libvirt: make it possible to run libvirt on the host

markgoddard · markgoddard · commit 1152fc60e7d2 · 2022-03-22T12:49:46.000Z
In some cases it may be desirable to run the libvirt daemon on the host. For example, when mixing host and container OS distributions or versions. This change implements changes to the baremetal role necessary to disable the nova_libvirt container. In this case we should not remove libvirt packages from the host, nor should we remove the AppArmor profile for libvirt on Ubuntu hosts. Needed-By: https://review.opendev.org/c/openstack/kolla-ansible/+/825357 Change-Id: I8dbe805cea66bd04374b36a4e8876da9b05b2045 (cherry picked from commit efd3335f6d8add0a4bf15f98bb744e990352bbfb)
diff --git a/ansible/roles/baremetal/defaults/main.yml b/ansible/roles/baremetal/defaults/main.yml
@@ -68,13 +68,13 @@ redhat_pkg_install:
 ubuntu_pkg_removals:
  - lxd
  - lxc
- - libvirt-bin
+ - "{% if enable_nova_libvirt_container | bool %}libvirt-bin{% endif %}"
  - open-iscsi
  - "{% if enable_chrony | bool %}chrony{% endif %}"
 
 redhat_pkg_removals:
- - libvirt
- - libvirt-daemon
+ - "{% if enable_nova_libvirt_container | bool %}libvirt{% endif %}"
+ - "{% if enable_nova_libvirt_container | bool %}libvirt-daemon{% endif %}"
  - iscsi-initiator-utils
  - "{% if enable_chrony | bool %}chrony{% endif %}"
 
@@ -86,3 +86,6 @@ virtualenv:
 # directory. This is typically required for modules such as yum and apt which
 # are not available on PyPI.
 virtualenv_site_packages: True
+
+# Whether to remove the AppArmor libvirt profile on Ubuntu hosts.
+apparmor_remove_libvirt_profile: "{{ enable_nova_libvirt_container | bool }}"
diff --git a/ansible/roles/baremetal/tasks/post-install.yml b/ansible/roles/baremetal/tasks/post-install.yml
@@ -188,29 +188,30 @@
     daemon_reload: yes
   register: docker_reloaded
 
-- name: Get stat of libvirtd apparmor profile
-  stat:
-    path: /etc/apparmor.d/usr.sbin.libvirtd
-  register: apparmor_libvirtd_profile
-  when: ansible_facts.distribution == "Ubuntu"
-
-- name: Get stat of libvirtd apparmor disable profile
-  stat:
-    path: /etc/apparmor.d/disable/usr.sbin.libvirtd
-  register: apparmor_libvirtd_disable_profile
-  when: ansible_facts.distribution == "Ubuntu"
-
-- name: Remove apparmor profile for libvirt
-  shell: |
-    apparmor_parser -v -R /etc/apparmor.d/usr.sbin.libvirtd && \
-    ln -vsf /etc/apparmor.d/usr.sbin.libvirtd /etc/apparmor.d/disable
-  args:
-    executable: /bin/bash
-  become: True
+- block:
+    - name: Get stat of libvirtd apparmor profile
+      stat:
+        path: /etc/apparmor.d/usr.sbin.libvirtd
+      register: apparmor_libvirtd_profile
+
+    - name: Get stat of libvirtd apparmor disable profile
+      stat:
+        path: /etc/apparmor.d/disable/usr.sbin.libvirtd
+      register: apparmor_libvirtd_disable_profile
+
+    - name: Remove apparmor profile for libvirt
+      shell: |
+        apparmor_parser -v -R /etc/apparmor.d/usr.sbin.libvirtd && \
+        ln -vsf /etc/apparmor.d/usr.sbin.libvirtd /etc/apparmor.d/disable
+      args:
+        executable: /bin/bash
+      become: True
+      when:
+        - apparmor_libvirtd_profile.stat.exists
+        - not apparmor_libvirtd_disable_profile.stat.exists
   when:
     - ansible_facts.distribution == "Ubuntu"
-    - apparmor_libvirtd_profile.stat.exists
-    - not apparmor_libvirtd_disable_profile.stat.exists
+    - apparmor_remove_libvirt_profile | bool
 
 - name: Get stat of chronyd apparmor profile
   stat:
