Merge "Stop using (and breaking) /var/tmp for horizon temporary things"

deployment/horizon/horizon-container-puppet.yaml

@@ -318,7 +318,7 @@ outputs:
                   - /var/lib/config-data/puppet-generated/horizon:/var/lib/kolla/config_files/src:ro
                   - /var/log/containers/horizon:/var/log/horizon:z
                   - /var/log/containers/httpd/horizon:/var/log/httpd:z
-                  - /var/tmp/:/var/tmp/:z
+                  - /var/tmp/horizon:/var/tmp/:z
                   - /var/www/:/var/www/:ro
                 - if:
                     - {get_param: EnableInternalTLS}
@@ -360,7 +360,26 @@ outputs:
             - { 'path': /var/log/containers/horizon, 'setype': container_file_t, 'mode': '0750' }
             - { 'path': /var/log/containers/httpd/horizon, 'setype': container_file_t, 'mode': '0750' }
             - { 'path': /var/www, 'setype': container_file_t }
-      upgrade_tasks: []
+            - { 'path': /var/tmp/horizon, 'setype': container_file_t, 'mode': '1777' }
+        - name: ensure /var/tmp/horizon exists on boot
+          copy:
+            dest: /etc/tmpfiles.d/var-tmp-horizon.conf
+            content: |
+              d /var/tmp/horizon 1777 root root - -
+      upgrade_tasks:
+        - name: Anchor for upgrade and update tasks
+          when: step|int == 0
+          block: &tmp_reset_label
+            - name: Reset selinux label on /var/tmp
+              file:
+                path: /var/tmp
+                state: directory
+                setype: tmp_t
+                mode: 1777
+      update_tasks:
+        - name: Anchor for upgrade and update tasks
+          when: step|int == 0
+          block: *tmp_reset_label
       external_upgrade_tasks:
         - when:
             - step|int == 1