[HWORKS-175] Do not modify resolvers if flag is set (#36)

[HWORKS-175] Do not disable SELinux if not allowed to
logicalclocks · Oct 19, 2022 · 7c2cb72 · 7c2cb72
1 parent c92fc26
commit 7c2cb72
Showing 1 changed file with 67 additions and 62 deletions.
diff --git a/recipes/default.rb b/recipes/default.rb
@@ -2,10 +2,17 @@
 if node['consul']['use_dnsmasq'].casecmp?("true")
     package 'dnsmasq'
 
-    if node['consul']['configure_resolv_conf'].casecmp?("true") &&  ! ::File.exist?('/etc/dnsmasq.d/default')
+    kubernetes_dns = nil
+    kubernetes_domain_name = nil
+    dnsmasq_resolv_file = nil
+    if node['install']['localhost'].casecmp?("true")
+        my_ip = "127.0.0.1"
+    else
+        my_ip = my_private_ip()
+    end
+
+    if node['consul']['configure_resolv_conf'].casecmp?("true")
 
-        kubernetes_dns = nil
-        kubernetes_domain_name = nil
         if node['install']['enterprise']['install'].casecmp?("true") and node['install']['kubernetes'].casecmp?("true") and node['install']['managed_kubernetes'].casecmp?("false")
             kubernetes_dns = "10.96.0.10"
             kubernetes_domain_name = "cluster.local"
@@ -18,12 +25,6 @@
                 end
             end
         end
-
-        if node['install']['localhost'].casecmp?("true")
-            my_ip = "127.0.0.1"
-        else
-            my_ip = my_private_ip()
-        end
 
         # Disable systemd-resolved for Ubuntu
         case node["platform_family"]
@@ -69,42 +70,10 @@
                 })
             end
 
-            if node['install']['localhost'].casecmp?("true")
-                dnsmasq_ips = "127.0.0.2"
-            else
-                dnsmasq_ips = "127.0.0.2,#{my_private_ip()}"
-            end
-
-            template "/etc/dnsmasq.d/default" do
-                source "dnsmasq-conf.erb"
-                owner 'root'
-                group 'root'
-                mode 0755
-                variables({
-                    :resolv_conf => nil,
-                    :dnsmasq_ip => dnsmasq_ips,
-                    :kubernetes_dns => kubernetes_dns,
-                    :kubernetes_domain_name => kubernetes_domain_name
-                })
-            end
-
             systemd_unit "systemd-resolved.service" do
                 action [:restart]
             end
         when "rhel"
-            # We need to disable SELinux as by default it does not allow creating
-            # file watches which is needed by dnsmasq.
-            # We need it disabled for Kubernetes too as it does not allow containers
-            # to access the host filesystem, which is required by pod networks for example.
-            bash 'disable_selinux' do
-                user 'root'
-                group 'root'
-                code <<-EOH
-                  setenforce 0
-                  sed -i --follow-symlinks 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/sysconfig/selinux
-                EOH
-            end
-
             if node['consul']['effective_resolv_conf'].empty?
                 effective_resolv_conf = "/etc/resolv.conf"
             else
@@ -129,25 +98,6 @@
                 not_if { ::File.exist?(dnsmasq_resolv_file) }
             end
 
-            if node['install']['localhost'].casecmp?("true")
-                dnsmasq_ip = "127.0.0.1"
-            else
-                dnsmasq_ip = "127.0.0.1,#{my_ip}"
-            end
-
-            template "/etc/dnsmasq.d/default" do
-                source "dnsmasq-conf.erb"
-                owner 'root'
-                group 'root'
-                mode 0755
-                variables({
-                    :resolv_conf => dnsmasq_resolv_file,
-                    :dnsmasq_ip => dnsmasq_ip,
-                    :kubernetes_dns => kubernetes_dns,
-                    :kubernetes_domain_name => kubernetes_domain_name
-                })
-            end
-
             bash "configure-resolv.conf" do
                 user 'root'
                 group 'root'
@@ -161,10 +111,65 @@
                 action :nothing
             end
         end
+    end
+
+    case node["platform_family"]
+    when "debian"
+        if node['install']['localhost'].casecmp?("true")
+            dnsmasq_ips = "127.0.0.2"
+        else
+            dnsmasq_ips = "127.0.0.2,#{my_private_ip()}"
+        end
 
-        systemd_unit "dnsmasq.service" do
-            action :restart
+        template "/etc/dnsmasq.d/default" do
+            source "dnsmasq-conf.erb"
+            owner 'root'
+            group 'root'
+            mode 0755
+            variables({
+                :resolv_conf => nil,
+                :dnsmasq_ip => dnsmasq_ips,
+                :kubernetes_dns => kubernetes_dns,
+                :kubernetes_domain_name => kubernetes_domain_name
+            })
+        end
+    when "rhel"
+        # We need to disable SELinux as by default it does not allow creating
+        # file watches which is needed by dnsmasq.
+        # We need it disabled for Kubernetes too as it does not allow containers
+        # to access the host filesystem, which is required by pod networks for example.
+        bash 'disable_selinux' do
+            user 'root'
+            group 'root'
+            code <<-EOH
+                setenforce 0
+                sed -i --follow-symlinks 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/sysconfig/selinux
+            EOH
+            only_if { node['install']['modify_selinux'].casecmp?("true") }
         end
+
+        if node['install']['localhost'].casecmp?("true")
+            dnsmasq_ip = "127.0.0.1"
+        else
+            dnsmasq_ip = "127.0.0.1,#{my_ip}"
+        end
+
+        template "/etc/dnsmasq.d/default" do
+            source "dnsmasq-conf.erb"
+            owner 'root'
+            group 'root'
+            mode 0755
+            variables({
+                :resolv_conf => dnsmasq_resolv_file,
+                :dnsmasq_ip => dnsmasq_ip,
+                :kubernetes_dns => kubernetes_dns,
+                :kubernetes_domain_name => kubernetes_domain_name
+            })
+        end
+    end
+
+    systemd_unit "dnsmasq.service" do
+        action :restart
     end
 end