From 1664cb00099b35d4effa54f9192569ad0e549b3e Mon Sep 17 00:00:00 2001
From: Major Hayden
Date: Tue, 13 Feb 2018 15:57:04 -0600
Subject: [PATCH] Add SELinux contexts for neutron log directory

The log directory for neutron has the default_t SELinux context and this prevents rsyslog from accessing neutron's logs. This patch ensures that the file contexts are set properly for neutron's logs. This change also makes neutron's log directory configurable using the `neutron_log_dir` variable.

Closes-Bug: 1748968
Change-Id: Ifbcca131435c8963cc9c1b85c000cc040fab27ab
---
 defaults/main.yml | 4 +++-
 tasks/neutron_pre_install.yml | 8 ++++----
 tasks/neutron_selinux.yml | 17 +++++++++++++++++
 templates/neutron-ha-tool.py.j2 | 2 +-
 templates/neutron.conf.j2 | 2 +-
 vars/main.yml | 22 +++++++++++-----------
 6 files changed, 37 insertions(+), 18 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 97960e7d..d9d5c2ab 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -31,6 +31,8 @@ neutron_package_state: "latest"
 
 ### Python code details ###
 
+neutron_log_dir: "/var/log/neutron"
+
 # Set the package install state for pip_package
 # Options are 'present' and 'latest'
 neutron_pip_package_state: "latest"
@@ -100,7 +102,7 @@ neutron_dns_domain: "openstacklocal."
 # Dnsmasq doesn't work with config_template override, a deployer
 # should instead configure its own neutron_dhcp_config key/values
 neutron_dhcp_config:
-  log-facility: "/var/log/neutron/neutron-dnsmasq.log"
+  log-facility: "{{ neutron_log_dir }}/neutron-dnsmasq.log"
 
 # Set the neutron lbaasv2 user group, defaults from os specific vars
 neutron_lbaasv2_user_group: "{{ _neutron_lbaasv2_user_group }}"
diff --git a/tasks/neutron_pre_install.yml b/tasks/neutron_pre_install.yml
index ba79a245..5a65253f 100644
--- a/tasks/neutron_pre_install.yml
+++ b/tasks/neutron_pre_install.yml
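Review bot: `neutron_log_dir` is introduced in the `@@ -31,6 +31,8 @@` hunk without the explanatory comment that the neighbouring defaults carry (`# Set the package install state for pip_package`), so a deployer reading defaults/main.yml cannot tell what else the value drives. A comment above it should say that it is the directory every neutron service, dnsmasq and neutron-ha-tool write their logs to and that the SELinux `neutron_log_t` context is applied to it, e.g. `# Directory for neutron service logs; also the target of the SELinux neutron_log_t file context`. It is also worth stating that the value must be an absolute path without a trailing slash, because it is appended with `(/.*)?` to form the sefcontext regex and a trailing slash would make that pattern miss the files inside the directory.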
@@ -51,9 +51,9 @@
 
 - name: Test for log directory or link
   shell: |
-    if [ -h "/var/log/neutron" ]; then
-      chown -h {{ neutron_system_user_name }}:{{ neutron_system_group_name }} "/var/log/neutron"
-      chown -R {{ neutron_system_user_name }}:{{ neutron_system_group_name }} "$(readlink /var/log/neutron)"
+    if [ -h "{{ neutron_log_dir }}" ]; then
+      chown -h {{ neutron_system_user_name }}:{{ neutron_system_group_name }} "{{ neutron_log_dir }}"
+      chown -R {{ neutron_system_user_name }}:{{ neutron_system_group_name }} "$(readlink {{ neutron_log_dir }})"
     else
       exit 1
     fi
@@ -69,7 +69,7 @@
     group: "{{ item.group|default(neutron_system_group_name) }}"
     mode: "{{ item.mode|default('0755') }}"
   with_items:
-    - { path: "/var/log/neutron" }
+    - { path: "{{ neutron_log_dir }}" }
   when: log_dir.rc != 0
 
 - name: Drop sudoers file
diff --git a/tasks/neutron_selinux.yml b/tasks/neutron_selinux.yml
index 615d27f3..783ba326 100644
--- a/tasks/neutron_selinux.yml
+++ b/tasks/neutron_selinux.yml
@@ -56,3 +56,20 @@
   file:
     path: "/tmp/osa-neutron-selinux/"
     state: absent
+
+- name: Stat neutron's log directory
+  stat:
+    path: "{{ neutron_log_dir }}"
+  register: neutron_log_dir_check
+
+- name: Set SELinux file contexts for neutron's log directory
+  sefcontext:
+    target: "{{ (neutron_log_dir_check.stat.islnk) | ternary(neutron_log_dir.stat.lnk_target, neutron_log_dir) }}(/.*)?"
+    setype: neutron_log_t
+    state: present
+  register: selinux_file_context_log_files
+
+- name: Apply updated SELinux contexts on neutron log directory
+  command: "restorecon -Rv {{ (neutron_log_dir_check.stat.islnk) | ternary(neutron_log_dir.stat.lnk_target, neutron_log_dir) }}"
+  when:
+    - selinux_file_context_log_files | changed
diff --git a/templates/neutron-ha-tool.py.j2 b/templates/neutron-ha-tool.py.j2
index ce3ec4ab..56fc09f7 100644
--- a/templates/neutron-ha-tool.py.j2
+++ b/templates/neutron-ha-tool.py.j2
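Review bot: In the `@@ -51,9 +51,9 @@` hunk the new `readlink {{ neutron_log_dir }}` is the only place the variable is interpolated into the shell script unquoted, while the two other uses on the lines just above it are double-quoted; a value containing whitespace or glob characters would be word-split there and the recursive chown would land on the wrong path. For consistency with the surrounding lines write `chown -R {{ neutron_system_user_name }}:{{ neutron_system_group_name }} "$(readlink "{{ neutron_log_dir }}")"`. The task's `register` (presumably `log_dir`, which the second hunk tests via `when: log_dir.rc != 0`) lies outside the first hunk.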
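Review bot: In the `@@ -56,3 +56,20 @@` hunk both `ternary` calls take their symlink branch from `neutron_log_dir.stat.lnk_target`, but the stat result was registered as `neutron_log_dir_check`; `neutron_log_dir` is the plain path string, so on any host where the log directory is a symlink (exactly the case neutron_pre_install.yml handles) the `sefcontext` task and the `restorecon` command fail with an undefined-attribute error and the relabel never happens. Both occurrences should read `neutron_log_dir_check.stat.lnk_target`. `lnk_target` is the raw link value and may be relative to the link's directory; if the fcontext regex needs an absolute path, the stat module's `lnk_source` is the resolved form — worth confirming before choosing. The path is also interpolated into `command: "restorecon -Rv …"` unquoted, so a directory name with whitespace would be split into separate arguments.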
@@ -48,7 +48,7 @@ def load_local_logging():
 
     user = os.getuid()
     home = os.path.expanduser('~')
-    log_dir = '/var/log/neutron'
+    log_dir = '{{ neutron_log_dir }}'
     filename = '%s.log' % LOG_NAME
 
     if user == 0:
diff --git a/templates/neutron.conf.j2 b/templates/neutron.conf.j2
index 2cb3bfaf..a4f0e734 100644
--- a/templates/neutron.conf.j2
+++ b/templates/neutron.conf.j2
@@ -21,7 +21,7 @@ use_stderr = False
 
 debug = {{ debug }}
 fatal_deprecations = {{ neutron_fatal_deprecations }}
-log_file = /var/log/neutron/neutron.log
+log_file = {{ neutron_log_dir }}/neutron.log
 
 ## Rpc all
 executor_thread_pool_size = {{ neutron_rpc_thread_pool_size }}
diff --git a/vars/main.yml b/vars/main.yml
index 583e1caa..aa204f1c 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -378,7 +378,7 @@ neutron_services:
     service_conf_path: "{{ neutron_conf_dir }}"
     service_conf: dhcp_agent.ini
     service_rootwrap: rootwrap.d/dhcp.filters
-    config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/dhcp_agent.ini --log-file=/var/log/neutron/neutron-dhcp-agent.log"
+    config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/dhcp_agent.ini --log-file={{ neutron_log_dir }}/neutron-dhcp-agent.log"
     config_overrides: "{{ neutron_dhcp_agent_ini_overrides }}"
     config_type: "ini"
     init_config_overrides: "{{ neutron_dhcp_agent_init_overrides }}"
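Review bot: `log_dir = '{{ neutron_log_dir }}'` in the `@@ -48,7 +48,7 @@` hunk pastes the deployer-supplied path into a Python single-quoted literal, so a value containing a `'` or ending in a backslash renders a neutron-ha-tool script that no longer parses. Rendering the value as a JSON string gives a literal that Python accepts unchanged: `log_dir = {{ neutron_log_dir | to_json }}`. The rest of `load_local_logging` lies outside the hunk.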
@@ -390,7 +390,7 @@ neutron_services:
     service_conf_path: "{{ neutron_conf_dir }}"
     service_conf: plugins/ml2/openvswitch_agent.ini
     service_rootwrap: rootwrap.d/openvswitch-plugin.filters
-    config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/plugins/ml2/ml2_conf.ini --config-file {{ neutron_conf_dir }}/plugins/ml2/openvswitch_agent.ini --log-file=/var/log/neutron/neutron-openvswitch-agent.log"
+    config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/plugins/ml2/ml2_conf.ini --config-file {{ neutron_conf_dir }}/plugins/ml2/openvswitch_agent.ini --log-file={{ neutron_log_dir }}/neutron-openvswitch-agent.log"
     config_overrides: "{{ neutron_openvswitch_agent_ini_overrides }}"
     config_type: "ini"
     init_config_overrides: "{{ neutron_openvswitch_agent_init_overrides }}"
@@ -402,7 +402,7 @@ neutron_services:
     service_conf_path: "{{ neutron_conf_dir }}"
     service_conf: plugins/ml2/linuxbridge_agent.ini
     service_rootwrap: rootwrap.d/linuxbridge-plugin.filters
-    config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/plugins/ml2/ml2_conf.ini --config-file {{ neutron_conf_dir }}/plugins/ml2/linuxbridge_agent.ini --log-file=/var/log/neutron/neutron-linuxbridge-agent.log"
+    config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/plugins/ml2/ml2_conf.ini --config-file {{ neutron_conf_dir }}/plugins/ml2/linuxbridge_agent.ini --log-file={{ neutron_log_dir }}/neutron-linuxbridge-agent.log"
     config_overrides: "{{ neutron_linuxbridge_agent_ini_overrides }}"
     config_type: "ini"
     init_config_overrides: "{{ neutron_linuxbridge_agent_init_overrides }}"
@@ -413,7 +413,7 @@ neutron_services:
     service_en: "{{ neutron_metadata | bool }}"
     service_conf_path: "{{ neutron_conf_dir }}"
     service_conf: metadata_agent.ini
-    config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/metadata_agent.ini --log-file=/var/log/neutron/neutron-metadata-agent.log"
+    config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/metadata_agent.ini --log-file={{ neutron_log_dir }}/neutron-metadata-agent.log"
     config_overrides: "{{ neutron_metadata_agent_ini_overrides }}"
     config_type: "ini"
     init_config_overrides: "{{ neutron_metadata_agent_init_overrides }}"
@@ -424,7 +424,7 @@ neutron_services:
     service_en: "{{ neutron_metering | bool }}"
     service_conf_path: "{{ neutron_conf_dir }}"
     service_conf: metering_agent.ini
-    config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/metering_agent.ini --log-file=/var/log/neutron/neutron-metering-agent.log"
+    config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/metering_agent.ini --log-file={{ neutron_log_dir }}/neutron-metering-agent.log"
     config_overrides: "{{ neutron_metering_agent_ini_overrides }}"
     config_type: "ini"
     init_config_overrides: "{{ neutron_metering_agent_init_overrides }}"
@@ -444,7 +444,7 @@ neutron_services:
     service_conf_path: "{{ neutron_conf_dir }}"
     service_conf: l3_agent.ini
     service_rootwrap: rootwrap.d/l3.filters
-    config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/l3_agent.ini --log-file=/var/log/neutron/neutron-l3-agent.log"
+    config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/l3_agent.ini --log-file={{ neutron_log_dir }}/neutron-l3-agent.log"
     config_overrides: "{{ neutron_l3_agent_ini_overrides }}"
     config_type: "ini"
     init_config_overrides: "{{ neutron_l3_agent_init_overrides }}"
@@ -456,7 +456,7 @@ neutron_services:
     service_conf_path: "{{ neutron_conf_dir }}"
     service_conf: lbaas_agent.ini
     service_rootwrap: rootwrap.d/lbaas-haproxy.filters
-    config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/lbaas_agent.ini --log-file=/var/log/neutron/neutron-lbaasv2-agent.log"
+    config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/lbaas_agent.ini --log-file={{ neutron_log_dir }}/neutron-lbaasv2-agent.log"
     config_overrides: "{{ neutron_lbaas_agent_ini_overrides }}"
     config_type: "ini"
     init_config_overrides: "{{ neutron_lbaas_agent_init_overrides }}"
@@ -467,7 +467,7 @@ neutron_services:
     service_en: "{{ neutron_bgp | bool }}"
     service_conf_path: "{{ neutron_conf_dir }}"
     service_conf: bgp_dragent.ini
-    config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/bgp_dragent.ini --log-file=/var/log/neutron/neutron-bgp-dragent.log"
+    config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/bgp_dragent.ini --log-file={{ neutron_log_dir }}/neutron-bgp-dragent.log"
     config_overrides: "{{ neutron_bgp_dragent_ini_overrides }}"
     config_type: "ini"
     init_config_overrides: "{{ neutron_bgp_dragent_init_overrides }}"
@@ -479,7 +479,7 @@ neutron_services:
     service_conf_path: "{{ neutron_conf_dir }}"
     service_conf: vpnaas_agent.ini
     service_rootwrap: rootwrap.d/vpnaas.filters
-    config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/vpnaas_agent.ini --log-file=/var/log/neutron/neutron-vpn-agent.log"
+    config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/vpnaas_agent.ini --log-file={{ neutron_log_dir }}/neutron-vpn-agent.log"
     config_overrides: "{{ neutron_vpnaas_agent_ini_overrides }}"
     config_type: "ini"
     init_config_overrides: "{{ neutron_vpn_agent_init_overrides }}"
@@ -488,7 +488,7 @@ neutron_services:
     group: neutron_server
     service_name: neutron-server
     service_en: True
-    config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/{{ neutron_plugins[neutron_plugin_type].plugin_ini }} --log-file=/var/log/neutron/neutron-server.log {% if neutron_plugin_type == 'ml2.dragonflow' %}--config-file {{ neutron_conf_dir }}/dragonflow.ini{% endif %}"
+    config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/{{ neutron_plugins[neutron_plugin_type].plugin_ini }} --log-file={{ neutron_log_dir }}/neutron-server.log {% if neutron_plugin_type == 'ml2.dragonflow' %}--config-file {{ neutron_conf_dir }}/dragonflow.ini{% endif %}"
     init_config_overrides: "{{ neutron_server_init_overrides }}"
     start_order: 1
   calico-felix:
@@ -523,7 +523,7 @@ neutron_services:
     service_en: "{{ 'ml2.sriov' in neutron_plugin_types }}"
     service_conf_path: "{{ neutron_conf_dir }}"
     service_conf: plugins/ml2/sriov_nic_agent.ini
-    config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/plugins/ml2/ml2_conf.ini --config-file {{ neutron_conf_dir }}/plugins/ml2/sriov_nic_agent.ini --log-file=/var/log/neutron/neutron-sriov-nic-agent.log"
+    config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/plugins/ml2/ml2_conf.ini --config-file {{ neutron_conf_dir }}/plugins/ml2/sriov_nic_agent.ini --log-file={{ neutron_log_dir }}/neutron-sriov-nic-agent.log"
     config_overrides: "{{ neutron_sriov_nic_agent_ini_overrides }}"
     config_type: "ini"
     init_config_overrides: "{{ neutron_sriov_nic_agent_init_overrides }}"