From 13de0edd6c4699cf9a3096f4ed2803efdc30a38a Mon Sep 17 00:00:00 2001
From: Mark Goddard <mark@stackhpc.com>
Date: Wed, 26 Feb 2020 17:02:25 +0000
Subject: [PATCH] Install virtualbmc to system when SELinux is enabled

CentOS 8 nodepool images come with SELinux enabled, and prevent systemd
from accessing files in users' home directories. This prevents vbmcd
from starting.

To resolve this, install virtualbmc to the system when SELinux is
enabled.

Change-Id: I5d30aca2b1e1ae897568f6e11fceda39e0b06e17
---
 ansible/host_setup.yml                                     | 7 ++++++-
 ansible/node_bmc.yml                                       | 7 ++++++-
 ansible/roles/virtualbmc-daemon/README.md                  | 2 +-
 ansible/roles/virtualbmc-daemon/tasks/main.yml             | 3 ++-
 ansible/roles/virtualbmc-daemon/templates/vbmcd.service.j2 | 7 ++++++-
 ansible/roles/virtualbmc-domain/README.md                  | 2 +-
 ansible/roles/virtualbmc-domain/tasks/main.yml             | 7 ++++++-
 .../notes/virtualbmc-selinux-86a667ba27d9a05e.yaml         | 6 ++++++
 requirements.txt                                           | 1 +
 9 files changed, 35 insertions(+), 7 deletions(-)
 create mode 100644 releasenotes/notes/virtualbmc-selinux-86a667ba27d9a05e.yaml

diff --git a/ansible/host_setup.yml b/ansible/host_setup.yml
index 4a54fc6..a2e2735 100644
--- a/ansible/host_setup.yml
+++ b/ansible/host_setup.yml
@@ -43,7 +43,12 @@
           include_role:
             name: virtualbmc-daemon
           vars:
-            vbmcd_virtualenv_path: "{{ virtualenv_path }}"
+            # NOTE(mgoddard): On CentOS 8 if SELinux is enabled, install
+            # virtualbmc to the system rather than a virtualenv. SELinux
+            # prevents systemd from accessing files in users' home directories.
+            selinux_enabled: "{{ ansible_selinux.status | default('disabled') == 'enabled' }}"
+            is_centos8: "{{ ansible_os_family == 'RedHat' and ansible_distribution_major_version | int == 8 }}"
+            vbmcd_virtualenv_path: "{{ '' if is_centos8 and selinux_enabled else virtualenv_path }}"
             vbmcd_python_upper_constraints_url: >-
               {{ python_upper_constraints_url }}
 
diff --git a/ansible/node_bmc.yml b/ansible/node_bmc.yml
index 0ce97bf..b1e7483 100644
--- a/ansible/node_bmc.yml
+++ b/ansible/node_bmc.yml
@@ -45,7 +45,12 @@
         vbmc_ipmi_username: "{{ ipmi_username }}"
         vbmc_ipmi_password: "{{ ipmi_password }}"
         vbmc_ipmi_port: "{{ domain.ipmi_port }}"
-        vbmc_virtualenv_path: "{{ virtualenv_path }}"
+        # NOTE(mgoddard): On CentOS 8 if SELinux is enabled, install virtualbmc
+        # to the system rather than a virtualenv. SELinux prevents systemd from
+        # accessing files in users' home directories.
+        selinux_enabled: "{{ ansible_selinux.status | default('disabled') == 'enabled' }}"
+        is_centos8: "{{ ansible_os_family == 'RedHat' and ansible_distribution_major_version | int == 8 }}"
+        vbmc_virtualenv_path: "{{ '' if is_centos8 and selinux_enabled else virtualenv_path }}"
         vbmc_log_directory: "{{ log_directory }}"
         vbmc_state: "{{ domain.get('state', 'present') }}"
       loop: "{{ vbmc_nodes | sort(attribute='name') | list }}"
diff --git a/ansible/roles/virtualbmc-daemon/README.md b/ansible/roles/virtualbmc-daemon/README.md
index e819613..c819b9f 100644
--- a/ansible/roles/virtualbmc-daemon/README.md
+++ b/ansible/roles/virtualbmc-daemon/README.md
@@ -12,7 +12,7 @@ Role Variables
 --------------
 
 - `vbmcd_virtualenv_path`: The path to the virtualenv in which to install
-  Virtual BMC.
+  Virtual BMC. Optional.
 - `vbmcd_python_upper_constraints_url`: The URL of the upper constraints file
   to pass to pip when installing Python packages.
 - `vbmcd_args`: Arguments to pass to the Virtual BMC daemon.
diff --git a/ansible/roles/virtualbmc-daemon/tasks/main.yml b/ansible/roles/virtualbmc-daemon/tasks/main.yml
index 465f587..619ce34 100644
--- a/ansible/roles/virtualbmc-daemon/tasks/main.yml
+++ b/ansible/roles/virtualbmc-daemon/tasks/main.yml
@@ -33,10 +33,11 @@
     requirements: "{{ req_file.path }}"
     extra_args: >-
       -c {{ vbmcd_python_upper_constraints_url }}
-    virtualenv: "{{ vbmcd_virtualenv_path }}"
+    virtualenv: "{{ vbmcd_virtualenv_path or omit }}"
   register: result
   until: result is success
   retries: 3
+  become: "{{ not vbmcd_virtualenv_path }}"
 
 - name: Ensure Virtual BMC systemd service is configured
   template:
diff --git a/ansible/roles/virtualbmc-daemon/templates/vbmcd.service.j2 b/ansible/roles/virtualbmc-daemon/templates/vbmcd.service.j2
index 253e89f..b7aeca9 100644
--- a/ansible/roles/virtualbmc-daemon/templates/vbmcd.service.j2
+++ b/ansible/roles/virtualbmc-daemon/templates/vbmcd.service.j2
@@ -1,7 +1,12 @@
+{% if vbmcd_virtualenv_path %}
+{% set vbmcd_path = vbmcd_virtualenv_path ~ '/bin/vbmcd' %}
+{% else %}
+{% set vbmcd_path = '/usr/local/bin/vbmcd' %}
+{% endif %}
 [Unit]
 Description=Virtual BMC daemon
 
 [Service]
 Type=simple
 Restart=on-failure
-ExecStart="{{ vbmcd_virtualenv_path }}/bin/vbmcd" {{ vbmcd_args }}
+ExecStart="{{ vbmcd_path }}" {{ vbmcd_args }}
diff --git a/ansible/roles/virtualbmc-domain/README.md b/ansible/roles/virtualbmc-domain/README.md
index 42006ea..727902c 100644
--- a/ansible/roles/virtualbmc-domain/README.md
+++ b/ansible/roles/virtualbmc-domain/README.md
@@ -16,7 +16,7 @@ Role Variables
 
 - `vbmc_domain`: The name of the Libvirt domain to be added to Virtual BMC.
 - `vbmc_virtualenv_path`: The path to the virtualenv in which Virtual BMC is
-  installed.
+  installed. Optional.
 - `vbmc_ipmi_address`: The address on which Virtual BMC will listen for IPMI
   traffic.
 - `vbmc_ipmi_port`: The port on which Virtual BMC will listen for IPMI traffic.
diff --git a/ansible/roles/virtualbmc-domain/tasks/main.yml b/ansible/roles/virtualbmc-domain/tasks/main.yml
index d6581fc..b0f210c 100644
--- a/ansible/roles/virtualbmc-domain/tasks/main.yml
+++ b/ansible/roles/virtualbmc-domain/tasks/main.yml
@@ -1,10 +1,15 @@
 ---
 - name: Set VBMC command string
+  vars:
+    vbmc_path: >-
+      {{ vbmc_virtualenv_path ~ '/bin/vbmc'
+         if vbmc_virtualenv_path
+         else '/usr/local/bin/vbmc' }}
   set_fact:
     # vbmcd should already be running, so --no-daemon stops vbmc from spawning
     # another instance of the daemon.
     vbmc_cmd: >-
-      '{{ vbmc_virtualenv_path }}/bin/vbmc'
+      '{{ vbmc_path }}'
         --no-daemon
         {% if vbmc_log_directory is not none %}
         --log-file '{{ vbmc_log_directory }}/vbmc-{{ vbmc_domain }}.log'
diff --git a/releasenotes/notes/virtualbmc-selinux-86a667ba27d9a05e.yaml b/releasenotes/notes/virtualbmc-selinux-86a667ba27d9a05e.yaml
new file mode 100644
index 0000000..8659784
--- /dev/null
+++ b/releasenotes/notes/virtualbmc-selinux-86a667ba27d9a05e.yaml
@@ -0,0 +1,6 @@
+---
+fixes:
+  - |
+    Fixes an issue with virtual BMC on systems where SELinux is enabled. In
+    this case the virtual BMC Python package is installed to the system rather
+    than the virtual environment.
diff --git a/requirements.txt b/requirements.txt
index c7393e4..697b757 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -6,3 +6,4 @@ pbr>=2.0 # Apache-2.0
 # NOTE(mgoddard): Ansible 2.8.0 breaks ansible-lint.
 ansible>=2.6.0,<2.8.0 # GPLv3
 os-client-config # Apache-2.0
+selinux;python_version>='3' # MIT