Merge pull request #14910 from mattclay/libvirt-no-selinux

Add noseclabel support to libvirt_lxc plugin.
2024-09-14 20:13:21 +02:00 · 2016-03-11 00:24:05 +00:00 · 2016-03-11 00:24:05 +00:00 · 32a1662ad0
commit 32a1662ad0
parent 8a42f3417c ba1bcdfc17
4 changed files with 21 additions and 1 deletions
--- a/docsite/rst/intro_configuration.rst
+++ b/docsite/rst/intro_configuration.rst
@ -952,6 +952,17 @@ The default list is: nfs,vboxsf,fuse,ramfs::

    special_context_filesystems = nfs,vboxsf,fuse,ramfs,myspecialfs

+libvirt_lxc_noseclabel
+======================
+
+.. versionadded:: 2.1
+
+This setting causes libvirt to connect to lxc containers by passing --noseclabel to virsh.
+This is necessary when running on systems which do not have SELinux.
+The default behavior is no::
+
+    libvirt_lxc_noseclabel = True
+
 Galaxy Settings
 ---------------

--- a/examples/ansible.cfg
+++ b/examples/ansible.cfg
@ -278,6 +278,9 @@
 # needs to be changed to use the file system dependent context.
 #special_context_filesystems=nfs,vboxsf,fuse,ramfs

+# Set this to yes to allow libvirt_lxc connections to work without SELinux.
+#libvirt_lxc_noseclabel = yes
+
 [colors]
 #higlight = white
 #verbose = blue
--- a/lib/ansible/constants.py
+++ b/lib/ansible/constants.py
@ -167,6 +167,7 @@ DEFAULT_NO_TARGET_SYSLOG   = get_config(p, DEFAULTS, 'no_target_syslog', 'ANSIBL

 # selinux
 DEFAULT_SELINUX_SPECIAL_FS = get_config(p, 'selinux', 'special_context_filesystems', None, 'fuse, nfs, vboxsf, ramfs', islist=True)
+DEFAULT_LIBVIRT_LXC_NOSECLABEL = get_config(p, 'selinux', 'libvirt_lxc_noseclabel', 'LIBVIRT_LXC_NOSECLABEL', False, boolean=True)

 ### PRIVILEGE ESCALATION ###
 # Backwards Compat
--- a/lib/ansible/plugins/connection/libvirt_lxc.py
+++ b/lib/ansible/plugins/connection/libvirt_lxc.py
@ -88,7 +88,12 @@ class Connection(ConnectionBase):
        return the process's exit code immediately.
        '''
        executable = C.DEFAULT_EXECUTABLE.split()[0] if C.DEFAULT_EXECUTABLE else '/bin/sh'
-        local_cmd = [self.virsh, '-q', '-c', 'lxc:///', 'lxc-enter-namespace', self.lxc, '--', executable , '-c', cmd]
+        local_cmd = [self.virsh, '-q', '-c', 'lxc:///', 'lxc-enter-namespace']
+
+        if C.DEFAULT_LIBVIRT_LXC_NOSECLABEL:
+            local_cmd += ['--noseclabel']
+
+        local_cmd += [self.lxc, '--', executable, '-c', cmd]

        display.vvv("EXEC %s" % (local_cmd,), host=self.lxc)
        local_cmd = [to_bytes(i, errors='strict') for i in local_cmd]