diff --git a/docsite/rst/intro_configuration.rst b/docsite/rst/intro_configuration.rst
index 190c0cf6be..0bc6fbfad7 100644
--- a/docsite/rst/intro_configuration.rst
+++ b/docsite/rst/intro_configuration.rst
@@ -952,6 +952,17 @@ The default list is: nfs,vboxsf,fuse,ramfs::
 special_context_filesystems = nfs,vboxsf,fuse,ramfs,myspecialfs
+libvirt_lxc_noseclabel
+======================
+
+.. versionadded:: 2.1
+
+This setting causes libvirt to connect to lxc containers by passing --noseclabel to virsh.
+This is necessary when running on systems which do not have SELinux.
+The default behavior is no::
+
+ libvirt_lxc_noseclabel = True
+
 Galaxy Settings
 ---------------
diff --git a/examples/ansible.cfg b/examples/ansible.cfg
index 6c265e9bf2..8465ccca4b 100644
--- a/examples/ansible.cfg
+++ b/examples/ansible.cfg
@@ -278,6 +278,9 @@
 # needs to be changed to use the file system dependent context.
 #special_context_filesystems=nfs,vboxsf,fuse,ramfs
+# Set this to yes to allow libvirt_lxc connections to work without SELinux.
+#libvirt_lxc_noseclabel = yes
+
 [colors]
 #higlight = white
 #verbose = blue
diff --git a/lib/ansible/constants.py b/lib/ansible/constants.py
index 796073c95b..4def61e1aa 100644
--- a/lib/ansible/constants.py
+++ b/lib/ansible/constants.py
@@ -167,6 +167,7 @@ DEFAULT_NO_TARGET_SYSLOG = get_config(p, DEFAULTS, 'no_target_syslog', 'ANSIBL
 # selinux
 DEFAULT_SELINUX_SPECIAL_FS = get_config(p, 'selinux', 'special_context_filesystems', None, 'fuse, nfs, vboxsf, ramfs', islist=True)
+DEFAULT_LIBVIRT_LXC_NOSECLABEL = get_config(p, 'selinux', 'libvirt_lxc_noseclabel', 'LIBVIRT_LXC_NOSECLABEL', False, boolean=True)
 ### PRIVILEGE ESCALATION ###
 # Backwards Compat
diff --git a/lib/ansible/plugins/connection/libvirt_lxc.py b/lib/ansible/plugins/connection/libvirt_lxc.py
index 03e9771a2e..9c4d6eac27 100644
--- a/lib/ansible/plugins/connection/libvirt_lxc.py
+++ b/lib/ansible/plugins/connection/libvirt_lxc.py
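Review bot: In lib/ansible/constants.py the new `DEFAULT_LIBVIRT_LXC_NOSECLABEL` line reads the environment variable `LIBVIRT_LXC_NOSECLABEL`, which lacks the `ANSIBLE_` prefix that the truncated `no_target_syslog` line in the hunk header appears to use. An unprefixed name is easier to inherit unnoticed from a parent environment, and this one switches off security labelling for every libvirt_lxc command. I would name it `'ANSIBLE_LIBVIRT_LXC_NOSECLABEL'` and mention the variable in the intro_configuration.rst entry, which documents only the ini key. That entry also says the default is "no" while its example sets `True` and examples/ansible.cfg uses `yes`; one spelling throughout would read better.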
@@ -88,7 +88,12 @@ class Connection(ConnectionBase):
 return the process's exit code immediately.
 '''
 executable = C.DEFAULT_EXECUTABLE.split()[0] if C.DEFAULT_EXECUTABLE else '/bin/sh'
- local_cmd = [self.virsh, '-q', '-c', 'lxc:///', 'lxc-enter-namespace', self.lxc, '--', executable , '-c', cmd]
+ local_cmd = [self.virsh, '-q', '-c', 'lxc:///', 'lxc-enter-namespace']
+
+ if C.DEFAULT_LIBVIRT_LXC_NOSECLABEL:
+ local_cmd += ['--noseclabel']
+
+ local_cmd += [self.lxc, '--', executable, '-c', cmd]
 display.vvv("EXEC %s" % (local_cmd,), host=self.lxc)
 local_cmd = [to_bytes(i, errors='strict') for i in local_cmd]
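Review bot: The `if C.DEFAULT_LIBVIRT_LXC_NOSECLABEL:` branch needs a comment stating what the flag gives up. `--noseclabel` tells `virsh lxc-enter-namespace` not to switch the spawned process to the container's security label, so on a host where SELinux is enforcing the command would no longer run under the container's confinement. The value is read from the global constants rather than per host, so a single `True` in ansible.cfg applies to every libvirt_lxc target in the run. I would add above the branch `# --noseclabel: do not apply the container's SELinux label to the command; needed on hosts without SELinux, leave off where SELinux is enforcing`. The enclosing method starts above the hunk and continues below it, so its callers are not visible here.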