
Commit 2bdb7313 authored by entlein's avatar entlein

adding iptables exception SELinux policies

parent 83fbc717
1 merge request!1Restore main as the default branch
module my-iptables 1.0;
require {
type iptables_t;
type cgroup_t;
class dir ioctl;
}
#============= iptables_t ==============
allow iptables_t cgroup_t:dir ioctl;
\ No newline at end of file
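Review bot: The allow rule on the last line grants iptables_t every ioctl request on cgroup_t directories, and nothing in the module records which AVC denial it was written for, so a later reviewer cannot tell whether the grant is wider than the one operation that failed. Add the originating denial as a comment above the rule, e.g. `# lets xtables-nft-multi ioctl the cgroup dir; generated from AVC: <paste the audit2allow input here>`. If the policy toolchain on these hosts supports extended permissions, the grant can be narrowed to the single request code with `allowxperm iptables_t cgroup_t:dir ioctl { <IOCTL_REQUEST_CODE> };` following the allow line. The file also lacks a trailing newline.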
...@@ -6,7 +6,7 @@ ...@@ -6,7 +6,7 @@
- block: - block:
- include_tasks: setup_host.yml - include_tasks: setup_host.yml
- include_tasks: install_rke2.yml - include_tasks: install_rke2.yml
# when: ( not rke2_installed.stat.exists and state != 'absent' ) or (upgrade and state != 'absent' ) when: ( not rke2_installed.stat.exists and state != 'absent' ) or (upgrade and state != 'absent' )
- include_tasks: templates.yml - include_tasks: templates.yml
when: "state != 'absent' and 'master' in group_names " when: "state != 'absent' and 'master' in group_names "
......
...@@ -71,21 +71,26 @@ ...@@ -71,21 +71,26 @@
name: etcd name: etcd
group: etcd group: etcd
- name: Reboot but not on upgrades, so kernel updates only install at initial runs
ansible.builtin.reboot:
reboot_timeout: 3600
when: ( not upgrade )
- name: Download root CA - name: Download root CA
get_url: get_url:
url: https://curl.se/ca/cacert.pem url: https://curl.se/ca/cacert.pem
dest: /etc/ssl/certs dest: /etc/ssl/certs
- name: Update CA trust
shell: update-ca-trust
- name: Disable SELinux - name: Disable SELinux
selinux: selinux:
policy: targeted policy: targeted
state: permissive state: permissive
when: ( 'control-plane' in group_names ) when: ( 'control-plane' in group_names )
- name: Update CA trust
shell: update-ca-trust
- name: Copy SELinux Policies - name: Copy SELinux Policies
template: template:
src: ../selinux/my-openstack.te src: ../selinux/my-openstack.te
...@@ -99,6 +104,19 @@ ...@@ -99,6 +104,19 @@
semodule -i /etc/selinux/targeted/policy/my-openstack.pp semodule -i /etc/selinux/targeted/policy/my-openstack.pp
when: ( 'control-plane' in group_names ) when: ( 'control-plane' in group_names )
- name: Copy SELinux Policies for new Kernel ()
template:
src: ../selinux/my-iptables.te
dest: /etc/selinux/targeted/policy/my-iptables.te
#when: ( 'control-plane' in group_names )
- name: Build SELinux exception module & allow xtables-nft-multi ioctl access on the cgroup directory
shell: |
checkmodule -M -m -o /etc/selinux/targeted/policy/my-iptables.mod /etc/selinux/targeted/policy/my-iptables.te
semodule_package -o /etc/selinux/targeted/policy/my-iptables.pp -m /etc/selinux/targeted/policy/my-iptables.mod
semodule -i /etc/selinux/targeted/policy/my-iptables.pp
#when: ( 'control-plane' in group_names )
- name: Ensure /var/lib/rancher/rke2/server/manifests - name: Ensure /var/lib/rancher/rke2/server/manifests
file: file:
path: /var/lib/rancher/rke2/server/manifests path: /var/lib/rancher/rke2/server/manifests
...@@ -111,10 +129,3 @@ ...@@ -111,10 +129,3 @@
state: directory state: directory
recurse: yes recurse: yes
#- name: reboot (make sure SELinux is off)
# shell: |
# systemctl reboot
- name: Reboot but not on upgrades, so kernel updates only install at initial runs
ansible.builtin.reboot:
reboot_timeout: 3600
when: ( not upgrade )
\ No newline at end of file
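Review bot: In the @@ -99,6 +104,19 @@ hunk, the new "Build SELinux exception module" task rebuilds and reinstalls the my-iptables module on every run of the play, because the shell task has no `when`, no `creates` and no `changed_when`, so each run reports a change and reloads policy. The template task just above it can gate the rebuild: `register: iptables_te` on the template task and `when: iptables_te.changed` on the shell task limit it to runs where the .te content actually changed. Both new tasks also carry a commented-out `#when: ( 'control-plane' in group_names )` while the sibling my-openstack tasks keep that guard; if running on every node is intended, the task name, which currently ends in an empty `()`, should say so instead of leaving the guard as a dead comment.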