Install virtualbmc to system when SELinux is enabled

CentOS 8 nodepool images come with SELinux enabled, and prevent systemd from accessing files in users' home directories. This prevents vbmcd from starting. To resolve this, install virtualbmc to the system when SELinux is enabled. Change-Id: I5d30aca2b1e1ae897568f6e11fceda39e0b06e17
2020-02-26 17:02:25 +00:00 · 2020-02-26 17:02:25 +00:00 · 13de0edd6c
commit 13de0edd6c
parent 29ce8dd0bd
9 changed files with 35 additions and 7 deletions
--- a/ansible/host_setup.yml
+++ b/ansible/host_setup.yml
@ -43,7 +43,12 @@
          include_role:
            name: virtualbmc-daemon
          vars:
-            vbmcd_virtualenv_path: "{{ virtualenv_path }}"
+            # NOTE(mgoddard): On CentOS 8 if SELinux is enabled, install
+            # virtualbmc to the system rather than a virtualenv. SELinux
+            # prevents systemd from accessing files in users' home directories.
+            selinux_enabled: "{{ ansible_selinux.status | default('disabled') == 'enabled' }}"
+            is_centos8: "{{ ansible_os_family == 'RedHat' and ansible_distribution_major_version | int == 8 }}"
+            vbmcd_virtualenv_path: "{{ '' if is_centos8 and selinux_enabled else virtualenv_path }}"
            vbmcd_python_upper_constraints_url: >-
              {{ python_upper_constraints_url }}

--- a/ansible/node_bmc.yml
+++ b/ansible/node_bmc.yml
@ -45,7 +45,12 @@
        vbmc_ipmi_username: "{{ ipmi_username }}"
        vbmc_ipmi_password: "{{ ipmi_password }}"
        vbmc_ipmi_port: "{{ domain.ipmi_port }}"
-        vbmc_virtualenv_path: "{{ virtualenv_path }}"
+        # NOTE(mgoddard): On CentOS 8 if SELinux is enabled, install virtualbmc
+        # to the system rather than a virtualenv. SELinux prevents systemd from
+        # accessing files in users' home directories.
+        selinux_enabled: "{{ ansible_selinux.status | default('disabled') == 'enabled' }}"
+        is_centos8: "{{ ansible_os_family == 'RedHat' and ansible_distribution_major_version | int == 8 }}"
+        vbmc_virtualenv_path: "{{ '' if is_centos8 and selinux_enabled else virtualenv_path }}"
        vbmc_log_directory: "{{ log_directory }}"
        vbmc_state: "{{ domain.get('state', 'present') }}"
      loop: "{{ vbmc_nodes | sort(attribute='name') | list }}"
--- a/ansible/roles/virtualbmc-daemon/README.md
+++ b/ansible/roles/virtualbmc-daemon/README.md
@ -12,7 +12,7 @@ Role Variables
 --------------

 - `vbmcd_virtualenv_path`: The path to the virtualenv in which to install
-  Virtual BMC.
+  Virtual BMC. Optional.
 - `vbmcd_python_upper_constraints_url`: The URL of the upper constraints file
  to pass to pip when installing Python packages.
 - `vbmcd_args`: Arguments to pass to the Virtual BMC daemon.
--- a/ansible/roles/virtualbmc-daemon/tasks/main.yml
+++ b/ansible/roles/virtualbmc-daemon/tasks/main.yml
@ -33,10 +33,11 @@
    requirements: "{{ req_file.path }}"
    extra_args: >-
      -c {{ vbmcd_python_upper_constraints_url }}
-    virtualenv: "{{ vbmcd_virtualenv_path }}"
+    virtualenv: "{{ vbmcd_virtualenv_path or omit }}"
  register: result
  until: result is success
  retries: 3
+  become: "{{ not vbmcd_virtualenv_path }}"

 - name: Ensure Virtual BMC systemd service is configured
  template:
--- a/ansible/roles/virtualbmc-daemon/templates/vbmcd.service.j2
+++ b/ansible/roles/virtualbmc-daemon/templates/vbmcd.service.j2
@ -1,7 +1,12 @@
+{% if vbmcd_virtualenv_path %}
+{% set vbmcd_path = vbmcd_virtualenv_path ~ '/bin/vbmcd' %}
+{% else %}
+{% set vbmcd_path = '/usr/local/bin/vbmcd' %}
+{% endif %}
 [Unit]
 Description=Virtual BMC daemon

 [Service]
 Type=simple
 Restart=on-failure
-ExecStart="{{ vbmcd_virtualenv_path }}/bin/vbmcd" {{ vbmcd_args }}
+ExecStart="{{ vbmcd_path }}" {{ vbmcd_args }}
--- a/ansible/roles/virtualbmc-domain/README.md
+++ b/ansible/roles/virtualbmc-domain/README.md
@ -16,7 +16,7 @@ Role Variables

 - `vbmc_domain`: The name of the Libvirt domain to be added to Virtual BMC.
 - `vbmc_virtualenv_path`: The path to the virtualenv in which Virtual BMC is
-  installed.
+  installed. Optional.
 - `vbmc_ipmi_address`: The address on which Virtual BMC will listen for IPMI
  traffic.
 - `vbmc_ipmi_port`: The port on which Virtual BMC will listen for IPMI traffic.
--- a/ansible/roles/virtualbmc-domain/tasks/main.yml
+++ b/ansible/roles/virtualbmc-domain/tasks/main.yml
@ -1,10 +1,15 @@
 ---
 - name: Set VBMC command string
+  vars:
+    vbmc_path: >-
+      {{ vbmc_virtualenv_path ~ '/bin/vbmc'
+         if vbmc_virtualenv_path
+         else '/usr/local/bin/vbmc' }}
  set_fact:
    # vbmcd should already be running, so --no-daemon stops vbmc from spawning
    # another instance of the daemon.
    vbmc_cmd: >-
-      '{{ vbmc_virtualenv_path }}/bin/vbmc'
+      '{{ vbmc_path }}'
        --no-daemon
        {% if vbmc_log_directory is not none %}
        --log-file '{{ vbmc_log_directory }}/vbmc-{{ vbmc_domain }}.log'
--- a/releasenotes/notes/virtualbmc-selinux-86a667ba27d9a05e.yaml
+++ b/releasenotes/notes/virtualbmc-selinux-86a667ba27d9a05e.yaml
@ -0,0 +1,6 @@
+---
+fixes:
+  - |
+    Fixes an issue with virtual BMC on systems where SELinux is enabled. In
+    this case the virtual BMC Python package is installed to the system rather
+    than the virtual environment.
--- a/requirements.txt
+++ b/requirements.txt
@ -6,3 +6,4 @@ pbr>=2.0 # Apache-2.0
 # NOTE(mgoddard): Ansible 2.8.0 breaks ansible-lint.
 ansible>=2.6.0,<2.8.0 # GPLv3
 os-client-config # Apache-2.0
+selinux;python_version>='3' # MIT