Merge "Add SELinux configurations for a proper Standalone deploy"
commit
0fd44e4713
@ -132,7 +132,7 @@
|
|||||||
dest: "/var/lib/docker-config-scripts/{{ item[0] }}"
|
dest: "/var/lib/docker-config-scripts/{{ item[0] }}"
|
||||||
force: yes
|
force: yes
|
||||||
mode: "{{ item[1].mode | default('0600', true) }}"
|
mode: "{{ item[1].mode | default('0600', true) }}"
|
||||||
setype: svirt_sandbox_file_t
|
setype: svirt_sandbox_file_t
|
||||||
loop: "{{ role_data_docker_config_scripts | dictsort }}"
|
loop: "{{ role_data_docker_config_scripts | dictsort }}"
|
||||||
loop_control:
|
loop_control:
|
||||||
label: "{{ item[0] }}"
|
label: "{{ item[0] }}"
|
||||||
@ -208,7 +208,7 @@
|
|||||||
dest: "{{ item[0] }}"
|
dest: "{{ item[0] }}"
|
||||||
force: yes
|
force: yes
|
||||||
mode: '0600'
|
mode: '0600'
|
||||||
setype: svirt_sandbox_file_t
|
setype: svirt_sandbox_file_t
|
||||||
loop: "{{ lookup('file', tripleo_role_name + '/kolla_config.yaml', errors='ignore') | default([], True) | from_yaml | dictsort }}"
|
loop: "{{ lookup('file', tripleo_role_name + '/kolla_config.yaml', errors='ignore') | default([], True) | from_yaml | dictsort }}"
|
||||||
loop_control:
|
loop_control:
|
||||||
label: "{{ item[0] }}"
|
label: "{{ item[0] }}"
|
||||||
|
@ -158,7 +158,7 @@ outputs:
|
|||||||
state: directory
|
state: directory
|
||||||
with_items:
|
with_items:
|
||||||
- { 'path': /var/log/containers/redis, 'setype': svirt_sandbox_file_t }
|
- { 'path': /var/log/containers/redis, 'setype': svirt_sandbox_file_t }
|
||||||
- { 'path': /var/run/redis, 'setype': container_var_run_t }
|
- { 'path': /var/run/redis, 'setype': svirt_sandbox_file_t }
|
||||||
- name: redis logs readme
|
- name: redis logs readme
|
||||||
copy:
|
copy:
|
||||||
dest: /var/log/redis/readme.txt
|
dest: /var/log/redis/readme.txt
|
||||||
|
@ -173,11 +173,13 @@ outputs:
|
|||||||
host_prep_tasks:
|
host_prep_tasks:
|
||||||
- name: create persistent logs directory
|
- name: create persistent logs directory
|
||||||
file:
|
file:
|
||||||
path: "{{ item }}"
|
path: "{{ item.path }}"
|
||||||
state: directory
|
state: directory
|
||||||
|
setype: "{{ item.setype }}"
|
||||||
with_items:
|
with_items:
|
||||||
- /var/log/containers/horizon
|
- { 'path': /var/log/containers/horizon, 'setype': svirt_sandbox_file_t }
|
||||||
- /var/log/containers/httpd/horizon
|
- { 'path': /var/log/containers/httpd/horizon, 'setype': svirt_sandbox_file_t }
|
||||||
|
- { 'path': /var/www, 'setype': svirt_sandbox_file_t }
|
||||||
- name: horizon logs readme
|
- name: horizon logs readme
|
||||||
copy:
|
copy:
|
||||||
dest: /var/log/horizon/readme.txt
|
dest: /var/log/horizon/readme.txt
|
||||||
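Review bot: The `setype: "{{ item.setype }}"` added to `create persistent logs directory` only sets the label on each directory as it exists now. Nothing in the hunk records the type in the local SELinux policy, so a later `restorecon -R` or a full relabel would presumably return these paths to their policy defaults and the containers would lose access. The new `/var/www` entry is a standard host path with its own default type, so labelling it `svirt_sandbox_file_t` also affects anything else on the host that relies on that default. Consider a persistent rule (Ansible's `sefcontext` module) for these paths, or at least a comment above `with_items` such as `# label set via file/setype only; not persistent across restorecon`. The same pattern is added to the `create persistent directories` and `create libvirt persistent data directories` tasks in the other files on this page.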
|
@ -194,7 +194,7 @@ outputs:
|
|||||||
privileged: false
|
privileged: false
|
||||||
detach: false
|
detach: false
|
||||||
volumes:
|
volumes:
|
||||||
- /var/lib/nova:/var/lib/nova:shared
|
- /var/lib/nova:/var/lib/nova:shared,z
|
||||||
- /var/lib/docker-config-scripts/:/docker-config-scripts/
|
- /var/lib/docker-config-scripts/:/docker-config-scripts/
|
||||||
command: "/docker-config-scripts/nova_statedir_ownership.py"
|
command: "/docker-config-scripts/nova_statedir_ownership.py"
|
||||||
step_4:
|
step_4:
|
||||||
@ -228,7 +228,7 @@ outputs:
|
|||||||
- /dev:/dev
|
- /dev:/dev
|
||||||
- /lib/modules:/lib/modules:ro
|
- /lib/modules:/lib/modules:ro
|
||||||
- /run:/run
|
- /run:/run
|
||||||
- /var/lib/nova:/var/lib/nova:shared
|
- /var/lib/nova:/var/lib/nova:shared,z
|
||||||
- /var/lib/libvirt:/var/lib/libvirt
|
- /var/lib/libvirt:/var/lib/libvirt
|
||||||
- /sys/class/net:/sys/class/net
|
- /sys/class/net:/sys/class/net
|
||||||
- /sys/bus/pci:/sys/bus/pci
|
- /sys/bus/pci:/sys/bus/pci
|
||||||
@ -243,12 +243,13 @@ outputs:
|
|||||||
- {get_attr: [NovaComputeBase, role_data, host_prep_tasks]}
|
- {get_attr: [NovaComputeBase, role_data, host_prep_tasks]}
|
||||||
- - name: create persistent directories
|
- - name: create persistent directories
|
||||||
file:
|
file:
|
||||||
path: "{{ item }}"
|
path: "{{ item.path }}"
|
||||||
state: directory
|
state: directory
|
||||||
|
setype: "{{ item.setype }}"
|
||||||
with_items:
|
with_items:
|
||||||
- /var/lib/nova
|
- { 'path': /var/lib/nova, 'setype': svirt_sandbox_file_t }
|
||||||
- /var/lib/nova/instances
|
- { 'path': /var/lib/nova/instances, 'setype': svirt_sandbox_file_t }
|
||||||
- /var/lib/libvirt
|
- { 'path': /var/lib/libvirt, 'setype': svirt_sandbox_file_t }
|
||||||
- name: ensure ceph configurations exist
|
- name: ensure ceph configurations exist
|
||||||
file:
|
file:
|
||||||
path: /etc/ceph
|
path: /etc/ceph
|
||||||
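Review bot: The `/var/lib/nova:/var/lib/nova:shared,z` variant (apparently the new side of the two changed mounts in this file) asks the container runtime to relabel the whole host tree recursively on every container start, and that tree includes `/var/lib/nova/instances`. If per-guest sVirt labels are in use on the disk images stored there, a recursive relabel to the shared container type would overwrite them, and on a host with many instance files it lengthens each start; the hunks address neither. The `create persistent directories` task in this file already sets `svirt_sandbox_file_t` on `/var/lib/nova` and `/var/lib/nova/instances`, so a comment should say why the mount-time relabel is still needed, e.g. `# z: relabel content created before setype was applied`. The same mount change appears in the two nova files that follow on this page.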
|
@ -139,7 +139,7 @@ outputs:
|
|||||||
- /etc/iscsi:/var/lib/kolla/config_files/src-iscsid:ro
|
- /etc/iscsi:/var/lib/kolla/config_files/src-iscsid:ro
|
||||||
- /run:/run
|
- /run:/run
|
||||||
- /dev:/dev
|
- /dev:/dev
|
||||||
- /var/lib/nova/:/var/lib/nova:shared
|
- /var/lib/nova/:/var/lib/nova:shared,z
|
||||||
- /var/log/containers/nova:/var/log/nova
|
- /var/log/containers/nova:/var/log/nova
|
||||||
environment:
|
environment:
|
||||||
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
|
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
|
||||||
|
@ -283,6 +283,7 @@ outputs:
|
|||||||
image: {get_param: DockerNovaLibvirtImage}
|
image: {get_param: DockerNovaLibvirtImage}
|
||||||
net: host
|
net: host
|
||||||
pid: host
|
pid: host
|
||||||
|
security_opt: label=disable
|
||||||
privileged: true
|
privileged: true
|
||||||
restart: always
|
restart: always
|
||||||
volumes:
|
volumes:
|
||||||
@ -295,7 +296,7 @@ outputs:
|
|||||||
- /dev:/dev
|
- /dev:/dev
|
||||||
- /run:/run
|
- /run:/run
|
||||||
- /sys/fs/cgroup:/sys/fs/cgroup
|
- /sys/fs/cgroup:/sys/fs/cgroup
|
||||||
- /var/lib/nova:/var/lib/nova:shared
|
- /var/lib/nova:/var/lib/nova:shared,z
|
||||||
- /var/run/libvirt:/var/run/libvirt
|
- /var/run/libvirt:/var/run/libvirt
|
||||||
- /var/lib/libvirt:/var/lib/libvirt
|
- /var/lib/libvirt:/var/lib/libvirt
|
||||||
- /etc/libvirt/qemu:/etc/libvirt/qemu:ro
|
- /etc/libvirt/qemu:/etc/libvirt/qemu:ro
|
||||||
@ -308,6 +309,7 @@ outputs:
|
|||||||
net: host
|
net: host
|
||||||
pid: host
|
pid: host
|
||||||
privileged: true
|
privileged: true
|
||||||
|
security_opt: label=disable
|
||||||
restart: always
|
restart: always
|
||||||
healthcheck:
|
healthcheck:
|
||||||
test: /openstack/healthcheck
|
test: /openstack/healthcheck
|
||||||
@ -322,7 +324,7 @@ outputs:
|
|||||||
- /dev:/dev
|
- /dev:/dev
|
||||||
- /run:/run
|
- /run:/run
|
||||||
- /sys/fs/cgroup:/sys/fs/cgroup
|
- /sys/fs/cgroup:/sys/fs/cgroup
|
||||||
- /var/lib/nova:/var/lib/nova:shared
|
- /var/lib/nova:/var/lib/nova:shared,z
|
||||||
- /etc/libvirt:/etc/libvirt
|
- /etc/libvirt:/etc/libvirt
|
||||||
- /var/run/libvirt:/var/run/libvirt
|
- /var/run/libvirt:/var/run/libvirt
|
||||||
- /var/lib/libvirt:/var/lib/libvirt
|
- /var/lib/libvirt:/var/lib/libvirt
|
||||||
@ -369,6 +371,7 @@ outputs:
|
|||||||
- nova_libvirt_init_secret:
|
- nova_libvirt_init_secret:
|
||||||
detach: false
|
detach: false
|
||||||
image: {get_param: DockerNovaLibvirtImage}
|
image: {get_param: DockerNovaLibvirtImage}
|
||||||
|
security_opt: label=disable
|
||||||
privileged: false
|
privileged: false
|
||||||
user: root
|
user: root
|
||||||
volumes:
|
volumes:
|
||||||
@ -391,14 +394,16 @@ outputs:
|
|||||||
host_prep_tasks:
|
host_prep_tasks:
|
||||||
- name: create libvirt persistent data directories
|
- name: create libvirt persistent data directories
|
||||||
file:
|
file:
|
||||||
path: "{{ item }}"
|
path: "{{ item.path }}"
|
||||||
state: directory
|
state: directory
|
||||||
|
setype: "{{ item.setype }}"
|
||||||
with_items:
|
with_items:
|
||||||
- /etc/libvirt
|
- { 'path': /etc/libvirt, 'setype': svirt_sandbox_file_t }
|
||||||
- /etc/libvirt/secrets
|
- { 'path': /etc/libvirt/secrets, 'setype': svirt_sandbox_file_t }
|
||||||
- /etc/libvirt/qemu
|
- { 'path': /etc/libvirt/qemu, 'setype': svirt_sandbox_file_t }
|
||||||
- /var/lib/libvirt
|
- { 'path': /var/lib/libvirt, 'setype': svirt_sandbox_file_t }
|
||||||
- /var/log/containers/libvirt
|
- { 'path': /var/lib/nova, 'setype': svirt_sandbox_file_t }
|
||||||
|
- { 'path': /var/log/containers/libvirt, 'setype': svirt_sandbox_file_t }
|
||||||
# qemu user on host will be cretaed by libvirt package install, ensure
|
# qemu user on host will be cretaed by libvirt package install, ensure
|
||||||
# the qemu user created with same uid/gid as like libvirt package.
|
# the qemu user created with same uid/gid as like libvirt package.
|
||||||
# These specific values are required since ovs is running on host.
|
# These specific values are required since ovs is running on host.
|
||||||
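Review bot: `security_opt: label=disable` is added to three container definitions in this file without a comment, and it turns SELinux label confinement off for those containers entirely. The two in the hunks at -283 and -308 already run with `privileged: true`, `net: host` and `pid: host`, but `nova_libvirt_init_secret` runs as `user: root` with `privileged: false`, so there the label was one of the remaining confinement layers. A short comment above each occurrence, such as `# SELinux separation disabled: <reason / bug reference>`, would let a later reader judge whether it can be narrowed to a specific type instead. With labelling disabled, the `z` flag on the `/var/lib/nova` mounts of the same containers may have no effect, which is worth confirming before relying on it.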
|
@ -181,8 +181,8 @@ outputs:
|
|||||||
-
|
-
|
||||||
- /var/lib/kolla/config_files/rabbitmq.json:/var/lib/kolla/config_files/config.json:ro
|
- /var/lib/kolla/config_files/rabbitmq.json:/var/lib/kolla/config_files/config.json:ro
|
||||||
- /var/lib/config-data/puppet-generated/rabbitmq/:/var/lib/kolla/config_files/src:ro
|
- /var/lib/config-data/puppet-generated/rabbitmq/:/var/lib/kolla/config_files/src:ro
|
||||||
- /var/lib/rabbitmq:/var/lib/rabbitmq
|
- /var/lib/rabbitmq:/var/lib/rabbitmq:z
|
||||||
- /var/log/containers/rabbitmq:/var/log/rabbitmq
|
- /var/log/containers/rabbitmq:/var/log/rabbitmq:z
|
||||||
- if:
|
- if:
|
||||||
- internal_tls_enabled
|
- internal_tls_enabled
|
||||||
-
|
-
|
||||||
@ -211,11 +211,12 @@ outputs:
|
|||||||
host_prep_tasks:
|
host_prep_tasks:
|
||||||
- name: create persistent directories
|
- name: create persistent directories
|
||||||
file:
|
file:
|
||||||
path: "{{ item }}"
|
path: "{{ item.path }}"
|
||||||
state: directory
|
state: directory
|
||||||
|
setype: "{{ item.setype }}"
|
||||||
with_items:
|
with_items:
|
||||||
- /var/log/containers/rabbitmq
|
- { 'path': /var/log/containers/rabbitmq, 'setype': svirt_sandbox_file_t }
|
||||||
- /var/lib/rabbitmq
|
- { 'path': /var/lib/rabbitmq, 'setype': svirt_sandbox_file_t }
|
||||||
- name: rabbitmq logs readme
|
- name: rabbitmq logs readme
|
||||||
copy:
|
copy:
|
||||||
dest: /var/log/rabbitmq/readme.txt
|
dest: /var/log/rabbitmq/readme.txt
|
||||||
|