From 4b4015aaaa102d49a28fbba9c8a8ac0ae005ab2f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Jeanneret?=
Date: Thu, 8 Sep 2022 16:55:11 +0200
Subject: [PATCH] Correct label for /run/libvirt

The former label (virt_var_run_t) was in fact the one set by fcontext:
/var/run/libvirt(/.*)? all files system_u:object_r:virt_var_run_t:s0

While it makes sense when libvirt is running on the host, it has no actual value in containerized services. More over, it was already relabeled to container_file_t from within the migration-target container, since that one bind-mounts the location with the "z" flag.

In order to stop seeing the label flapping upon deploy and day-2 operations, the best thing to do is to stop using the virt_var_run_t label and just ensure containers are relabeling this location.

Resolves: rhbz#2122656
Change-Id: I64f7e5d5f7dab8e59c6a48f01d636880e429d2f2
(cherry picked from commit 96c9eb7a34dce1bfdaef4b92919ff562360cb65a)
---
 .../ceilometer-agent-compute-container-puppet.yaml | 2 +-
 .../deprecated/nova/nova-libvirt-container-puppet.yaml | 10 +++++-----
 deployment/nova/nova-libvirt-common.yaml | 2 +-
 .../nova/nova-modular-libvirt-container-puppet.yaml | 4 ++--
 4 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/deployment/ceilometer/ceilometer-agent-compute-container-puppet.yaml b/deployment/ceilometer/ceilometer-agent-compute-container-puppet.yaml
index e70701dd72..e3a939ba09 100644
--- a/deployment/ceilometer/ceilometer-agent-compute-container-puppet.yaml
+++ b/deployment/ceilometer/ceilometer-agent-compute-container-puppet.yaml
@@ -105,7 +105,7 @@ outputs:
- {get_attr: [ContainersCommon, volumes]}
- - /var/lib/kolla/config_files/ceilometer_agent_compute.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/ceilometer:/var/lib/kolla/config_files/src:ro
- - /run/libvirt:/run/libvirt:shared
+ - /run/libvirt:/run/libvirt:shared,z
- /var/log/containers/ceilometer:/var/log/ceilometer:z
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
diff --git a/deployment/deprecated/nova/nova-libvirt-container-puppet.yaml b/deployment/deprecated/nova/nova-libvirt-container-puppet.yaml
index 0583428ed6..b5a6173e1a 100644
--- a/deployment/deprecated/nova/nova-libvirt-container-puppet.yaml
+++ b/deployment/deprecated/nova/nova-libvirt-container-puppet.yaml
@@ -573,7 +573,7 @@ outputs:
- /dev:/dev
- /run:/run
- /sys/fs/cgroup:/sys/fs/cgroup
- - /run/libvirt:/run/libvirt:shared
+ - /run/libvirt:/run/libvirt:shared,z
- /var/lib/libvirt:/var/lib/libvirt
- /etc/libvirt/qemu:/etc/libvirt/qemu:ro
- /var/lib/nova:/var/lib/nova:shared
@@ -624,7 +624,7 @@ outputs:
- /run:/run
- /sys/fs/cgroup:/sys/fs/cgroup
- /etc/libvirt:/etc/libvirt
- - /run/libvirt:/run/libvirt:shared
+ - /run/libvirt:/run/libvirt:shared,z
- /var/lib/libvirt:/var/lib/libvirt:shared
- /var/cache/libvirt:/var/cache/libvirt:shared
- /var/lib/vhost_sockets:/var/lib/vhost_sockets
@@ -661,7 +661,7 @@ outputs:
- {get_attr: [ContainersCommon, volumes]}
- - /var/lib/config-data/puppet-generated/nova_libvirt/etc/nova:/etc/nova
- /etc/libvirt:/etc/libvirt
- - /run/libvirt:/run/libvirt:shared
+ - /run/libvirt:/run/libvirt:shared,z
- /var/lib/libvirt:/var/lib/libvirt:shared
- /var/lib/container-config-scripts/nova_libvirt_init_secret.sh:/nova_libvirt_init_secret.sh:ro
- str_replace:
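Review bot: Nothing in the ceilometer volumes hunk records why `/run/libvirt` must be mounted with the shared relabel flag `z` and never the private `Z`, and this is the one consumer living outside the libvirt/nova templates, so it is the easiest place for a later edit to drift. Every container that bind-mounts this host tree relabels it on start (the nova-libvirt mounts elsewhere in this patch use the same `shared,z`), so a `Z` here would, as I understand podman's semantics, stamp the sockets and pid files with a private MCS category and break the other consumers on their next start. I would add a comment above the mount: `# :z (shared relabel), never :Z — /run/libvirt is also mounted by the nova/libvirt containers, which relabel it the same way`. The enclosing `volumes` list starts and ends outside the hunk.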
@@ -884,8 +884,8 @@ outputs:
- { 'path': /var/lib/libvirt, 'setype': container_file_t }
- { 'path': /var/cache/libvirt }
- { 'path': /var/lib/nova, 'setype': container_file_t }
- - { 'path': /run/libvirt, 'setype': virt_var_run_t }
- # qemu user on host will be cretaed by libvirt package install, ensure
+ - { 'path': /run/libvirt}
+ # qemu user on host will be created by libvirt package install, ensure
# the qemu user created with same uid/gid as like libvirt package.
# These specific values are required since ovs is running on host.
# Once ovs with DPDK is containerized, we could modify this uid/gid
diff --git a/deployment/nova/nova-libvirt-common.yaml b/deployment/nova/nova-libvirt-common.yaml
index 39108a1b5c..3b8f2556a6 100644
--- a/deployment/nova/nova-libvirt-common.yaml
+++ b/deployment/nova/nova-libvirt-common.yaml
@@ -151,7 +151,7 @@ outputs:
- /etc/selinux/config:/etc/selinux/config:ro
- /etc/libvirt:/etc/libvirt:shared
- /etc/ssh/ssh_known_hosts:/etc/ssh/ssh_known_hosts:ro
- - /run/libvirt:/run/libvirt:shared
+ - /run/libvirt:/run/libvirt:shared,z
- /var/lib/nova:/var/lib/nova:shared
- /var/lib/libvirt:/var/lib/libvirt:shared
- /var/cache/libvirt:/var/cache/libvirt:shared
diff --git a/deployment/nova/nova-modular-libvirt-container-puppet.yaml b/deployment/nova/nova-modular-libvirt-container-puppet.yaml
index 4aa68a3187..1e4a9ba73e 100644
--- a/deployment/nova/nova-modular-libvirt-container-puppet.yaml
+++ b/deployment/nova/nova-modular-libvirt-container-puppet.yaml
@@ -716,7 +716,7 @@ outputs:
- {get_attr: [ContainersCommon, volumes]}
- - /var/lib/config-data/puppet-generated/nova_libvirt/etc/nova:/etc/nova
- /etc/libvirt:/etc/libvirt
- - /run/libvirt:/run/libvirt:shared
+ - /run/libvirt:/run/libvirt:shared,z
- /var/lib/libvirt:/var/lib/libvirt:shared
- /var/lib/container-config-scripts/nova_libvirt_init_secret.sh:/nova_libvirt_init_secret.sh:ro
- str_replace:
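Review bot: With the `setype` dropped from the `/run/libvirt` host entry in the @@ -884 hunk, the directory is created with whatever label the host policy assigns — `virt_var_run_t` per the fcontext quoted in the commit message — and only becomes `container_file_t` once a container that mounts it with `:z` starts, so a day-2 `restorecon`/`fixfiles` on `/run` will still flip it back until the next container restart. That matches the commit's stated intent but is worth recording next to the entry, e.g. `# no setype on purpose: the containers' ':z' bind mounts of /run/libvirt own its label; a restorecon reverts it until they restart`. If the label is meant to survive a restorecon, the durable option would be a `semanage fcontext` rule for `/run/libvirt(/.*)?` rather than a per-deploy setype, but that is a policy decision this patch does not make. Separately, `{ 'path': /run/libvirt}` lacks the space before `}` that the sibling entries and the same entry in the modular template use; `- { 'path': /run/libvirt }` keeps them consistent. The list this entry belongs to starts outside the hunk.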
@@ -929,7 +929,7 @@ outputs:
- { 'path': /var/lib/libvirt, 'setype': container_file_t }
- { 'path': /var/cache/libvirt }
- { 'path': /var/lib/nova, 'setype': container_file_t }
- - { 'path': /run/libvirt, 'setype': virt_var_run_t }
+ - { 'path': /run/libvirt }
- { 'path': /var/log/libvirt, 'setype': container_file_t }
- { 'path': /var/log/libvirt/qemu, 'setype': container_file_t }
- { 'path': /var/log/containers/libvirt/swtpm, 'setype': container_file_t, 'mode': '0750' }
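Review bot: The new `/run/libvirt` entry is, apart from `/var/cache/libvirt`, the only path in this run without a `setype`, and nothing says the omission is deliberate next to siblings that all pin `container_file_t`; a future reader fixing "inconsistent" entries could reintroduce the flapping this commit removes. On a typical host `/run` is a tmpfs, so the directory is recreated on every boot with the policy default label and gets `container_file_t` only from the libvirt containers' `:z` bind mounts, which is the behaviour the commit relies on. I would add: `# no setype: the libvirt containers relabel /run/libvirt via their ':z' bind mounts`. The path list (presumably a host-prep loop) starts outside the hunk.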