From 3aae0b7e408505dceb72852c3eadde239809d969 Mon Sep 17 00:00:00 2001
From: entlein <einentlein@gmail.com>
Date: Wed, 29 Jun 2022 13:49:47 +0200
Subject: [PATCH] trying to add a wait condition to switch on SELinux once
 Openstack has booted

---
 roles/rke2/tasks/fix_selinux.yml | 12 ++++++++-
 roles/rke2/tasks/setup_host.yml  | 46 ++++++--------------------------
 2 files changed, 19 insertions(+), 39 deletions(-)

diff --git a/roles/rke2/tasks/fix_selinux.yml b/roles/rke2/tasks/fix_selinux.yml
index 0d8c76b..a5217d1 100644
--- a/roles/rke2/tasks/fix_selinux.yml
+++ b/roles/rke2/tasks/fix_selinux.yml
@@ -52,4 +52,14 @@
       - setroubleshoot      
       - python3-libselinux
       - policycoreutils-python-utils
-    state: absent
\ No newline at end of file
+    state: absent
+#rancher    40814  0.1  0.3 751524 58892 ?        Ssl  05:02   0:16 /bin/openstack-cloud-controller-manager --v=2 --cloud-config=/etc/config/cloud.conf --cluster-name=kubernetes --cloud-provider=openstack --use-service-account-credentials=true --controllers=cloud-node,cloud-node-lifecycle,route,service --bind-address=127.0.0.1 --cluster-name=rke2-cluster-beta
+
+- name: wait for openstack-cloud-controller to have booted (very indirect and stupid method)
+  wait_for:
+    path:  /var/lib/kubelet/pods/*/containers/rke2-ingress-nginx-controller
+
+- name: Enable SELinux
+  selinux:
+    policy: targeted
+    state: enforcing
\ No newline at end of file
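Review bot: The new `wait_for` task passes a `path` containing `*`, and as far as I know `wait_for` checks that path literally rather than expanding globs, so the wait would run to its timeout and fail, and the `Enable SELinux` task after it would never run. The node then stays in whatever mode setup_host.yml left it, which is permissive after this commit. A `find` with `until`/`retries` matches the directory by name instead, as sketched below (the retry and delay values are illustrative). Separately, the context lines above end a task with `state: absent` over a list that includes `python3-libselinux`; if that task removes packages, the `selinux` module used here may be missing its Python bindings on the target, which is worth confirming. The pasted `ps` output line would read better as a short comment naming the process being waited for.

```yaml
# … unchanged: preceding task ending in "state: absent" …
- name: wait for the rke2-ingress-nginx-controller container directory to appear
  find:
    paths: /var/lib/kubelet/pods
    patterns: rke2-ingress-nginx-controller
    file_type: directory
    recurse: yes
  register: ingress_dirs
  until: ingress_dirs.matched > 0
  retries: 60
  delay: 10
# … unchanged: "Enable SELinux" task (policy: targeted, state: enforcing) …
```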
diff --git a/roles/rke2/tasks/setup_host.yml b/roles/rke2/tasks/setup_host.yml
index e1e7e15..db99315 100644
--- a/roles/rke2/tasks/setup_host.yml
+++ b/roles/rke2/tasks/setup_host.yml
@@ -69,44 +69,20 @@
 - name: Enable SELinux
   selinux:
     policy: targeted
-    #state: permissive
-    state: enforcing
+    state: permissive
+    #state: enforcing
 
 
 #Download the mozilla root CA into the right directory, and update the trust chain
-- name: Download root CA
-  get_url:
-    url: https://curl.se/ca/cacert.pem
-    dest: /etc/ssl/certs
+#- name: Download root CA
+#  get_url:
+#    url: https://curl.se/ca/cacert.pem
+#    dest: /etc/ssl/certs
 
-- name: Update CA trust
-  shell: update-ca-trust
+#- name: Update CA trust
+#  shell: update-ca-trust
 
 
-
-#yes, I know....
-#- name: Copy SELinux Policies- Master
-#  template:
-#    src: ../selinux/my-openstackcloud-mgmt.pp
-#    dest: /etc/selinux/targeted/policy/my-openstackcloud.pp
-#  when: "'master' in group_names"
-
-#- name: Copy SELinux Policies - Server 1
-#  template:
-#    src: ../selinux/my-openstackcloud-server1.pp
-#    dest: /etc/selinux/targeted/policy/my-openstackcloud.pp
-#  when: inventory_hostname=="k8s-server-001"  
-
-#- name: Copy SELinux Policies - Server 2
-#  template:
-#    src: ../selinux/my-openstackcloud-server2.pp
-#    dest: /etc/selinux/targeted/policy/my-openstackcloud.pp
-#  when: inventory_hostname=="k8s-server-002" 
-
-#- name: Activate SELinux Policies Exceptions on ControlPlane
-#  shell: semodule -i /etc/selinux/targeted/policy/my-openstackcloud.pp 
-#  when: "'control-plane' in group_names"
-
 - name: Ensure /var/lib/rancher/rke2/server/manifests
   file:
     path: /var/lib/rancher/rke2/server/manifests
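Review bot: The task at the top of this hunk is still named `Enable SELinux` but now sets `state: permissive`, with the enforcing value left as a commented-out line, so a reader of setup_host.yml alone cannot tell that enforcement is deferred to fix_selinux.yml. I would rename it, e.g. `- name: Set SELinux to permissive during bootstrap`, and replace `#state: enforcing` with a comment such as `# enforcing is applied in fix_selinux.yml once the cluster is up`. Because a failed or skipped fix_selinux.yml run leaves the node permissive, a final check of the SELinux mode at the end of the play would make that state visible instead of silent. The commented-out `Download root CA` and `Update CA trust` tasks would be cleaner deleted outright, as this hunk already does for the old policy-copy tasks.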
@@ -118,12 +94,6 @@
     path: /etc/rancher/rke2
     state: directory
     recurse: yes
-#TODO needs to be rewritten for dnf
-#- name: update package cache
-#  apt:
-#    update_cache: yes
-#  when: dist_upgrade
-
 
 #- name: upgrade packages
 #  apt: 
-- 
GitLab