Add missing "z" flag for specific mounts

Depending on the host history, it may happen that some directory content
doesn't have the correct SELinux type. This has been seen with the OVN
service, during a Queens -> Train FFU:

While the /var/lib/openvswitch/ovn directory had the correct
container_file_t type, some files in this location were typed with
openvswitch_var_lib_t, leading to errors during the deploy part of the
upgrade (after the OS upgrade, when the deploy is running on the cleaned
host).
The specific issue depends on the actual files with the wrong label, but
usually it involves a container crash/error, leading to a deploy error,
and a manual intervention in order to correct the SELinux type in the
location.

This situation may happen when first deployed on Queens, since it was
using Docker. For the record, back then the Docker daemon was configured
to disable SELinux support, so it didn't really care about labels; but
the situation is different with Podman, and we have full SELinux support
at all levels on the OS, leading to the issue.

For the record, tripleo-heat-templates as well as tripleo-ansible set
"setype: container_file_t" on the directories, but we don't use
"recurse: true", in order to avoid performance issues: some locations
might be huge, and it would take too much time to relabel everything via
Ansible.

This patch aims to converge all the mounts to the same options, and
ensure no SELinux denial can prevent the actual container startup and
function.

Change-Id: Ic3e427156fc82c524c763d1896937fcc3c49fabb
Closes-Bug: #1943459
(cherry picked from commit e8c4e9304f)
This commit is contained in:
Cédric Jeanneret 2021-09-13 15:54:34 +02:00 committed by Cedric Jeanneret
parent b67596f1b5
commit 848f2acd5b
9 changed files with 25 additions and 20 deletions
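An added audit helper, not part of this change or of puppet-tripleo, that finds the situation the commit message describes: entries under a bind-mount source directory whose SELinux type differs from the container_file_t the mounts expect. The `SAMPLE` entries and their file names are constructed; on a real host `read_labels()` reads the `security.selinux` xattr instead.

```python
import os
from dataclasses import dataclass

# Type the tripleo bind-mount sources are expected to carry.
EXPECTED_TYPE = "container_file_t"


@dataclass(frozen=True)
class Mislabel:
    path: str
    actual_type: str


def selinux_type(context: str) -> str:
    """Return the type field of a context such as
    'system_u:object_r:openvswitch_var_lib_t:s0'."""
    parts = context.rstrip("\x00").split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed SELinux context: {context!r}")
    return parts[2]


def find_mislabeled(labels, expected_type=EXPECTED_TYPE):
    """labels: iterable of (path, context) pairs. Returns the entries whose
    type is not expected_type, in the order they were given."""
    return [Mislabel(p, selinux_type(c))
            for p, c in labels if selinux_type(c) != expected_type]


def read_labels(root):
    """Walk a real directory tree and yield (path, context) pairs from the
    security.selinux xattr. Only meaningful on an SELinux-enabled Linux host;
    entries without a readable label are skipped."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = os.path.join(dirpath, name)
            try:
                ctx = os.getxattr(p, "security.selinux", follow_symlinks=False)
            except OSError:
                continue
            yield p, ctx.decode()


# Constructed sample mirroring the bug report: the directory is labelled
# container_file_t, but two files underneath kept openvswitch_var_lib_t.
SAMPLE = [
    ("/var/lib/openvswitch/ovn", "system_u:object_r:container_file_t:s0"),
    ("/var/lib/openvswitch/ovn/nb.db", "system_u:object_r:openvswitch_var_lib_t:s0"),
    ("/var/lib/openvswitch/ovn/sb.db", "system_u:object_r:openvswitch_var_lib_t:s0"),
    ("/var/lib/openvswitch/ovn/.lock", "system_u:object_r:container_file_t:s0"),
]

if __name__ == "__main__":
    for m in find_mislabeled(SAMPLE):
        print(f"{m.path}: {m.actual_type} (expected {EXPECTED_TYPE})")
```

Running it against a real mount source (for example `find_mislabeled(read_labels("/var/lib/openvswitch/ovn"))`) before an update shows exactly which files the `z` mount option will relabel at container start.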


@ -183,7 +183,7 @@ class tripleo::profile::pacemaker::cinder::backup_bundle (
'cinder-backup-var-lib-cinder' => {
'source-dir' => '/var/lib/cinder',
'target-dir' => '/var/lib/cinder',
'options' => 'rw',
'options' => 'rw,z',
},
'cinder-backup-pki-extracted' => {
'source-dir' => '/etc/pki/ca-trust/extracted',
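Review bot: the `cinder-backup-pki-extracted` mount that immediately follows this hunk keeps whatever options it already had, so the diff does not quite do what the commit message says ("converge all the mounts to the same options"). Please state in the message that host-managed sources such as `/etc/pki/ca-trust/extracted` are deliberately left without `z`: relabelling that tree to `container_file_t` would rewrite the labels of a directory the host owns, which is not the goal here.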
@ -208,7 +208,7 @@ class tripleo::profile::pacemaker::cinder::backup_bundle (
'cinder-backup-var-log' => {
'source-dir' => '/var/log/containers/cinder',
'target-dir' => '/var/log/cinder',
'options' => 'rw',
'options' => 'rw,z',
},
'cinder-backup-ceph-cfg-dir' => {
'source-dir' => $ceph_conf_path,


@ -184,7 +184,7 @@ class tripleo::profile::pacemaker::cinder::volume_bundle (
'cinder-volume-var-lib-cinder' => {
'source-dir' => '/var/lib/cinder',
'target-dir' => '/var/lib/cinder',
'options' => 'rw',
'options' => 'rw,z',
},
'cinder-volume-pki-extracted' => {
'source-dir' => '/etc/pki/ca-trust/extracted',
@ -209,7 +209,7 @@ class tripleo::profile::pacemaker::cinder::volume_bundle (
'cinder-volume-var-log' => {
'source-dir' => '/var/log/containers/cinder',
'target-dir' => '/var/log/cinder',
'options' => 'rw',
'options' => 'rw,z',
},
'cinder-volume-ceph-cfg-dir' => {
'source-dir' => $ceph_conf_path,
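Review bot: these two `volume_bundle` hunks repeat the `backup_bundle` mount table line for line, and the literal `'rw,z'` now appears in nine manifests. A style point only: a shared default for the mount options would turn the next convergence of this kind into a one-line change rather than a sweep across every bundle.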


@ -425,19 +425,19 @@ MYSQL_HOST=localhost\n",
'mysql-lib' => {
'source-dir' => '/var/lib/mysql',
'target-dir' => '/var/lib/mysql',
'options' => 'rw',
'options' => 'rw,z',
},
# NOTE: we cannot remove this bind mount until the resource-agent
# can use the configured log-file for initial bootstrap operations
'mysql-log-mariadb' => {
'source-dir' => '/var/log/mariadb',
'target-dir' => '/var/log/mariadb',
'options' => 'rw',
'options' => 'rw,z',
},
'mysql-log' => {
'source-dir' => '/var/log/containers/mysql',
'target-dir' => '/var/log/mysql',
'options' => 'rw',
'options' => 'rw,z',
},
'mysql-dev-log' => {
'source-dir' => '/dev/log',
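Review bot: `z` on `/var/lib/mysql` means podman walks and relabels the whole datadir every time the bundle container starts, which is the same cost the commit message says was avoided by not using `recurse: true` in Ansible; a sentence in the message (or the release note) on the expected start-up delay for large databases would help operators. Leaving the `mysql-dev-log` mount of `/dev/log` untouched is right, since a host socket must not be relabelled.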


@ -295,12 +295,12 @@ slave-announce-port ${local_tuple[0][2]}
'redis-lib' => {
'source-dir' => '/var/lib/redis',
'target-dir' => '/var/lib/redis',
'options' => 'rw',
'options' => 'rw,z',
},
'redis-log' => {
'source-dir' => '/var/log/containers/redis',
'target-dir' => '/var/log/redis',
'options' => 'rw',
'options' => 'rw,z',
},
'redis-run' => {
'source-dir' => '/var/run/redis',


@ -204,7 +204,7 @@ class tripleo::profile::pacemaker::haproxy_bundle (
'haproxy-var-lib' => {
'source-dir' => '/var/lib/haproxy',
'target-dir' => '/var/lib/haproxy',
'options' => 'rw',
'options' => 'rw,z',
},
'haproxy-pki-extracted' => {
'source-dir' => '/etc/pki/ca-trust/extracted',


@ -185,7 +185,7 @@ class tripleo::profile::pacemaker::manila::share_bundle (
'manila-share-var-lib-manila' => {
'source-dir' => '/var/lib/manila',
'target-dir' => '/var/lib/manila',
'options' => 'rw',
'options' => 'rw,z',
},
'manila-share-pki-extracted' => {
'source-dir' => '/etc/pki/ca-trust/extracted',
@ -210,7 +210,7 @@ class tripleo::profile::pacemaker::manila::share_bundle (
'manila-share-var-log' => {
'source-dir' => '/var/log/containers/manila',
'target-dir' => '/var/log/manila',
'options' => 'rw',
'options' => 'rw,z',
},
'manila-share-ceph-cfg-dir' => {
'source-dir' => $ceph_conf_path,


@ -194,32 +194,32 @@ class tripleo::profile::pacemaker::ovn_dbs_bundle (
'ovn-dbs-run-files' => {
'source-dir' => '/var/lib/openvswitch/ovn',
'target-dir' => '/run/openvswitch',
'options' => 'rw',
'options' => 'rw,z',
},
'ovn-dbs-new-run-files' => {
'source-dir' => '/var/lib/openvswitch/ovn',
'target-dir' => '/run/ovn',
'options' => 'rw',
'options' => 'rw,z',
},
'ovn-dbs-log-files' => {
'source-dir' => '/var/log/containers/openvswitch',
'target-dir' => '/var/log/openvswitch',
'options' => 'rw',
'options' => 'rw,z',
},
'ovn-dbs-new-log-files' => {
'source-dir' => '/var/log/containers/openvswitch',
'target-dir' => '/var/log/ovn',
'options' => 'rw',
'options' => 'rw,z',
},
'ovn-dbs-db-path' => {
'source-dir' => '/var/lib/openvswitch/ovn',
'target-dir' => '/etc/openvswitch',
'options' => 'rw',
'options' => 'rw,z',
},
'ovn-dbs-new-db-path' => {
'source-dir' => '/var/lib/openvswitch/ovn',
'target-dir' => '/etc/ovn',
'options' => 'rw',
'options' => 'rw,z',
},
}
if (hiera('ovn_dbs_short_node_names_override', undef)) {
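Review bot: `/var/lib/openvswitch/ovn` is the source of three of these mounts (`ovn-dbs-run-files`, `ovn-dbs-new-run-files`, `ovn-dbs-db-path`, plus their `-new-` twins), so with `z` on each the same tree is relabelled three times per container start; harmless, but worth a comment so nobody later "optimises" one of them away and reintroduces the mislabel from the bug. Lowercase `z` (shared `container_file_t` without MCS categories, rather than a private `Z` label) is the right choice for a bundle that can be scheduled on any node, but it also means the OVN databases are readable by any other container on the host with a matching mount, which the commit message could state explicitly.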


@ -238,7 +238,7 @@ class tripleo::profile::pacemaker::rabbitmq_bundle (
'rabbitmq-lib' => {
'source-dir' => '/var/lib/rabbitmq',
'target-dir' => '/var/lib/rabbitmq',
'options' => 'rw',
'options' => 'rw,z',
},
'rabbitmq-pki-extracted' => {
'source-dir' => '/etc/pki/ca-trust/extracted',
@ -263,7 +263,7 @@ class tripleo::profile::pacemaker::rabbitmq_bundle (
'rabbitmq-log' => {
'source-dir' => '/var/log/containers/rabbitmq',
'target-dir' => '/var/log/rabbitmq',
'options' => 'rw',
'options' => 'rw,z',
},
'rabbitmq-dev-log' => {
'source-dir' => '/dev/log',


@ -0,0 +1,5 @@
---
upgrade:
- |
Services managed by Pacemaker will be restarted when this change is applied
as an Update or Upgrade process.
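Review bot: the note says that the services restart but not why, and "applied as an Update or Upgrade process" reads awkwardly; suggest something like "Pacemaker-managed services are restarted during stack update or upgrade because their container mount options change (`z` added) and the bundle resources are redefined", and add that the first start after the change relabels the mounted directories, which can take a while on large data or log directories.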