openstack/tripleo-heat-templates
Code Issues Proposed changes

Replace svirt_sandbox_file_t by container_file_t

Browse Source 
While they are, at SELinux level, exactly the same (one is an alias to
the other), the "container_file_t" name is easier to understand (and
shorter to write).

A second pass in a couple of days or weeks will be needed in order to
change files that were merged after this first pass.

Change-Id: Ib4b3e65dbaeb5894403301251866b9817240a9d5
This commit is contained in:
Cédric Jeanneret 2020-02-07 13:33:20 +01:00
parent 0ccca0e362
commit 0875895553
96 changed files with 191 additions and 186 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
common/container_startup_configs_tasks.yaml
View File

@ -7,13 +7,13 @@
path: "/var/lib/tripleo-config/container-startup-config/{{ step_path }}/"
mode: 0600
recurse: yes
setype: svirt_sandbox_file_t
setype: container_file_t
- name: "Creating container startup configs for {{ step_path }}"
copy:
content: "{{ item.value | to_nice_json }}"
dest: "/var/lib/tripleo-config/container-startup-config/{{ step_path }}/{{ item.key }}.json"
setype: svirt_sandbox_file_t
setype: container_file_t
mode: 0600
no_log: true
loop: "{{ item.1 | dict2items }}"

20
common/deploy-steps-tasks-step-1.yaml
View File

@ -20,7 +20,7 @@
file:
path: /var/lib/tripleo-config
state: directory
setype: svirt_sandbox_file_t
setype: container_file_t
selevel: s0
recurse: true
tags:
@ -49,7 +49,7 @@
file:
path: /var/lib/tripleo-config/check-mode
state: directory
setype: svirt_sandbox_file_t
setype: container_file_t
selevel: s0
recurse: true
tags:
@ -103,7 +103,7 @@
file:
path: /var/lib/container-puppet
state: directory
setype: svirt_sandbox_file_t
setype: container_file_t
selevel: s0
tags:
- container_config
@ -124,7 +124,7 @@
file:
path: /var/lib/container-puppet/check-mode
state: directory
setype: svirt_sandbox_file_t
setype: container_file_t
selevel: s0
tags:
- container_config
@ -171,7 +171,7 @@
file:
path: /var/lib/container-config-scripts
state: directory
setype: svirt_sandbox_file_t
setype: container_file_t
tags:
- container_config_scripts
@ -201,7 +201,7 @@
dest: "/var/lib/container-config-scripts/{{ item[0] }}"
force: yes
mode: "{{ item[1].mode | default('0600', true) }}"
setype: svirt_sandbox_file_t
setype: container_file_t
loop: "{{ role_data_container_config_scripts | dictsort }}"
loop_control:
label: "{{ item[0] }}"
@ -254,7 +254,7 @@
file:
path: /var/lib/kolla/config_files
state: directory
setype: svirt_sandbox_file_t
setype: container_file_t
selevel: s0
recurse: true
tags:
@ -264,7 +264,7 @@
file:
path: /var/lib/config-data
state: directory
setype: svirt_sandbox_file_t
setype: container_file_t
selevel: s0
- name: Write kolla config json files
@ -274,7 +274,7 @@
dest: "{{ item[0] }}"
force: yes
mode: '0600'
setype: svirt_sandbox_file_t
setype: container_file_t
loop: "{{ lookup('file', tripleo_role_name + '/kolla_config.yaml', errors='ignore') | default([], True) | from_yaml | dictsort }}"
loop_control:
label: "{{ item[0] }}"
@ -318,7 +318,7 @@
file:
path: /etc/puppet/check-mode/hieradata
state: directory
setype: svirt_sandbox_file_t
setype: container_file_t
selevel: s0
recurse: true
check_mode: no

6
common/deploy-steps.j2
View File

@ -615,7 +615,7 @@ outputs:
file:
path: /var/lib/tripleo-config/scripts
state: directory
setype: svirt_sandbox_file_t
setype: container_file_t
selevel: s0
recurse: true
@ -1235,7 +1235,7 @@ outputs:
- include_vars: global_vars.yaml
no_log: true
- name: ensure we get the right selinux context
command: chcon -R -t svirt_sandbox_file_t /var/lib/config-data
command: chcon -R -t container_file_t /var/lib/config-data
args:
warn: no
tags:
@ -1623,7 +1623,7 @@ outputs:
name: Run Fast Forward Upgrade Prep Workarounds for {{role.name}}
{%- endfor %}
- name: Create /var/lib/container-puppet
file: path=/var/lib/container-puppet state=directory setype=svirt_sandbox_file_t selevel=s0 recurse=true
file: path=/var/lib/container-puppet state=directory setype=container_file_t selevel=s0 recurse=true
- name: Write container-puppet.py
no_log: True
copy: src=docker_puppet_script.yaml dest=/var/lib/container-puppet/container-puppet.py force=yes mode=0600

4
deployment/aodh/aodh-api-container-puppet.yaml
View File

@ -248,8 +248,8 @@ outputs:
setype: "{{ item.setype }}"
state: directory
with_items:
- { 'path': /var/log/containers/aodh, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/httpd/aodh-api, setype: svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/aodh, 'setype': container_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/httpd/aodh-api, setype: container_file_t, 'mode': '0750' }
metadata_settings:
get_attr: [ApacheServiceBase, role_data, metadata_settings]
external_upgrade_tasks:

2
deployment/aodh/aodh-evaluator-container-puppet.yaml
View File

@ -114,7 +114,7 @@ outputs:
state: directory
setype: "{{ item.setype }}"
with_items:
- { 'path': /var/log/containers/aodh, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/aodh, 'setype': container_file_t, 'mode': '0750' }
external_upgrade_tasks:
- when:
- step|int == 1

2
deployment/aodh/aodh-listener-container-puppet.yaml
View File

@ -114,7 +114,7 @@ outputs:
state: directory
setype: "{{ item.setype }}"
with_items:
- { 'path': /var/log/containers/aodh, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/aodh, 'setype': container_file_t, 'mode': '0750' }
external_upgrade_tasks:
- when:
- step|int == 1

4
deployment/aodh/aodh-notifier-container-puppet.yaml
View File

@ -114,8 +114,8 @@ outputs:
state: directory
setype: "{{ item.setype }}"
with_items:
- { 'path': /var/log/containers/aodh, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/log/aodh, 'setype': svirt_sandbox_file_t }
- { 'path': /var/log/containers/aodh, 'setype': container_file_t, 'mode': '0750' }
- { 'path': /var/log/aodh, 'setype': container_file_t }
external_upgrade_tasks:
- when:
- step|int == 1

2
deployment/ceilometer/ceilometer-agent-central-container-puppet.yaml
View File

@ -172,7 +172,7 @@ outputs:
state: directory
setype: "{{ item.setype }}"
with_items:
- { 'path': /var/log/containers/ceilometer, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/ceilometer, 'setype': container_file_t, 'mode': '0750' }
external_upgrade_tasks:
- when:
- step|int == 1

2
deployment/ceilometer/ceilometer-agent-compute-container-puppet.yaml
View File

@ -119,7 +119,7 @@ outputs:
state: directory
setype: "{{ item.setype }}"
with_items:
- { 'path': /var/log/containers/ceilometer, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/ceilometer, 'setype': container_file_t, 'mode': '0750' }
- name: enable virt_sandbox_use_netlink for healthcheck
seboolean:
name: virt_sandbox_use_netlink

2
deployment/ceilometer/ceilometer-agent-ipmi-container-puppet.yaml
View File

@ -137,7 +137,7 @@ outputs:
state: directory
setype: "{{ item.setype }}"
with_items:
- { 'path': /var/log/containers/ceilometer, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/ceilometer, 'setype': container_file_t, 'mode': '0750' }
fast_forward_upgrade_tasks:
- when:
- step|int == 0

2
deployment/ceilometer/ceilometer-agent-notification-container-puppet.yaml
View File

@ -124,7 +124,7 @@ outputs:
state: directory
setype: "{{ item.setype }}"
with_items:
- { 'path': /var/log/containers/ceilometer, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/ceilometer, 'setype': container_file_t, 'mode': '0750' }
- name: enable virt_sandbox_use_netlink for healthcheck
seboolean:
name: virt_sandbox_use_netlink

4
deployment/cinder/cinder-api-container-puppet.yaml
View File

@ -376,8 +376,8 @@ outputs:
state: directory
setype: "{{ item.setype }}"
with_items:
- { 'path': /var/log/containers/cinder, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/httpd/cinder-api, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/cinder, 'setype': container_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/httpd/cinder-api, 'setype': container_file_t, 'mode': '0750' }
external_upgrade_tasks:
- when: step|int == 1
block:

4
deployment/cinder/cinder-common-container-puppet.yaml
View File

@ -72,8 +72,8 @@ outputs:
state: directory
setype: "{{ item.setype }}"
with_items:
- { 'path': /var/log/containers/cinder, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/lib/cinder, 'setype': svirt_sandbox_file_t }
- { 'path': /var/log/containers/cinder, 'setype': container_file_t, 'mode': '0750' }
- { 'path': /var/lib/cinder, 'setype': container_file_t }
- name: ensure ceph configurations exist
file:
path: /etc/ceph

2
deployment/cinder/cinder-scheduler-container-puppet.yaml
View File

@ -135,7 +135,7 @@ outputs:
state: directory
setype: "{{ item.setype }}"
with_items:
- { 'path': /var/log/containers/cinder, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/cinder, 'setype': container_file_t, 'mode': '0750' }
- name: enable virt_sandbox_use_netlink for healthcheck
seboolean:
name: virt_sandbox_use_netlink

4
deployment/database/mysql-container-puppet.yaml
View File

@ -250,8 +250,8 @@ outputs:
state: directory
setype: "{{ item.setype }}"
with_items:
- {'path': /var/log/containers/mysql, 'setype': 'svirt_sandbox_file_t', 'mode': '0750'}
- {'path': /var/lib/mysql, 'setype': 'svirt_sandbox_file_t'}
- {'path': /var/log/containers/mysql, 'setype': 'container_file_t', 'mode': '0750'}
- {'path': /var/lib/mysql, 'setype': 'container_file_t'}
upgrade_tasks:
# LP 1810136
# After upgrade, the new mariadb (e.g. 10.3) might not be able

6
deployment/database/mysql-pacemaker-puppet.yaml
View File

@ -313,9 +313,9 @@ outputs:
state: directory
setype: "{{ item.setype }}"
with_items:
- {'path': /var/log/containers/mysql, 'setype': 'svirt_sandbox_file_t', 'mode': '0750'}
- {'path': /var/lib/mysql, 'setype': 'svirt_sandbox_file_t'}
- {'path': /var/log/mariadb, 'setype': 'svirt_sandbox_file_t', 'mode': '0750'}
- {'path': /var/log/containers/mysql, 'setype': 'container_file_t', 'mode': '0750'}
- {'path': /var/lib/mysql, 'setype': 'container_file_t'}
- {'path': /var/log/mariadb, 'setype': 'container_file_t', 'mode': '0750'}
metadata_settings:
get_attr: [MysqlBase, role_data, metadata_settings]
deploy_steps_tasks:

6
deployment/database/redis-container-puppet.yaml
View File

@ -169,7 +169,7 @@ outputs:
restart: always
systemd_exec_flags:
RuntimeDirectory: redis
ExecStartPre: /bin/chcon -t svirt_sandbox_file_t /var/run/redis
ExecStartPre: /bin/chcon -t container_file_t /var/run/redis
healthcheck:
test: /openstack/healthcheck
volumes:
@ -219,8 +219,8 @@ outputs:
path: "{{ item.path }}"
state: directory
with_items:
- { 'path': /var/log/containers/redis, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/run/redis, 'setype': svirt_sandbox_file_t }
- { 'path': /var/log/containers/redis, 'setype': container_file_t, 'mode': '0750' }
- { 'path': /var/run/redis, 'setype': container_file_t }
- name: ensure /var/run/redis is present upon reboot
copy:
dest: /etc/tmpfiles.d/var-run-redis.conf

6
deployment/database/redis-pacemaker-puppet.yaml
View File

@ -289,9 +289,9 @@ outputs:
state: directory
setype: "{{ item.setype }}"
with_items:
- { 'path': /var/lib/redis, 'setype': svirt_sandbox_file_t }
- { 'path': /var/log/containers/redis, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/run/redis, 'setype': svirt_sandbox_file_t }
- { 'path': /var/lib/redis, 'setype': container_file_t }
- { 'path': /var/log/containers/redis, 'setype': container_file_t, 'mode': '0750' }
- { 'path': /var/run/redis, 'setype': container_file_t }
- name: ensure /var/run/redis is present upon reboot
copy:
dest: /etc/tmpfiles.d/var-run-redis.conf

2
deployment/etcd/etcd-container-puppet.yaml
View File

@ -157,7 +157,7 @@ outputs:
file:
path: /var/lib/etcd
state: directory
setype: svirt_sandbox_file_t
setype: container_file_t
upgrade_tasks: []
metadata_settings:
if:

2
deployment/experimental/designate/designate-api-container-puppet.yaml
View File

@ -165,4 +165,4 @@ outputs:
state: directory
setype: "{{ item.setype }}"
with_items:
- { 'path': /var/log/containers/designate, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/designate, 'setype': container_file_t, 'mode': '0750' }

2
deployment/experimental/designate/designate-central-container-puppet.yaml
View File

@ -218,4 +218,4 @@ outputs:
state: directory
setype: "{{ item.setype }}"
with_items:
- { 'path': /var/log/containers/designate, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/designate, 'setype': container_file_t, 'mode': '0750' }

4
deployment/experimental/designate/designate-mdns-container-puppet.yaml
View File

@ -175,5 +175,5 @@ outputs:
state: directory
setype: "{{ item.setype }}"
with_items:
- { 'path': /var/log/designate, 'setype': svirt_sandbox_file_t }
- { 'path': /var/log/containers/designate, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/log/designate, 'setype': container_file_t }
- { 'path': /var/log/containers/designate, 'setype': container_file_t, 'mode': '0750' }

2
deployment/experimental/designate/designate-producer-container-puppet.yaml
View File

@ -133,4 +133,4 @@ outputs:
state: directory
setype: "{{ item.setype }}"
with_items:
- { 'path': /var/log/containers/designate, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/designate, 'setype': container_file_t, 'mode': '0750' }

2
deployment/experimental/designate/designate-sink-container-puppet.yaml
View File

@ -125,4 +125,4 @@ outputs:
state: directory
setype: "{{ item.setype }}"
with_items:
- { 'path': /var/log/containers/designate, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/designate, 'setype': container_file_t, 'mode': '0750' }

4
deployment/experimental/designate/designate-worker-container-puppet.yaml
View File

@ -226,9 +226,9 @@ outputs:
state: directory
setype: "{{ item.setype }}"
with_items:
- { 'path': /var/log/containers/designate, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/designate, 'setype': container_file_t, 'mode': '0750' }
- name: create persistent named directory
file:
path: /var/named-persistent
state: directory
setype: svirt_sandbox_file_t
setype: container_file_t

6
deployment/glance/glance-api-container-puppet.yaml
View File

@ -121,7 +121,7 @@ parameters:
Netapp share to mount for image storage (when GlanceNetappNfsEnabled is true)
type: string
GlanceNfsOptions:
default: '_netdev,bg,intr,context=system_u:object_r:svirt_sandbox_file_t:s0'
default: '_netdev,bg,intr,context=system_u:object_r:container_file_t:s0'
description: >
NFS mount options for image storage (when GlanceNfsEnabled is true)
type: string
@ -175,7 +175,7 @@ parameters:
URI that specifies the staging location to use when importing images
type: string
GlanceStagingNfsOptions:
default: '_netdev,bg,intr,context=system_u:object_r:svirt_sandbox_file_t:s0'
default: '_netdev,bg,intr,context=system_u:object_r:container_file_t:s0'
description: >
NFS mount options for NFS image import staging
type: string
@ -621,7 +621,7 @@ outputs:
file:
path: /var/lib/glance
state: directory
setype: svirt_sandbox_file_t
setype: container_file_t
metadata_settings:
get_attr: [TLSProxyBase, role_data, metadata_settings]
external_upgrade_tasks:

4
deployment/glance/glance-api-logging-file-container.yaml
View File

@ -38,5 +38,5 @@ outputs:
state: directory
setype: "{{ item.setype }}"
with_items:
- { 'path': /var/log/containers/glance, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/httpd/glance, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/glance, 'setype': container_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/httpd/glance, 'setype': container_file_t, 'mode': '0750' }

6
deployment/gnocchi/gnocchi-api-container-puppet.yaml
View File

@ -361,9 +361,9 @@ outputs:
state: directory
setype: "{{ item.setype }}"
with_items:
- { 'path': /var/log/containers/gnocchi, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/httpd/gnocchi-api, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': {get_param: GnocchiFileBasePath}, 'setype': svirt_sandbox_file_t }
- { 'path': /var/log/containers/gnocchi, 'setype': container_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/httpd/gnocchi-api, 'setype': container_file_t, 'mode': '0750' }
- { 'path': {get_param: GnocchiFileBasePath}, 'setype': container_file_t }
- name: ensure ceph configurations exist
file:
path: /etc/ceph

4
deployment/gnocchi/gnocchi-metricd-container-puppet.yaml
View File

@ -159,12 +159,12 @@ outputs:
state: directory
setype: "{{ item.setype }}"
with_items:
- { 'path': /var/log/containers/gnocchi, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/gnocchi, 'setype': container_file_t, 'mode': '0750' }
- name: create persistent data directory
file:
path: {get_param: GnocchiFileBasePath}
state: directory
setype: svirt_sandbox_file_t
setype: container_file_t
- name: ensure ceph configurations exist
file:
path: /etc/ceph

4
deployment/gnocchi/gnocchi-statsd-container-puppet.yaml
View File

@ -151,12 +151,12 @@ outputs:
state: directory
setype: "{{ item.setype }}"
with_items:
- { 'path': /var/log/containers/gnocchi, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/gnocchi, 'setype': container_file_t, 'mode': '0750' }
- name: create persistent data directory
file:
path: {get_param: GnocchiFileBasePath}
state: directory
setype: svirt_sandbox_file_t
setype: container_file_t
- name: ensure ceph configurations exist
file:
path: /etc/ceph

2
deployment/haproxy/haproxy-container-puppet.yaml
View File

@ -365,7 +365,7 @@ outputs:
setype: "{{ item.setype }}"
with_items:
- { 'path': /var/log/containers/haproxy, 'setype': var_log_t, 'mode': '0750' }
- { 'path': /var/lib/haproxy, 'setype': svirt_sandbox_file_t }
- { 'path': /var/lib/haproxy, 'setype': container_file_t }
metadata_settings:
list_concat:
- {get_attr: [HAProxyPublicTLS, role_data, metadata_settings]}

4
deployment/haproxy/haproxy-pacemaker-puppet.yaml
View File

@ -306,8 +306,8 @@ outputs:
setype: "{{ item.setype }}"
with_items:
- { 'path': /var/log/containers/haproxy, 'setype': var_log_t, 'mode': '0750' }
- { 'path': /var/lib/haproxy, 'setype': svirt_sandbox_file_t }
- { 'path': /var/log/haproxy, 'setype': svirt_sandbox_file_t }
- { 'path': /var/lib/haproxy, 'setype': container_file_t }
- { 'path': /var/log/haproxy, 'setype': container_file_t }
metadata_settings:
{get_attr: [HAProxyBase, role_data, metadata_settings]}
deploy_steps_tasks:

6
deployment/horizon/horizon-container-puppet.yaml
View File

@ -320,9 +320,9 @@ outputs:
state: directory
setype: "{{ item.setype }}"
with_items:
- { 'path': /var/log/containers/horizon, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/httpd/horizon, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/www, 'setype': svirt_sandbox_file_t }
- { 'path': /var/log/containers/horizon, 'setype': container_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/httpd/horizon, 'setype': container_file_t, 'mode': '0750' }
- { 'path': /var/www, 'setype': container_file_t }
upgrade_tasks: []
external_upgrade_tasks:
- when:

4
deployment/ironic/ironic-api-container-puppet.yaml
View File

@ -281,8 +281,8 @@ outputs:
state: directory
setype: "{{ item.setype }}"
with_items:
- { 'path': /var/log/containers/ironic, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/httpd/ironic-api, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/ironic, 'setype': container_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/httpd/ironic-api, 'setype': container_file_t, 'mode': '0750' }
external_upgrade_tasks:
- when: step|int == 1
block:

4
deployment/ironic/ironic-conductor-container-puppet.yaml
View File

@ -554,8 +554,8 @@ outputs:
state: directory
setype: "{{ item.setype }}"
with_items:
- { 'path': /var/log/containers/ironic, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/lib/ironic, 'setype': svirt_sandbox_file_t }
- { 'path': /var/log/containers/ironic, 'setype': container_file_t, 'mode': '0750' }
- { 'path': /var/lib/ironic, 'setype': container_file_t }
- name: stat /httpboot
stat: path=/httpboot
register: stat_httpboot

4
deployment/ironic/ironic-inspector-container-puppet.yaml
View File

@ -491,9 +491,9 @@ outputs:
state: directory
setype: "{{ item.setype }}"
with_items:
- { 'path': /var/log/containers/ironic-inspector, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/ironic-inspector, 'setype': container_file_t, 'mode': '0750' }
- name: create persistent ironic-inspector dnsmasq dhcp hostsdir
file:
path: /var/lib/ironic-inspector/dhcp-hostsdir
state: directory
setype: svirt_sandbox_file_t
setype: container_file_t

6
deployment/ironic/ironic-pxe-container-puppet.yaml
View File

@ -166,6 +166,6 @@ outputs:
state: directory
setype: "{{ item.setype }}"
with_items:
- { 'path': /var/lib/ironic, 'setype': svirt_sandbox_file_t }
- { 'path': /var/log/containers/ironic, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/httpd/ironic-pxe, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/lib/ironic, 'setype': container_file_t }
- { 'path': /var/log/containers/ironic, 'setype': container_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/httpd/ironic-pxe, 'setype': container_file_t, 'mode': '0750' }

4
deployment/iscsid/iscsid-container-puppet.yaml
View File

@ -99,12 +99,12 @@ outputs:
file:
path: /etc/iscsi
state: directory
setype: svirt_sandbox_file_t
setype: container_file_t
- name: ensure /var/lib/iscsi exists
file:
path: /var/lib/iscsi
state: directory
setype: svirt_sandbox_file_t
setype: container_file_t
- name: stat /lib/systemd/system/iscsid.socket
stat: path=/lib/systemd/system/iscsid.socket
register: stat_iscsid_socket

2
deployment/keepalived/keepalived-container-puppet.yaml
View File

@ -149,4 +149,4 @@ outputs:
state: directory
setype: "{{ item.setype }}"
with_items:
- { 'path': /var/log/containers/keepalived, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/keepalived, 'setype': container_file_t, 'mode': '0750' }

4
deployment/logging/files/barbican-api.yaml
View File

@ -39,5 +39,5 @@ outputs:
state: directory
setype: "{{ item.setype }}"
with_items:
- { 'path': /var/log/containers/barbican, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/httpd/barbican-api, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/barbican, 'setype': container_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/httpd/barbican-api, 'setype': container_file_t, 'mode': '0750' }

4
deployment/logging/files/heat-api-cfn.yaml
View File

@ -25,5 +25,5 @@ outputs:
state: directory
setype: "{{ item.setype }}"
with_items:
- { 'path': /var/log/containers/heat, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/httpd/heat-api-cfn, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/heat, 'setype': container_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/httpd/heat-api-cfn, 'setype': container_file_t, 'mode': '0750' }

4
deployment/logging/files/heat-api.yaml
View File

@ -25,5 +25,5 @@ outputs:
state: directory
setype: "{{ item.setype }}"
with_items:
- { 'path': /var/log/containers/heat, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/httpd/heat-api, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/heat, 'setype': container_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/httpd/heat-api, 'setype': container_file_t, 'mode': '0750' }

2
deployment/logging/files/heat-engine.yaml
View File

@ -40,4 +40,4 @@ outputs:
state: directory
setype: "{{ item.setype }}"
with_items:
- { 'path': /var/log/containers/heat, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/heat, 'setype': container_file_t, 'mode': '0750' }

4
deployment/logging/files/keystone.yaml
View File

@ -40,5 +40,5 @@ outputs:
state: directory
setype: "{{ item.setype }}"
with_items:
- { 'path': /var/log/containers/keystone, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/httpd/keystone, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/keystone, 'setype': container_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/httpd/keystone, 'setype': container_file_t, 'mode': '0750' }

4
deployment/logging/files/neutron-api.yaml
View File

@ -48,5 +48,5 @@ outputs:
state: directory
setype: "{{ item.setype }}"
with_items:
- { 'path': /var/log/containers/neutron, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/httpd/neutron-api, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/neutron, 'setype': container_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/httpd/neutron-api, 'setype': container_file_t, 'mode': '0750' }

2
deployment/logging/files/neutron-common.yaml
View File

@ -36,4 +36,4 @@ outputs:
state: directory
setype: "{{ item.setype }}"
with_items:
- { 'path': /var/log/containers/neutron, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/neutron, 'setype': container_file_t, 'mode': '0750' }

4
deployment/logging/files/nova-api.yaml
View File

@ -48,5 +48,5 @@ outputs:
setype: "{{ item.setype }}"
state: directory
with_items:
- { 'path': /var/log/containers/nova, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/httpd/nova-api, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/nova, 'setype': container_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/httpd/nova-api, 'setype': container_file_t, 'mode': '0750' }

2
deployment/logging/files/nova-common.yaml
View File

@ -68,4 +68,4 @@ outputs:
setype: "{{ item.setype }}"
state: directory
with_items:
- { 'path': /var/log/containers/nova, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/nova, 'setype': container_file_t, 'mode': '0750' }

2
deployment/logging/files/nova-libvirt.yaml
View File

@ -38,4 +38,4 @@ outputs:
setype: "{{ item.setype }}"
state: directory
with_items:
- { 'path': /var/log/containers/libvirt, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/libvirt, 'setype': container_file_t, 'mode': '0750' }

4
deployment/logging/files/nova-metadata.yaml
View File

@ -37,5 +37,5 @@ outputs:
state: directory
setype: "{{ item.setype }}"
with_items:
- { 'path': /var/log/containers/nova, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/httpd/nova-metadata, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/nova, 'setype': container_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/httpd/nova-metadata, 'setype': container_file_t, 'mode': '0750' }

4
deployment/logging/files/placement-api.yaml
View File

@ -37,5 +37,5 @@ outputs:
state: directory
setype: "{{ item.setype }}"
with_items:
- { 'path': /var/log/containers/placement, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/httpd/placement, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/placement, 'setype': container_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/httpd/placement, 'setype': container_file_t, 'mode': '0750' }

4
deployment/logging/rsyslog-container-puppet.yaml
View File

@ -221,10 +221,10 @@ outputs:
file:
path: /var/log/containers/rsyslog
state: directory
setype: svirt_sandbox_file_t
setype: container_file_t
mode: '0750'
- name: create persistent state directory for rsyslog
file:
path: /var/lib/rsyslog.container
state: directory
setype: svirt_sandbox_file_t
setype: container_file_t

4
deployment/manila/manila-api-container-puppet.yaml
View File

@ -251,8 +251,8 @@ outputs:
state: directory
setype: "{{ item.setype }}"
with_items:
- { 'path': /var/log/containers/manila, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/httpd/manila-api, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/manila, 'setype': container_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/httpd/manila-api, 'setype': container_file_t, 'mode': '0750' }
upgrade_tasks: []
fast_forward_upgrade_tasks:
- name: Check if manila_api is deployed

2
deployment/manila/manila-scheduler-container-puppet.yaml
View File

@ -109,7 +109,7 @@ outputs:
state: directory
setype: "{{ item.setype }}"
with_items:
- { 'path': /var/log/containers/manila, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/manila, 'setype': container_file_t, 'mode': '0750' }
- name: enable virt_sandbox_use_netlink for healthcheck
seboolean:
name: virt_sandbox_use_netlink

4
deployment/manila/manila-share-container-puppet.yaml
View File

@ -164,8 +164,8 @@ outputs:
state: directory
setype: "{{ item.setype }}"
with_items:
- { 'path': /var/log/containers/manila, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/lib/manila, 'setype': svirt_sandbox_file_t }
- { 'path': /var/log/containers/manila, 'setype': container_file_t, 'mode': '0750' }
- { 'path': /var/lib/manila, 'setype': container_file_t }
- name: ensure ceph configurations exist
file:
path: /etc/ceph

4
deployment/manila/manila-share-pacemaker-puppet.yaml
View File

@ -201,8 +201,8 @@ outputs:
state: directory
setype: "{{ item.setype }}"
with_items:
- { 'path': /var/log/containers/manila, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/lib/manila, 'setype': svirt_sandbox_file_t }
- { 'path': /var/log/containers/manila, 'setype': container_file_t, 'mode': '0750' }
- { 'path': /var/lib/manila, 'setype': container_file_t }
- name: ensure ceph configurations exist
file:
path: /etc/ceph

4
deployment/messaging/rpc-qdrouterd-container-puppet.yaml
View File

@ -149,6 +149,6 @@ outputs:
state: directory
setype: "{{ item.setype }}"
with_items:
- { 'path': /var/log/containers/qdrouterd, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/lib/qdrouterd, 'setype': svirt_sandbox_file_t }
- { 'path': /var/log/containers/qdrouterd, 'setype': container_file_t, 'mode': '0750' }
- { 'path': /var/lib/qdrouterd, 'setype': container_file_t }
metadata_settings: {}

2
deployment/metrics/collectd-container-puppet.yaml
View File

@ -681,7 +681,7 @@ outputs:
state: directory
setype: "{{ item.setype }}"
with_items:
- { 'path': /var/log/containers/collectd, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/collectd, 'setype': container_file_t, 'mode': '0750' }
fast_forward_upgrade_tasks:
- when:
- step|int == 0

4
deployment/metrics/qdr-container-puppet.yaml
View File

@ -315,5 +315,5 @@ outputs:
state: directory
setype: "{{ item.setype }}"
with_items:
- { 'path': /var/log/containers/metrics-qdr, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/lib/metrics-qdr, 'setype': svirt_sandbox_file_t }
- { 'path': /var/log/containers/metrics-qdr, 'setype': container_file_t, 'mode': '0750' }
- { 'path': /var/lib/metrics-qdr, 'setype': container_file_t }

2
deployment/mistral/mistral-api-container-puppet.yaml
View File

@ -249,7 +249,7 @@ outputs:
state: directory
setype: "{{ item.setype }}"
with_items:
- { 'path': /var/log/containers/mistral, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/mistral, 'setype': container_file_t, 'mode': '0750' }
deploy_steps_tasks:
- name: Copy in action mapping file
when: step|int == 3

2
deployment/mistral/mistral-engine-container-puppet.yaml
View File

@ -137,7 +137,7 @@ outputs:
state: directory
setype: "{{ item.setype }}"
with_items:
- { 'path': /var/log/containers/mistral, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/mistral, 'setype': container_file_t, 'mode': '0750' }
- name: enable virt_sandbox_use_netlink for healthcheck
seboolean:
name: virt_sandbox_use_netlink

2
deployment/mistral/mistral-event-engine-container-puppet.yaml
View File

@ -112,7 +112,7 @@ outputs:
state: directory
setype: "{{ item.setype }}"
with_items:
- { 'path': /var/log/containers/mistral, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/mistral, 'setype': container_file_t, 'mode': '0750' }
- name: enable virt_sandbox_use_netlink for healthcheck
seboolean:
name: virt_sandbox_use_netlink

10
deployment/mistral/mistral-executor-container-puppet.yaml
View File

@ -218,8 +218,8 @@ outputs:
state: directory
setype: "{{ item.setype }}"
with_items:
- { 'path': /var/log/containers/mistral, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/lib/mistral, 'setype': svirt_sandbox_file_t }
- { 'path': /var/log/containers/mistral, 'setype': container_file_t, 'mode': '0750' }
- { 'path': /var/lib/mistral, 'setype': container_file_t }
- name: create mistral/.ssh directory
file:
path: /var/lib/mistral/.ssh
@ -237,18 +237,18 @@ outputs:
src: "{{ undercloud_cfg_file }}"
dest: /var/lib/mistral/undercloud.conf
mode: 0444
setype: svirt_sandbox_file_t
setype: container_file_t
local_follow: true
- name: create ceph-ansible source directory
file:
path: /usr/share/ceph-ansible
state: directory
setype: svirt_sandbox_file_t
setype: container_file_t
- name: create octavia-amphora-images directory
file:
path: /usr/share/openstack-octavia-amphora-images
state: directory
setype: svirt_sandbox_file_t
setype: container_file_t
- name: enable virt_sandbox_use_netlink for healthcheck
seboolean:
name: virt_sandbox_use_netlink

4
deployment/multipathd/multipathd-container.yaml
View File

@ -154,10 +154,10 @@ outputs:
file:
path: /etc/multipath
state: directory
setype: svirt_sandbox_file_t
setype: container_file_t
- name: ensure /etc/multipath.conf exists
file:
path: /etc/multipath.conf
state: touch
setype: svirt_sandbox_file_t
setype: container_file_t
upgrade_tasks: []

2
deployment/neutron/neutron-dhcp-container-puppet.yaml
View File

@ -414,7 +414,7 @@ outputs:
file:
path: /var/lib/neutron
state: directory
setype: svirt_sandbox_file_t
setype: container_file_t
- - name: enable virt_sandbox_use_netlink for healtcheck
seboolean:
name: virt_sandbox_use_netlink

2
deployment/neutron/neutron-l3-container-puppet.yaml
View File

@ -370,7 +370,7 @@ outputs:
file:
path: /var/lib/neutron
state: directory
setype: svirt_sandbox_file_t
setype: container_file_t
- - name: enable virt_sandbox_use_netlink for healtcheck
seboolean:
name: virt_sandbox_use_netlink

2
deployment/neutron/neutron-metadata-container-puppet.yaml
View File

@ -203,7 +203,7 @@ outputs:
file:
path: /var/lib/neutron
state: directory
setype: svirt_sandbox_file_t
setype: container_file_t
- - name: enable virt_sandbox_use_netlink for healtcheck
seboolean:
name: virt_sandbox_use_netlink

6
deployment/nova/nova-compute-container-puppet.yaml
View File

@ -953,9 +953,9 @@ outputs:
state: directory
setype: "{{ item.setype }}"
with_items:
- { 'path': /var/lib/nova, 'setype': svirt_sandbox_file_t }
- { 'path': /var/lib/nova/instances, 'setype': svirt_sandbox_file_t }
- { 'path': /var/lib/libvirt, 'setype': svirt_sandbox_file_t }
- { 'path': /var/lib/nova, 'setype': container_file_t }
- { 'path': /var/lib/nova/instances, 'setype': container_file_t }
- { 'path': /var/lib/libvirt, 'setype': container_file_t }
- name: ensure ceph configurations exist
file:
path: /etc/ceph

4
deployment/nova/nova-ironic-container-puppet.yaml
View File

@ -221,8 +221,8 @@ outputs:
state: directory
setype: "{{ item.setype }}"
with_items:
- { 'path': /var/log/containers/nova, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/lib/nova, 'setype': svirt_sandbox_file_t }
- { 'path': /var/log/containers/nova, 'setype': container_file_t, 'mode': '0750' }
- { 'path': /var/lib/nova, 'setype': container_file_t }
- name: enable virt_sandbox_use_netlink for healthcheck
seboolean:
name: virt_sandbox_use_netlink

14
deployment/nova/nova-libvirt-container-puppet.yaml
View File

@ -827,14 +827,14 @@ outputs:
state: directory
setype: "{{ item.setype }}"
with_items:
- { 'path': /etc/libvirt, 'setype': svirt_sandbox_file_t }
- { 'path': /etc/libvirt/secrets, 'setype': svirt_sandbox_file_t }
- { 'path': /etc/libvirt/qemu, 'setype': svirt_sandbox_file_t }
- { 'path': /var/lib/libvirt, 'setype': svirt_sandbox_file_t }
- { 'path': /var/lib/nova, 'setype': svirt_sandbox_file_t }
- { 'path': /etc/libvirt, 'setype': container_file_t }
- { 'path': /etc/libvirt/secrets, 'setype': container_file_t }
- { 'path': /etc/libvirt/qemu, 'setype': container_file_t }
- { 'path': /var/lib/libvirt, 'setype': container_file_t }
- { 'path': /var/lib/nova, 'setype': container_file_t }
- { 'path': /var/run/libvirt, 'setype': virt_var_run_t }
- { 'path': /var/log/libvirt, 'setype': svirt_sandbox_file_t }
- { 'path': /var/log/libvirt/qemu, 'setype': svirt_sandbox_file_t }
- { 'path': /var/log/libvirt, 'setype': container_file_t }
- { 'path': /var/log/libvirt/qemu, 'setype': container_file_t }
# qemu user on host will be cretaed by libvirt package install, ensure
# the qemu user created with same uid/gid as like libvirt package.
# These specific values are required since ovs is running on host.

2
deployment/nova/novajoin-container-puppet.yaml
View File

@ -246,7 +246,7 @@ outputs:
state: directory
setype: "{{ item.setype }}"
with_items:
- { 'path': /var/log/containers/novajoin, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/novajoin, 'setype': container_file_t, 'mode': '0750' }
- name: Enroll to FreeIPA
command: ipa-client-install -U --password={{ ipa_otp }}
args:

6
deployment/octavia/octavia-api-container-puppet.yaml
View File

@ -353,9 +353,9 @@ outputs:
state: directory
setype: "{{ item.setype }}"
with_items:
- { 'path': /var/log/containers/octavia, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/httpd/octavia-api, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/run/octavia, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/octavia, 'setype': container_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/httpd/octavia-api, 'setype': container_file_t, 'mode': '0750' }
- { 'path': /var/run/octavia, 'setype': container_file_t, 'mode': '0750' }
update_tasks:
- name: Set internal tls variable
set_fact:

2
deployment/octavia/octavia-health-manager-container-puppet.yaml
View File

@ -155,4 +155,4 @@ outputs:
state: directory
setype: "{{ item.setype }}"
with_items:
- { 'path': /var/log/containers/octavia, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/octavia, 'setype': container_file_t, 'mode': '0750' }

2
deployment/octavia/octavia-housekeeping-container-puppet.yaml
View File

@ -154,5 +154,5 @@ outputs:
state: directory
setype: "{{ item.setype }}"
with_items:
- { 'path': /var/log/containers/octavia, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/octavia, 'setype': container_file_t, 'mode': '0750' }
upgrade_tasks: []

2
deployment/octavia/octavia-worker-container-puppet.yaml
View File

@ -141,7 +141,7 @@ outputs:
state: directory
setype: "{{ item.setype }}"
with_items:
- { 'path': /var/log/containers/octavia, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/octavia, 'setype': container_file_t, 'mode': '0750' }
- name: Ensure packages required for configuring octavia are present
package:
name:

2
deployment/openvswitch/openvswitch-dpdk-netcontrold-container-ansible.yaml
View File

@ -78,4 +78,4 @@ outputs:
file:
path: "/var/log/containers/netcontrold"
state: directory
setype: "svirt_sandbox_file_t"
setype: "container_file_t"

4
deployment/ovn/ovn-controller-container-puppet.yaml
View File

@ -286,8 +286,8 @@ outputs:
state: directory
setype: "{{ item.setype }}"
with_items:
- { 'path': /var/log/containers/openvswitch, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/lib/openvswitch/ovn, 'setype': svirt_sandbox_file_t }
- { 'path': /var/log/containers/openvswitch, 'setype': container_file_t, 'mode': '0750' }
- { 'path': /var/lib/openvswitch/ovn, 'setype': container_file_t }
- name: enable virt_sandbox_use_netlink for healthcheck
seboolean:
name: virt_sandbox_use_netlink

4
deployment/ovn/ovn-dbs-container-puppet.yaml
View File

@ -202,6 +202,6 @@ outputs:
state: directory
setype: "{{ item.setype }}"
with_items:
- { 'path': /var/log/containers/openvswitch, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/lib/openvswitch/ovn, 'setype': svirt_sandbox_file_t }
- { 'path': /var/log/containers/openvswitch, 'setype': container_file_t, 'mode': '0750' }
- { 'path': /var/lib/openvswitch/ovn, 'setype': container_file_t }
upgrade_tasks: []

4
deployment/ovn/ovn-dbs-pacemaker-puppet.yaml
View File

@ -252,8 +252,8 @@ outputs:
state: directory
setype: "{{ item.setype }}"
with_items:
- { 'path': /var/log/containers/openvswitch, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/lib/openvswitch/ovn, 'setype': svirt_sandbox_file_t }
- { 'path': /var/log/containers/openvswitch, 'setype': container_file_t, 'mode': '0750' }
- { 'path': /var/lib/openvswitch/ovn, 'setype': container_file_t }
deploy_steps_tasks:
- name: OVN DBS tag container image for pacemaker
when: step|int == 1

2
deployment/ovn/ovn-metadata-container-puppet.yaml
View File

@ -370,5 +370,5 @@ outputs:
file:
path: /var/lib/neutron
state: directory
setype: svirt_sandbox_file_t
setype: container_file_t
upgrade_tasks: []

4
deployment/qdr/qdrouterd-container-puppet.yaml
View File

@ -139,6 +139,6 @@ outputs:
state: directory
setype: "{{ item.setype }}"
with_items:
- { 'path': /var/log/containers/qdrouterd, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/lib/qdrouterd, 'setype': svirt_sandbox_file_t }
- { 'path': /var/log/containers/qdrouterd, 'setype': container_file_t, 'mode': '0750' }
- { 'path': /var/lib/qdrouterd, 'setype': container_file_t }
metadata_settings: {}

4
deployment/rabbitmq/rabbitmq-container-puppet.yaml
View File

@ -346,8 +346,8 @@ outputs:
state: directory
setype: "{{ item.setype }}"
with_items:
- { 'path': /var/log/containers/rabbitmq, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/lib/rabbitmq, 'setype': svirt_sandbox_file_t }
- { 'path': /var/log/containers/rabbitmq, 'setype': container_file_t, 'mode': '0750' }
- { 'path': /var/lib/rabbitmq, 'setype': container_file_t }
# TODO: Removal of package
upgrade_tasks: []
update_tasks:

4
deployment/rabbitmq/rabbitmq-messaging-notify-container-puppet.yaml
View File

@ -295,8 +295,8 @@ outputs:
state: directory
setype: "{{ item.setype }}"
with_items:
- { 'path': /var/log/containers/rabbitmq, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/lib/rabbitmq, 'setype': svirt_sandbox_file_t }
- { 'path': /var/log/containers/rabbitmq, 'setype': container_file_t, 'mode': '0750' }
- { 'path': /var/lib/rabbitmq, 'setype': container_file_t }
upgrade_tasks: []
update_tasks:
# TODO: Are we sure we want to support this. Rolling update

4
deployment/rabbitmq/rabbitmq-messaging-notify-pacemaker-puppet.yaml
View File

@ -245,8 +245,8 @@ outputs:
state: directory
setype: "{{ item.setype }}"
with_items:
- { 'path': /var/lib/rabbitmq, 'setype': svirt_sandbox_file_t }
- { 'path': /var/log/containers/rabbitmq, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/lib/rabbitmq, 'setype': container_file_t }
- { 'path': /var/log/containers/rabbitmq, 'setype': container_file_t, 'mode': '0750' }
- name: stop the Erlang port mapper on the host and make sure it cannot bind to the port used by container
shell: |
echo 'export ERL_EPMD_ADDRESS=127.0.0.1' > /etc/rabbitmq/rabbitmq-env.conf

4
deployment/rabbitmq/rabbitmq-messaging-pacemaker-puppet.yaml
View File

@ -245,8 +245,8 @@ outputs:
state: directory
setype: "{{ item.setype }}"
with_items:
- { 'path': /var/lib/rabbitmq, 'setype': svirt_sandbox_file_t }
- { 'path': /var/log/containers/rabbitmq, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/lib/rabbitmq, 'setype': container_file_t }
- { 'path': /var/log/containers/rabbitmq, 'setype': container_file_t, 'mode': '0750' }
- name: stop the Erlang port mapper on the host and make sure it cannot bind to the port used by container
shell: |
echo 'export ERL_EPMD_ADDRESS=127.0.0.1' > /etc/rabbitmq/rabbitmq-env.conf

4
deployment/rabbitmq/rabbitmq-messaging-rpc-container-puppet.yaml
View File

@ -290,8 +290,8 @@ outputs:
state: directory
setype: "{{ item.setype }}"
with_items:
- { 'path': /var/log/containers/rabbitmq, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/lib/rabbitmq, 'setype': svirt_sandbox_file_t }
- { 'path': /var/log/containers/rabbitmq, 'setype': container_file_t, 'mode': '0750' }
- { 'path': /var/lib/rabbitmq, 'setype': container_file_t }
upgrade_tasks: []
update_tasks:
# TODO: Are we sure we want to support this. Rolling update

4
deployment/rabbitmq/rabbitmq-messaging-rpc-pacemaker-puppet.yaml
View File

@ -253,8 +253,8 @@ outputs:
state: directory
setype: "{{ item.setype }}"
with_items:
- { 'path': /var/lib/rabbitmq, 'setype': svirt_sandbox_file_t }
- { 'path': /var/log/containers/rabbitmq, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/lib/rabbitmq, 'setype': container_file_t }
- { 'path': /var/log/containers/rabbitmq, 'setype': container_file_t, 'mode': '0750' }
- name: stop the Erlang port mapper on the host and make sure it cannot bind to the port used by container
shell: |
echo 'export ERL_EPMD_ADDRESS=127.0.0.1' > /etc/rabbitmq/rabbitmq-env.conf

4
deployment/sahara/sahara-api-container-puppet.yaml
View File

@ -210,8 +210,8 @@ outputs:
state: directory
setype: "{{ item.setype }}"
with_items:
- { 'path': /var/log/containers/sahara, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/lib/sahara, 'setype': svirt_sandbox_file_t }
- { 'path': /var/log/containers/sahara, 'setype': container_file_t, 'mode': '0750' }
- { 'path': /var/lib/sahara, 'setype': container_file_t }
fast_forward_upgrade_tasks:
- when:
- step|int == 0

4
deployment/sahara/sahara-engine-container-puppet.yaml
View File

@ -127,8 +127,8 @@ outputs:
state: directory
setype: "{{ item.setype }}"
with_items:
- { 'path': /var/log/containers/sahara, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/lib/sahara, 'setype': svirt_sandbox_file_t }
- { 'path': /var/log/containers/sahara, 'setype': container_file_t, 'mode': '0750' }
- { 'path': /var/lib/sahara, 'setype': container_file_t }
- name: enable virt_sandbox_use_netlink for healthcheck
seboolean:
name: virt_sandbox_use_netlink

6
deployment/swift/swift-proxy-container-puppet.yaml
View File

@ -433,9 +433,9 @@ outputs:
state: directory
setype: "{{ item.setype }}"
with_items:
- { 'path': /srv/node, 'setype': svirt_sandbox_file_t }
- { 'path': /var/log/swift, 'setype': svirt_sandbox_file_t }
- { 'path': /var/log/containers/swift, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /srv/node, 'setype': container_file_t }
- { 'path': /var/log/swift, 'setype': container_file_t }
- { 'path': /var/log/containers/swift, 'setype': container_file_t, 'mode': '0750' }
deploy_steps_tasks:
- name: Configure rsyslog for swift-proxy
when: step|int == 1

6
deployment/swift/swift-storage-container-puppet.yaml
View File

@ -596,9 +596,9 @@ outputs:
state: directory
setype: "{{ item.setype }}"
with_items:
- { 'path': /srv/node, 'setype': svirt_sandbox_file_t }
- { 'path': /var/cache/swift, 'setype': svirt_sandbox_file_t }
- { 'path': /var/log/containers/swift, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /srv/node, 'setype': container_file_t }
- { 'path': /var/cache/swift, 'setype': container_file_t }
- { 'path': /var/log/containers/swift, 'setype': container_file_t, 'mode': '0750' }
- name: Set swift_use_local_disks fact
set_fact:
swift_use_local_disks: {get_param: SwiftUseLocalDir}

6
deployment/undercloud/tempest-container-puppet.yaml
View File

@ -59,9 +59,9 @@ outputs:
state: directory
setype: "{{ item.setype }}"
with_items:
- { 'path': /var/log/containers/tempest, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/lib/tempestdata, 'setype': svirt_sandbox_file_t }
- { 'path': /var/lib/tempest, 'setype': svirt_sandbox_file_t }
- { 'path': /var/log/containers/tempest, 'setype': container_file_t, 'mode': '0750' }
- { 'path': /var/lib/tempestdata, 'setype': container_file_t }
- { 'path': /var/lib/tempest, 'setype': container_file_t }
puppet_config:
config_volume: ''
step_config: ''

4
deployment/zaqar/zaqar-container-puppet.yaml
View File

@ -388,7 +388,7 @@ outputs:
state: directory
setype: "{{ item.setype }}"
with_items:
- { 'path': /var/log/containers/zaqar, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/httpd/zaqar, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/zaqar, 'setype': container_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/httpd/zaqar, 'setype': container_file_t, 'mode': '0750' }
metadata_settings:
get_attr: [ApacheServiceBase, role_data, metadata_settings]

2
environments/storage-environment.yaml
View File

@ -50,7 +50,7 @@ parameter_defaults:
## e.g. "'[fdd0::1]:/export/glance'")
# GlanceNfsShare: ''
## Mount options for the NFS image storage mount point
# GlanceNfsOptions: 'intr,context=system_u:object_r:svirt_sandbox_file_t:s0'
# GlanceNfsOptions: 'intr,context=system_u:object_r:container_file_t:s0'
#### NOVA NFS SETTINGS ####

4
environments/storage/glance-nfs.yaml
View File

@ -19,7 +19,7 @@ parameter_defaults:
# NFS mount options for image storage (when GlanceNfsEnabled is true)
# Type: string
GlanceNfsOptions: _netdev,bg,intr,context=system_u:object_r:svirt_sandbox_file_t:s0
GlanceNfsOptions: _netdev,bg,intr,context=system_u:object_r:container_file_t:s0
# NFS share to mount for image storage (when GlanceNfsEnabled is true)
# Type: string
@ -31,7 +31,7 @@ parameter_defaults:
# NFS mount options for NFS image import staging
# Type: string
GlanceStagingNfsOptions: _netdev,bg,intr,context=system_u:object_r:svirt_sandbox_file_t:s0
GlanceStagingNfsOptions: _netdev,bg,intr,context=system_u:object_r:container_file_t:s0
# NFS share to mount for image import staging
# Type: string

5
releasenotes/notes/svirt_sandbox_file_t-to-container_file_t-f4914561f6e9e4c7.yaml Normal file
View File

@ -0,0 +1,5 @@
---
other:
- Not a functionnal change, only cosmetics. For better understanding and
readability, changing all the svirt_sandbox_file_t to shorter, nicer
container_file_t