Extend apparmor overrides for custom nova folder
In case an arbitrary folder is being used for Nova, more folders need to be allowed in apparmor. With that, we don't need to have any overrides by default, as they are all already present in the default aa-helper profile.

Change-Id: Ib7a03434dae9f838289fbb16bfeb6c640eeccfc2
Signed-off-by: Dmitriy Rabotyagov <dmitriy.rabotyagov@cleura.com>
1 changed files with 25 additions and 2 deletions
@@ -134,15 +134,16 @@
- nova-kvm
- nova-libvirt
- name:Set apparmor config (Ubuntu/Debian)
# TODO(noonedeadpunk): Clean up in 2026.2 cycle
- name:Clean up old apparmor config (Ubuntu/Debian)
ansible.builtin.lineinfile:
dest:"/etc/apparmor.d/local/usr.lib.libvirt.virt-aa-helper"
line:" {{ nova_system_home_folder }}/instances/_base/* r,"
backup:true
create:true
owner:"root"
group:"root"
mode:"0644"
state:absent
when:
- ansible_facts['distribution'] == 'Ubuntu' or ansible_facts['distribution'] == 'Debian'
notify:Reload apparmor profile
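Review bot: `create: true` on the `Clean up old apparmor config (Ubuntu/Debian)` task is dead configuration now that the task carries `state: absent`; Ansible documents `create` as used only with `state: present`, and keeping it reads as if the clean-up could still create `/etc/apparmor.d/local/usr.lib.libvirt.virt-aa-helper`. Drop `create: true` (and, since the only purpose of this task is to remove one line, consider dropping `backup: true` too, otherwise each host that still has the old rule gets a timestamped copy of its AppArmor override left beside the live one). The `# TODO(noonedeadpunk): Clean up in 2026.2 cycle` marker is good; an explicit note that the removed line is the former `instances/_base/* r,` grant would make the eventual deletion easier to verify against the new blockinfile task.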
@@ -151,6 +152,28 @@
- nova-kvm
- nova-libvirt
- name:Set apparmor overrides (Ubuntu/Debian)
ansible.builtin.blockinfile:
dest:"/etc/apparmor.d/local/usr.lib.libvirt.virt-aa-helper"
block:|
# arbitrary path to nova home folder
{{ nova_system_home_folder }}/images/** r,
{{ nova_system_home_folder }}/instances/_base/** r,
{{ nova_system_home_folder }}/instances/snapshots/** r,
create:true
owner:"root"
group:"root"
mode:"0644"
marker:"# {mark} OPENSTACK-ANSIBLE MANAGED BLOCK"
when:
- ansible_facts['distribution'] == 'Ubuntu' or ansible_facts['distribution'] == 'Debian'
- nova_system_home_folder != '/var/lib/nova'
notify:Reload apparmor profile
tags:
- nova-config
- nova-kvm
- nova-libvirt
- name:Including nova_disable_smt tasks
ansible.builtin.include_tasks:nova_disable_smt.yml
when:
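Review bot: the `Set apparmor overrides (Ubuntu/Debian)` task only runs when `nova_system_home_folder != '/var/lib/nova'`, and nothing removes the managed block when an operator later moves Nova back to the default path, so the custom-path read grants (`images/**`, `instances/_base/**`, `instances/snapshots/**`) stay in `usr.lib.libvirt.virt-aa-helper` indefinitely. Because the block is delimited by `# {mark} OPENSTACK-ANSIBLE MANAGED BLOCK`, the simplest fix is to run the blockinfile task unconditionally (apart from the distribution check) and compute the state, e.g. `state: "{{ 'present' if nova_system_home_folder != '/var/lib/nova' else 'absent' }}"`, so that the same marker is cleared when the override is no longer needed; the `Reload apparmor profile` handler already covers both directions. The grants themselves are read-only, which is the minimum virt-aa-helper needs here, so no widening of the profile is introduced by this hunk.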