diff --git a/ansible/host_setup.yml b/ansible/host_setup.yml index 4a54fc6..a2e2735 100644 --- a/ansible/host_setup.yml +++ b/ansible/host_setup.yml @@ -43,7 +43,12 @@ include_role: name: virtualbmc-daemon vars: - vbmcd_virtualenv_path: "{{ virtualenv_path }}" + # NOTE(mgoddard): On CentOS 8 if SELinux is enabled, install + # virtualbmc to the system rather than a virtualenv. SELinux + # prevents systemd from accessing files in users' home directories. + selinux_enabled: "{{ ansible_selinux.status | default('disabled') == 'enabled' }}" + is_centos8: "{{ ansible_os_family == 'RedHat' and ansible_distribution_major_version | int == 8 }}" + vbmcd_virtualenv_path: "{{ '' if is_centos8 and selinux_enabled else virtualenv_path }}" vbmcd_python_upper_constraints_url: >- {{ python_upper_constraints_url }} diff --git a/ansible/node_bmc.yml b/ansible/node_bmc.yml index 0ce97bf..b1e7483 100644 --- a/ansible/node_bmc.yml +++ b/ansible/node_bmc.yml @@ -45,7 +45,12 @@ vbmc_ipmi_username: "{{ ipmi_username }}" vbmc_ipmi_password: "{{ ipmi_password }}" vbmc_ipmi_port: "{{ domain.ipmi_port }}" - vbmc_virtualenv_path: "{{ virtualenv_path }}" + # NOTE(mgoddard): On CentOS 8 if SELinux is enabled, install virtualbmc + # to the system rather than a virtualenv. SELinux prevents systemd from + # accessing files in users' home directories. + selinux_enabled: "{{ ansible_selinux.status | default('disabled') == 'enabled' }}" + is_centos8: "{{ ansible_os_family == 'RedHat' and ansible_distribution_major_version | int == 8 }}" + vbmc_virtualenv_path: "{{ '' if is_centos8 and selinux_enabled else virtualenv_path }}" vbmc_log_directory: "{{ log_directory }}" vbmc_state: "{{ domain.get('state', 'present') }}" loop: "{{ vbmc_nodes | sort(attribute='name') | list }}" diff --git a/ansible/roles/virtualbmc-daemon/README.md b/ansible/roles/virtualbmc-daemon/README.md index e819613..c819b9f 100644 --- a/ansible/roles/virtualbmc-daemon/README.md +++ b/ansible/roles/virtualbmc-daemon/README.md @@ -12,7 +12,7 @@ Role Variables -------------- - `vbmcd_virtualenv_path`: The path to the virtualenv in which to install - Virtual BMC. + Virtual BMC. Optional. - `vbmcd_python_upper_constraints_url`: The URL of the upper constraints file to pass to pip when installing Python packages. - `vbmcd_args`: Arguments to pass to the Virtual BMC daemon. diff --git a/ansible/roles/virtualbmc-daemon/tasks/main.yml b/ansible/roles/virtualbmc-daemon/tasks/main.yml index 465f587..619ce34 100644 --- a/ansible/roles/virtualbmc-daemon/tasks/main.yml +++ b/ansible/roles/virtualbmc-daemon/tasks/main.yml @@ -33,10 +33,11 @@ requirements: "{{ req_file.path }}" extra_args: >- -c {{ vbmcd_python_upper_constraints_url }} - virtualenv: "{{ vbmcd_virtualenv_path }}" + virtualenv: "{{ vbmcd_virtualenv_path or omit }}" register: result until: result is success retries: 3 + become: "{{ not vbmcd_virtualenv_path }}" - name: Ensure Virtual BMC systemd service is configured template: diff --git a/ansible/roles/virtualbmc-daemon/templates/vbmcd.service.j2 b/ansible/roles/virtualbmc-daemon/templates/vbmcd.service.j2 index 253e89f..b7aeca9 100644 --- a/ansible/roles/virtualbmc-daemon/templates/vbmcd.service.j2 +++ b/ansible/roles/virtualbmc-daemon/templates/vbmcd.service.j2 @@ -1,7 +1,12 @@ +{% if vbmcd_virtualenv_path %} +{% set vbmcd_path = vbmcd_virtualenv_path ~ '/bin/vbmcd' %} +{% else %} +{% set vbmcd_path = '/usr/local/bin/vbmcd' %} +{% endif %} [Unit] Description=Virtual BMC daemon [Service] Type=simple Restart=on-failure -ExecStart="{{ vbmcd_virtualenv_path }}/bin/vbmcd" {{ vbmcd_args }} +ExecStart="{{ vbmcd_path }}" {{ vbmcd_args }} diff --git a/ansible/roles/virtualbmc-domain/README.md b/ansible/roles/virtualbmc-domain/README.md index 42006ea..727902c 100644 --- a/ansible/roles/virtualbmc-domain/README.md +++ b/ansible/roles/virtualbmc-domain/README.md @@ -16,7 +16,7 @@ Role Variables - `vbmc_domain`: The name of the Libvirt domain to be added to Virtual BMC. - `vbmc_virtualenv_path`: The path to the virtualenv in which Virtual BMC is - installed. + installed. Optional. - `vbmc_ipmi_address`: The address on which Virtual BMC will listen for IPMI traffic. - `vbmc_ipmi_port`: The port on which Virtual BMC will listen for IPMI traffic. diff --git a/ansible/roles/virtualbmc-domain/tasks/main.yml b/ansible/roles/virtualbmc-domain/tasks/main.yml index d6581fc..b0f210c 100644 --- a/ansible/roles/virtualbmc-domain/tasks/main.yml +++ b/ansible/roles/virtualbmc-domain/tasks/main.yml @@ -1,10 +1,15 @@ --- - name: Set VBMC command string + vars: + vbmc_path: >- + {{ vbmc_virtualenv_path ~ '/bin/vbmc' + if vbmc_virtualenv_path + else '/usr/local/bin/vbmc' }} set_fact: # vbmcd should already be running, so --no-daemon stops vbmc from spawning # another instance of the daemon. vbmc_cmd: >- - '{{ vbmc_virtualenv_path }}/bin/vbmc' + '{{ vbmc_path }}' --no-daemon {% if vbmc_log_directory is not none %} --log-file '{{ vbmc_log_directory }}/vbmc-{{ vbmc_domain }}.log' diff --git a/releasenotes/notes/virtualbmc-selinux-86a667ba27d9a05e.yaml b/releasenotes/notes/virtualbmc-selinux-86a667ba27d9a05e.yaml new file mode 100644 index 0000000..8659784 --- /dev/null +++ b/releasenotes/notes/virtualbmc-selinux-86a667ba27d9a05e.yaml @@ -0,0 +1,6 @@ +--- +fixes: + - | + Fixes an issue with virtual BMC on systems where SELinux is enabled. In + this case the virtual BMC Python package is installed to the system rather + than the virtual environment. diff --git a/requirements.txt b/requirements.txt index c7393e4..697b757 100644 --- a/requirements.txt +++ b/requirements.txt @@ -6,3 +6,4 @@ pbr>=2.0 # Apache-2.0 # NOTE(mgoddard): Ansible 2.8.0 breaks ansible-lint. ansible>=2.6.0,<2.8.0 # GPLv3 os-client-config # Apache-2.0 +selinux;python_version>='3' # MIT