container_puppet_config: disable SElinux labelling

This is a leftover from container-puppet.py that was missed in the
migration to Ansible. If we don't do that, SELinux will report alerts
because the entrypoint (container-puppet.sh) tries to copy (and
therefore read) the content of /tmp/puppet-tmp which isn't readable per
current OpenStack SELinux podman policies.

While this is done in the policy, let's port the configuration that was
done before in container-puppet.py and this patch will be reverted once
the policy is less restrictive.

Change-Id: I5baefe16f313cc17d369c9f16529516fc8d6f6e5
Related-Bug: #1864501
Emilien Macchi 2020-02-24 10:58:53 -05:00
parent a976fafdb8
commit 99448e20fe
1 changed files with 3 additions and 0 deletions


@ -266,6 +266,9 @@ class ContainerPuppetManager:
'/dev/log:/dev/log:rw']
# Defaults
default_data = {
# the security_opt can be removed once we properly address:
# https://bugs.launchpad.net/tripleo/+bug/1864501
'security_opt': 'label=disable',
'user': 0,
'entrypoint': CONTAINER_ENTRYPOINT,
'environment': self._get_environment_config()
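Review bot: `'security_opt': 'label=disable'` in `default_data` switches off SELinux separation for every container started by this manager, which is broader than the single read of /tmp/puppet-tmp that the commit message says trips the policy; consider whether relabelling that one mount with the `:z`/`:Z` volume option (in the same `src:dst:opts` style as the `'/dev/log:/dev/log:rw'` entry above) would satisfy the policy while keeping the containers confined, and if it does not, extend the comment next to the bug link to say why a full `label=disable` is needed so the revert promised in the message has a clear trigger.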