e57a0 100644
--- a/doc/source/configuration/reference/hosts.rst
+++ b/doc/source/configuration/reference/hosts.rst
@@ -445,15 +445,16 @@ that is signed by the key.
 SELinux
 =======
 *tags:*
- | ``disable-selinux``
+ | ``selinux``
 .. note::
 SELinux applies to CentOS and Rocky systems only.
-SELinux is not supported by Kolla Ansible currently, so it is disabled by
-Kayobe. If necessary, Kayobe will reboot systems in order to apply a change to
+SELinux is not supported by Kolla Ansible currently, so it is set to permissive
+by Kayobe. If necessary, it can be configured to disabled by setting
+``selinux_state`` to ``disabled``. Kayobe will reboot systems when required for
 the SELinux configuration. The timeout for waiting for systems to reboot is
-``disable_selinux_reboot_timeout``. Alternatively, the reboot may be avoided by
-setting ``disable_selinux_do_reboot`` to ``false``.
+``selinux_reboot_timeout``. Alternatively, the reboot may be avoided by setting
+``selinux_do_reboot`` to ``false``.
 Network Configuration
 =====================
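Review bot: The new play in `ansible/selinux.yml` carries only the `selinux` tag, so an operator who still invokes the old `disable-selinux` tag gets a silent no-op rather than an error; the release note lists the renamed variables but not the renamed tag. Either keep the old tag alongside for one cycle, `tags:` / `- selinux` / `- disable-selinux`, or add the tag rename to the upgrade note so the change is discoverable.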
diff --git a/doc/source/configuration/scenarios/all-in-one/overcloud.rst b/doc/source/configuration/scenarios/all-in-one/overcloud.rst
index 5e3b68eca..2992877ab 100644
--- a/doc/source/configuration/scenarios/all-in-one/overcloud.rst
+++ b/doc/source/configuration/scenarios/all-in-one/overcloud.rst
@@ -230,16 +230,16 @@ seen in MAAS):
 controller_bootstrap_user: "cloud-user"
-By default, on systems with SELinux enabled, Kayobe will disable SELinux and
-reboot the system to apply the change. In a test or development environment
-this can be a bit disruptive, particularly when using ephemeral network
-configuration. To avoid rebooting the system after disabling SELinux, set
-``disable_selinux_do_reboot`` to ``false`` in ``etc/kayobe/globals.yml``.
+By default, on systems with SELinux disabled, Kayobe will put SELinux in
+permissive mode and reboot the system to apply the change. In a test or
+development environment this can be a bit disruptive, particularly when using
+ephemeral network configuration. To avoid rebooting the system after enabling
+SELinux, set ``selinux_do_reboot`` to ``false`` in ``etc/kayobe/globals.yml``.
 .. code-block:: yaml
 :caption: ``etc/kayobe/globals.yml``
- disable_selinux_do_reboot: false
+ selinux_do_reboot: false
 In a development environment, we may wish to tune some Kolla Ansible variables.
 Using QEMU as the virtualisation type will be necessary if KVM is not
diff --git a/kayobe/cli/commands.py b/kayobe/cli/commands.py
index 325a67aea..9d5c8ab2d 100644
--- a/kayobe/cli/commands.py
+++ b/kayobe/cli/commands.py
@@ -561,7 +561,7 @@ class SeedHostConfigure(KollaAnsibleMixin, KayobeAnsibleMixin, VaultMixin,
 * Optionally, create a virtualenv for remote target hosts.
 * Optionally, wipe unmounted disk partitions (--wipe-disks).
 * Configure user accounts, group associations, and authorised SSH keys.
- * Disable SELinux.
+ * Configure SELinux.
 * Configure the host's network interfaces.
 * Configure a firewall.
 * Configure tuned profile.
@@ -866,7 +866,7 @@ class InfraVMHostConfigure(KayobeAnsibleMixin, VaultMixin,
 * Optionally, create a virtualenv for remote target hosts.
 * Optionally, wipe unmounted disk partitions (--wipe-disks).
 * Configure user accounts, group associations, and authorised SSH keys.
- * Disable SELinux.
+ * Configure SELinux.
 * Configure the host's network interfaces.
 * Configure a firewall.
 * Configure tuned profile.
@@ -1112,7 +1112,7 @@ class OvercloudHostConfigure(KollaAnsibleMixin, KayobeAnsibleMixin, VaultMixin,
 * Optionally, create a virtualenv for remote target hosts.
 * Optionally, wipe unmounted disk partitions (--wipe-disks).
 * Configure user accounts, group associations, and authorised SSH keys.
- * Disable SELinux.
+ * Configure SELinux.
 * Configure the host's network interfaces.
 * Configure a firewall.
 * Configure tuned profile.
diff --git a/playbooks/kayobe-infra-vm-base/overrides.yml.j2 b/playbooks/kayobe-infra-vm-base/overrides.yml.j2
index 1a72eb8f6..061d7589c 100644
--- a/playbooks/kayobe-infra-vm-base/overrides.yml.j2
+++ b/playbooks/kayobe-infra-vm-base/overrides.yml.j2
@@ -1,8 +1,4 @@
 ---
-# NOTE(mgoddard): Don't reboot after disabling SELinux during CI testing, as
-# Ansible is run directly on the controller.
-disable_selinux_do_reboot: false
-
 # Use the OpenStack infra's Dockerhub mirror.
 docker_registry_mirrors:
 - "http://{{ zuul_site_mirror_fqdn }}:8082/"
diff --git a/playbooks/kayobe-overcloud-base/overrides.yml.j2 b/playbooks/kayobe-overcloud-base/overrides.yml.j2
index 0c674193c..2f488c04e 100644
--- a/playbooks/kayobe-overcloud-base/overrides.yml.j2
+++ b/playbooks/kayobe-overcloud-base/overrides.yml.j2
@@ -1,8 +1,4 @@
 ---
-# NOTE(mgoddard): Don't reboot after disabling SELinux during CI testing, as
-# Ansible is run directly on the controller.
-disable_selinux_do_reboot: false
-
 # Use the OpenStack infra's Dockerhub mirror.
 docker_registry_mirrors:
 - "http://{{ zuul_site_mirror_fqdn }}:8082/"
diff --git a/playbooks/kayobe-overcloud-upgrade-base/overrides.yml.j2 b/playbooks/kayobe-overcloud-upgrade-base/overrides.yml.j2
index 5972bdfd6..a4dd3a892 100644
--- a/playbooks/kayobe-overcloud-upgrade-base/overrides.yml.j2
+++ b/playbooks/kayobe-overcloud-upgrade-base/overrides.yml.j2
@@ -1,6 +1,8 @@
 ---
 # NOTE(mgoddard): Don't reboot after disabling SELinux during CI testing, as
 # Ansible is run directly on the controller.
+# TODO(priteau): This is needed for the deployment of the previous release.
+# Remove when previous_release is zed.
 disable_selinux_do_reboot: false
 
 # Use the OpenStack infra's Dockerhub mirror.
diff --git a/playbooks/kayobe-seed-base/overrides.yml.j2 b/playbooks/kayobe-seed-base/overrides.yml.j2
index b2a094020..dc1e54e5e 100644
--- a/playbooks/kayobe-seed-base/overrides.yml.j2
+++ b/playbooks/kayobe-seed-base/overrides.yml.j2
@@ -1,8 +1,4 @@
 ---
-# NOTE(mgoddard): Don't reboot after disabling SELinux during CI testing, as
-# Ansible is run directly on the controller.
-disable_selinux_do_reboot: false
-
 # Use the OpenStack infra's Dockerhub mirror.
 docker_registry_mirrors:
 - "http://{{ zuul_site_mirror_fqdn }}:8082/"
diff --git a/playbooks/kayobe-seed-upgrade-base/overrides.yml.j2 b/playbooks/kayobe-seed-upgrade-base/overrides.yml.j2
index 5b13be360..93d6c4245 100644
--- a/playbooks/kayobe-seed-upgrade-base/overrides.yml.j2
+++ b/playbooks/kayobe-seed-upgrade-base/overrides.yml.j2
@@ -1,6 +1,8 @@
 ---
 # NOTE(mgoddard): Don't reboot after disabling SELinux during CI testing, as
 # Ansible is run directly on the controller.
+# TODO(priteau): This is needed for the deployment of the previous release.
+# Remove when previous_release is zed.
 disable_selinux_do_reboot: false
 
 # Use the OpenStack infra's Dockerhub mirror.
diff --git a/playbooks/kayobe-seed-vm-base/overrides.yml.j2 b/playbooks/kayobe-seed-vm-base/overrides.yml.j2
index 9c5462c73..108efb74f 100644
--- a/playbooks/kayobe-seed-vm-base/overrides.yml.j2
+++ b/playbooks/kayobe-seed-vm-base/overrides.yml.j2
@@ -1,8 +1,4 @@
 ---
-# NOTE(mgoddard): Don't reboot after disabling SELinux during CI testing, as
-# Ansible is run directly on the controller.
-disable_selinux_do_reboot: false
-
 # Use the OpenStack infra's Dockerhub mirror.
 docker_registry_mirrors:
 - "http://{{ zuul_site_mirror_fqdn }}:8082/"
diff --git a/releasenotes/notes/rename-disable-selinux-9053ff36792066bc.yaml b/releasenotes/notes/rename-disable-selinux-9053ff36792066bc.yaml
new file mode 100644
index 000000000..f0be18ea7
--- /dev/null
+++ b/releasenotes/notes/rename-disable-selinux-9053ff36792066bc.yaml
@@ -0,0 +1,18 @@
+---
+features:
+ - |
+ Adds functionality to configure desired SELinux state (in addition to
+ disabling SELinux previously).
+upgrade:
+ - |
+ The ``disable-selinux`` role has been renamed to ``selinux`` and so have
+ been the related variables. If you set one of them, adapt your
+ configuration:
+
+ * ``disable_selinux_do_reboot`` becomes ``selinux_do_reboot``
+ * ``disable_selinux_reboot_timeout`` becomes ``selinux_reboot_timeout``
+ - |
+ Kayobe now sets SELinux to ``permissive`` by default (compared to
+ ``disabled`` previously). This may require a reboot, which will only be
+ triggered if ``selinux_do_reboot`` is set to ``true``. If you want to
+ retain previous behaviour, set ``selinux_state`` to ``disabled``.