Revert "Drop the SELinux flags for openvswitch /var/run directory"
This reverts commit af80a0d914.
Reason: the added SELinux rule actually allows openvswitch to write in
container_file_t - not the contrary. We therefore still need the ":z" flag.
A possible follow-up would be to drop the "shared" flag (useless) and
remove the duplicated mount.
Change-Id: Idc8813792b5c6d4d4226491f81de2965beeaadbe
This commit is contained in:
Cédric Jeanneret (Tengu)
Cédric Jeanneret
parent
fa3140a723
commit
1ce103186d
|
|
@ -364,7 +364,7 @@ outputs:
|
|||
- /var/lib/kolla/config_files/neutron_dhcp.json:/var/lib/kolla/config_files/config.json:ro
|
||||
- /var/lib/config-data/puppet-generated/neutron/:/var/lib/kolla/config_files/src:ro
|
||||
- /lib/modules:/lib/modules:ro
|
||||
- /run/openvswitch:/run/openvswitch
|
||||
- /run/openvswitch:/run/openvswitch:shared,z
|
||||
- /var/lib/neutron:/var/lib/neutron:shared,z
|
||||
- /run/netns:/run/netns:shared
|
||||
- /var/lib/neutron/kill_scripts:/etc/neutron/kill_scripts:shared,z
|
||||
|
|
|
|||
|
|
@ -322,7 +322,7 @@ outputs:
|
|||
- /var/lib/kolla/config_files/neutron_l3_agent.json:/var/lib/kolla/config_files/config.json:ro
|
||||
- /var/lib/config-data/puppet-generated/neutron/:/var/lib/kolla/config_files/src:ro
|
||||
- /lib/modules:/lib/modules:ro
|
||||
- /run/openvswitch:/run/openvswitch
|
||||
- /run/openvswitch:/run/openvswitch:shared,z
|
||||
- /var/lib/neutron:/var/lib/neutron:shared,z
|
||||
- /run/netns:/run/netns:shared
|
||||
- /var/lib/neutron/kill_scripts:/etc/neutron/kill_scripts:shared,z
|
||||
|
|
|
|||
|
|
@ -243,7 +243,7 @@ outputs:
|
|||
# on the unix domain socket - /run/openvswitch/db.sock
|
||||
volumes:
|
||||
- /lib/modules:/lib/modules:ro
|
||||
- /run/openvswitch:/run/openvswitch
|
||||
- /run/openvswitch:/run/openvswitch:shared,z
|
||||
kolla_config:
|
||||
/var/lib/kolla/config_files/neutron_ovs_agent.json:
|
||||
command: /neutron_ovs_agent_launcher.sh
|
||||
|
|
@ -295,7 +295,8 @@ outputs:
|
|||
- /var/lib/kolla/config_files/neutron_ovs_agent.json:/var/lib/kolla/config_files/config.json:ro
|
||||
- /var/lib/config-data/puppet-generated/neutron/:/var/lib/kolla/config_files/src:ro
|
||||
- /lib/modules:/lib/modules:ro
|
||||
- /run/openvswitch:/run/openvswitch
|
||||
- /run/openvswitch:/run/openvswitch:shared,z
|
||||
- /var/run/openvswitch/:/var/run/openvswitch/:shared,z
|
||||
-
|
||||
if:
|
||||
- docker_puppet_mount_host
|
||||
|
|
@ -325,7 +326,7 @@ outputs:
|
|||
- /var/lib/config-data/puppet-generated/neutron/:/var/lib/kolla/config_files/src:ro
|
||||
- /var/lib/container-config-scripts/neutron_ovs_agent_launcher.sh:/neutron_ovs_agent_launcher.sh:ro
|
||||
- /lib/modules:/lib/modules:ro
|
||||
- /run/openvswitch:/run/openvswitch
|
||||
- /run/openvswitch:/run/openvswitch:shared,z
|
||||
environment:
|
||||
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
||||
metadata_settings:
|
||||
|
|
|
|||
|
|
@ -184,7 +184,7 @@ outputs:
|
|||
# on the unix domain socket - /run/openvswitch/db.sock
|
||||
volumes:
|
||||
- /lib/modules:/lib/modules:ro
|
||||
- /run/openvswitch:/run/openvswitch
|
||||
- /run/openvswitch:/run/openvswitch:shared,z
|
||||
# Needed for creating module load files
|
||||
- /etc/sysconfig/modules:/etc/sysconfig/modules
|
||||
kolla_config:
|
||||
|
|
|
|||
|
|
@ -216,7 +216,7 @@ outputs:
|
|||
config_image: {get_param: ContainerNeutronConfigImage}
|
||||
volumes:
|
||||
- /lib/modules:/lib/modules:ro
|
||||
- /run/openvswitch:/run/openvswitch
|
||||
- /run/openvswitch:/run/openvswitch:shared,z
|
||||
kolla_config:
|
||||
/var/lib/kolla/config_files/ovn_metadata_agent.json:
|
||||
command:
|
||||
|
|
@ -298,7 +298,7 @@ outputs:
|
|||
list_concat:
|
||||
- {get_attr: [ContainersCommon, container_puppet_apply_volumes]}
|
||||
- - /lib/modules:/lib/modules:ro
|
||||
- /run/openvswitch:/run/openvswitch
|
||||
- /run/openvswitch:/run/openvswitch:shared,z
|
||||
ovn_metadata_agent:
|
||||
start_order: 1
|
||||
image: {get_param: ContainerOvnMetadataImage}
|
||||
|
|
@ -316,7 +316,7 @@ outputs:
|
|||
- /var/lib/kolla/config_files/ovn_metadata_agent.json:/var/lib/kolla/config_files/config.json:ro
|
||||
- /var/lib/config-data/puppet-generated/neutron/:/var/lib/kolla/config_files/src:ro
|
||||
- /lib/modules:/lib/modules:ro
|
||||
- /run/openvswitch:/run/openvswitch
|
||||
- /run/openvswitch:/run/openvswitch:shared,z
|
||||
- /var/lib/neutron:/var/lib/neutron:shared,z
|
||||
- /run/netns:/run/netns:shared
|
||||
- /var/lib/neutron/kill_scripts:/etc/neutron/kill_scripts:shared,z
|
||||
|
|
|
|||
Loading…
Reference in New Issue