Add some notes about SELinux and limitations
With newer podman and container-selinux, we may face some issues depending on where directories are located. The way we're running the role is also important - being launched as root or as a user makes a big difference, especially with the user's home content.

It also updates the setup.cfg content to match new format requirements.

Change-Id: Ib2b7fd2f557d4743efd2eaca18474fb45b91cbcf
parent
30d23d5152
commit
5aea24664d
34
README.rst
|
@ -120,6 +120,31 @@ Dependencies
|
||||||
|
|
||||||
None
|
None
|
||||||
|
|
||||||
|
Warnings
|
||||||
|
--------
|
||||||
|
|
||||||
|
On-disk repositories
|
||||||
|
....................
|
||||||
|
|
||||||
|
Please ensure the SELinux label for the on-disk repositories are correct.
|
||||||
|
Depending on your container-selinux (and podman) version, you may face issues.
|
||||||
|
|
||||||
|
An example of a correct type: ```system_u:object_r:rpm_var_cache_t```
|
||||||
|
This matches the one of /var/cache/dnf, and is accessible from within a
|
||||||
|
container
|
||||||
|
|
||||||
|
Directories located in the user's home
|
||||||
|
......................................
|
||||||
|
|
||||||
|
You may want to avoid pointing to directories in your $HOME when running this
|
||||||
|
role, especially when it's running from within TripleO client (for instance
|
||||||
|
with the ```openstack tripleo container image prepare``` command). Doing so
|
||||||
|
may break due to the SELinux labels and permissions associated to your home
|
||||||
|
directory.
|
||||||
|
|
||||||
|
Please use another location, such as /opt, or even /tmp - and double-check the
|
||||||
|
SELinux labels therein.
|
||||||
|
|
||||||
Example Playbooks
|
Example Playbooks
|
||||||
-----------------
|
-----------------
|
||||||
|
|
||||||
|
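Review bot: The "On-disk repositories" warning asks readers to make sure the label is correct but gives no way to check or set it, and the example it calls a type, system_u:object_r:rpm_var_cache_t, is a user:role:type string in which only rpm_var_cache_t is the type. Suggest naming the type on its own and adding the commands to inspect and apply it (for instance ls -Zd on the directory, then semanage fcontext plus restorecon, or chcon for a quick test). The "Directories located in the user's home" part recommends "/opt, or even /tmp": /tmp is world-writable, so for a directory of RPMs that end up in an image it is worth saying the directory should be writable only by the account running the role. Markup: the new text uses triple backticks where this README uses the RST double-backtick form (``update_repo: gating-repo``), and the sentence ending in "container" is missing its period.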
@ -182,7 +207,7 @@ In this playbook the tasks\_from is set as a variable instead of an
|
||||||
yum_repos_dir_path: /etc/yum.repos.d
|
yum_repos_dir_path: /etc/yum.repos.d
|
||||||
modified_append_tag: updated
|
modified_append_tag: updated
|
||||||
yum_cache: /tmp/containers-updater/yum_cache
|
yum_cache: /tmp/containers-updater/yum_cache
|
||||||
rpms_path: /home/stack/rpms
|
rpms_path: /opt/rpms
|
||||||
|
|
||||||
.. code-block::
|
.. code-block::
|
||||||
|
|
||||||
|
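Review bot: The unchanged line yum_cache: /tmp/containers-updater/yum_cache, just above the rpms_path change, is also an on-disk directory under /tmp, which is where the new Warnings section asks readers to double-check SELinux labels, yet the example says nothing about it. Suggest adding a sentence next to this example that both yum_cache and rpms_path need a label accessible from the container, or a pointer back to the Warnings section.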
@ -195,7 +220,7 @@ In this playbook the tasks\_from is set as a variable instead of an
|
||||||
tasks_from: yum_update.yml
|
tasks_from: yum_update.yml
|
||||||
source_image: docker.io/tripleomaster/centos-binary-nova-api:latest
|
source_image: docker.io/tripleomaster/centos-binary-nova-api:latest
|
||||||
modified_append_tag: updated
|
modified_append_tag: updated
|
||||||
rpms_path: /home/stack/rpms/
|
rpms_path: /opt/rpms/
|
||||||
|
|
||||||
Note, if you have a locally installed gating repo, you can add
|
Note, if you have a locally installed gating repo, you can add
|
||||||
``update_repo: gating-repo``. This may be the case for the consequent in-place
|
``update_repo: gating-repo``. This may be the case for the consequent in-place
|
||||||
|
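Review bot: The changed line rpms_path: /opt/rpms/ keeps the trailing slash from the old value, while the other two examples touched by this change use rpms_path: /opt/rpms. Suggest dropping the slash so the three examples agree, or, if the yum_update.yml tasks depend on it, saying so in the text.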
@ -242,7 +267,7 @@ network connectivity.
|
||||||
vars:
|
vars:
|
||||||
tasks_from: rpm_install.yml
|
tasks_from: rpm_install.yml
|
||||||
source_image: docker.io/tripleomaster/centos-binary-nova-api:latest
|
source_image: docker.io/tripleomaster/centos-binary-nova-api:latest
|
||||||
rpms_path: /home/stack/rpms
|
rpms_path: /opt/rpms
|
||||||
modified_append_tag: -hotfix
|
modified_append_tag: -hotfix
|
||||||
|
|
||||||
Dev install
|
Dev install
|
||||||
|
@ -289,6 +314,9 @@ or it can be used to build an image from a local Python directory:
|
||||||
python_dir:
|
python_dir:
|
||||||
- /home/joe/git/openstack/heat
|
- /home/joe/git/openstack/heat
|
||||||
|
|
||||||
|
Note: here, we can use a directory located in the user's home because it's
|
||||||
|
probably launched by the user.
|
||||||
|
|
||||||
License
|
License
|
||||||
-------
|
-------
|
||||||
|
|
||||||
|
|
|
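Review bot: The added note justifies the /home/joe path with "because it's probably launched by the user", which leaves the reader guessing when the python_dir example is expected to work. Suggest stating the condition outright: the path under the user's home is fine when the playbook is run as that user, and may hit the label and permission problems described in the Warnings section when the role runs as root or from within the TripleO client. A link back to that section would also help, since this note sits far from it in the README.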
@ -1,11 +1,11 @@
|
||||||
[metadata]
|
[metadata]
|
||||||
name = ansible-role-tripleo-modify-image
|
name = ansible-role-tripleo-modify-image
|
||||||
summary = ansible-tripleo-modify-image - Ansible role to allow modification to container images built for the TripleO project.
|
summary = ansible-tripleo-modify-image - Ansible role to allow modification to container images built for the TripleO project.
|
||||||
description-file =
|
description_file =
|
||||||
README.rst
|
README.rst
|
||||||
author = TripleO Team
|
author = TripleO Team
|
||||||
author-email = sbaker@redhat.com
|
author_email = sbaker@redhat.com
|
||||||
home-page = https://git.openstack.org/cgit/openstack/ansible-role-tripleo-modify-image
|
home_page = https://git.openstack.org/cgit/openstack/ansible-role-tripleo-modify-image
|
||||||
classifier =
|
classifier =
|
||||||
License :: OSI Approved :: Apache Software License
|
License :: OSI Approved :: Apache Software License
|
||||||
Development Status :: 4 - Beta
|
Development Status :: 4 - Beta
|
||||||
|
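Review bot: The description_file, author_email and home_page renames are unrelated to the SELinux notes this commit is titled for, and the commit message only says they "match new format requirements" without naming the tool or version that requires them. Suggest splitting the setup.cfg change into its own commit, or at least stating in the message which tool version needs the underscore keys so the change can be checked and reverted independently of the documentation.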
@ -15,7 +15,7 @@ classifier =
|
||||||
Topic :: Utilities
|
Topic :: Utilities
|
||||||
|
|
||||||
[global]
|
[global]
|
||||||
setup-hooks =
|
setup_hooks =
|
||||||
pbr.hooks.setup_hook
|
pbr.hooks.setup_hook
|
||||||
|
|
||||||
[files]
|
[files]
|
||||||
|
|