From 75f55d13ad9060b7821a6e7702a347debd785ee9 Mon Sep 17 00:00:00 2001
From: Maksim Malchuk <maksim.malchuk@gmail.com>
Date: Thu, 13 Jan 2022 14:28:13 +0300
Subject: [PATCH] Fix Apparmor libvirt profile removal

The apparmor_parser doesn't actually remove the file or create
the symlink in '/etc/apparmor.d/disable' itself, so the next run of the
baremetal role will fail with the error "Unable to remove "libvirtd"".
Moreover, after a reboot the profile is still active. We need to
disable the profile completely ourselves. This change fixes the
idempotency of the baremetal role.

Closes-Bug: #1960302
Change-Id: I162e417387393e806886b1c9ea8053b89778b4d1
Signed-off-by: Maksim Malchuk <maksim.malchuk@gmail.com>
---
 ansible/roles/baremetal/tasks/post-install.yml             | 6 +++++-
 ...-apparmor-libvirt-profile-removal-01db6ca6dd66879f.yaml | 7 +++++++
 2 files changed, 12 insertions(+), 1 deletion(-)
 create mode 100644 releasenotes/notes/fix-apparmor-libvirt-profile-removal-01db6ca6dd66879f.yaml

diff --git a/ansible/roles/baremetal/tasks/post-install.yml b/ansible/roles/baremetal/tasks/post-install.yml
index 55d31d836..1c23a49b7 100644
--- a/ansible/roles/baremetal/tasks/post-install.yml
+++ b/ansible/roles/baremetal/tasks/post-install.yml
@@ -201,7 +201,11 @@
   when: ansible_facts.distribution == "Ubuntu"
 
 - name: Remove apparmor profile for libvirt
-  command: apparmor_parser -R /etc/apparmor.d/usr.sbin.libvirtd
+  shell: |
+    apparmor_parser -v -R /etc/apparmor.d/usr.sbin.libvirtd && \
+    ln -vsf /etc/apparmor.d/usr.sbin.libvirtd /etc/apparmor.d/disable
+  args:
+    executable: /bin/bash
   become: True
   when:
     - ansible_facts.distribution == "Ubuntu"
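Review bot: The `&&` chain in the new `shell:` body makes the symlink in `/etc/apparmor.d/disable` depend on `apparmor_parser -R` succeeding, so on a host where the profile file exists but the profile is not currently loaded the task would, as far as the hunk shows, still fail with "Unable to remove" and never create the link; a `shell` task without `changed_when` also reports changed on every run. Splitting it into a `file` task with `state: link` that registers its result, followed by a `command` task that unloads the profile only when the link was just created, keeps the role idempotent and drops the need for a shell. The `when:` list continues past the end of the hunk, so part of this may already be guarded there. Because the task now turns off AppArmor confinement of libvirtd on the host persistently, a short comment above it stating why the host profile is disabled and what confines libvirtd instead would help anyone auditing the role.
```yaml
- name: Disable apparmor profile for libvirt
  file:
    src: /etc/apparmor.d/usr.sbin.libvirtd
    path: /etc/apparmor.d/disable/usr.sbin.libvirtd
    state: link
  become: True
  register: apparmor_libvirtd_disable
  # … unchanged: existing when: conditions …

- name: Remove apparmor profile for libvirt
  command: apparmor_parser -v -R /etc/apparmor.d/usr.sbin.libvirtd
  become: True
  when:
    - apparmor_libvirtd_disable is changed
```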
diff --git a/releasenotes/notes/fix-apparmor-libvirt-profile-removal-01db6ca6dd66879f.yaml b/releasenotes/notes/fix-apparmor-libvirt-profile-removal-01db6ca6dd66879f.yaml
new file mode 100644
index 000000000..80d800e26
--- /dev/null
+++ b/releasenotes/notes/fix-apparmor-libvirt-profile-removal-01db6ca6dd66879f.yaml
@@ -0,0 +1,7 @@
+---
+fixes:
+  - |
+    Fixes the baremetal role to avoid an error "Unable to remove "libvirtd".
+    Now the symlink /etc/apparmor.d/disable/usr.sbin.libvirtd is created by
+    the role.
+    `LP#1960302 <https://bugs.launchpad.net/kolla-ansible/+bug/1960302>`__
-- 
GitLab