container_puppet_config: disable SELinux labelling
This is a leftover from container-puppet.py that was missed in the migration to Ansible.

If we don't do that, SELinux will report alerts because the entrypoint (container-puppet.sh) tries to copy (and therefore read) the content of /tmp/puppet-tmp, which isn't readable per current OpenStack SELinux podman policies.

While this is done in the policy, let's port the configuration that was done before in container-puppet.py and this patch will be reverted once the policy is less restrictive.

Change-Id: I5baefe16f313cc17d369c9f16529516fc8d6f6e5
Related-Bug: #1864501
parent a976fafdb8
commit 99448e20fe
|
@ -266,6 +266,9 @@ class ContainerPuppetManager:
|
|||
'/dev/log:/dev/log:rw']
|
||||
# Defaults
|
||||
default_data = {
|
||||
# the security_opt can be removed once we properly address:
|
||||
# https://bugs.launchpad.net/tripleo/+bug/1864501
|
||||
'security_opt': 'label=disable',
|
||||
'user': 0,
|
||||
'entrypoint': CONTAINER_ENTRYPOINT,
|
||||
'environment': self._get_environment_config()
|
||||
|
|
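Review bot: 'security_opt': 'label=disable' is added to default_data right next to 'user': 0, so every container built from these defaults runs as root with SELinux label separation turned off, not only the step that reads /tmp/puppet-tmp. If callers can override default_data, please say so in the comment; if they cannot, consider applying the option only where the copy from /tmp/puppet-tmp happens. The comment says the option "can be removed" once bug 1864501 is addressed; wording it as a TODO that states it must be reverted when the policy is fixed would make the temporary nature harder to miss. Also worth confirming that the consumer of this dict accepts a bare string for security_opt rather than a list, since the visible lines do not show how the value is used.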