puppet-manifests: Added apparmor rule for /etc/ntp_initial.conf

'/etc/ntp_initial.conf' is created by puppet ntp module and it is impossible to be assigned the read/write permission by the default apparmor profile '/etc/apparmor.d/usr.sbin.ntpd'. This commit uses the puppet command to add the 'r' permission to '/etc/ntp_initial.conf' after it is created by puppet ntp module. Test Plan: Pass: Deploy the iso on an AIO-SX Execute following steps to enable app-armor #system host-lock controller-0 #system hos-update controller-0 apparmor=enabled #system host-unlock controller-0 No delay/timeout of 180 secs be seen in the [puppet.log] Closes-Bug: 2020773 Change-Id: Iff5f8711db95ebc09b0a551cfbc48d5844461887 Signed-off-by: Haiqing Bai <haiqing.bai@windriver.com>
2023-05-25 18:12:47 +08:00 · 2023-05-25 18:12:47 +08:00 · a5615ce766
commit a5615ce766
parent bad31f6be6
1 changed files with 16 additions and 13 deletions
--- a/puppet-manifests/src/modules/platform/manifests/ntp.pp
+++ b/puppet-manifests/src/modules/platform/manifests/ntp.pp
@ -1,23 +1,25 @@
+class platform::ntp::apparmor {
+  exec { 'apparmor-update-ntpd':
+    command => "sed -i '/\\/etc\\/ntp.conf r,/a\\ \\ \\/etc\\/ntp_initial.conf r,' /etc/apparmor.d/usr.sbin.ntpd",
+    unless  => "grep -q '/etc/ntp_initial.conf r,' /etc/apparmor.d/usr.sbin.ntpd",
+    notify  => Exec['reload-apparmor-ntp-profile'],
+  }
+
+  exec { 'reload-apparmor-ntp-profile':
+    command     => '/usr/sbin/apparmor_parser -vTr /etc/apparmor.d/usr.sbin.ntpd',
+    refreshonly => true
+  }
+}
 class platform::ntp (
  $ntpdate_timeout,
  $servers = [],
  $enabled = true,
 )
 {
+  include platform::ntp::apparmor
  # Setting ntp service name
-  case $::osfamily {
-    'RedHat': {
-      $ntp_service_name = 'ntpd'
-      $ntp_pmon_conf_template = 'platform/ntp.pmon.conf.erb'
-    }
-    'Debian': {
-      $ntp_service_name = 'ntp'
-      $ntp_pmon_conf_template = 'platform/ntp_debian.pmon.conf.erb'
-    }
-    default: {
-      fail("unsuported osfamily ${::osfamily}, currently Debian and Redhat are the only supported platforms")
-    }
-  }
+  $ntp_service_name = 'ntp'
+  $ntp_pmon_conf_template = 'platform/ntp_debian.pmon.conf.erb'

  if $enabled {
    $pmon_ensure = 'link'
@ -26,6 +28,7 @@ class platform::ntp (
  }

  File['ntp_config']
+  -> Class['platform::ntp::apparmor']
  -> File['ntp_config_initial']
  -> file { 'ntp_pmon_config':
    ensure  => file,