Add SELinux contexts for neutron log directory

The log directory for neutron has the default_t SELinux context and this
prevents rsyslog from accessing neutron's logs. This patch ensures that
the file contexts are set properly for neutron's logs.

This change also makes neutron's log directory configurable using the
`neutron_log_dir` variable.

Closes-Bug: 1748968
Change-Id: Ifbcca131435c8963cc9c1b85c000cc040fab27ab
This commit is contained in:
Major Hayden 2018-02-13 15:57:04 -06:00
parent cd580de2c2
commit 1664cb0009
6 changed files with 37 additions and 18 deletions


@ -31,6 +31,8 @@ neutron_package_state: "latest"
### Python code details ### Python code details
### ###
neutron_log_dir: "/var/log/neutron"
# Set the package install state for pip_package # Set the package install state for pip_package
# Options are 'present' and 'latest' # Options are 'present' and 'latest'
neutron_pip_package_state: "latest" neutron_pip_package_state: "latest"
@ -100,7 +102,7 @@ neutron_dns_domain: "openstacklocal."
# Dnsmasq doesn't work with config_template override, a deployer # Dnsmasq doesn't work with config_template override, a deployer
# should instead configure its own neutron_dhcp_config key/values # should instead configure its own neutron_dhcp_config key/values
neutron_dhcp_config: neutron_dhcp_config:
log-facility: "/var/log/neutron/neutron-dnsmasq.log" log-facility: "{{ neutron_log_dir }}/neutron-dnsmasq.log"
# Set the neutron lbaasv2 user group, defaults from os specific vars # Set the neutron lbaasv2 user group, defaults from os specific vars
neutron_lbaasv2_user_group: "{{ _neutron_lbaasv2_user_group }}" neutron_lbaasv2_user_group: "{{ _neutron_lbaasv2_user_group }}"
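Review bot: The new `neutron_log_dir: "/var/log/neutron"` default carries no comment, although every neighbouring default in this file documents its purpose, and the value is joined with `/<name>.log` in neutron.conf, the agents' `--log-file` options and the dnsmasq `log-facility`, so a trailing slash or a non-directory value silently produces doubled separators or unwritable log paths. I would add above it `# Directory where neutron and its agents write their logs (absolute path, no trailing slash); it is also labelled neutron_log_t when SELinux is enforcing.` One caveat worth recording next to the `log-facility` line: dnsmasq is spawned by the DHCP agent and runs in its own SELinux domain, so the label this change applies to the whole directory must also be writable by that domain — confirm the policy allows it before relying on the new labelling for `neutron-dnsmasq.log`.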


@ -51,9 +51,9 @@
- name: Test for log directory or link - name: Test for log directory or link
shell: | shell: |
if [ -h "/var/log/neutron" ]; then if [ -h "{{ neutron_log_dir }}" ]; then
chown -h {{ neutron_system_user_name }}:{{ neutron_system_group_name }} "/var/log/neutron" chown -h {{ neutron_system_user_name }}:{{ neutron_system_group_name }} "{{ neutron_log_dir }}"
chown -R {{ neutron_system_user_name }}:{{ neutron_system_group_name }} "$(readlink /var/log/neutron)" chown -R {{ neutron_system_user_name }}:{{ neutron_system_group_name }} "$(readlink {{ neutron_log_dir }})"
else else
exit 1 exit 1
fi fi
@ -69,7 +69,7 @@
group: "{{ item.group|default(neutron_system_group_name) }}" group: "{{ item.group|default(neutron_system_group_name) }}"
mode: "{{ item.mode|default('0755') }}" mode: "{{ item.mode|default('0755') }}"
with_items: with_items:
- { path: "/var/log/neutron" } - { path: "{{ neutron_log_dir }}" }
when: log_dir.rc != 0 when: log_dir.rc != 0
- name: Drop sudoers file - name: Drop sudoers file
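Review bot: On the new side of the `chown -R` line the variable is interpolated unquoted inside the command substitution, `"$(readlink {{ neutron_log_dir }})"`, so a path containing whitespace or glob characters is word-split before readlink sees it, while the preceding `chown -h` line quotes the same value; it should read `"$(readlink "{{ neutron_log_dir }}")"`. Now that the path is deployer-configurable this matters more than it did for the hard-coded default, and this `shell:` task runs as root, so an unexpected split would chown the wrong tree. A second, pre-existing point: `readlink` without `-f` returns the link text verbatim, which may be relative, in which case `chown -R` resolves it against the task's working directory rather than the link's parent; `readlink -f` (or the `lnk_source` field of a `stat` task) would be safer. The task that starts at `Test for log directory or link` continues past the end of this hunk.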


@ -56,3 +56,20 @@
file: file:
path: "/tmp/osa-neutron-selinux/" path: "/tmp/osa-neutron-selinux/"
state: absent state: absent
- name: Stat neutron's log directory
stat:
path: "{{ neutron_log_dir }}"
register: neutron_log_dir_check
- name: Set SELinux file contexts for neutron's log directory
sefcontext:
target: "{{ (neutron_log_dir_check.stat.islnk) | ternary(neutron_log_dir.stat.lnk_target, neutron_log_dir) }}(/.*)?"
setype: neutron_log_t
state: present
register: selinux_file_context_log_files
- name: Apply updated SELinux contexts on neutron log directory
command: "restorecon -Rv {{ (neutron_log_dir_check.stat.islnk) | ternary(neutron_log_dir.stat.lnk_target, neutron_log_dir) }}"
when:
- selinux_file_context_log_files | changed
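Review bot: The `target:` line of the sefcontext task and the `restorecon` command both reference `neutron_log_dir.stat.lnk_target`, but the stat result is registered as `neutron_log_dir_check`; `neutron_log_dir` is a plain string, so the symlink branch of the ternary raises an undefined-attribute error exactly when the log directory is a link — the case the pre-install task above explicitly supports. Both occurrences should read `neutron_log_dir_check.stat.lnk_source`: `lnk_source` is the link target normalised to an absolute path, whereas `lnk_target` is the raw link text and may be relative, which would make the `(/.*)?` regex match nothing and leave the real files labelled default_t. While touching those lines, quote the restorecon argument (`command: "restorecon -Rv '{{ ... }}'"`) so a path with spaces is passed as one argument, and consider `is changed` in the `when:` clause, since the `| changed` filter form is deprecated. The `{{ ... }}(/.*)?` target also treats the path as a regex, so a directory name containing regex metacharacters would need escaping — unlikely for a log directory, but worth a comment.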


@ -48,7 +48,7 @@ def load_local_logging():
user = os.getuid() user = os.getuid()
home = os.path.expanduser('~') home = os.path.expanduser('~')
log_dir = '/var/log/neutron' log_dir = '{{ neutron_log_dir }}'
filename = '%s.log' % LOG_NAME filename = '%s.log' % LOG_NAME
if user == 0: if user == 0:


@ -21,7 +21,7 @@
use_stderr = False use_stderr = False
debug = {{ debug }} debug = {{ debug }}
fatal_deprecations = {{ neutron_fatal_deprecations }} fatal_deprecations = {{ neutron_fatal_deprecations }}
log_file = /var/log/neutron/neutron.log log_file = {{ neutron_log_dir }}/neutron.log
## Rpc all ## Rpc all
executor_thread_pool_size = {{ neutron_rpc_thread_pool_size }} executor_thread_pool_size = {{ neutron_rpc_thread_pool_size }}


@ -378,7 +378,7 @@ neutron_services:
service_conf_path: "{{ neutron_conf_dir }}" service_conf_path: "{{ neutron_conf_dir }}"
service_conf: dhcp_agent.ini service_conf: dhcp_agent.ini
service_rootwrap: rootwrap.d/dhcp.filters service_rootwrap: rootwrap.d/dhcp.filters
config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/dhcp_agent.ini --log-file=/var/log/neutron/neutron-dhcp-agent.log" config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/dhcp_agent.ini --log-file={{ neutron_log_dir }}/neutron-dhcp-agent.log"
config_overrides: "{{ neutron_dhcp_agent_ini_overrides }}" config_overrides: "{{ neutron_dhcp_agent_ini_overrides }}"
config_type: "ini" config_type: "ini"
init_config_overrides: "{{ neutron_dhcp_agent_init_overrides }}" init_config_overrides: "{{ neutron_dhcp_agent_init_overrides }}"
@ -390,7 +390,7 @@ neutron_services:
service_conf_path: "{{ neutron_conf_dir }}" service_conf_path: "{{ neutron_conf_dir }}"
service_conf: plugins/ml2/openvswitch_agent.ini service_conf: plugins/ml2/openvswitch_agent.ini
service_rootwrap: rootwrap.d/openvswitch-plugin.filters service_rootwrap: rootwrap.d/openvswitch-plugin.filters
config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/plugins/ml2/ml2_conf.ini --config-file {{ neutron_conf_dir }}/plugins/ml2/openvswitch_agent.ini --log-file=/var/log/neutron/neutron-openvswitch-agent.log" config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/plugins/ml2/ml2_conf.ini --config-file {{ neutron_conf_dir }}/plugins/ml2/openvswitch_agent.ini --log-file={{ neutron_log_dir }}/neutron-openvswitch-agent.log"
config_overrides: "{{ neutron_openvswitch_agent_ini_overrides }}" config_overrides: "{{ neutron_openvswitch_agent_ini_overrides }}"
config_type: "ini" config_type: "ini"
init_config_overrides: "{{ neutron_openvswitch_agent_init_overrides }}" init_config_overrides: "{{ neutron_openvswitch_agent_init_overrides }}"
@ -402,7 +402,7 @@ neutron_services:
service_conf_path: "{{ neutron_conf_dir }}" service_conf_path: "{{ neutron_conf_dir }}"
service_conf: plugins/ml2/linuxbridge_agent.ini service_conf: plugins/ml2/linuxbridge_agent.ini
service_rootwrap: rootwrap.d/linuxbridge-plugin.filters service_rootwrap: rootwrap.d/linuxbridge-plugin.filters
config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/plugins/ml2/ml2_conf.ini --config-file {{ neutron_conf_dir }}/plugins/ml2/linuxbridge_agent.ini --log-file=/var/log/neutron/neutron-linuxbridge-agent.log" config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/plugins/ml2/ml2_conf.ini --config-file {{ neutron_conf_dir }}/plugins/ml2/linuxbridge_agent.ini --log-file={{ neutron_log_dir }}/neutron-linuxbridge-agent.log"
config_overrides: "{{ neutron_linuxbridge_agent_ini_overrides }}" config_overrides: "{{ neutron_linuxbridge_agent_ini_overrides }}"
config_type: "ini" config_type: "ini"
init_config_overrides: "{{ neutron_linuxbridge_agent_init_overrides }}" init_config_overrides: "{{ neutron_linuxbridge_agent_init_overrides }}"
@ -413,7 +413,7 @@ neutron_services:
service_en: "{{ neutron_metadata | bool }}" service_en: "{{ neutron_metadata | bool }}"
service_conf_path: "{{ neutron_conf_dir }}" service_conf_path: "{{ neutron_conf_dir }}"
service_conf: metadata_agent.ini service_conf: metadata_agent.ini
config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/metadata_agent.ini --log-file=/var/log/neutron/neutron-metadata-agent.log" config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/metadata_agent.ini --log-file={{ neutron_log_dir }}/neutron-metadata-agent.log"
config_overrides: "{{ neutron_metadata_agent_ini_overrides }}" config_overrides: "{{ neutron_metadata_agent_ini_overrides }}"
config_type: "ini" config_type: "ini"
init_config_overrides: "{{ neutron_metadata_agent_init_overrides }}" init_config_overrides: "{{ neutron_metadata_agent_init_overrides }}"
@ -424,7 +424,7 @@ neutron_services:
service_en: "{{ neutron_metering | bool }}" service_en: "{{ neutron_metering | bool }}"
service_conf_path: "{{ neutron_conf_dir }}" service_conf_path: "{{ neutron_conf_dir }}"
service_conf: metering_agent.ini service_conf: metering_agent.ini
config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/metering_agent.ini --log-file=/var/log/neutron/neutron-metering-agent.log" config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/metering_agent.ini --log-file={{ neutron_log_dir }}/neutron-metering-agent.log"
config_overrides: "{{ neutron_metering_agent_ini_overrides }}" config_overrides: "{{ neutron_metering_agent_ini_overrides }}"
config_type: "ini" config_type: "ini"
init_config_overrides: "{{ neutron_metering_agent_init_overrides }}" init_config_overrides: "{{ neutron_metering_agent_init_overrides }}"
@ -444,7 +444,7 @@ neutron_services:
service_conf_path: "{{ neutron_conf_dir }}" service_conf_path: "{{ neutron_conf_dir }}"
service_conf: l3_agent.ini service_conf: l3_agent.ini
service_rootwrap: rootwrap.d/l3.filters service_rootwrap: rootwrap.d/l3.filters
config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/l3_agent.ini --log-file=/var/log/neutron/neutron-l3-agent.log" config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/l3_agent.ini --log-file={{ neutron_log_dir }}/neutron-l3-agent.log"
config_overrides: "{{ neutron_l3_agent_ini_overrides }}" config_overrides: "{{ neutron_l3_agent_ini_overrides }}"
config_type: "ini" config_type: "ini"
init_config_overrides: "{{ neutron_l3_agent_init_overrides }}" init_config_overrides: "{{ neutron_l3_agent_init_overrides }}"
@ -456,7 +456,7 @@ neutron_services:
service_conf_path: "{{ neutron_conf_dir }}" service_conf_path: "{{ neutron_conf_dir }}"
service_conf: lbaas_agent.ini service_conf: lbaas_agent.ini
service_rootwrap: rootwrap.d/lbaas-haproxy.filters service_rootwrap: rootwrap.d/lbaas-haproxy.filters
config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/lbaas_agent.ini --log-file=/var/log/neutron/neutron-lbaasv2-agent.log" config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/lbaas_agent.ini --log-file={{ neutron_log_dir }}/neutron-lbaasv2-agent.log"
config_overrides: "{{ neutron_lbaas_agent_ini_overrides }}" config_overrides: "{{ neutron_lbaas_agent_ini_overrides }}"
config_type: "ini" config_type: "ini"
init_config_overrides: "{{ neutron_lbaas_agent_init_overrides }}" init_config_overrides: "{{ neutron_lbaas_agent_init_overrides }}"
@ -467,7 +467,7 @@ neutron_services:
service_en: "{{ neutron_bgp | bool }}" service_en: "{{ neutron_bgp | bool }}"
service_conf_path: "{{ neutron_conf_dir }}" service_conf_path: "{{ neutron_conf_dir }}"
service_conf: bgp_dragent.ini service_conf: bgp_dragent.ini
config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/bgp_dragent.ini --log-file=/var/log/neutron/neutron-bgp-dragent.log" config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/bgp_dragent.ini --log-file={{ neutron_log_dir }}/neutron-bgp-dragent.log"
config_overrides: "{{ neutron_bgp_dragent_ini_overrides }}" config_overrides: "{{ neutron_bgp_dragent_ini_overrides }}"
config_type: "ini" config_type: "ini"
init_config_overrides: "{{ neutron_bgp_dragent_init_overrides }}" init_config_overrides: "{{ neutron_bgp_dragent_init_overrides }}"
@ -479,7 +479,7 @@ neutron_services:
service_conf_path: "{{ neutron_conf_dir }}" service_conf_path: "{{ neutron_conf_dir }}"
service_conf: vpnaas_agent.ini service_conf: vpnaas_agent.ini
service_rootwrap: rootwrap.d/vpnaas.filters service_rootwrap: rootwrap.d/vpnaas.filters
config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/vpnaas_agent.ini --log-file=/var/log/neutron/neutron-vpn-agent.log" config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/vpnaas_agent.ini --log-file={{ neutron_log_dir }}/neutron-vpn-agent.log"
config_overrides: "{{ neutron_vpnaas_agent_ini_overrides }}" config_overrides: "{{ neutron_vpnaas_agent_ini_overrides }}"
config_type: "ini" config_type: "ini"
init_config_overrides: "{{ neutron_vpn_agent_init_overrides }}" init_config_overrides: "{{ neutron_vpn_agent_init_overrides }}"
@ -488,7 +488,7 @@ neutron_services:
group: neutron_server group: neutron_server
service_name: neutron-server service_name: neutron-server
service_en: True service_en: True
config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/{{ neutron_plugins[neutron_plugin_type].plugin_ini }} --log-file=/var/log/neutron/neutron-server.log {% if neutron_plugin_type == 'ml2.dragonflow' %}--config-file {{ neutron_conf_dir }}/dragonflow.ini{% endif %}" config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/{{ neutron_plugins[neutron_plugin_type].plugin_ini }} --log-file={{ neutron_log_dir }}/neutron-server.log {% if neutron_plugin_type == 'ml2.dragonflow' %}--config-file {{ neutron_conf_dir }}/dragonflow.ini{% endif %}"
init_config_overrides: "{{ neutron_server_init_overrides }}" init_config_overrides: "{{ neutron_server_init_overrides }}"
start_order: 1 start_order: 1
calico-felix: calico-felix:
@ -523,7 +523,7 @@ neutron_services:
service_en: "{{ 'ml2.sriov' in neutron_plugin_types }}" service_en: "{{ 'ml2.sriov' in neutron_plugin_types }}"
service_conf_path: "{{ neutron_conf_dir }}" service_conf_path: "{{ neutron_conf_dir }}"
service_conf: plugins/ml2/sriov_nic_agent.ini service_conf: plugins/ml2/sriov_nic_agent.ini
config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/plugins/ml2/ml2_conf.ini --config-file {{ neutron_conf_dir }}/plugins/ml2/sriov_nic_agent.ini --log-file=/var/log/neutron/neutron-sriov-nic-agent.log" config_options: "--config-file {{ neutron_conf_dir }}/neutron.conf --config-file {{ neutron_conf_dir }}/plugins/ml2/ml2_conf.ini --config-file {{ neutron_conf_dir }}/plugins/ml2/sriov_nic_agent.ini --log-file={{ neutron_log_dir }}/neutron-sriov-nic-agent.log"
config_overrides: "{{ neutron_sriov_nic_agent_ini_overrides }}" config_overrides: "{{ neutron_sriov_nic_agent_ini_overrides }}"
config_type: "ini" config_type: "ini"
init_config_overrides: "{{ neutron_sriov_nic_agent_init_overrides }}" init_config_overrides: "{{ neutron_sriov_nic_agent_init_overrides }}"