Depending on the host history, it may happen that some directory content doesn't have the correct SELinux type.

This has been seen with the OVN service, during a Queens -> Train FFU: while the /var/lib/openvswitch/ovn directory had the correct container_file_t type, some files in this location were typed with openvswitch_var_lib_t, leading to errors during the deploy part of the upgrade (after the OS upgrade, when the deploy is running on the cleaned host).

The specific issue depends on the actual files with the wrong label, but usually it involves a container crash/error, leading to a deploy error, and a manual intervention in order to correct the SELinux type in the location.

This situation may happen when first deployed on Queens, since it was using Docker. For the record, back then Docker Daemon was configured in order to disable the SELinux support, so it didn't really care about labels; but the situation is different with Podman, and we have full SELinux support at all levels on the OS, leading to the issue.

For the record, tripleo-heat-templates as well as tripleo-ansible are setting the "setype: container_file_t" on the directories, but we don't use the "recurse: true" in order to avoid performance issues - some locations might be huge, and it would take too much time to relabel everything via ansible.

This patch aims to converge all the mounts to the same options, and ensure no SELinux denial can prevent the actual container startup and function.

Change-Id: Ic3e427156fc82c524c763d1896937fcc3c49fabb
Closes-Bug: #1943459
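The mismatch described in the commit message (directory typed container_file_t, files inside it typed openvswitch_var_lib_t) can be spotted before a deploy by filtering a context listing. The script below is an added example, not part of the commit or of TripleO; the function names, the sample listing and its file names are constructed for illustration.

```shell
#!/bin/sh
# Added example: list entries whose SELinux type is not the expected one.
# Input on stdin: one "<context> <path>" line per entry, the format GNU find
# emits on an SELinux host with:  find DIR -printf '%Z %p\n'
# Paths containing newlines are not supported by this line-based format.
EXPECTED_TYPE="container_file_t"

# Constructed sample listing; the file names are made up for illustration.
sample_listing() {
cat <<'EOF'
system_u:object_r:container_file_t:s0 /var/lib/openvswitch/ovn
system_u:object_r:openvswitch_var_lib_t:s0 /var/lib/openvswitch/ovn/example_a.db
system_u:object_r:container_file_t:s0:c12,c34 /var/lib/openvswitch/ovn/example_b.db
system_u:object_r:openvswitch_var_lib_t:s0 /var/lib/openvswitch/ovn/file with space
garbage /var/lib/openvswitch/ovn/example_c
EOF
}

# Print "<type>\t<path>" for every entry whose type differs from $1
# (default: $EXPECTED_TYPE).
mislabeled() {
    awk -v want="${1:-$EXPECTED_TYPE}" '
    {
        ctx = $1
        path = substr($0, length(ctx) + 2)   # keep spaces inside the path
        # user:role:type[:level]; the level may itself contain colons,
        # so the type is always the third field, never the last one.
        n = split(ctx, f, ":")
        setype = (n >= 3) ? f[3] : "(unparsed)"
        if (setype != want) printf "%s\t%s\n", setype, path
    }'
}

# Number of entries that would be reported by mislabeled.
count_mislabeled() { mislabeled "$@" | wc -l | tr -d ' '; }

# Stand-alone run over the constructed sample.
sample_listing | mislabeled
```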