Create a module to resolve selinux conflict with grafana-agent 768/head
authorFernando <fernando.alcocer.ochoa@ibm.com>
Wed, 12 Feb 2025 18:49:36 +0000 (12:49 -0600)
committerFernando <fernando.alcocer.ochoa@ibm.com>
Mon, 24 Feb 2025 20:29:27 +0000 (14:29 -0600)
Fixes: https://ibm.monday.com/boards/5591222586/pulses/8269716052
Signed-off-by: Fernando <fernando.alcocer.ochoa@ibm.com>
roles/grafana_agent/defaults/main.yml
roles/grafana_agent/files/grafana/customuseradd.te [new file with mode: 0644]
roles/grafana_agent/tasks/main.yml
roles/grafana_agent/tasks/useradd-selinux.yml [new file with mode: 0644]
testnodes.yml

index bc4d43b5e7fb1617c9ef14c4b71161cb28543d67..2df6f91f2b16eedce2c974126482f8f7407cd6be 100644 (file)
@@ -9,3 +9,8 @@ grafana_rpm_repo_key_url: "https://rpm.grafana.com/gpg.key"
 
 scrape_interval_global: "60s"
 scrape_interval_node: "30s"
+
+# Selinux packages
+useradd_selinux_packages:
+  - policycoreutils
+  - checkpolicy
diff --git a/roles/grafana_agent/files/grafana/customuseradd.te b/roles/grafana_agent/files/grafana/customuseradd.te
new file mode 100644 (file)
index 0000000..bbded82
--- /dev/null
@@ -0,0 +1,12 @@
+module customuseradd 1.0;
+
+require {
+       type useradd_t;
+  type var_lib_t;
+       class file { execute read create write getattr setattr
+open };
+}
+
+#============= useradd_t ==============
+
+allow useradd_t var_lib_t:file { write create open setattr getattr };
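Review bot: The `require` block at `class file { execute read create write getattr setattr open }` declares `execute` and `read`, which the single `allow` rule never grants; trimming it to `class file { write create open setattr getattr };` keeps the module's stated requirements equal to what it actually allows. The rule targets `var_lib_t`, the generic label under /var/lib, so useradd_t gains write/create on any file carrying that label rather than only the grafana-agent home directory the commit message is about; if that directory can be given its own file context, targeting that type would be the narrower grant. The new file also mixes a tab (`type useradd_t;`) with spaces (`type var_lib_t;`) and breaks the permission list mid-brace across two lines, which is valid but hard to read.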
index a0ebc626c91f58d5a88660f42609f48447ef098b..ba3d209cf15c0ad08df705450a16d4761f8e55ba 100644 (file)
@@ -8,6 +8,10 @@
 - name: Gather facts on listening ports
   community.general.listen_ports_facts:
 
+# Resolving selinux conflicts
+- import_tasks: useradd-selinux.yml
+  when: ansible_os_family == "RedHat"
+
 - name: Check if prometheus is listening on port 9090
   ansible.builtin.debug:
     msg: The {{ item.name }} service - pid {{ item.pid }} is running on same port as grafana-agent please set {{ item.name }} to listen on a diffrent port than {{ item.port }}
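Review bot: The condition at `when: ansible_os_family == "RedHat"` checks only the distribution family, not whether SELinux is active on the host, so the imported `semodule` tasks also run where SELinux is disabled, where they are at best pointless and, on hosts without a policy store, presumably fail. Gating on the fact as well, `when: ansible_os_family == "RedHat" and ansible_selinux.status != "disabled"`, limits the import to hosts that enforce a policy. The comment `# Resolving selinux conflicts` would be more useful if it named the conflict, e.g. `# useradd_t is denied write/create on var_lib_t when grafana-agent's home is created under /var/lib`.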
diff --git a/roles/grafana_agent/tasks/useradd-selinux.yml b/roles/grafana_agent/tasks/useradd-selinux.yml
new file mode 100644 (file)
index 0000000..85e57a2
--- /dev/null
@@ -0,0 +1,38 @@
+---
+- name: useradd - Install SELinux dependencies
+  package:
+    name: "{{ useradd_selinux_packages|list }}"
+    state: present
+
+# ignore_errors in case we don't have any repos
+- name: useradd - Ensure SELinux policy is up to date
+  package:
+    name: selinux-policy-targeted
+    state: latest
+  ignore_errors: true
+
+- name: useradd - Copy SELinux type enforcement file
+  copy:
+    src: grafana/customuseradd.te
+    dest: /tmp/customuseradd.te
+
+- name: useradd - Compile SELinux module file
+  command: checkmodule -M -m -o /tmp/customuseradd.mod /tmp/customuseradd.te
+
+- name: useradd - Build SELinux policy package
+  command: semodule_package -o /tmp/customuseradd.pp -m /tmp/customuseradd.mod
+
+- name: useradd - Load SELinux policy package
+  command: semodule -i /tmp/customuseradd.pp
+
+- name: useradd - Remove temporary files
+  file:
+    path: /tmp/customuseradd.*
+    state: absent
+
+- name: Verify SELinux module is installed
+  command: semodule -l
+  register: semodule_list
+  changed_when: false
+  failed_when: "'customuseradd' not in semodule_list.stdout"
+
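Review bot: The cleanup task `path: /tmp/customuseradd.*` removes nothing, because the `file` module takes a literal path and does not expand globs, so the .te, .mod and .pp files stay in /tmp after every run; loop over the three suffixes instead. The checkmodule, semodule_package and `semodule -i` tasks also carry no condition or `changed_when`, so the policy is rebuilt and reloaded and the play reports changed on every run; listing loaded modules before the copy and gating the build on that result makes the file idempotent, with the existing verify task still confirming the load. Staging a policy that root compiles and loads in world-writable /tmp additionally lets another local user replace the source between `copy` and `checkmodule`; a root-owned directory from the `tempfile` module (not shown below) would close that window.
```yaml
- name: useradd - List loaded SELinux modules
  command: semodule -l
  register: semodule_loaded
  changed_when: false

- name: useradd - Copy SELinux type enforcement file
  copy:
    src: grafana/customuseradd.te
    dest: /tmp/customuseradd.te
  when: "'customuseradd' not in semodule_loaded.stdout"

# … unchanged: checkmodule / semodule_package / semodule -i tasks, each with the same when: …

- name: useradd - Remove temporary files
  file:
    path: "/tmp/customuseradd.{{ item }}"
    state: absent
  loop:
    - te
    - mod
    - pp

# … unchanged: final "Verify SELinux module is installed" task …
```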
index 21ba344680c259214ce82948747f59ac1a7b1c7a..ce49a560058822257a06bf1596a38ab7167283bb 100644 (file)
@@ -4,4 +4,5 @@
   roles:
     - common
     - testnode
+    - grafana_agent
   become: true