From 944e09e7690f64ffdda958b179dccc6724535aed Mon Sep 17 00:00:00 2001
From: Clark Boylan
Date: Fri, 20 Nov 2015 12:13:42 -0800
Subject: [PATCH] Allow haproxy to bind to all ports in selinux

By default haproxy can only bind to HTTP(S) ports all other ports can't be bound due to the selinux policy. Simple fix for this is to toggle the boolean that allows haproxy to bind any port in the selinux policy. Do this with an exec that first checks if the boolean is set.

Change-Id: I49c8bdc3586fa82cd954a6ef9be27f48f9a623ec
---
 manifests/site.pp | 1 +
 modules/openstack_project/manifests/git.pp | 8 ++++++++
 2 files changed, 9 insertions(+)

diff --git a/manifests/site.pp b/manifests/site.pp
index 1cada2af5c..2dd09b0e27 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -501,6 +501,7 @@ node /^elasticsearch0[1-7]\.openstack\.org$/ {
 
 # CentOS machines to load balance git access.
 # Node-OS: centos6
+# Node-OS: centos7
 node /^git(-fe\d+)?\.openstack\.org$/ {
 $group = "git-loadbalancer"
 class { 'openstack_project::git':
diff --git a/modules/openstack_project/manifests/git.pp b/modules/openstack_project/manifests/git.pp
index d4911a4099..23eb3479e6 100644
--- a/modules/openstack_project/manifests/git.pp
+++ b/modules/openstack_project/manifests/git.pp
@@ -127,6 +127,14 @@ class openstack_project::git (
 options => 'maxqueue 512',
 }
 
+ exec { 'haproxy_allow_bind_ports':
+ # If bool is already set don't set it again
+ onlyif => 'bash -c \'getsebool haproxy_connect_any | grep -q off\'',
+ command => 'setsebool -P haproxy_connect_any 1',
+ path => '/bin:/usr/sbin',
+ before => Service['haproxy'],
+ }
+
 file { '/etc/rsyslog.d/haproxy.conf':
 ensure => present,
 owner => 'root',
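Review bot: The new `haproxy_allow_bind_ports` exec in git.pp turns on `haproxy_connect_any`, which is broader than the "bind to all ports" the commit message describes. As far as I know, in the Red Hat targeted policy this boolean also lets the haproxy domain make outbound connections to any port, so the proxy loses most of its SELinux network confinement. If the balancer only needs a few extra listener ports, labelling just those ports (for example `semanage port -a -t http_port_t -p tcp <PORT>`) would keep the policy tight. If the boolean stays, Puppet's native type avoids the shell pipeline and is idempotent on its own: `selboolean { 'haproxy_connect_any': value => on, persistent => true, before => Service['haproxy'] }`. The enclosing class starts and ends outside the hunk, and since the node is also tagged centos6, whether the boolean exists on that release is worth confirming.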