From 641f141c0fd070cdf982401f4529da41614d237e Mon Sep 17 00:00:00 2001 From: =?utf8?q?S=C3=A9bastien=20Han?= Date: Tue, 17 Apr 2018 15:32:53 +0200 Subject: [PATCH] selinux: remove chcon calls MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit We now bindmount with the :z option at the end of the -v command, so this will basically run the exact same command as we used to run. So to speak: chcon -Rt svirt_sandbox_file_t /var/lib/ceph 
Signed-off-by: Sébastien Han --- ...inerized-to-containerized-ceph-daemons.yml | 16 ----- roles/ceph-client/tasks/create_users_keys.yml | 2 +- roles/ceph-client/tasks/pre_requisite.yml | 12 +--- roles/ceph-defaults/tasks/facts.yml | 14 +---- roles/ceph-mds/tasks/containerized.yml | 49 ++++++++++++--- roles/ceph-mds/templates/ceph-mds.service.j2 | 4 +- roles/ceph-mgr/tasks/docker/copy_configs.yml | 61 +++++++++++++++++++ roles/ceph-mgr/tasks/docker/main.yml | 3 - roles/ceph-mgr/tasks/docker/selinux.yml | 11 ---- roles/ceph-mgr/templates/ceph-mgr.service.j2 | 4 +- roles/ceph-mon/tasks/docker/copy_configs.yml | 13 +--- roles/ceph-mon/templates/ceph-mon.service.j2 | 4 +- .../tasks/pre_requisite_container.yml | 48 ++++++++++++--- roles/ceph-nfs/templates/ceph-nfs.service.j2 | 4 +- roles/ceph-osd/tasks/copy_configs.yml | 46 ++++++++++++++ roles/ceph-osd/tasks/docker/main.yml | 3 - roles/ceph-osd/tasks/docker/selinux.yml | 11 ---- roles/ceph-osd/tasks/scenarios/collocated.yml | 8 +-- .../tasks/scenarios/non-collocated.yml | 8 +-- roles/ceph-osd/templates/ceph-osd-run.sh.j2 | 6 +- .../tasks/docker/copy_configs.yml | 39 ++++++++++++ roles/ceph-rbd-mirror/tasks/docker/main.yml | 3 - .../ceph-rbd-mirror/tasks/docker/selinux.yml | 11 ---- .../templates/ceph-rbd-mirror.service.j2 | 4 +- .../tasks/docker/copy_configs.yml | 13 +--- roles/ceph-rgw/tasks/docker/copy_configs.yml | 43 +++++++++++++ roles/ceph-rgw/tasks/docker/main.yml | 3 - roles/ceph-rgw/tasks/docker/selinux.yml | 11 ---- .../templates/ceph-radosgw.service.j2 | 4 +- 29 files changed, 299 insertions(+), 159 deletions(-) create mode 100644 roles/ceph-mgr/tasks/docker/copy_configs.yml delete mode 100644 roles/ceph-mgr/tasks/docker/selinux.yml create mode 100644 roles/ceph-osd/tasks/copy_configs.yml delete mode 100644 roles/ceph-osd/tasks/docker/selinux.yml create mode 100644 roles/ceph-rbd-mirror/tasks/docker/copy_configs.yml delete mode 100644 roles/ceph-rbd-mirror/tasks/docker/selinux.yml create mode 100644 
roles/ceph-rgw/tasks/docker/copy_configs.yml delete mode 100644 roles/ceph-rgw/tasks/docker/selinux.yml diff --git a/infrastructure-playbooks/switch-from-non-containerized-to-containerized-ceph-daemons.yml b/infrastructure-playbooks/switch-from-non-containerized-to-containerized-ceph-daemons.yml index adaf4165f..b7e73b77d 100644 --- a/infrastructure-playbooks/switch-from-non-containerized-to-containerized-ceph-daemons.yml +++ b/infrastructure-playbooks/switch-from-non-containerized-to-containerized-ceph-daemons.yml @@ -40,22 +40,6 @@ become: true tasks: - - name: check if selinux is enabled - command: getenforce - register: sestatus - changed_when: false - when: ansible_os_family == 'RedHat' - - - name: set selinux permissions - command: chcon -Rt svirt_sandbox_file_t "{{ item }}" - with_items: - - /etc/ceph - - /var/lib/ceph - changed_when: false - when: - - sestatus.stdout != 'Disabled' - - ansible_os_family == 'RedHat' - - name: gather and delegate facts setup: delegate_to: "{{ item }}" diff --git a/roles/ceph-client/tasks/create_users_keys.yml b/roles/ceph-client/tasks/create_users_keys.yml index 65dac47cb..f31610621 100644 --- a/roles/ceph-client/tasks/create_users_keys.yml +++ b/roles/ceph-client/tasks/create_users_keys.yml @@ -17,7 +17,7 @@ docker run \ --rm \ -d \ - -v {{ ceph_conf_key_directory }}:{{ ceph_conf_key_directory }} \ + -v {{ ceph_conf_key_directory }}:{{ ceph_conf_key_directory }}:z \ --name ceph-create-keys \ --entrypoint=sleep \ {{ ceph_docker_registry}}/{{ ceph_docker_image }}:{{ ceph_docker_image_tag }} \ diff --git a/roles/ceph-client/tasks/pre_requisite.yml b/roles/ceph-client/tasks/pre_requisite.yml index a02fa03b7..3a426893a 100644 --- a/roles/ceph-client/tasks/pre_requisite.yml +++ b/roles/ceph-client/tasks/pre_requisite.yml 
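Review bot: The new `:z` on the `ceph_conf_key_directory` bind mount relabels that whole tree to the shared container label, so every container on the host can read the keyrings written there, which is exactly what the removed `chcon -Rt svirt_sandbox_file_t` did; a comment recording that this is intentional would keep the next reader from switching it to `:Z`. Because `ceph_conf_key_directory` is user-settable, the recursive relabel follows whatever path is configured, so the comment should also say the directory must stay dedicated to ceph. Suggested comment above the `-v` line: `# :z = shared SELinux label (replaces chcon -Rt svirt_sandbox_file_t); keep this a dedicated ceph directory, the relabel is recursive`. The surrounding `docker run` command starts and ends outside the hunk.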
@@ -1,15 +1,5 @@ --- -- name: set selinux permissions - shell: | - chcon -Rt svirt_sandbox_file_t /etc/ceph - changed_when: false - when: - - containerized_deployment - - ansible_os_family == 'RedHat' - - sestatus is defined - - sestatus.stdout != 'Disabled' - -- name: copy ceph admin keyring if needed +- name: copy ceph admin keyring when non containerized deployment copy: src: "{{ fetch_directory }}/{{ fsid }}/etc/ceph/{{ cluster }}.client.admin.keyring" dest: "/etc/ceph/" diff --git a/roles/ceph-defaults/tasks/facts.yml b/roles/ceph-defaults/tasks/facts.yml index b2c9561ad..b029b6ceb 100644 --- a/roles/ceph-defaults/tasks/facts.yml +++ b/roles/ceph-defaults/tasks/facts.yml @@ -180,31 +180,23 @@ - not osd_auto_discovery|default(False) - osd_scenario|default('dummy') != 'lvm' -- name: set_fact ceph_uid for Debian based system +- name: set_fact ceph_uid for debian based system set_fact: ceph_uid: 64045 when: - containerized_deployment - ceph_docker_image_tag | search("ubuntu") -- name: set_fact ceph_uid for Red Hat based system +- name: set_fact ceph_uid for red hat based system set_fact: ceph_uid: 167 when: - containerized_deployment - ceph_docker_image_tag | search("latest") or ceph_docker_image_tag | search("centos") or ceph_docker_image_tag | search("fedora") -- name: set_fact ceph_uid for Red Hat +- name: set_fact ceph_uid for red hat set_fact: ceph_uid: 167 when: - containerized_deployment - ceph_docker_image | search("rhceph") - -- name: check if selinux is enabled - command: getenforce - register: sestatus - changed_when: false - check_mode: no - when: - - ansible_os_family == 'RedHat' diff --git a/roles/ceph-mds/tasks/containerized.yml b/roles/ceph-mds/tasks/containerized.yml index d34348299..8bce26957 100644 --- a/roles/ceph-mds/tasks/containerized.yml +++ b/roles/ceph-mds/tasks/containerized.yml 
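Review bot: The renamed task `copy ceph admin keyring when non containerized deployment` now asserts a condition the hunk does not show; its `when:` lies outside the hunk, so confirm it actually carries `not containerized_deployment`, otherwise the name documents a guard that is not there. With the selinux task gone this file no longer references `sestatus`, which is consistent with that fact being removed from ceph-defaults facts.yml in the same patch.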
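Review bot: Dropping the `check if selinux is enabled` task removes the registered `sestatus` fact that the other roles' selinux tasks relied on; the patch deletes every consumer it touches, but any `sestatus` reference left in a role outside this diff would now fail with an undefined-variable error instead of skipping, so the removal should be backed by a repository-wide search. If a later task needs SELinux state again, `ansible_selinux.status` from the setup module is available without a `getenforce` shell call. The three `set_fact ceph_uid` renames are cosmetic.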
@@ -3,16 +3,47 @@ set_fact: docker_exec_cmd: "docker exec ceph-mds-{{ ansible_hostname }}" -- name: set selinux permissions - shell: | - chcon -Rt svirt_sandbox_file_t {{ item }} - with_items: - - "{{ ceph_conf_key_directory }}" - - /var/lib/ceph - changed_when: false +- name: set_fact admin_keyring + set_fact: + admin_keyring: + - "/etc/ceph/{{ cluster }}.client.admin.keyring" when: - - ansible_os_family == 'RedHat' - - sestatus.stdout != 'Disabled' + - copy_admin_key + +- name: set_fact ceph_config_keys + set_fact: + ceph_config_keys: + - /var/lib/ceph/bootstrap-mds/{{ cluster }}.keyring + +- name: merge ceph_config_keys and admin_keyring + set_fact: + ceph_config_keys: "{{ ceph_config_keys + admin_keyring }}" + when: + - copy_admin_key + +- name: stat for ceph config and keys + local_action: + module: stat + path: "{{ fetch_directory }}/{{ fsid }}/{{ item }}" + with_items: "{{ ceph_config_keys }}" + changed_when: false + become: false + failed_when: false + check_mode: no + register: statconfig + +- name: try to fetch ceph config and keys + copy: + src: "{{ fetch_directory }}/{{ fsid }}/{{ item.0 }}" + dest: "{{ item.0 }}" + owner: root + group: root + mode: 0644 + changed_when: false + with_together: + - "{{ ceph_config_keys }}" + - "{{ statconfig.results }}" + when: item.1.stat.exists == true - name: generate systemd unit file become: true diff --git a/roles/ceph-mds/templates/ceph-mds.service.j2 b/roles/ceph-mds/templates/ceph-mds.service.j2 index a7adea5b4..ce20f45b0 100644 --- a/roles/ceph-mds/templates/ceph-mds.service.j2 +++ b/roles/ceph-mds/templates/ceph-mds.service.j2 @@ -14,8 +14,8 @@ ExecStart=/usr/bin/docker run --rm --net=host \ --cpu-quota={{ ceph_mds_docker_cpu_limit * 100000 }} \ {% endif -%} {% if not containerized_deployment_with_kv -%} - -v /var/lib/ceph:/var/lib/ceph \ - -v /etc/ceph:/etc/ceph \ + -v /var/lib/ceph:/var/lib/ceph:z \ + -v /etc/ceph:/etc/ceph:z \ {% else -%} -e KV_TYPE={{kv_type}} \ -e KV_IP={{kv_endpoint}} \ 
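Review bot: The `try to fetch ceph config and keys` task writes the bootstrap-mds keyring and, when `copy_admin_key` is set, the client.admin keyring with `owner: root`, `group: root`, `mode: 0644`, which leaves cluster secrets world-readable on the host. The ceph-mgr copy_configs.yml added in this same patch already separates keyring items (`owner: "{{ ceph_uid }}"`, `mode: 0600`) from plain config via `item.0 | search("keyring")`, and this task should follow that split so the daemon can read the key while nobody else can; the same 0644-on-keyring pattern appears in the new ceph-nfs pre_requisite_container.yml, ceph-osd copy_configs.yml, ceph-rbd-mirror copy_configs.yml and ceph-rgw copy_configs.yml hunks. While here, quote the mode (`mode: "0600"`), since an unquoted leading-zero literal depends on YAML 1.1 octal parsing, and `when: item.1.stat.exists == true` reads better as `when: item.1.stat.exists`.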
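Review bot: `-v /var/lib/ceph:/var/lib/ceph:z` asks docker to relabel the whole host tree recursively on every `docker run`, i.e. on every unit start, and on a node that also hosts OSDs that tree includes the OSD data directories, so the first start after this change can be slow and touches every file's label; the removed chcon did the same work but once, from the playbook, rather than from each `ExecStart`. A comment in the template, `# :z relabels recursively on every start; replaces the former chcon -Rt svirt_sandbox_file_t`, would make that cost visible. The same mounts are added in the ceph-mgr, ceph-mon, ceph-nfs, ceph-rbd-mirror and ceph-radosgw service templates and in ceph-osd-run.sh.j2.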
diff --git a/roles/ceph-mgr/tasks/docker/copy_configs.yml b/roles/ceph-mgr/tasks/docker/copy_configs.yml new file mode 100644 index 000000000..c1387cb27 --- /dev/null +++ b/roles/ceph-mgr/tasks/docker/copy_configs.yml @@ -0,0 +1,61 @@ +--- +- name: set_fact ceph_config_keys + set_fact: + ceph_config_keys: + - /etc/ceph/{{ cluster }}.mgr.{{ ansible_hostname }}.keyring + - /etc/ceph/{{ cluster }}.client.admin.keyring + +- name: stat for ceph config and keys + local_action: + module: stat + path: "{{ fetch_directory }}/{{ fsid }}/{{ item }}" + with_items: "{{ ceph_config_keys }}" + changed_when: false + become: false + failed_when: false + check_mode: no + register: statconfig + +- name: try to fetch ceph keys + copy: + src: "{{ fetch_directory }}/{{ fsid }}/{{ item.0 }}" + dest: "{{ item.0 }}" + owner: "{{ ceph_uid }}" + mode: 0600 + changed_when: false + with_together: + - "{{ ceph_config_keys }}" + - "{{ statconfig.results }}" + when: + - item.1.stat.exists == true + - item.0 | search("keyring") + +- name: try to fetch ceph config + copy: + src: "{{ fetch_directory }}/{{ fsid }}/{{ item.0 }}" + dest: "{{ item.0 }}" + owner: root + group: root + mode: 0644 + changed_when: false + with_together: + - "{{ ceph_config_keys }}" + - "{{ statconfig.results }}" + when: + - item.1.stat.exists == true + - not (item.0 | search("keyring")) + +- name: "copy mgr key to /var/lib/ceph/mgr/{{ cluster }}-{{ ansible_hostname }}/keyring" + command: cp /etc/ceph/{{ cluster }}.mgr.{{ ansible_hostname }}.keyring /var/lib/ceph/mgr/{{ cluster }}-{{ ansible_hostname }}/keyring + changed_when: false + check_mode: no + with_items: "{{ statconfig.results }}" + when: item.stat.exists == true + +- name: set ceph mgr key permission + file: + path: "/var/lib/ceph/mgr/{{ cluster }}-{{ ansible_hostname }}/keyring" + owner: "{{ bootstrap_dirs_owner }}" + group: "{{ bootstrap_dirs_group }}" + mode: "0600" + when: cephx \ No newline at end of file 
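Review bot: The `copy mgr key to ...` task iterates `statconfig.results` and runs the same `cp` of the mgr keyring once per existing fetched file, so it executes twice when both keyrings exist and fails on the missing mgr keyring when only the admin keyring was fetched, because `when: item.stat.exists` is evaluated against whichever item is current rather than against the mgr keyring. Binding the guard to the mgr keyring's own stat result (it is index 0 of `ceph_config_keys`, and loop results keep that order) and using `copy` with `remote_src` turns it into one idempotent write with the final mode, removing the need for `changed_when: false` on a `command`. The file also mixes `mode: 0600` and `mode: "0600"`; quote both, and add the missing newline at end of file (also missing in the new osd, rbd-mirror and rgw files and the edited mon and restapi files).
```yaml
# … unchanged: set_fact / stat / fetch tasks …
- name: "copy mgr key to /var/lib/ceph/mgr/{{ cluster }}-{{ ansible_hostname }}/keyring"
  copy:
    src: "/etc/ceph/{{ cluster }}.mgr.{{ ansible_hostname }}.keyring"
    dest: "/var/lib/ceph/mgr/{{ cluster }}-{{ ansible_hostname }}/keyring"
    remote_src: true
    owner: "{{ bootstrap_dirs_owner }}"
    group: "{{ bootstrap_dirs_group }}"
    mode: "0600"
  check_mode: no
  when: statconfig.results[0].stat.exists
# … unchanged: set ceph mgr key permission …
```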
diff --git a/roles/ceph-mgr/tasks/docker/main.yml b/roles/ceph-mgr/tasks/docker/main.yml index d7c56c6a7..257c62c1d 100644 --- a/roles/ceph-mgr/tasks/docker/main.yml +++ b/roles/ceph-mgr/tasks/docker/main.yml @@ -1,6 +1,3 @@ --- -- name: include selinux.yml - include: selinux.yml - - name: include start_docker_mgr.yml include: start_docker_mgr.yml diff --git a/roles/ceph-mgr/tasks/docker/selinux.yml b/roles/ceph-mgr/tasks/docker/selinux.yml deleted file mode 100644 index 9461fff93..000000000 --- a/roles/ceph-mgr/tasks/docker/selinux.yml +++ /dev/null @@ -1,11 +0,0 @@ ---- -- name: set selinux permissions - shell: | - chcon -Rt svirt_sandbox_file_t {{ item }} - with_items: - - "{{ ceph_conf_key_directory }}" - - /var/lib/ceph - changed_when: false - when: - - ansible_os_family == 'RedHat' - - sestatus.stdout != 'Disabled' diff --git a/roles/ceph-mgr/templates/ceph-mgr.service.j2 b/roles/ceph-mgr/templates/ceph-mgr.service.j2 index 7dcd9cc87..9970190f5 100644 --- a/roles/ceph-mgr/templates/ceph-mgr.service.j2 +++ b/roles/ceph-mgr/templates/ceph-mgr.service.j2 @@ -14,8 +14,8 @@ ExecStart=/usr/bin/docker run --rm --net=host \ --cpu-quota={{ ceph_mgr_docker_cpu_limit * 100000 }} \ {% endif -%} {% if not containerized_deployment_with_kv -%} - -v /var/lib/ceph:/var/lib/ceph \ - -v /etc/ceph:/etc/ceph \ + -v /var/lib/ceph:/var/lib/ceph:z \ + -v /etc/ceph:/etc/ceph:z \ {% else -%} -e KV_TYPE={{kv_type}} \ -e KV_IP={{kv_endpoint}} \ diff --git a/roles/ceph-mon/tasks/docker/copy_configs.yml b/roles/ceph-mon/tasks/docker/copy_configs.yml index c8485f2fe..ab45c78be 100644 --- a/roles/ceph-mon/tasks/docker/copy_configs.yml +++ b/roles/ceph-mon/tasks/docker/copy_configs.yml 
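Review bot: The hunk drops `include: selinux.yml` but adds no include for the `roles/ceph-mgr/tasks/docker/copy_configs.yml` created in this patch, so as far as this diff shows the new file is never executed; unless it is referenced from a file outside the diff (start_docker_mgr.yml or the role's main.yml), the mgr keyring copy silently does not happen in containerized deployments. The same applies to the ceph-osd, ceph-rbd-mirror and ceph-rgw docker/main.yml hunks and their new copy_configs.yml files. If the include is meant to live elsewhere, a one-line comment here naming that location would stop the next reader from drawing the same conclusion.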
@@ -78,15 +78,4 @@ - "{{ statconfig.results }}" when: - item.1.stat.exists == true - - not (item.0 | search("keyring")) - -- name: set selinux permissions - shell: | - chcon -Rt svirt_sandbox_file_t {{ item }} - with_items: - - "{{ ceph_conf_key_directory }}" - - /var/lib/ceph - changed_when: false - when: - - ansible_os_family == 'RedHat' - - sestatus.stdout != 'Disabled' + - not (item.0 | search("keyring")) \ No newline at end of file diff --git a/roles/ceph-mon/templates/ceph-mon.service.j2 b/roles/ceph-mon/templates/ceph-mon.service.j2 index 9fe9d6774..958b327da 100644 --- a/roles/ceph-mon/templates/ceph-mon.service.j2 +++ b/roles/ceph-mon/templates/ceph-mon.service.j2 @@ -14,8 +14,8 @@ ExecStart=/usr/bin/docker run --rm --name ceph-mon-%i --net=host \ --cpu-quota={{ ceph_mon_docker_cpu_limit * 100000 }} \ {% endif -%} {% if not containerized_deployment_with_kv -%} - -v /var/lib/ceph:/var/lib/ceph \ - -v /etc/ceph:/etc/ceph \ + -v /var/lib/ceph:/var/lib/ceph:z \ + -v /etc/ceph:/etc/ceph:z \ {% else -%} -e KV_TYPE={{kv_type}} \ -e KV_IP={{kv_endpoint}}\ diff --git a/roles/ceph-nfs/tasks/pre_requisite_container.yml b/roles/ceph-nfs/tasks/pre_requisite_container.yml index 792b0b8e5..ab4d27f6e 100644 --- a/roles/ceph-nfs/tasks/pre_requisite_container.yml +++ b/roles/ceph-nfs/tasks/pre_requisite_container.yml 
@@ -1,14 +1,46 @@ --- -- name: set selinux permissions - shell: | - chcon -Rt svirt_sandbox_file_t {{ item }} - with_items: - - "{{ ceph_conf_key_directory }}" - - /var/lib/ceph +- name: set_fact admin_keyring + set_fact: + admin_keyring: + - "/etc/ceph/{{ cluster }}.client.admin.keyring" + when: + - copy_admin_key + +- name: set_fact ceph_config_keys + set_fact: + ceph_config_keys: + - /var/lib/ceph/bootstrap-rgw/{{ cluster }}.keyring + +- name: merge ceph_config_keys and admin_keyring + set_fact: + ceph_config_keys: "{{ ceph_config_keys + admin_keyring }}" + when: + - copy_admin_key + +- name: stat for config and keys + local_action: + module: stat + path: "{{ fetch_directory }}/{{ fsid }}/{{ item }}" + with_items: "{{ ceph_config_keys }}" + changed_when: false + become: false + failed_when: false + check_mode: no + register: statconfig + +- name: try to fetch config and keys + copy: + src: "{{ fetch_directory }}/{{ fsid }}/{{ item.0 }}" + dest: "{{ item.0 }}" + owner: "64045" + group: "64045" + mode: 0644 changed_when: false + with_together: + - "{{ ceph_config_keys }}" + - "{{ statconfig.results }}" when: - - ansible_os_family == 'RedHat' - - sestatus.stdout != 'Disabled' + - item.1.stat.exists == true - name: create dbus service file become: true diff --git a/roles/ceph-nfs/templates/ceph-nfs.service.j2 b/roles/ceph-nfs/templates/ceph-nfs.service.j2 index 9f7cbcf1e..2131a694f 100644 --- a/roles/ceph-nfs/templates/ceph-nfs.service.j2 +++ b/roles/ceph-nfs/templates/ceph-nfs.service.j2 @@ -9,8 +9,8 @@ ExecStartPre=-/usr/bin/docker rm ceph-nfs-%i ExecStartPre=/usr/bin/mkdir -p /etc/ceph /etc/ganesha /var/lib/nfs/ganesha ExecStart=/usr/bin/docker run --rm --net=host \ {% if not containerized_deployment_with_kv -%} - -v /var/lib/ceph:/var/lib/ceph \ - -v /etc/ceph:/etc/ceph \ + -v /var/lib/ceph:/var/lib/ceph:z \ + -v /etc/ceph:/etc/ceph:z \ -v /var/lib/nfs/ganesha:/var/lib/nfs/ganesha \ -v /etc/ganesha:/etc/ganesha \ {% if ceph_nfs_dynamic_exports %} 
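Review bot: `owner: "64045"` / `group: "64045"` hard-codes the Debian ceph uid while ceph-defaults facts.yml, earlier in this patch, computes `ceph_uid` as 64045 or 167 depending on the image tag, so on a Red Hat based image the bootstrap-rgw and admin keyrings end up owned by a uid that does not exist in the container and stay readable only because `mode: 0644` makes them world-readable. Use the computed fact and a private mode: `owner: "{{ ceph_uid }}"`, `group: "{{ ceph_uid }}"`, `mode: "0600"`. The key list names the bootstrap-rgw keyring inside the nfs role, presumably for the RGW FSAL; a comment such as `# nfs-ganesha's RGW FSAL authenticates with the bootstrap-rgw key — confirm` would record why.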
diff --git a/roles/ceph-osd/tasks/copy_configs.yml b/roles/ceph-osd/tasks/copy_configs.yml new file mode 100644 index 000000000..98f511a0d --- /dev/null +++ b/roles/ceph-osd/tasks/copy_configs.yml @@ -0,0 +1,46 @@ +--- +- name: set_fact admin_keyring + set_fact: + admin_keyring: + - "/etc/ceph/{{ cluster }}.client.admin.keyring" + when: + - copy_admin_key + +- name: set_fact ceph_config_keys + set_fact: + ceph_config_keys: + - /var/lib/ceph/bootstrap-osd/{{ cluster }}.keyring + +- name: merge ceph_config_keys and admin_keyring + set_fact: + ceph_config_keys: "{{ ceph_config_keys + admin_keyring }}" + when: + - copy_admin_key + +- name: wait for ceph.conf and keys + local_action: + module: wait_for + path: "{{ fetch_directory }}/{{ fsid }}/{{ item }}" + become: false + with_items: "{{ ceph_config_keys }}" + +- name: stat for ceph config and keys + local_action: + module: stat + path: "{{ fetch_directory }}/{{ fsid }}/{{ item }}" + with_items: "{{ ceph_config_keys }}" + changed_when: false + become: false + failed_when: false + check_mode: no + register: statconfig + +- name: try to copy ceph config and keys + copy: + src: "{{ fetch_directory }}/{{ fsid }}/{{ item }}" + dest: "{{ item }}" + owner: root + group: root + mode: 0644 + changed_when: false + with_items: "{{ ceph_config_keys }}" \ No newline at end of file diff --git a/roles/ceph-osd/tasks/docker/main.yml b/roles/ceph-osd/tasks/docker/main.yml index 24976553c..fde59c2d8 100644 --- a/roles/ceph-osd/tasks/docker/main.yml +++ b/roles/ceph-osd/tasks/docker/main.yml @@ -1,6 +1,3 @@ --- -- name: include selinux.yml - include: selinux.yml - - name: include start_docker_osd.yml include: start_docker_osd.yml diff --git a/roles/ceph-osd/tasks/docker/selinux.yml b/roles/ceph-osd/tasks/docker/selinux.yml deleted file mode 100644 index 9461fff93..000000000 --- a/roles/ceph-osd/tasks/docker/selinux.yml +++ /dev/null 
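Review bot: Unlike the sibling copy_configs.yml files, the final `try to copy ceph config and keys` task has no existence guard; it relies on the preceding `wait_for`, which blocks the controller for the module's default timeout on each missing key and then fails the play, where the stat-based files skip instead. If waiting is deliberate (the OSD role must not proceed without its bootstrap key), say so above the `wait_for` task: `# blocking on purpose: osd prepare cannot run without the bootstrap key`; otherwise the `statconfig` result already registered here could gate the copy with `with_together` as the mgr file does. The bootstrap-osd and admin keyrings are also written `root`/`0644`, i.e. world-readable on the host.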
@@ -1,11 +0,0 @@ ---- -- name: set selinux permissions - shell: | - chcon -Rt svirt_sandbox_file_t {{ item }} - with_items: - - "{{ ceph_conf_key_directory }}" - - /var/lib/ceph - changed_when: false - when: - - ansible_os_family == 'RedHat' - - sestatus.stdout != 'Disabled' diff --git a/roles/ceph-osd/tasks/scenarios/collocated.yml b/roles/ceph-osd/tasks/scenarios/collocated.yml index 82cde9da5..51354c3ee 100644 --- a/roles/ceph-osd/tasks/scenarios/collocated.yml +++ b/roles/ceph-osd/tasks/scenarios/collocated.yml @@ -8,8 +8,8 @@ --pid=host \ --privileged=true \ --name=ceph-osd-prepare-{{ ansible_hostname }}-{{ item.1 | regex_replace('/dev/', '') }} \ - -v /etc/ceph:/etc/ceph \ - -v /var/lib/ceph/:/var/lib/ceph/ \ + -v /etc/ceph:/etc/ceph:z \ + -v /var/lib/ceph/:/var/lib/ceph/:z \ -v /dev:/dev \ -v /etc/localtime:/etc/localtime:ro \ -e DEBUG=verbose \ @@ -33,8 +33,8 @@ --pid=host \ --privileged=true \ --name=ceph-osd-prepare-{{ ansible_hostname }}-{{ item.split('/')[-1] }} \ - -v /etc/ceph:/etc/ceph \ - -v /var/lib/ceph/:/var/lib/ceph/ \ + -v /etc/ceph:/etc/ceph:z \ + -v /var/lib/ceph/:/var/lib/ceph/:z \ -v /dev:/dev \ -v /etc/localtime:/etc/localtime:ro \ -e DEBUG=verbose \ diff --git a/roles/ceph-osd/tasks/scenarios/non-collocated.yml b/roles/ceph-osd/tasks/scenarios/non-collocated.yml index ac4f91454..92b09d3ce 100644 --- a/roles/ceph-osd/tasks/scenarios/non-collocated.yml +++ b/roles/ceph-osd/tasks/scenarios/non-collocated.yml @@ -8,8 +8,8 @@ --pid=host \ --privileged=true \ --name=ceph-osd-prepare-{{ ansible_hostname }}-{{ item.1 | regex_replace('/dev/', '') }} \ - -v /etc/ceph:/etc/ceph \ - -v /var/lib/ceph/:/var/lib/ceph/ \ + -v /etc/ceph:/etc/ceph:z \ + -v /var/lib/ceph/:/var/lib/ceph/:z \ -v /dev:/dev \ -v /etc/localtime:/etc/localtime:ro \ -e DEBUG=verbose \ 
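Review bot: The prepare containers run with `--privileged=true`, which as far as I know makes docker skip SELinux confinement for the container process, so the `:z` on `/etc/ceph` and `/var/lib/ceph/` is not what grants them access; it does still trigger a recursive relabel of `/var/lib/ceph/` on every prepare run. Keeping it is reasonable so the labels match the non-privileged daemon units that do need them, but a comment on the mount line, `# :z kept so labels match the daemon containers; not required for access under --privileged`, would stop someone from "fixing" it in either direction. The same applies to the second hunk in this file and to both hunks in non-collocated.yml.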
@@ -35,8 +35,8 @@ --pid=host \ --privileged=true \ --name=ceph-osd-prepare-{{ ansible_hostname }}-{{ item.1 | regex_replace('/dev/', '') }} \ - -v /etc/ceph:/etc/ceph \ - -v /var/lib/ceph/:/var/lib/ceph/ \ + -v /etc/ceph:/etc/ceph:z \ + -v /var/lib/ceph/:/var/lib/ceph/:z \ -v /dev:/dev \ -v /etc/localtime:/etc/localtime:ro \ -e DEBUG=verbose \ diff --git a/roles/ceph-osd/templates/ceph-osd-run.sh.j2 b/roles/ceph-osd/templates/ceph-osd-run.sh.j2 index b54b0ac57..19d2bf9fb 100644 --- a/roles/ceph-osd/templates/ceph-osd-run.sh.j2 +++ b/roles/ceph-osd/templates/ceph-osd-run.sh.j2 @@ -8,7 +8,7 @@ DOCKER_ENV="" ############# {% if disk_list.get('rc') == 0 -%} function expose_partitions () { -DOCKER_ENV=$(docker run --rm --net=host --name expose_partitions_${1} --privileged=true -v /dev/:/dev/ -v /etc/ceph:/etc/ceph -e CLUSTER={{ cluster }} -e OSD_DEVICE=/dev/${1} {{ ceph_docker_registry }}/{{ ceph_docker_image }}:{{ ceph_docker_image_tag }} disk_list) +DOCKER_ENV=$(docker run --rm --net=host --name expose_partitions_${1} --privileged=true -v /dev/:/dev/ -v /etc/ceph:/etc/ceph:z -e CLUSTER={{ cluster }} -e OSD_DEVICE=/dev/${1} {{ ceph_docker_registry }}/{{ ceph_docker_image }}:{{ ceph_docker_image_tag }} disk_list) docker rm -f expose_partitions_${1} } {% else -%} @@ -75,8 +75,8 @@ expose_partitions "$1" {% endif -%} -v /dev:/dev \ -v /etc/localtime:/etc/localtime:ro \ - -v /var/lib/ceph:/var/lib/ceph \ - -v /etc/ceph:/etc/ceph \ + -v /var/lib/ceph:/var/lib/ceph:z \ + -v /etc/ceph:/etc/ceph:z \ $DOCKER_ENV \ {% if ansible_distribution == 'Ubuntu' -%} --security-opt apparmor:unconfined \ diff --git a/roles/ceph-rbd-mirror/tasks/docker/copy_configs.yml b/roles/ceph-rbd-mirror/tasks/docker/copy_configs.yml new file mode 100644 index 000000000..f9479757f --- /dev/null +++ b/roles/ceph-rbd-mirror/tasks/docker/copy_configs.yml 
@@ -0,0 +1,39 @@ +--- +- name: set_fact bootstrap_rbd_keyring + set_fact: + bootstrap_rbd_keyring: "/var/lib/ceph/bootstrap-rbd/{{ cluster }}.keyring" + when: + - ceph_release_num[ceph_release] >= ceph_release_num.luminous + +- name: set_fact ceph_config_keys + set_fact: + ceph_config_keys: + - /etc/ceph/{{ cluster }}.client.admin.keyring + - "{{ bootstrap_rbd_keyring | default('') }}" + +- name: stat for ceph config and keys + local_action: + module: stat + path: "{{ fetch_directory }}/{{ fsid }}/{{ item }}" + with_items: "{{ ceph_config_keys }}" + changed_when: false + become: false + failed_when: false + check_mode: no + register: statconfig + when: "item | length > 0" + +- name: try to fetch ceph config and keys + copy: + src: "{{ fetch_directory }}/{{ fsid }}/{{ item.0 }}" + dest: "{{ item.0 }}" + owner: root + group: root + mode: 0644 + changed_when: false + with_together: + - "{{ ceph_config_keys }}" + - "{{ statconfig.results }}" + when: + - not item.1.get('skipped') + - item.1.stat.exists == true \ No newline at end of file diff --git a/roles/ceph-rbd-mirror/tasks/docker/main.yml b/roles/ceph-rbd-mirror/tasks/docker/main.yml index d98d3ca47..8368f9ff2 100644 --- a/roles/ceph-rbd-mirror/tasks/docker/main.yml +++ b/roles/ceph-rbd-mirror/tasks/docker/main.yml @@ -1,6 +1,3 @@ --- -- name: include selinux.yml - include: selinux.yml - - name: include start_docker_rbd_mirror.yml include: start_docker_rbd_mirror.yml diff --git a/roles/ceph-rbd-mirror/tasks/docker/selinux.yml b/roles/ceph-rbd-mirror/tasks/docker/selinux.yml deleted file mode 100644 index 9461fff93..000000000 --- a/roles/ceph-rbd-mirror/tasks/docker/selinux.yml +++ /dev/null @@ -1,11 +0,0 @@ ---- -- name: set selinux permissions - shell: | - chcon -Rt svirt_sandbox_file_t {{ item }} - with_items: - - "{{ ceph_conf_key_directory }}" - - /var/lib/ceph - changed_when: false - when: - - ansible_os_family == 'RedHat' - - sestatus.stdout != 'Disabled' 
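Review bot: The `default('')` on `bootstrap_rbd_keyring` leaves an empty string in `ceph_config_keys` on pre-luminous releases, which the stat task skips via `item | length > 0` and the copy task tolerates via `not item.1.get('skipped')`; that three-task contract is easy to break (drop the `when` on the stat and the copy would try to fetch `{{ fetch_directory }}/{{ fsid }}/`). A comment on the `set_fact ceph_config_keys` list, `# empty entry on pre-luminous; the stat task skips it and the copy task checks 'skipped'`, would document the coupling. As in the other new copy_configs files, the client.admin keyring lands as `root`/`0644`, world-readable on the host.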
diff --git a/roles/ceph-rbd-mirror/templates/ceph-rbd-mirror.service.j2 b/roles/ceph-rbd-mirror/templates/ceph-rbd-mirror.service.j2 index 902acab18..ac7bacc6c 100644 --- a/roles/ceph-rbd-mirror/templates/ceph-rbd-mirror.service.j2 +++ b/roles/ceph-rbd-mirror/templates/ceph-rbd-mirror.service.j2 @@ -14,8 +14,8 @@ ExecStart=/usr/bin/docker run --rm --net=host \ --cpu-quota={{ ceph_rbd_mirror_docker_cpu_limit * 100000 }} \ {% endif -%} {% if not containerized_deployment_with_kv -%} - -v /var/lib/ceph:/var/lib/ceph \ - -v /etc/ceph:/etc/ceph \ + -v /var/lib/ceph:/var/lib/ceph:z \ + -v /etc/ceph:/etc/ceph:z \ {% else -%} -e KV_TYPE={{kv_type}} \ -e KV_IP={{kv_endpoint}} \ diff --git a/roles/ceph-restapi/tasks/docker/copy_configs.yml b/roles/ceph-restapi/tasks/docker/copy_configs.yml index f3da4fce3..d0ae87ed5 100644 --- a/roles/ceph-restapi/tasks/docker/copy_configs.yml +++ b/roles/ceph-restapi/tasks/docker/copy_configs.yml @@ -27,15 +27,4 @@ - "{{ ceph_config_keys }}" - "{{ statconfig.results }}" when: - - item.1.stat.exists == true - -- name: set selinux permissions - shell: | - chcon -Rt svirt_sandbox_file_t {{ item }} - with_items: - - "{{ ceph_conf_key_directory }}" - - /var/lib/ceph - changed_when: false - when: - - ansible_os_family == 'RedHat' - - sestatus.stdout != 'Disabled' + - item.1.stat.exists == true \ No newline at end of file diff --git a/roles/ceph-rgw/tasks/docker/copy_configs.yml b/roles/ceph-rgw/tasks/docker/copy_configs.yml new file mode 100644 index 000000000..3a0ce913c --- /dev/null +++ b/roles/ceph-rgw/tasks/docker/copy_configs.yml 
@@ -0,0 +1,43 @@ +--- +- name: set_fact admin_keyring + set_fact: + admin_keyring: + - "/etc/ceph/{{ cluster }}.client.admin.keyring" + when: + - copy_admin_key + +- name: set_fact ceph_config_keys + set_fact: + ceph_config_keys: + - /var/lib/ceph/bootstrap-rgw/{{ cluster }}.keyring + +- name: merge ceph_config_keys and admin_keyring + set_fact: + ceph_config_keys: "{{ ceph_config_keys + admin_keyring }}" + when: + - copy_admin_key + +- name: stat for ceph config and keys + local_action: + module: stat + path: "{{ fetch_directory }}/{{ fsid }}/{{ item }}" + with_items: "{{ ceph_config_keys }}" + changed_when: false + become: false + ignore_errors: true + check_mode: no + register: statconfig + +- name: try to fetch ceph config and keys + copy: + src: "{{ fetch_directory }}/{{ fsid }}/{{ item.0 }}" + dest: "{{ item.0 }}" + owner: root + group: root + mode: 0644 + changed_when: false + with_together: + - "{{ ceph_config_keys }}" + - "{{ statconfig.results }}" + when: + - item.1.stat.exists == true \ No newline at end of file diff --git a/roles/ceph-rgw/tasks/docker/main.yml b/roles/ceph-rgw/tasks/docker/main.yml index 2f7ff9b26..0928e5739 100644 --- a/roles/ceph-rgw/tasks/docker/main.yml +++ b/roles/ceph-rgw/tasks/docker/main.yml @@ -1,6 +1,3 @@ --- -- name: include selinux.yml - include: selinux.yml - - name: include start_docker_rgw.yml include: start_docker_rgw.yml diff --git a/roles/ceph-rgw/tasks/docker/selinux.yml b/roles/ceph-rgw/tasks/docker/selinux.yml deleted file mode 100644 index 9461fff93..000000000 --- a/roles/ceph-rgw/tasks/docker/selinux.yml +++ /dev/null @@ -1,11 +0,0 @@ ---- -- name: set selinux permissions - shell: | - chcon -Rt svirt_sandbox_file_t {{ item }} - with_items: - - "{{ ceph_conf_key_directory }}" - - /var/lib/ceph - changed_when: false - when: - - ansible_os_family == 'RedHat' - - sestatus.stdout != 'Disabled' 
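Review bot: The stat task uses `ignore_errors: true` where the mds, mgr, nfs, osd and rbd-mirror hunks use `failed_when: false`; both continue past a missing file, but `ignore_errors` still records the item as failed in the output and play recap, which is noise for a lookup that is expected to miss when `copy_admin_key` is unset. Change it to `failed_when: false` for parity with the sibling files. The new file also lacks a trailing newline.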
diff --git a/roles/ceph-rgw/templates/ceph-radosgw.service.j2 b/roles/ceph-rgw/templates/ceph-radosgw.service.j2 index a8ccead79..bd23284ac 100644 --- a/roles/ceph-rgw/templates/ceph-radosgw.service.j2 +++ b/roles/ceph-rgw/templates/ceph-radosgw.service.j2 @@ -14,8 +14,8 @@ ExecStart=/usr/bin/docker run --rm --net=host \ --cpu-quota={{ ceph_rgw_docker_cpu_limit * 100000 }} \ {% endif -%} {% if not containerized_deployment_with_kv -%} - -v /var/lib/ceph:/var/lib/ceph \ - -v /etc/ceph:/etc/ceph \ + -v /var/lib/ceph:/var/lib/ceph:z \ + -v /etc/ceph:/etc/ceph:z \ {% else -%} -e KV_TYPE={{ kv_type }} \ -e KV_IP={{ kv_endpoint }} \ -- 2.39.5