feat: golden-image build support (cloud-init on EL, selinux relabel, SSH wait)

2026-05-27 05:05:55 +02:00
parent 2c35409519
commit 939c5c741f
5 changed files with 34 additions and 0 deletions
--- a/roles/configuration/tasks/selinux.yml
+++ b/roles/configuration/tasks/selinux.yml
@@ -11,6 +11,16 @@
      register: configuration_setfiles_result
      changed_when: configuration_setfiles_result.rc == 0

+    # setfiles in the chroot misses paths created at first boot (e.g. /var/lib/sss),
+    # leaving unlabeled_t files that block services under enforcing SELinux. Force a
+    # complete relabel on first boot; fixfiles consumes and removes the flag.
+    - name: Force a complete SELinux relabel on first boot
+      when: os in ['almalinux', 'rocky', 'rhel'] and system_cfg.features.selinux.enabled | bool
+      ansible.builtin.file:
+        path: /mnt/.autorelabel
+        state: touch
+        mode: "0644"
+
    # Fedora: setfiles segfaults during bootstrap chroot relabeling, so SELinux
    # is left permissive and expected to relabel on first boot.
    - name: Disable SELinux