Michal Nasiadka caa7cc54ee selinux: default to permissive
The disable-selinux role has been renamed to selinux and now supports
setting desired state.

Previously Kayobe was defaulting to disabling and rebooted the host - to
avoid audit logs filling up. This change allows operators to define
desired SELinux state and defaults to permissive - to adhere to those
site policies that require SELinux to be at least in permissive state.

Change-Id: I42933b0b7d55c69c9f6992e331fafb2e6c42d4d1
2022-06-17 09:24:27 +02:00

48 lines
2.0 KiB
Django/Jinja

---
# NOTE(mgoddard): Don't reboot after disabling SELinux during CI testing, as
# Ansible is run directly on the controller.
# TODO(priteau): This is needed for the deployment of the previous release.
# Remove when previous_release is zed.
disable_selinux_do_reboot: false
# Use the OpenStack infra's Dockerhub mirror.
docker_registry_mirrors:
- "http://{{ zuul_site_mirror_fqdn }}:8082/"
kolla_docker_namespace: "openstack.kolla"
# use the published images from a site mirror of quay.io
kolla_docker_registry: "{{ zuul_site_mirror_fqdn }}:4447"
{% if not is_previous_release | default(false) %}
kolla_source_url: "{{ ansible_env.PWD ~ '/' ~ zuul.projects['opendev.org/openstack/kolla'].src_dir }}"
kolla_source_version: "{{ zuul.projects['opendev.org/openstack/kolla'].checkout }}"
kolla_ansible_source_url: "{{ ansible_env.PWD ~ '/' ~ zuul.projects['opendev.org/openstack/kolla-ansible'].src_dir }}"
kolla_ansible_source_version: "{{ zuul.projects['opendev.org/openstack/kolla-ansible'].checkout }}"
kolla_ansible_requirements_yml: "/tmp/kolla-ansible-requirements.yml"
pip_upper_constraints_file: "/tmp/upper-constraints.txt"
{% else %}
kolla_ansible_requirements_yml: "/tmp/previous-kolla-ansible-requirements.yml"
{% endif %}
kolla_openstack_logging_debug: true
# Use the CI infra's PyPI mirror.
pip_local_mirror: true
pip_index_url: "http://{{ zuul_site_mirror_fqdn }}/pypi/simple"
pip_trusted_hosts:
- "{{ zuul_site_mirror_fqdn }}"
# NOTE(mgoddard): CentOS 8 removes interfaces from their bridge during ifdown,
# and removes the bridge if there are no interfaces left. When Kayobe bounces
# veth links plugged into the bridge, it causes the bridge which has the IP we
# are using for SSH to be removed. Use a dummy interface.
aio_bridge_ports:
- dummy1
# Generate a password for libvirt SASL authentication.
compute_libvirt_sasl_password: "{% raw %}{{ lookup('password', '/tmp/libvirt-sasl-password') }}{% endraw %}"
# Enable ironic for testing baremetal compute.
kolla_enable_ironic: true
# Disable heat to save disk space.
kolla_enable_heat: false