Merge pull request #14910 from mattclay/libvirt-no-selinux

Add noseclabel support to libvirt_lxc plugin.

docsite/rst/intro_configuration.rst

@@ -952,6 +952,17 @@ The default list is: nfs,vboxsf,fuse,ramfs::
 
     special_context_filesystems = nfs,vboxsf,fuse,ramfs,myspecialfs
 
+libvirt_lxc_noseclabel
+======================
+
+.. versionadded:: 2.1
+
+This setting causes libvirt to connect to lxc containers by passing --noseclabel to virsh.
+This is necessary when running on systems which do not have SELinux.
+The default behavior is no::
+
+    libvirt_lxc_noseclabel = True
+
 Galaxy Settings
 ---------------
 

examples/ansible.cfg

@@ -278,6 +278,9 @@
 # needs to be changed to use the file system dependent context.
 #special_context_filesystems=nfs,vboxsf,fuse,ramfs
 
+# Set this to yes to allow libvirt_lxc connections to work without SELinux.
+#libvirt_lxc_noseclabel = yes
+
 [colors]
 #higlight = white
 #verbose = blue

lib/ansible/constants.py

@@ -167,6 +167,7 @@ DEFAULT_NO_TARGET_SYSLOG   = get_config(p, DEFAULTS, 'no_target_syslog', 'ANSIBL
 
 # selinux
 DEFAULT_SELINUX_SPECIAL_FS = get_config(p, 'selinux', 'special_context_filesystems', None, 'fuse, nfs, vboxsf, ramfs', islist=True)
+DEFAULT_LIBVIRT_LXC_NOSECLABEL = get_config(p, 'selinux', 'libvirt_lxc_noseclabel', 'LIBVIRT_LXC_NOSECLABEL', False, boolean=True)
 
 ### PRIVILEGE ESCALATION ###
 # Backwards Compat

lib/ansible/plugins/connection/libvirt_lxc.py

@@ -88,7 +88,12 @@ class Connection(ConnectionBase):
         return the process's exit code immediately.
         '''
         executable = C.DEFAULT_EXECUTABLE.split()[0] if C.DEFAULT_EXECUTABLE else '/bin/sh'
-        local_cmd = [self.virsh, '-q', '-c', 'lxc:///', 'lxc-enter-namespace', self.lxc, '--', executable , '-c', cmd]
+        local_cmd = [self.virsh, '-q', '-c', 'lxc:///', 'lxc-enter-namespace']
+
+        if C.DEFAULT_LIBVIRT_LXC_NOSECLABEL:
+            local_cmd += ['--noseclabel']
+
+        local_cmd += [self.lxc, '--', executable, '-c', cmd]
 
         display.vvv("EXEC %s" % (local_cmd,), host=self.lxc)
         local_cmd = [to_bytes(i, errors='strict') for i in local_cmd]