Merge "Add SELinux configurations for a proper Standalone deploy"

Zuul 2018-10-11 15:55:01 +00:00 committed by Gerrit Code Review
commit 0fd44e4713
7 changed files with 35 additions and 26 deletions


@ -132,7 +132,7 @@
dest: "/var/lib/docker-config-scripts/{{ item[0] }}" dest: "/var/lib/docker-config-scripts/{{ item[0] }}"
force: yes force: yes
mode: "{{ item[1].mode | default('0600', true) }}" mode: "{{ item[1].mode | default('0600', true) }}"
setype: svirt_sandbox_file_t setype: svirt_sandbox_file_t
loop: "{{ role_data_docker_config_scripts | dictsort }}" loop: "{{ role_data_docker_config_scripts | dictsort }}"
loop_control: loop_control:
label: "{{ item[0] }}" label: "{{ item[0] }}"
@ -208,7 +208,7 @@
dest: "{{ item[0] }}" dest: "{{ item[0] }}"
force: yes force: yes
mode: '0600' mode: '0600'
setype: svirt_sandbox_file_t setype: svirt_sandbox_file_t
loop: "{{ lookup('file', tripleo_role_name + '/kolla_config.yaml', errors='ignore') | default([], True) | from_yaml | dictsort }}" loop: "{{ lookup('file', tripleo_role_name + '/kolla_config.yaml', errors='ignore') | default([], True) | from_yaml | dictsort }}"
loop_control: loop_control:
label: "{{ item[0] }}" label: "{{ item[0] }}"


@ -158,7 +158,7 @@ outputs:
state: directory state: directory
with_items: with_items:
- { 'path': /var/log/containers/redis, 'setype': svirt_sandbox_file_t } - { 'path': /var/log/containers/redis, 'setype': svirt_sandbox_file_t }
- { 'path': /var/run/redis, 'setype': container_var_run_t } - { 'path': /var/run/redis, 'setype': svirt_sandbox_file_t }
- name: redis logs readme - name: redis logs readme
copy: copy:
dest: /var/log/redis/readme.txt dest: /var/log/redis/readme.txt
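Review bot: The `setype` for `/var/run/redis` differs between the two columns of this rendered hunk (`container_var_run_t` on one side, `svirt_sandbox_file_t` on the other) and nothing in the hunk records why the type changes; a comment above the entry would help, e.g. `# /var/run/redis is bind-mounted into the container; label it like the other container-owned paths`. If `svirt_sandbox_file_t` is the new value it is at least consistent with the redis log directory on the line above. Note that `/var/run` is commonly a tmpfs, so whatever label this task applies disappears with the directory at reboot and only comes back when host_prep_tasks run again.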


@ -173,11 +173,13 @@ outputs:
host_prep_tasks: host_prep_tasks:
- name: create persistent logs directory - name: create persistent logs directory
file: file:
path: "{{ item }}" path: "{{ item.path }}"
state: directory state: directory
setype: "{{ item.setype }}"
with_items: with_items:
- /var/log/containers/horizon - { 'path': /var/log/containers/horizon, 'setype': svirt_sandbox_file_t }
- /var/log/containers/httpd/horizon - { 'path': /var/log/containers/httpd/horizon, 'setype': svirt_sandbox_file_t }
- { 'path': /var/www, 'setype': svirt_sandbox_file_t }
- name: horizon logs readme - name: horizon logs readme
copy: copy:
dest: /var/log/horizon/readme.txt dest: /var/log/horizon/readme.txt
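Review bot: The `setype` added to the `file` task here (and the same pattern in the hunks ending at L86, L157 and L182 of this page) is a one-off relabel of the listed directory only: the `file` module does not recurse unless `recurse: yes` is set, and it does not record the type in the SELinux file-context database, so a later `restorecon`, `fixfiles` or autorelabel puts each path back to its policy default. For `/var/www`, whose default context in the targeted policy is an httpd content type, that reversion is likely in practice; if the label has to survive a relabel, pair the task with an `sefcontext` entry for the path followed by `restorecon`, or document the intent, e.g. `# labels are applied per deploy and not persisted via semanage; re-run host_prep after a relabel`. `/var/www` is also a host-wide directory, so relabelling it to a container type affects any host-side httpd that serves from it; a comment stating that nothing else on the host uses it would reassure the next reader.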


@ -194,7 +194,7 @@ outputs:
privileged: false privileged: false
detach: false detach: false
volumes: volumes:
- /var/lib/nova:/var/lib/nova:shared - /var/lib/nova:/var/lib/nova:shared,z
- /var/lib/docker-config-scripts/:/docker-config-scripts/ - /var/lib/docker-config-scripts/:/docker-config-scripts/
command: "/docker-config-scripts/nova_statedir_ownership.py" command: "/docker-config-scripts/nova_statedir_ownership.py"
step_4: step_4:
@ -228,7 +228,7 @@ outputs:
- /dev:/dev - /dev:/dev
- /lib/modules:/lib/modules:ro - /lib/modules:/lib/modules:ro
- /run:/run - /run:/run
- /var/lib/nova:/var/lib/nova:shared - /var/lib/nova:/var/lib/nova:shared,z
- /var/lib/libvirt:/var/lib/libvirt - /var/lib/libvirt:/var/lib/libvirt
- /sys/class/net:/sys/class/net - /sys/class/net:/sys/class/net
- /sys/bus/pci:/sys/bus/pci - /sys/bus/pci:/sys/bus/pci
@ -243,12 +243,13 @@ outputs:
- {get_attr: [NovaComputeBase, role_data, host_prep_tasks]} - {get_attr: [NovaComputeBase, role_data, host_prep_tasks]}
- - name: create persistent directories - - name: create persistent directories
file: file:
path: "{{ item }}" path: "{{ item.path }}"
state: directory state: directory
setype: "{{ item.setype }}"
with_items: with_items:
- /var/lib/nova - { 'path': /var/lib/nova, 'setype': svirt_sandbox_file_t }
- /var/lib/nova/instances - { 'path': /var/lib/nova/instances, 'setype': svirt_sandbox_file_t }
- /var/lib/libvirt - { 'path': /var/lib/libvirt, 'setype': svirt_sandbox_file_t }
- name: ensure ceph configurations exist - name: ensure ceph configurations exist
file: file:
path: /etc/ceph path: /etc/ceph
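Review bot: The `z` appended to the `/var/lib/nova` bind mounts (here and in the hunks ending at L97 and L157) asks the runtime to recursively relabel the host directory with the shared container type each time the container starts; on a compute node with a large instance store under `/var/lib/nova/instances` that relabel runs on every restart of every container mounting the path and can add noticeable start-up time. Because the `host_prep_tasks` hunk below now labels `/var/lib/nova`, `/var/lib/nova/instances` and `/var/lib/libvirt` explicitly as well, state which mechanism is authoritative, e.g. `# :z relabels recursively at container start; host_prep only labels the top-level dirs`. The `shared,z` combination is valid, but the relabel also covers instance disk files qemu creates after the mount, so confirm the shared label is intended for those.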


@ -139,7 +139,7 @@ outputs:
- /etc/iscsi:/var/lib/kolla/config_files/src-iscsid:ro - /etc/iscsi:/var/lib/kolla/config_files/src-iscsid:ro
- /run:/run - /run:/run
- /dev:/dev - /dev:/dev
- /var/lib/nova/:/var/lib/nova:shared - /var/lib/nova/:/var/lib/nova:shared,z
- /var/log/containers/nova:/var/log/nova - /var/log/containers/nova:/var/log/nova
environment: environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS


@ -283,6 +283,7 @@ outputs:
image: {get_param: DockerNovaLibvirtImage} image: {get_param: DockerNovaLibvirtImage}
net: host net: host
pid: host pid: host
security_opt: label=disable
privileged: true privileged: true
restart: always restart: always
volumes: volumes:
@ -295,7 +296,7 @@ outputs:
- /dev:/dev - /dev:/dev
- /run:/run - /run:/run
- /sys/fs/cgroup:/sys/fs/cgroup - /sys/fs/cgroup:/sys/fs/cgroup
- /var/lib/nova:/var/lib/nova:shared - /var/lib/nova:/var/lib/nova:shared,z
- /var/run/libvirt:/var/run/libvirt - /var/run/libvirt:/var/run/libvirt
- /var/lib/libvirt:/var/lib/libvirt - /var/lib/libvirt:/var/lib/libvirt
- /etc/libvirt/qemu:/etc/libvirt/qemu:ro - /etc/libvirt/qemu:/etc/libvirt/qemu:ro
@ -308,6 +309,7 @@ outputs:
net: host net: host
pid: host pid: host
privileged: true privileged: true
security_opt: label=disable
restart: always restart: always
healthcheck: healthcheck:
test: /openstack/healthcheck test: /openstack/healthcheck
@ -322,7 +324,7 @@ outputs:
- /dev:/dev - /dev:/dev
- /run:/run - /run:/run
- /sys/fs/cgroup:/sys/fs/cgroup - /sys/fs/cgroup:/sys/fs/cgroup
- /var/lib/nova:/var/lib/nova:shared - /var/lib/nova:/var/lib/nova:shared,z
- /etc/libvirt:/etc/libvirt - /etc/libvirt:/etc/libvirt
- /var/run/libvirt:/var/run/libvirt - /var/run/libvirt:/var/run/libvirt
- /var/lib/libvirt:/var/lib/libvirt - /var/lib/libvirt:/var/lib/libvirt
@ -369,6 +371,7 @@ outputs:
- nova_libvirt_init_secret: - nova_libvirt_init_secret:
detach: false detach: false
image: {get_param: DockerNovaLibvirtImage} image: {get_param: DockerNovaLibvirtImage}
security_opt: label=disable
privileged: false privileged: false
user: root user: root
volumes: volumes:
@ -391,14 +394,16 @@ outputs:
host_prep_tasks: host_prep_tasks:
- name: create libvirt persistent data directories - name: create libvirt persistent data directories
file: file:
path: "{{ item }}" path: "{{ item.path }}"
state: directory state: directory
setype: "{{ item.setype }}"
with_items: with_items:
- /etc/libvirt - { 'path': /etc/libvirt, 'setype': svirt_sandbox_file_t }
- /etc/libvirt/secrets - { 'path': /etc/libvirt/secrets, 'setype': svirt_sandbox_file_t }
- /etc/libvirt/qemu - { 'path': /etc/libvirt/qemu, 'setype': svirt_sandbox_file_t }
- /var/lib/libvirt - { 'path': /var/lib/libvirt, 'setype': svirt_sandbox_file_t }
- /var/log/containers/libvirt - { 'path': /var/lib/nova, 'setype': svirt_sandbox_file_t }
- { 'path': /var/log/containers/libvirt, 'setype': svirt_sandbox_file_t }
# qemu user on host will be cretaed by libvirt package install, ensure # qemu user on host will be cretaed by libvirt package install, ensure
# the qemu user created with same uid/gid as like libvirt package. # the qemu user created with same uid/gid as like libvirt package.
# These specific values are required since ovs is running on host. # These specific values are required since ovs is running on host.
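Review bot: `security_opt: label=disable` is added to `nova_libvirt_init_secret`, which runs with `privileged: false` and `user: root`; turning off SELinux labelling there removes the confinement that container otherwise had, whereas for `nova_libvirt` and `nova_virtlogd` the existing `privileged: true` already gives up most of it. If the init container only touches the libvirt secret paths that the `host_prep_tasks` hunk now labels `svirt_sandbox_file_t`, the option may not be needed; if it is, justify it in place, e.g. `# label=disable: TODO(author) name the paths this init container must write outside the labelled dirs`. `/var/lib/nova` is also added to this service's `host_prep_tasks` although the nova compute service in this same commit already creates and labels it; the duplication is harmless but a comment on which service owns the directory would avoid the two lists drifting apart.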


@ -181,8 +181,8 @@ outputs:
- -
- /var/lib/kolla/config_files/rabbitmq.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/kolla/config_files/rabbitmq.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/rabbitmq/:/var/lib/kolla/config_files/src:ro - /var/lib/config-data/puppet-generated/rabbitmq/:/var/lib/kolla/config_files/src:ro
- /var/lib/rabbitmq:/var/lib/rabbitmq - /var/lib/rabbitmq:/var/lib/rabbitmq:z
- /var/log/containers/rabbitmq:/var/log/rabbitmq - /var/log/containers/rabbitmq:/var/log/rabbitmq:z
- if: - if:
- internal_tls_enabled - internal_tls_enabled
- -
@ -211,11 +211,12 @@ outputs:
host_prep_tasks: host_prep_tasks:
- name: create persistent directories - name: create persistent directories
file: file:
path: "{{ item }}" path: "{{ item.path }}"
state: directory state: directory
setype: "{{ item.setype }}"
with_items: with_items:
- /var/log/containers/rabbitmq - { 'path': /var/log/containers/rabbitmq, 'setype': svirt_sandbox_file_t }
- /var/lib/rabbitmq - { 'path': /var/lib/rabbitmq, 'setype': svirt_sandbox_file_t }
- name: rabbitmq logs readme - name: rabbitmq logs readme
copy: copy:
dest: /var/log/rabbitmq/readme.txt dest: /var/log/rabbitmq/readme.txt
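Review bot: `/var/lib/rabbitmq` and `/var/log/containers/rabbitmq` receive the shared `z` option although, within this hunk, only the rabbitmq container mounts them; the private `Z` option would give those directories a container-specific MCS label and keep other containers on the host that share the container file type from reading the Mnesia data and logs. If `z` is deliberate (for example so a host-side log shipper can read the log directory), record that so nobody tightens it later, e.g. `# shared label (z): log dir is read from the host`. The `setype` in the `host_prep_tasks` task and the `:z` relabel overlap for these two paths, so note which one is expected to hold after a relabel of the host.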