diff --git a/handlers/main.yml b/handlers/main.yml
index 7de608aa..3d6dbdc1 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -13,6 +13,11 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+- name: Reload apparmor
+ ansible.builtin.service:
+ name: apparmor
+ state: reloaded
+
 - name: Stop services
 ansible.builtin.service:
 name: "{{ item.service_name }}"
diff --git a/tasks/neutron_apparmor.yml b/tasks/neutron_apparmor.yml
index a4388e3b..86230c68 100644
--- a/tasks/neutron_apparmor.yml
+++ b/tasks/neutron_apparmor.yml
@@ -28,6 +28,21 @@
 enabled: true
 state: "started"
 
+- name: "Place required apparmor overrides"
+ ansible.builtin.copy:
+ content: "{{ item['content'] }}"
+ dest: "/etc/apparmor.d/local/{{ item['profile'] }}"
+ mode: "0644"
+ owner: root
+ group: root
+ loop: "{{ neutron_apparmor_profile_overrides }}"
+ loop_control:
+ label: "{{ item['profile'] }}"
+ when:
+ - item.condition | default(true)
+ notify:
+ - Reload apparmor
+
 - name: "Disable apparmor profile"
 ansible.builtin.shell: |
 # empty line to workaround bug in EnvVarsInCommandRule.py lint test
@@ -52,5 +67,3 @@
 process: "haproxy"
 - profile: "bin.ping"
 process: "ping"
- - profile: "usr.sbin.dnsmasq"
- process: "dnsmasq"
diff --git a/vars/debian.yml b/vars/debian.yml
index b948d2b1..0cf3d6ff 100644
--- a/vars/debian.yml
+++ b/vars/debian.yml
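Review bot: The "Place required apparmor overrides" task only notifies `Reload apparmor`, and a notified handler does not run until handlers are flushed, so on a fresh deploy the DHCP agent can spawn dnsmasq under the packaged `usr.sbin.dnsmasq` profile before the override in `/etc/apparmor.d/local/` has been loaded, and its reads of `/var/lib/neutron/dhcp/*/host`, `opts` and `addn_hosts` would be denied until the end of the play. Add `- ansible.builtin.meta: flush_handlers` directly after this task (or ahead of whatever starts the agent services, which is outside this hunk) so the profile is reloaded before dnsmasq is started. The commit also removes `usr.sbin.dnsmasq` from the disable list but adds nothing that re-enables the profile on hosts where a previous run already disabled it; the body of "Disable apparmor profile" is outside the hunk, so if it works by creating a link under `/etc/apparmor.d/disable/`, that link needs a matching removal or the new override is merged into a profile that is never enforced.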
@@ -51,6 +51,19 @@ neutron_apparmor_distro_packages:
 - apparmor-profiles
 - apparmor-utils
 
+neutron_apparmor_profile_overrides:
+ - profile: "usr.sbin.dnsmasq"
+ content: |
+ /etc/neutron/dnsmasq-neutron.conf r,
+ /openstack/venvs/neutron-*/etc/neutron/dnsmasq-neutron.conf r,
+ /var/lib/neutron/dhcp/*/leases rw,
+ /var/lib/neutron/dhcp/*/pid rw,
+ /var/lib/neutron/dhcp/*/host r,
+ /var/lib/neutron/dhcp/*/addn_hosts r,
+ /var/lib/neutron/dhcp/*/opts r,
+ /var/lib/neutron/dhcp/*/leases rw,
+ condition: "{{ (neutron_dhcp | bool and neutron_services['neutron-dhcp-agent']['group'] in group_names) }}"
+
 neutron_distro_packages:
 - conntrack
 - dnsmasq-base
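Review bot: The override `content` lists `/var/lib/neutron/dhcp/*/leases rw,` twice (third and last rule); drop the second copy so the rendered `local/usr.sbin.dnsmasq` reads as a minimal allow-list and a reviewer can see at a glance exactly which extra paths this role grants dnsmasq. The file is only effective if the packaged `usr.sbin.dnsmasq` profile actually includes `local/usr.sbin.dnsmasq`; that is the case for current Debian/Ubuntu profiles but is not verified anywhere in this diff, so a short comment above the variable such as `# Appended via the packaged profile's include of local/<profile>; verify the include exists on new distro releases` would record the dependency. The `*` globs here match a single path component, so the venv and per-network directories are scoped as intended.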