From a09c8af2fbbf4e13f15cfab117e319b4ee6d4660 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Jeanneret?=
Date: Tue, 12 Jul 2022 11:15:37 +0200
Subject: [PATCH] Add some notes about SELinux and limitations

With newer podman and container-selinux, we may face some issues depending on where directories are located. The way we're running the role is also important - being launched as root or as a user makes a big difference, especially with the user's home content. It also updates the setup.cfg content to match new format requirements

Change-Id: Ib2b7fd2f557d4743efd2eaca18474fb45b91cbcf
---
 README.rst | 39 ++++++++++++++++++++++++++++++++++++---
 setup.cfg | 8 ++++----
 2 files changed, 40 insertions(+), 7 deletions(-)

diff --git a/README.rst b/README.rst
index 84c6ab8..601c6bc 100644
--- a/README.rst
+++ b/README.rst
@@ -120,6 +120,36 @@ Dependencies
 
 None
 
+Warnings
+--------
+
+On-disk repositories
+....................
+
+Please ensure the SELinux label for the on-disk repositories are correct.
+Depending on your container-selinux (and podman) version, you may face issues.
+
+Some examples of a correct type:
+
+ - ```system_u:object_r:rpm_var_cache_t```
+ - ```system_u:object_r:container_file_t```
+
+First one matches the one of /var/cache/dnf, and is accessible from within a
+container, while the second one may allow a container to actually write in
+there.
+
+Directories located in the user's home
+......................................
+
+You may want to avoid pointing to directories in your $HOME when running this
+role, especially when it's running from within TripleO client (for instance
+with the ```openstack tripleo container image prepare``` command). Doing so
+may break due to the SELinux labels and permissions associated to your home
+directory.
+
+Please use another location, such as /opt, or even /tmp - and double-check the
+SELinux labels therein.
+
 Example Playbooks
 -----------------
 
@@ -182,7 +212,7 @@ In this playbook the tasks\_from is set as a variable instead of an
 yum_repos_dir_path: /etc/yum.repos.d
 modified_append_tag: updated
 yum_cache: /tmp/containers-updater/yum_cache
- rpms_path: /home/stack/rpms
+ rpms_path: /opt/rpms
 
 .. code-block::
 
@@ -195,7 +225,7 @@ In this playbook the tasks\_from is set as a variable instead of an
 tasks_from: yum_update.yml
 source_image: docker.io/tripleomaster/centos-binary-nova-api:latest
 modified_append_tag: updated
- rpms_path: /home/stack/rpms/
+ rpms_path: /opt/rpms/
 
 Note, if you have a locally installed gating repo, you can add ``update_repo: gating-repo``. This may be the case for the consequent in-place
@@ -242,7 +272,7 @@ network connectivity.
 vars:
 tasks_from: rpm_install.yml
 source_image: docker.io/tripleomaster/centos-binary-nova-api:latest
- rpms_path: /home/stack/rpms
+ rpms_path: /opt/rpms
 modified_append_tag: -hotfix
 
 Dev install
@@ -289,6 +319,9 @@ or it can be used to build an image from a local Python directory:
 python_dir:
 - /home/joe/git/openstack/heat
 
+Note: here, we can use a directory located in the user's home because it's
+probably launched by the user.
+
 License
 -------
 
diff --git a/setup.cfg b/setup.cfg
index 7970eae..16ce90a 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -1,11 +1,11 @@
 [metadata]
 name = ansible-role-tripleo-modify-image
 summary = ansible-tripleo-modify-image - Ansible role to allow modification to container images built for the TripleO project.
-description-file =
+description_file =
 README.rst
 author = TripleO Team
-author-email = sbaker@redhat.com
-home-page = https://git.openstack.org/cgit/openstack/ansible-role-tripleo-modify-image
+author_email = sbaker@redhat.com
+home_page = https://git.openstack.org/cgit/openstack/ansible-role-tripleo-modify-image
 classifier =
 License :: OSI Approved :: Apache Software License
 Development Status :: 4 - Beta
@@ -15,7 +15,7 @@ classifier =
 Topic :: Utilities
 
 [global]
-setup-hooks =
+setup_hooks =
 pbr.hooks.setup_hook
 
 [files]