From 3d747b720051ed053f2e36b5679862b92265443b Mon Sep 17 00:00:00 2001
From: Michal Arbet <michal.arbet@ultimum.io>
Date: Mon, 8 Jun 2020 11:12:19 +0200
Subject: [PATCH] Remove chrony package if containerized chrony is enabled

This patch is removing chrony package
from docker host when containerized chrony is enabled.
It is also fixing issue with chrony container running
under Ubuntu docker host as noted below.

+ exec /usr/sbin/chronyd -d -f /etc/chrony/chrony.conf
2020-06-08T08:19:09Z chronyd version 3.4 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SIGND +ASYNCDNS +SECHASH +IPV6 -DEBUG)
2020-06-08T08:19:09Z Fatal error : Could not open configuration file /etc/chrony/chrony.conf : Permission denied

Also added removal of the AppArmor profile on Ubuntu when
containerized chrony is enabled, because removing the chrony
package does not remove its AppArmor profile, and
containerized chrony therefore does not work.

Change-Id: Icf3bbae38b9f5630b69d5c8cf6a8bee11786a836
Closes-Bug: #1882513
---
 ansible/roles/baremetal/defaults/main.yml        |  2 ++
 ansible/roles/baremetal/tasks/post-install.yml   | 16 ++++++++++++++++
 ...hrony-permission-denied-917b3bffc5cdb38d.yaml |  6 ++++++
 3 files changed, 24 insertions(+)
 create mode 100644 releasenotes/notes/bug-1882513-chrony-permission-denied-917b3bffc5cdb38d.yaml

diff --git a/ansible/roles/baremetal/defaults/main.yml b/ansible/roles/baremetal/defaults/main.yml
index 6fa555bbb..f74ae19f7 100644
--- a/ansible/roles/baremetal/defaults/main.yml
+++ b/ansible/roles/baremetal/defaults/main.yml
@@ -60,11 +60,13 @@ ubuntu_pkg_removals:
  - lxc
  - libvirt-bin
  - open-iscsi
+ - "{% if enable_chrony | bool %}chrony{% endif %}"
 
 redhat_pkg_removals:
  - libvirt
  - libvirt-daemon
  - iscsi-initiator-utils
+ - "{% if enable_chrony | bool %}chrony{% endif %}"
 
 # Path to a virtualenv in which to install python packages. If None, a
 # virtualenv will not be used.
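Review bot: The two added list items render to an empty string when `enable_chrony` is false, so `ubuntu_pkg_removals` and `redhat_pkg_removals` then carry a `""` entry instead of simply omitting chrony. The task that consumes these lists is outside this diff, so whether an empty package name is ignored or rejected cannot be confirmed here; filtering at the point of use, e.g. `{{ ubuntu_pkg_removals | select | list }}`, would make this independent of the package module's behaviour. A comment above each item would also help, such as `# host chronyd conflicts with the containerized chrony; removed only when enable_chrony is true`. Once the package is removed, the host presumably has no time synchronisation until the chrony container is running, which matters for certificate validation and log correlation, so the ordering deserves a line in the role's documentation.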
diff --git a/ansible/roles/baremetal/tasks/post-install.yml b/ansible/roles/baremetal/tasks/post-install.yml
index 6b2d2a0f1..2616a9734 100644
--- a/ansible/roles/baremetal/tasks/post-install.yml
+++ b/ansible/roles/baremetal/tasks/post-install.yml
@@ -146,6 +146,22 @@
     - ansible_distribution == "Ubuntu"
     - apparmor_libvirtd_profile.stat.exists
 
+- name: Get stat of chronyd apparmor profile
+  stat:
+    path: /etc/apparmor.d/usr.sbin.chronyd
+  register: apparmor_chronyd_profile
+  when:
+    - ansible_os_family == "Debian"
+    - enable_chrony | bool
+
+- name: Remove apparmor profile for chrony
+  command: apparmor_parser -R /etc/apparmor.d/usr.sbin.chronyd
+  become: True
+  when:
+    - ansible_os_family == "Debian"
+    - enable_chrony | bool
+    - apparmor_chronyd_profile.stat.exists
+
 - name: Create docker group
   group:
     name: docker
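Review bot: The `Remove apparmor profile for chrony` task is gated on the profile file existing, not on the profile being loaded. `apparmor_parser -R` only unloads the profile from the kernel and leaves `/etc/apparmor.d/usr.sbin.chronyd` in place. If that file survives the package removal, the condition stays true on every later run, so the command is re-executed, always reports changed, and may fail once the profile is no longer loaded. The profile can presumably also be loaded again when AppArmor reloads its profiles, for example at boot. Gate the unload on the loaded state, add a `changed_when`, and at minimum add the comment `# -R unloads the profile from the kernel only; the file under /etc/apparmor.d is left in place`. The new conditions use `ansible_os_family == "Debian"`, whereas the preceding task's visible condition is `ansible_distribution == "Ubuntu"` and the commit message mentions only Ubuntu. The hunk starts inside that preceding task and ends inside `Create docker group`.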
diff --git a/releasenotes/notes/bug-1882513-chrony-permission-denied-917b3bffc5cdb38d.yaml b/releasenotes/notes/bug-1882513-chrony-permission-denied-917b3bffc5cdb38d.yaml
new file mode 100644
index 000000000..53a62d01d
--- /dev/null
+++ b/releasenotes/notes/bug-1882513-chrony-permission-denied-917b3bffc5cdb38d.yaml
@@ -0,0 +1,6 @@
+---
+fixes:
+  - |
+    Removing chrony package and AppArmor profile from docker host if
+    containerized chrony is enabled.
+    `LP#1882513 <https://bugs.launchpad.net/kolla-ansible/+bug/1882513>`__
-- 
GitLab