common: selinux tasks related refactor

This moves some task from the `ceph-nfs` role in `ceph-common` since some of them are needed in `ceph-rgwloadbalancer` role. This avoids duplicated tasks. Signed-off-by: Guillaume Abrioux <gabrioux@redhat.com> (cherry picked from commit d0442d8)
ceph · Apr 6, 2021 · ae452a8 · ae452a8
1 parent b02c5e8
commit ae452a8
Show file tree

Hide file tree

Showing 5 changed files with 50 additions and 35 deletions.
diff --git a/roles/ceph-common/tasks/main.yml b/roles/ceph-common/tasks/main.yml
@@ -57,3 +57,10 @@
     - (ceph_tcmalloc_max_total_thread_cache | int) > 0
     - osd_objectstore == 'filestore'
     - (ceph_origin == 'repository' or ceph_origin == 'distro')
+
+- name: include selinux.yml
+  include_tasks: selinux.yml
+  when:
+    - ansible_facts['os_family'] == 'RedHat'
+    - inventory_hostname in groups.get(nfs_group_name, [])
+      or inventory_hostname in groups.get(rgwloadbalancer_group_name, [])
diff --git a/roles/ceph-common/tasks/selinux.yml b/roles/ceph-common/tasks/selinux.yml
@@ -0,0 +1,22 @@
+---
+- name: if selinux is not disabled
+  when: ansible_facts['selinux']['status'] == 'enabled'
+  block:
+    - name: install policycoreutils-python
+      package:
+        name: policycoreutils-python
+        state: present
+      register: result
+      until: result is succeeded
+      when: ansible_facts['distribution_major_version'] == '7'
+
+    - name: install python3-policycoreutils on RHEL 8
+      package:
+        name: python3-policycoreutils
+        state: present
+      register: result
+      until: result is succeeded
+      when:
+        - inventory_hostname in groups.get(nfs_group_name, [])
+          or inventory_hostname in groups.get(rgwloadbalancer_group_name, [])
+        - ansible_facts['distribution_major_version'] == '8'
diff --git a/roles/ceph-nfs/tasks/ganesha_selinux_fix.yml b/roles/ceph-nfs/tasks/ganesha_selinux_fix.yml
diff --git a/roles/ceph-nfs/tasks/main.yml b/roles/ceph-nfs/tasks/main.yml
@@ -19,12 +19,28 @@
   import_tasks: create_rgw_nfs_user.yml
   when: groups.get(mon_group_name, []) | length > 0
 
+- name: install nfs-ganesha-selinux on RHEL 8
+  package:
+    name: nfs-ganesha-selinux
+    state: present
+  register: result
+  until: result is succeeded
+  when:
+    - not containerized_deployment | bool
+    - inventory_hostname in groups.get(nfs_group_name, [])
+    - ansible_facts['os_family'] == 'RedHat'
+    - ansible_facts['distribution_major_version'] == '8'
+
 # NOTE (leseb): workaround for issues with ganesha and librgw
-- name: include ganesha_selinux_fix.yml
-  import_tasks: ganesha_selinux_fix.yml
+- name: add ganesha_t to permissive domain
+  selinux_permissive:
+    name: ganesha_t
+    permissive: true
+  failed_when: false
   when:
     - not containerized_deployment | bool
     - ansible_facts['os_family'] == 'RedHat'
+    - ansible_facts['selinux']['status'] == 'enabled'
 
 - name: nfs with external ceph cluster task related
   when:

diff --git a/roles/ceph-rgw-loadbalancer/tasks/pre_requisite.yml b/roles/ceph-rgw-loadbalancer/tasks/pre_requisite.yml
@@ -35,7 +35,9 @@
     - restart keepalived
 
 - name: selinux related tasks
-  when: ansible_facts['os_family'] == 'RedHat'
+  when:
+    - ansible_facts['os_family'] == 'RedHat'
+    - ansible_facts['selinux']['status'] == 'enabled'
   block:
     - name: set_fact rgw_ports
       set_fact: