Add flag to enable SELinux in docker profile

SELinux for docker is disabled by default; this commit adds an option selinux_enabled that will add it if set to true. Change-Id: I883e64c1b69b24c75441fc3a628942fb1d90d448
2018-03-12 14:31:25 +02:00 · 2018-03-12 14:31:25 +02:00 · fdcad62d8f
parent 8c9b116c11
commit fdcad62d8f
2 changed files with 31 additions and 4 deletions
--- a/manifests/profile/base/docker.pp
+++ b/manifests/profile/base/docker.pp
@ -30,9 +30,7 @@
 #   (defaults to false)
 #
 # [*docker_options*]
-#   OPTIONS that are used to startup the docker service.  NOTE:
-#   --selinux-enabled is dropped due to recommendations here:
-#   https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/7.2_Release_Notes/technology-preview-file_systems.html
+#   OPTIONS that are used to startup the docker service.
 #   Defaults to '--log-driver=journald --signature-verification=false --iptables=false --live-restore'
 #
 # [*configure_network*]
@ -58,6 +56,12 @@
 #   String. Value to configure the deployment user.
 #   Defaults to hiera('deployment_user', undef)
 #
+# [*selinux_enabled*]
+#   Boolean. Whether to enable SELinux for docker or not. NOTE:
+#   --selinux-enabled is disabled by default due to recommendations here:
+#   https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/7.2_Release_Notes/technology-preview-file_systems.html
+#   Defaults to false
+#
 # DEPRECATED PARAMETERS
 #
 # [*insecure_registry_address*]
@ -85,6 +89,7 @@ class tripleo::profile::base::docker (
  $step                = Integer(hiera('step')),
  $debug               = false,
  $deployment_user     = hiera('deployment_user', undef),
+  $selinux_enabled     = false,
  # DEPRECATED PARAMETERS
  $insecure_registry_address = undef,
  $docker_namespace = undef,
@ -122,7 +127,12 @@ class tripleo::profile::base::docker (
    }

    if $docker_options {
-      $options_changes = [ "set OPTIONS '\"${docker_options}\"'" ]
+      if $selinux_enabled {
+        $selinux_enabled_string = ' --selinux-enabled'
+      } else {
+        $selinux_enabled_string = ''
+      }
+      $options_changes = [ "set OPTIONS '\"${docker_options}${selinux_enabled_string}\"'" ]
    } else {
      $options_changes = [ 'rm OPTIONS' ]
    }
--- a/spec/classes/tripleo_profile_base_docker_spec.rb
+++ b/spec/classes/tripleo_profile_base_docker_spec.rb
@ -126,6 +126,23 @@ describe 'tripleo::profile::base::docker' do
      }
    end

+    context 'with step 1 and selinux enabled' do
+      let(:params) { {
+          :step            => 1,
+          :selinux_enabled => true,
+      } }
+
+      it { is_expected.to contain_class('tripleo::profile::base::docker') }
+      it { is_expected.to contain_package('docker') }
+      it { is_expected.to contain_service('docker') }
+      it { is_expected.to contain_file('/etc/systemd/system/docker.service.d/99-unset-mountflags.conf') }
+      it {
+          is_expected.to contain_augeas('docker-sysconfig-options').with_changes([
+            "set OPTIONS '\"--log-driver=journald --signature-verification=false --iptables=false --live-restore --selinux-enabled\"'",
+          ])
+      }
+    end
+
    context 'with step 1 and storage_options configured' do
      let(:params) { {
          :step              => 1,