)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"3202964d6ef59675ed4d942731c1c273faccb4b8","unresolved":true,"context_lines":[{"line_number":5,"context_line":"CommitDate: 2021-11-03 13:29:45 +0000"},{"line_number":6,"context_line":""},{"line_number":7,"context_line":"disable-selinux: Set to permissive"},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"Change-Id: I42933b0b7d55c69c9f6992e331fafb2e6c42d4d1"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":3,"id":"e5a924fa_cc1311f3","line":8,"updated":"2021-11-12 09:12:09.000000000","message":"Needs some justification. We disable it and go to the trouble of rebooting for a reason - to avoid audit logs filling up.","commit_id":"142964219910b66e1bff777552f453c2b9f7b0af"},{"author":{"_account_id":15197,"name":"Pierre Riteau","email":"pierre@stackhpc.com","username":"priteau","status":"StackHPC"},"change_message_id":"b2a699da2f83c7aeb5a1be4011a1f2308f4c74ee","unresolved":false,"context_lines":[{"line_number":5,"context_line":"CommitDate: 2021-11-03 13:29:45 +0000"},{"line_number":6,"context_line":""},{"line_number":7,"context_line":"disable-selinux: Set to permissive"},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"Change-Id: I42933b0b7d55c69c9f6992e331fafb2e6c42d4d1"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":3,"id":"bbb23dfb_f8714c5e","line":8,"in_reply_to":"e5a924fa_cc1311f3","updated":"2022-03-16 11:07:38.000000000","message":"Michael added a justification to the commit message.","commit_id":"142964219910b66e1bff777552f453c2b9f7b0af"},{"author":{"_account_id":15197,"name":"Pierre Riteau","email":"pierre@stackhpc.com","username":"priteau","status":"StackHPC"},"change_message_id":"e78d785a04fa3c8166497e3b5087452da8515b39","unresolved":true,"context_lines":[{"line_number":6,"context_line":""},{"line_number":7,"context_line":"selinux: default 
to permissive"},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"disable-selinux role has been renamed to selinux and now supports setting"},{"line_number":10,"context_line":"desired state."},{"line_number":11,"context_line":""},{"line_number":12,"context_line":"Previously Kayobe was defaulting to disabling and rebooted the host -"},{"line_number":13,"context_line":"to avoid audit logs filling up. This change allows operators to define"},{"line_number":14,"context_line":"desired SELinux state and defaults to permissive - to adhere to those site"},{"line_number":15,"context_line":"policies that require SELinux to be at least in permissive state."},{"line_number":16,"context_line":""},{"line_number":17,"context_line":"Change-Id: I42933b0b7d55c69c9f6992e331fafb2e6c42d4d1"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":6,"id":"32b616ef_7523d145","line":15,"range":{"start_line":9,"start_character":0,"end_line":15,"end_character":65},"updated":"2022-01-05 09:31:35.000000000","message":"Please wrap lines to 72 characters.","commit_id":"a371eb3306346f179ec6538c39a6e2a5de8c8266"},{"author":{"_account_id":15197,"name":"Pierre Riteau","email":"pierre@stackhpc.com","username":"priteau","status":"StackHPC"},"change_message_id":"b2a699da2f83c7aeb5a1be4011a1f2308f4c74ee","unresolved":false,"context_lines":[{"line_number":6,"context_line":""},{"line_number":7,"context_line":"selinux: default to permissive"},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"disable-selinux role has been renamed to selinux and now supports setting"},{"line_number":10,"context_line":"desired state."},{"line_number":11,"context_line":""},{"line_number":12,"context_line":"Previously Kayobe was defaulting to disabling and rebooted the host -"},{"line_number":13,"context_line":"to avoid audit logs filling up. 
This change allows operators to define"},{"line_number":14,"context_line":"desired SELinux state and defaults to permissive - to adhere to those site"},{"line_number":15,"context_line":"policies that require SELinux to be at least in permissive state."},{"line_number":16,"context_line":""},{"line_number":17,"context_line":"Change-Id: I42933b0b7d55c69c9f6992e331fafb2e6c42d4d1"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":6,"id":"1c8089d2_ffa1cb02","line":15,"range":{"start_line":9,"start_character":0,"end_line":15,"end_character":65},"in_reply_to":"32b616ef_7523d145","updated":"2022-03-16 11:07:38.000000000","message":"Done","commit_id":"a371eb3306346f179ec6538c39a6e2a5de8c8266"}],"/PATCHSET_LEVEL":[{"author":{"_account_id":15197,"name":"Pierre Riteau","email":"pierre@stackhpc.com","username":"priteau","status":"StackHPC"},"change_message_id":"bc40ad788c02391bfbc4ebc4e3210c655b2f89a4","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"9d729740_abe0de7d","updated":"2021-11-04 09:41:10.000000000","message":"Maybe the role should be named selinux now that it can set any state?","commit_id":"142964219910b66e1bff777552f453c2b9f7b0af"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"82d014aa6cd3ca41bf404ad0c8a1a9b924f7286b","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"9f97a58b_be56bd4a","updated":"2021-11-12 09:10:45.000000000","message":"See kolla_selinux_state in ansible/kolla-ansible.yml.","commit_id":"142964219910b66e1bff777552f453c2b9f7b0af"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"dada4f113d5a141702355461834adf289cf3830a","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"4b8405e2_60857906","updated":"2021-11-12 
09:14:11.000000000","message":"docs","commit_id":"142964219910b66e1bff777552f453c2b9f7b0af"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"3202964d6ef59675ed4d942731c1c273faccb4b8","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"dc71cd1c_ee13e1ba","updated":"2021-11-12 09:12:09.000000000","message":"reno etc","commit_id":"142964219910b66e1bff777552f453c2b9f7b0af"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"3202964d6ef59675ed4d942731c1c273faccb4b8","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"d00200e5_49988aaf","in_reply_to":"9d729740_abe0de7d","updated":"2021-11-12 09:12:09.000000000","message":"Agree","commit_id":"142964219910b66e1bff777552f453c2b9f7b0af"},{"author":{"_account_id":15197,"name":"Pierre Riteau","email":"pierre@stackhpc.com","username":"priteau","status":"StackHPC"},"change_message_id":"237322a1512fadfdcf56c625e52854b8b39e1eb3","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":11,"id":"09ebb8f3_185f8da0","updated":"2022-06-09 23:36:49.000000000","message":"recheck","commit_id":"90c334b0d81c636231a4fa82fd92c8af9d4dbb08"}],"ansible/releasenotes/notes/rename-disable-selinux-9053ff36792066bc.yaml":[{"author":{"_account_id":15197,"name":"Pierre Riteau","email":"pierre@stackhpc.com","username":"priteau","status":"StackHPC"},"change_message_id":"e78d785a04fa3c8166497e3b5087452da8515b39","unresolved":true,"context_lines":[{"line_number":5,"context_line":"    disabling selinux previously)."},{"line_number":6,"context_line":"upgrade:"},{"line_number":7,"context_line":"  - |"},{"line_number":8,"context_line":"    ``disable-selinux`` role has been renamed to ``selinux`` and so have been"},{"line_number":9,"context_line":"    variables"},{"line_number":10,"context_line":"    If you set one of them 
- please adapt your configuration to new names."},{"line_number":11,"context_line":"  - |"},{"line_number":12,"context_line":"    Kayobe now sets SELinux to permissive by default (compared to ``disabled``"},{"line_number":13,"context_line":"    previously). If you want to retain previous behaviour please set"}],"source_content_type":"text/x-yaml","patch_set":6,"id":"3d79aa2e_130fd018","line":10,"range":{"start_line":8,"start_character":0,"end_line":10,"end_character":74},"updated":"2022-01-05 09:31:35.000000000","message":"Missing dot after variables. Maybe add an example of the variable change?","commit_id":"a371eb3306346f179ec6538c39a6e2a5de8c8266"},{"author":{"_account_id":15197,"name":"Pierre Riteau","email":"pierre@stackhpc.com","username":"priteau","status":"StackHPC"},"change_message_id":"b2a699da2f83c7aeb5a1be4011a1f2308f4c74ee","unresolved":false,"context_lines":[{"line_number":5,"context_line":"    disabling selinux previously)."},{"line_number":6,"context_line":"upgrade:"},{"line_number":7,"context_line":"  - |"},{"line_number":8,"context_line":"    ``disable-selinux`` role has been renamed to ``selinux`` and so have been"},{"line_number":9,"context_line":"    variables"},{"line_number":10,"context_line":"    If you set one of them - please adapt your configuration to new names."},{"line_number":11,"context_line":"  - |"},{"line_number":12,"context_line":"    Kayobe now sets SELinux to permissive by default (compared to ``disabled``"},{"line_number":13,"context_line":"    previously). 
If you want to retain previous behaviour please set"}],"source_content_type":"text/x-yaml","patch_set":6,"id":"98060d11_808a1e03","line":10,"range":{"start_line":8,"start_character":0,"end_line":10,"end_character":74},"in_reply_to":"3d79aa2e_130fd018","updated":"2022-03-16 11:07:38.000000000","message":"Also wrong location for the release note.","commit_id":"a371eb3306346f179ec6538c39a6e2a5de8c8266"}],"ansible/roles/disable-selinux/tasks/main.yml":[{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"b92a726e0b071cd253ddbb7c71679360678a01c9","unresolved":true,"context_lines":[{"line_number":38,"context_line":"      when: not is_local | bool"},{"line_number":39,"context_line":"  when:"},{"line_number":40,"context_line":"    - disable_selinux_do_reboot | bool"},{"line_number":41,"context_line":"    - selinux_result is changed"}],"source_content_type":"text/x-yaml","patch_set":3,"id":"36e59635_c9607547","line":41,"range":{"start_line":41,"start_character":6,"end_line":41,"end_character":31},"updated":"2021-11-12 09:14:04.000000000","message":"A reboot is only required if SELinux is being enabled or disabled. 
Going from enforcing to permissive and back again can be applied immediately.","commit_id":"142964219910b66e1bff777552f453c2b9f7b0af"},{"author":{"_account_id":15197,"name":"Pierre Riteau","email":"pierre@stackhpc.com","username":"priteau","status":"StackHPC"},"change_message_id":"b2a699da2f83c7aeb5a1be4011a1f2308f4c74ee","unresolved":false,"context_lines":[{"line_number":38,"context_line":"      when: not is_local | bool"},{"line_number":39,"context_line":"  when:"},{"line_number":40,"context_line":"    - disable_selinux_do_reboot | bool"},{"line_number":41,"context_line":"    - selinux_result is changed"}],"source_content_type":"text/x-yaml","patch_set":3,"id":"9c6ec0f0_f5f07698","line":41,"range":{"start_line":41,"start_character":6,"end_line":41,"end_character":31},"in_reply_to":"36e59635_c9607547","updated":"2022-03-16 11:07:38.000000000","message":"The selinux module provides a reboot_required variable. I updated the role to use it.","commit_id":"142964219910b66e1bff777552f453c2b9f7b0af"}],"ansible/roles/selinux/defaults/main.yml":[{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"94fba47373c5255025f810ef6f24c055c1e8dca9","unresolved":true,"context_lines":[{"line_number":6,"context_line":"selinux_state: permissive"},{"line_number":7,"context_line":""},{"line_number":8,"context_line":"# Whether to reboot to apply SELinux config changes."},{"line_number":9,"context_line":"selinux_do_reboot: true"},{"line_number":10,"context_line":""},{"line_number":11,"context_line":"# Number of seconds to wait for hosts to become accessible via SSH after being"},{"line_number":12,"context_line":"# rebooted."}],"source_content_type":"text/x-yaml","patch_set":12,"id":"304d10a7_7e2c9b7a","line":9,"range":{"start_line":9,"start_character":19,"end_line":9,"end_character":23},"updated":"2022-06-13 10:20:55.000000000","message":"Did we agree to making this false by default? 
Otherwise a host configure will reboot all hosts previously deployed with selinux disabled.","commit_id":"84ad719ae96f633f7054903f99127577ce0a9451"},{"author":{"_account_id":15197,"name":"Pierre Riteau","email":"pierre@stackhpc.com","username":"priteau","status":"StackHPC"},"change_message_id":"4b411263ad2b101bd96ebac1a8b929cf590d4bcb","unresolved":true,"context_lines":[{"line_number":6,"context_line":"selinux_state: permissive"},{"line_number":7,"context_line":""},{"line_number":8,"context_line":"# Whether to reboot to apply SELinux config changes."},{"line_number":9,"context_line":"selinux_do_reboot: true"},{"line_number":10,"context_line":""},{"line_number":11,"context_line":"# Number of seconds to wait for hosts to become accessible via SSH after being"},{"line_number":12,"context_line":"# rebooted."}],"source_content_type":"text/x-yaml","patch_set":12,"id":"4abc715c_1708c479","line":9,"range":{"start_line":9,"start_character":19,"end_line":9,"end_character":23},"in_reply_to":"304d10a7_7e2c9b7a","updated":"2022-06-16 12:18:44.000000000","message":"That\u0027s exactly what we agreed. 
I missed updating this part.","commit_id":"84ad719ae96f633f7054903f99127577ce0a9451"},{"author":{"_account_id":15197,"name":"Pierre Riteau","email":"pierre@stackhpc.com","username":"priteau","status":"StackHPC"},"change_message_id":"cc0a6e8e2f6887b57f248999bc1bd405a05e8686","unresolved":false,"context_lines":[{"line_number":6,"context_line":"selinux_state: permissive"},{"line_number":7,"context_line":""},{"line_number":8,"context_line":"# Whether to reboot to apply SELinux config changes."},{"line_number":9,"context_line":"selinux_do_reboot: true"},{"line_number":10,"context_line":""},{"line_number":11,"context_line":"# Number of seconds to wait for hosts to become accessible via SSH after being"},{"line_number":12,"context_line":"# rebooted."}],"source_content_type":"text/x-yaml","patch_set":12,"id":"a6e08eb4_353ea7f0","line":9,"range":{"start_line":9,"start_character":19,"end_line":9,"end_character":23},"in_reply_to":"4abc715c_1708c479","updated":"2022-06-17 07:29:12.000000000","message":"Done","commit_id":"84ad719ae96f633f7054903f99127577ce0a9451"}],"ansible/roles/selinux/tasks/main.yml":[{"author":{"_account_id":15197,"name":"Pierre Riteau","email":"pierre@stackhpc.com","username":"priteau","status":"StackHPC"},"change_message_id":"e78d785a04fa3c8166497e3b5087452da8515b39","unresolved":true,"context_lines":[{"line_number":12,"context_line":"    path: /etc/selinux/config"},{"line_number":13,"context_line":"  register: stat_result"},{"line_number":14,"context_line":""},{"line_number":15,"context_line":"- name: Ensure desired SELinux state "},{"line_number":16,"context_line":"  selinux:"},{"line_number":17,"context_line":"    policy: \"{{ selinux_policy }}\""},{"line_number":18,"context_line":"    state: \"{{ selinux_state }}\""}],"source_content_type":"text/x-yaml","patch_set":6,"id":"8d483e2c_4da5e62c","line":15,"range":{"start_line":15,"start_character":36,"end_line":15,"end_character":37},"updated":"2022-01-05 09:31:35.000000000","message":"Trailing 
whitespace","commit_id":"a371eb3306346f179ec6538c39a6e2a5de8c8266"},{"author":{"_account_id":15197,"name":"Pierre Riteau","email":"pierre@stackhpc.com","username":"priteau","status":"StackHPC"},"change_message_id":"b2a699da2f83c7aeb5a1be4011a1f2308f4c74ee","unresolved":false,"context_lines":[{"line_number":12,"context_line":"    path: /etc/selinux/config"},{"line_number":13,"context_line":"  register: stat_result"},{"line_number":14,"context_line":""},{"line_number":15,"context_line":"- name: Ensure desired SELinux state "},{"line_number":16,"context_line":"  selinux:"},{"line_number":17,"context_line":"    policy: \"{{ selinux_policy }}\""},{"line_number":18,"context_line":"    state: \"{{ selinux_state }}\""}],"source_content_type":"text/x-yaml","patch_set":6,"id":"690d8dde_f51251fa","line":15,"range":{"start_line":15,"start_character":36,"end_line":15,"end_character":37},"in_reply_to":"8d483e2c_4da5e62c","updated":"2022-03-16 11:07:38.000000000","message":"Done","commit_id":"a371eb3306346f179ec6538c39a6e2a5de8c8266"},{"author":{"_account_id":15197,"name":"Pierre Riteau","email":"pierre@stackhpc.com","username":"priteau","status":"StackHPC"},"change_message_id":"e78d785a04fa3c8166497e3b5087452da8515b39","unresolved":true,"context_lines":[{"line_number":39,"context_line":"  when:"},{"line_number":40,"context_line":"    - selinux_do_reboot | bool"},{"line_number":41,"context_line":"    - selinux_result is changed"},{"line_number":42,"context_line":"    - selinux_state \u003d\u003d \u0027enabled\u0027 or selinux_state \u003d\u003d \u0027disabled\u0027"}],"source_content_type":"text/x-yaml","patch_set":6,"id":"be7334d7_a5726bab","line":42,"range":{"start_line":42,"start_character":6,"end_line":42,"end_character":63},"updated":"2022-01-05 09:31:35.000000000","message":"According to Ansible docs possible states are: disabled, enforcing, permissive\n\nI think we will need to check the current state to figure out if a reboot is 
needed.\n\nhttps://docs.ansible.com/ansible/latest/collections/ansible/posix/selinux_module.html","commit_id":"a371eb3306346f179ec6538c39a6e2a5de8c8266"},{"author":{"_account_id":15197,"name":"Pierre Riteau","email":"pierre@stackhpc.com","username":"priteau","status":"StackHPC"},"change_message_id":"b2a699da2f83c7aeb5a1be4011a1f2308f4c74ee","unresolved":false,"context_lines":[{"line_number":39,"context_line":"  when:"},{"line_number":40,"context_line":"    - selinux_do_reboot | bool"},{"line_number":41,"context_line":"    - selinux_result is changed"},{"line_number":42,"context_line":"    - selinux_state \u003d\u003d \u0027enabled\u0027 or selinux_state \u003d\u003d \u0027disabled\u0027"}],"source_content_type":"text/x-yaml","patch_set":6,"id":"2e9c4fb4_f4d4d39f","line":42,"range":{"start_line":42,"start_character":6,"end_line":42,"end_character":63},"in_reply_to":"be7334d7_a5726bab","updated":"2022-03-16 11:07:38.000000000","message":"The selinux module provides a reboot_required variable. I updated the role to use it and remove the check of selinux_state (\u0027enabled\u0027 was not valid anyway).","commit_id":"a371eb3306346f179ec6538c39a6e2a5de8c8266"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"94fba47373c5255025f810ef6f24c055c1e8dca9","unresolved":true,"context_lines":[{"line_number":20,"context_line":"  become: True"},{"line_number":21,"context_line":"  when: stat_result.stat.exists"},{"line_number":22,"context_line":""},{"line_number":23,"context_line":"- name: Abort SELinux configuration because reboot is disabled"},{"line_number":24,"context_line":"  fail:"},{"line_number":25,"context_line":"    msg: |"},{"line_number":26,"context_line":"      SELinux state change requires a reboot, but selinux_do_reboot is"},{"line_number":27,"context_line":"      false. 
Please run again with selinux_do_reboot set to true to reboot."},{"line_number":28,"context_line":"  when:"},{"line_number":29,"context_line":"    - not selinux_do_reboot | bool"},{"line_number":30,"context_line":"    - selinux_result.reboot_required"},{"line_number":31,"context_line":""},{"line_number":32,"context_line":"- block:"},{"line_number":33,"context_line":"    - name: Set a fact to determine whether we are running locally"}],"source_content_type":"text/x-yaml","patch_set":12,"id":"ad7f2273_1374e5b1","line":30,"range":{"start_line":23,"start_character":0,"end_line":30,"end_character":36},"updated":"2022-06-13 10:20:55.000000000","message":"This isn\u0027t quite how I remembered the outcome of our discussion. I thought we had agreed to first run the selinux module with check_mode\u003dtrue, then fail if necessary before making changes. This would allow the user to either set selinux_do_reboot to true, or change the kayobe state to match the running state.\n\nI suppose the main thing we\u0027d want to avoid is if the user sets selinux_do_reboot to true, but on the second run we don\u0027t see reboot_required. Have you tested that case?","commit_id":"84ad719ae96f633f7054903f99127577ce0a9451"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"61f684cba8b82f61d6e12fbaf42e0a81387837f4","unresolved":false,"context_lines":[{"line_number":20,"context_line":"  become: True"},{"line_number":21,"context_line":"  when: stat_result.stat.exists"},{"line_number":22,"context_line":""},{"line_number":23,"context_line":"- name: Abort SELinux configuration because reboot is disabled"},{"line_number":24,"context_line":"  fail:"},{"line_number":25,"context_line":"    msg: |"},{"line_number":26,"context_line":"      SELinux state change requires a reboot, but selinux_do_reboot is"},{"line_number":27,"context_line":"      false. 
Please run again with selinux_do_reboot set to true to reboot."},{"line_number":28,"context_line":"  when:"},{"line_number":29,"context_line":"    - not selinux_do_reboot | bool"},{"line_number":30,"context_line":"    - selinux_result.reboot_required"},{"line_number":31,"context_line":""},{"line_number":32,"context_line":"- block:"},{"line_number":33,"context_line":"    - name: Set a fact to determine whether we are running locally"}],"source_content_type":"text/x-yaml","patch_set":12,"id":"445b0240_d07c8aa7","line":30,"range":{"start_line":23,"start_character":0,"end_line":30,"end_character":36},"in_reply_to":"a3dad93d_173e5449","updated":"2022-06-24 13:53:40.000000000","message":"Thanks for testing, I think this is fine.","commit_id":"84ad719ae96f633f7054903f99127577ce0a9451"},{"author":{"_account_id":15197,"name":"Pierre Riteau","email":"pierre@stackhpc.com","username":"priteau","status":"StackHPC"},"change_message_id":"4b411263ad2b101bd96ebac1a8b929cf590d4bcb","unresolved":true,"context_lines":[{"line_number":20,"context_line":"  become: True"},{"line_number":21,"context_line":"  when: stat_result.stat.exists"},{"line_number":22,"context_line":""},{"line_number":23,"context_line":"- name: Abort SELinux configuration because reboot is disabled"},{"line_number":24,"context_line":"  fail:"},{"line_number":25,"context_line":"    msg: |"},{"line_number":26,"context_line":"      SELinux state change requires a reboot, but selinux_do_reboot is"},{"line_number":27,"context_line":"      false. 
Please run again with selinux_do_reboot set to true to reboot."},{"line_number":28,"context_line":"  when:"},{"line_number":29,"context_line":"    - not selinux_do_reboot | bool"},{"line_number":30,"context_line":"    - selinux_result.reboot_required"},{"line_number":31,"context_line":""},{"line_number":32,"context_line":"- block:"},{"line_number":33,"context_line":"    - name: Set a fact to determine whether we are running locally"}],"source_content_type":"text/x-yaml","patch_set":12,"id":"ddcc8d57_eced53ad","line":30,"range":{"start_line":23,"start_character":0,"end_line":30,"end_character":36},"in_reply_to":"ad7f2273_1374e5b1","updated":"2022-06-16 12:18:44.000000000","message":"I will need to do some actual testing then. I will push an updated patch once done.","commit_id":"84ad719ae96f633f7054903f99127577ce0a9451"},{"author":{"_account_id":15197,"name":"Pierre Riteau","email":"pierre@stackhpc.com","username":"priteau","status":"StackHPC"},"change_message_id":"cc0a6e8e2f6887b57f248999bc1bd405a05e8686","unresolved":true,"context_lines":[{"line_number":20,"context_line":"  become: True"},{"line_number":21,"context_line":"  when: stat_result.stat.exists"},{"line_number":22,"context_line":""},{"line_number":23,"context_line":"- name: Abort SELinux configuration because reboot is disabled"},{"line_number":24,"context_line":"  fail:"},{"line_number":25,"context_line":"    msg: |"},{"line_number":26,"context_line":"      SELinux state change requires a reboot, but selinux_do_reboot is"},{"line_number":27,"context_line":"      false. 
Please run again with selinux_do_reboot set to true to reboot."},{"line_number":28,"context_line":"  when:"},{"line_number":29,"context_line":"    - not selinux_do_reboot | bool"},{"line_number":30,"context_line":"    - selinux_result.reboot_required"},{"line_number":31,"context_line":""},{"line_number":32,"context_line":"- block:"},{"line_number":33,"context_line":"    - name: Set a fact to determine whether we are running locally"}],"source_content_type":"text/x-yaml","patch_set":12,"id":"a3dad93d_173e5449","line":30,"range":{"start_line":23,"start_character":0,"end_line":30,"end_character":36},"in_reply_to":"ddcc8d57_eced53ad","updated":"2022-06-17 07:29:12.000000000","message":"I am not sure we need to use check_mode. Subsequent invocations of the selinux module will still notice that a reboot is needed.\n\nFirst run:\n\nTASK [selinux : Ensure desired SELinux state] **************************************************************************************************************************************************************\n[WARNING]: SELinux state change will take effect next reboot\nchanged: [seed]\n\nTASK [selinux : Abort SELinux configuration because reboot is disabled] ************************************************************************************************************************************\nfatal: [seed]: FAILED! \u003d\u003e {\"changed\": false, \"msg\": \"SELinux state change requires a reboot, but selinux_do_reboot is false. 
Please run again with selinux_do_reboot set to true to reboot.\\n\"}\n\nSecond run:\n\nTASK [selinux : Ensure desired SELinux state] **************************************************************************************************************************************************************\n[WARNING]: SELinux state change will take effect next reboot\nok: [seed]\n\nTASK [selinux : Abort SELinux configuration because reboot is disabled] ************************************************************************************************************************************\nfatal: [seed]: FAILED! \u003d\u003e {\"changed\": false, \"msg\": \"SELinux state change requires a reboot, but selinux_do_reboot is false. Please run again with selinux_do_reboot set to true to reboot.\\n\"}\n\nThird run with reboot allowed:\n\nTASK [selinux : Ensure desired SELinux state] **************************************************************************************************************************************************************\n[WARNING]: SELinux state change will take effect next reboot\nok: [seed]\n\nTASK [selinux : Abort SELinux configuration because reboot is disabled] ************************************************************************************************************************************\nskipping: [seed]\n\nTASK [selinux : Set a fact to determine whether we are running locally] ************************************************************************************************************************************\nok: [seed]\n\nTASK [selinux : Reboot the system to apply SELinux changes (local)]","commit_id":"84ad719ae96f633f7054903f99127577ce0a9451"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"94fba47373c5255025f810ef6f24c055c1e8dca9","unresolved":true,"context_lines":[{"line_number":49,"context_line":"        - not is_local | bool"},{"line_number":50,"context_line":"  
when:"},{"line_number":51,"context_line":"    - selinux_do_reboot | bool"},{"line_number":52,"context_line":"    - selinux_result.reboot_required"}],"source_content_type":"text/x-yaml","patch_set":12,"id":"9dd247c0_23459410","line":52,"range":{"start_line":52,"start_character":6,"end_line":52,"end_character":36},"updated":"2022-06-13 10:20:55.000000000","message":"The selinux_result task is conditional on the config file existing, so this attribute might not exist.","commit_id":"84ad719ae96f633f7054903f99127577ce0a9451"},{"author":{"_account_id":15197,"name":"Pierre Riteau","email":"pierre@stackhpc.com","username":"priteau","status":"StackHPC"},"change_message_id":"cc0a6e8e2f6887b57f248999bc1bd405a05e8686","unresolved":false,"context_lines":[{"line_number":49,"context_line":"        - not is_local | bool"},{"line_number":50,"context_line":"  when:"},{"line_number":51,"context_line":"    - selinux_do_reboot | bool"},{"line_number":52,"context_line":"    - selinux_result.reboot_required"}],"source_content_type":"text/x-yaml","patch_set":12,"id":"5694e518_5cf39387","line":52,"range":{"start_line":52,"start_character":6,"end_line":52,"end_character":36},"in_reply_to":"9dd247c0_23459410","updated":"2022-06-17 07:29:12.000000000","message":"Done","commit_id":"84ad719ae96f633f7054903f99127577ce0a9451"}],"playbooks/kayobe-infra-vm-base/overrides.yml.j2":[{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"2c25bdfe02f29cb442f96085435e49f1b2543fbe","unresolved":true,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"# NOTE(mgoddard): Don\u0027t reboot after changing SELinux state during CI testing,"},{"line_number":3,"context_line":"# as Ansible is run directly on the controller."},{"line_number":4,"context_line":"selinux_do_reboot: false"},{"line_number":5,"context_line":""},{"line_number":6,"context_line":"# Use the OpenStack infra\u0027s Dockerhub 
mirror."},{"line_number":7,"context_line":"docker_registry_mirrors:"}],"source_content_type":"text/x-jinja2","patch_set":9,"id":"e868d131_4b7808db","line":4,"range":{"start_line":4,"start_character":0,"end_line":4,"end_character":17},"updated":"2022-03-17 09:59:32.000000000","message":"Do we still need this? Going from enforcing to permissive shouldn\u0027t require a reboot.","commit_id":"6bc7a3b1fa0ba119df1653de5249556be4973172"},{"author":{"_account_id":15197,"name":"Pierre Riteau","email":"pierre@stackhpc.com","username":"priteau","status":"StackHPC"},"change_message_id":"04c5c2259427471ea1ab770c8a9cbd94d6b6739a","unresolved":false,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"# NOTE(mgoddard): Don\u0027t reboot after changing SELinux state during CI testing,"},{"line_number":3,"context_line":"# as Ansible is run directly on the controller."},{"line_number":4,"context_line":"selinux_do_reboot: false"},{"line_number":5,"context_line":""},{"line_number":6,"context_line":"# Use the OpenStack infra\u0027s Dockerhub mirror."},{"line_number":7,"context_line":"docker_registry_mirrors:"}],"source_content_type":"text/x-jinja2","patch_set":9,"id":"a313cb00_676dc3f3","line":4,"range":{"start_line":4,"start_character":0,"end_line":4,"end_character":17},"in_reply_to":"887873ac_f0081917","updated":"2022-06-10 13:55:59.000000000","message":"I removed all occurrences of this variable in CI playbooks.\n\nWe just keep disable_selinux_do_reboot for upgrade jobs.","commit_id":"6bc7a3b1fa0ba119df1653de5249556be4973172"},{"author":{"_account_id":15197,"name":"Pierre Riteau","email":"pierre@stackhpc.com","username":"priteau","status":"StackHPC"},"change_message_id":"de956e2cfd5e5917470f061deed076913f2069d8","unresolved":true,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"# NOTE(mgoddard): Don\u0027t reboot after changing SELinux state during CI testing,"},{"line_number":3,"context_line":"# as Ansible 
is run directly on the controller."},{"line_number":4,"context_line":"selinux_do_reboot: false"},{"line_number":5,"context_line":""},{"line_number":6,"context_line":"# Use the OpenStack infra\u0027s Dockerhub mirror."},{"line_number":7,"context_line":"docker_registry_mirrors:"}],"source_content_type":"text/x-jinja2","patch_set":9,"id":"887873ac_f0081917","line":4,"range":{"start_line":4,"start_character":0,"end_line":4,"end_character":17},"in_reply_to":"e868d131_4b7808db","updated":"2022-03-17 10:30:10.000000000","message":"I wasn\u0027t making any assumptions about the initial SELinux state of the CI VMs.","commit_id":"6bc7a3b1fa0ba119df1653de5249556be4973172"}],"releasenotes/notes/rename-disable-selinux-9053ff36792066bc.yaml":[{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"2c25bdfe02f29cb442f96085435e49f1b2543fbe","unresolved":true,"context_lines":[{"line_number":6,"context_line":"upgrade:"},{"line_number":7,"context_line":"  - |"},{"line_number":8,"context_line":"    The ``disable-selinux`` role has been renamed to ``selinux`` and so have"},{"line_number":9,"context_line":"    been variables. 
If you set one of them, adapt your configuration:"},{"line_number":10,"context_line":""},{"line_number":11,"context_line":"    * ``disable_selinux_do_reboot`` becomes ``selinux_do_reboot``"},{"line_number":12,"context_line":"    * ``disable_selinux_reboot_timeout`` becomes ``selinux_reboot_timeout``"}],"source_content_type":"text/x-yaml","patch_set":9,"id":"4132ddd2_23a35d5b","line":9,"range":{"start_line":9,"start_character":4,"end_line":9,"end_character":8},"updated":"2022-03-17 09:59:32.000000000","message":"the related","commit_id":"6bc7a3b1fa0ba119df1653de5249556be4973172"},{"author":{"_account_id":15197,"name":"Pierre Riteau","email":"pierre@stackhpc.com","username":"priteau","status":"StackHPC"},"change_message_id":"de956e2cfd5e5917470f061deed076913f2069d8","unresolved":false,"context_lines":[{"line_number":6,"context_line":"upgrade:"},{"line_number":7,"context_line":"  - |"},{"line_number":8,"context_line":"    The ``disable-selinux`` role has been renamed to ``selinux`` and so have"},{"line_number":9,"context_line":"    been variables. 
If you set one of them, adapt your configuration:"},{"line_number":10,"context_line":""},{"line_number":11,"context_line":"    * ``disable_selinux_do_reboot`` becomes ``selinux_do_reboot``"},{"line_number":12,"context_line":"    * ``disable_selinux_reboot_timeout`` becomes ``selinux_reboot_timeout``"}],"source_content_type":"text/x-yaml","patch_set":9,"id":"5e41e344_2b804ce5","line":9,"range":{"start_line":9,"start_character":4,"end_line":9,"end_character":8},"in_reply_to":"4132ddd2_23a35d5b","updated":"2022-03-17 10:30:10.000000000","message":"Ack","commit_id":"6bc7a3b1fa0ba119df1653de5249556be4973172"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"94fba47373c5255025f810ef6f24c055c1e8dca9","unresolved":true,"context_lines":[{"line_number":6,"context_line":"upgrade:"},{"line_number":7,"context_line":"  - |"},{"line_number":8,"context_line":"    The ``disable-selinux`` role has been renamed to ``selinux`` and so have"},{"line_number":9,"context_line":"    been variables. 
If you set one of them, adapt your configuration:"},{"line_number":10,"context_line":""},{"line_number":11,"context_line":"    * ``disable_selinux_do_reboot`` becomes ``selinux_do_reboot``"},{"line_number":12,"context_line":"    * ``disable_selinux_reboot_timeout`` becomes ``selinux_reboot_timeout``"}],"source_content_type":"text/x-yaml","patch_set":9,"id":"cc84ee0d_23d85143","line":9,"range":{"start_line":9,"start_character":4,"end_line":9,"end_character":8},"in_reply_to":"5e41e344_2b804ce5","updated":"2022-06-13 10:20:55.000000000","message":"Not done","commit_id":"6bc7a3b1fa0ba119df1653de5249556be4973172"},{"author":{"_account_id":15197,"name":"Pierre Riteau","email":"pierre@stackhpc.com","username":"priteau","status":"StackHPC"},"change_message_id":"cc0a6e8e2f6887b57f248999bc1bd405a05e8686","unresolved":false,"context_lines":[{"line_number":6,"context_line":"upgrade:"},{"line_number":7,"context_line":"  - |"},{"line_number":8,"context_line":"    The ``disable-selinux`` role has been renamed to ``selinux`` and so have"},{"line_number":9,"context_line":"    been variables. 
If you set one of them, adapt your configuration:"},{"line_number":10,"context_line":""},{"line_number":11,"context_line":"    * ``disable_selinux_do_reboot`` becomes ``selinux_do_reboot``"},{"line_number":12,"context_line":"    * ``disable_selinux_reboot_timeout`` becomes ``selinux_reboot_timeout``"}],"source_content_type":"text/x-yaml","patch_set":9,"id":"bceeb82a_48e60c68","line":9,"range":{"start_line":9,"start_character":4,"end_line":9,"end_character":8},"in_reply_to":"cc84ee0d_23d85143","updated":"2022-06-17 07:29:12.000000000","message":"Done","commit_id":"6bc7a3b1fa0ba119df1653de5249556be4973172"},{"author":{"_account_id":15197,"name":"Pierre Riteau","email":"pierre@stackhpc.com","username":"priteau","status":"StackHPC"},"change_message_id":"cb0980e32240aae055aeeae7ec16ffda7b0bf7e6","unresolved":true,"context_lines":[{"line_number":12,"context_line":"    * ``disable_selinux_reboot_timeout`` becomes ``selinux_reboot_timeout``"},{"line_number":13,"context_line":"  - |"},{"line_number":14,"context_line":"    Kayobe now sets SELinux to ``permissive`` by default (compared to"},{"line_number":15,"context_line":"    ``disabled`` previously). **This will cause a reboot** on the first"},{"line_number":16,"context_line":"    invocation of ``kayobe * host configure``. If you want to postpone"},{"line_number":17,"context_line":"    rebooting, set ``selinux_do_reboot`` to ``false``. 
If you want to retain"},{"line_number":18,"context_line":"    previous behaviour, set ``selinux_state`` to ``disabled``."}],"source_content_type":"text/x-yaml","patch_set":9,"id":"88d37f08_d76085ce","line":18,"range":{"start_line":15,"start_character":30,"end_line":18,"end_character":62},"updated":"2022-03-16 13:50:46.000000000","message":"I updated the reno to highlight that it will cause a reboot when running host configure on systems which already have SELinux disabled.\n\nWhat are your thoughts on defaulting selinux_do_reboot to false, to avoid production systems being rebooted by mistake?","commit_id":"6bc7a3b1fa0ba119df1653de5249556be4973172"},{"author":{"_account_id":15197,"name":"Pierre Riteau","email":"pierre@stackhpc.com","username":"priteau","status":"StackHPC"},"change_message_id":"fe5244a904703eb9939ecce94290ce0aa46ced8b","unresolved":true,"context_lines":[{"line_number":12,"context_line":"    * ``disable_selinux_reboot_timeout`` becomes ``selinux_reboot_timeout``"},{"line_number":13,"context_line":"  - |"},{"line_number":14,"context_line":"    Kayobe now sets SELinux to ``permissive`` by default (compared to"},{"line_number":15,"context_line":"    ``disabled`` previously). **This will cause a reboot** on the first"},{"line_number":16,"context_line":"    invocation of ``kayobe * host configure``. If you want to postpone"},{"line_number":17,"context_line":"    rebooting, set ``selinux_do_reboot`` to ``false``. 
If you want to retain"},{"line_number":18,"context_line":"    previous behaviour, set ``selinux_state`` to ``disabled``."}],"source_content_type":"text/x-yaml","patch_set":9,"id":"e9df7484_c3736a88","line":18,"range":{"start_line":15,"start_character":30,"end_line":18,"end_character":62},"in_reply_to":"83e7e429_be1e22fd","updated":"2022-04-14 12:23:50.000000000","message":"We agreed to add a fail task in case a reboot is needed, unless selinux_do_reboot is true.","commit_id":"6bc7a3b1fa0ba119df1653de5249556be4973172"},{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"2c25bdfe02f29cb442f96085435e49f1b2543fbe","unresolved":true,"context_lines":[{"line_number":12,"context_line":"    * ``disable_selinux_reboot_timeout`` becomes ``selinux_reboot_timeout``"},{"line_number":13,"context_line":"  - |"},{"line_number":14,"context_line":"    Kayobe now sets SELinux to ``permissive`` by default (compared to"},{"line_number":15,"context_line":"    ``disabled`` previously). **This will cause a reboot** on the first"},{"line_number":16,"context_line":"    invocation of ``kayobe * host configure``. If you want to postpone"},{"line_number":17,"context_line":"    rebooting, set ``selinux_do_reboot`` to ``false``. 
If you want to retain"},{"line_number":18,"context_line":"    previous behaviour, set ``selinux_state`` to ``disabled``."}],"source_content_type":"text/x-yaml","patch_set":9,"id":"a1f2a4eb_02eabff7","line":18,"range":{"start_line":15,"start_character":30,"end_line":18,"end_character":62},"in_reply_to":"88d37f08_d76085ce","updated":"2022-03-17 09:59:32.000000000","message":"Or we could put a configurable throttle on the reboot task, with a conservative default of 1?","commit_id":"6bc7a3b1fa0ba119df1653de5249556be4973172"},{"author":{"_account_id":15197,"name":"Pierre Riteau","email":"pierre@stackhpc.com","username":"priteau","status":"StackHPC"},"change_message_id":"de956e2cfd5e5917470f061deed076913f2069d8","unresolved":true,"context_lines":[{"line_number":12,"context_line":"    * ``disable_selinux_reboot_timeout`` becomes ``selinux_reboot_timeout``"},{"line_number":13,"context_line":"  - |"},{"line_number":14,"context_line":"    Kayobe now sets SELinux to ``permissive`` by default (compared to"},{"line_number":15,"context_line":"    ``disabled`` previously). **This will cause a reboot** on the first"},{"line_number":16,"context_line":"    invocation of ``kayobe * host configure``. If you want to postpone"},{"line_number":17,"context_line":"    rebooting, set ``selinux_do_reboot`` to ``false``. If you want to retain"},{"line_number":18,"context_line":"    previous behaviour, set ``selinux_state`` to ``disabled``."}],"source_content_type":"text/x-yaml","patch_set":9,"id":"83e7e429_be1e22fd","line":18,"range":{"start_line":15,"start_character":30,"end_line":18,"end_character":62},"in_reply_to":"a1f2a4eb_02eabff7","updated":"2022-03-17 10:30:10.000000000","message":"That\u0027s OK for HA controllers, but could still wreak havoc with hypervisors hosting active VMs. 
But we also don\u0027t want to deploy a broken OpenStack because SELinux stayed enforcing.\n\nOne solution would be to reboot if we\u0027re in an initial deployment (docker not running yet?), but only do so if selinux_do_reboot is explicitly set otherwise. Is this getting too much into the weeds?","commit_id":"6bc7a3b1fa0ba119df1653de5249556be4973172"},{"author":{"_account_id":15197,"name":"Pierre Riteau","email":"pierre@stackhpc.com","username":"priteau","status":"StackHPC"},"change_message_id":"884de45d3f271439253c12e147b43dd75c68503a","unresolved":false,"context_lines":[{"line_number":12,"context_line":"    * ``disable_selinux_reboot_timeout`` becomes ``selinux_reboot_timeout``"},{"line_number":13,"context_line":"  - |"},{"line_number":14,"context_line":"    Kayobe now sets SELinux to ``permissive`` by default (compared to"},{"line_number":15,"context_line":"    ``disabled`` previously). **This will cause a reboot** on the first"},{"line_number":16,"context_line":"    invocation of ``kayobe * host configure``. If you want to postpone"},{"line_number":17,"context_line":"    rebooting, set ``selinux_do_reboot`` to ``false``. If you want to retain"},{"line_number":18,"context_line":"    previous behaviour, set ``selinux_state`` to ``disabled``."}],"source_content_type":"text/x-yaml","patch_set":9,"id":"6319240d_053c9c63","line":18,"range":{"start_line":15,"start_character":30,"end_line":18,"end_character":62},"in_reply_to":"e9df7484_c3736a88","updated":"2022-06-09 19:15:16.000000000","message":"I updated the patch with the approach we discussed on April 14.","commit_id":"6bc7a3b1fa0ba119df1653de5249556be4973172"}]}
