Allow containerized undercloud deploy with SELinux

When SELinux is enforcing, use the docker volume mount flag :z for the docker-puppet tool's bind-mounted volumes in RW mode. Note, if a volume mount with a Z, then the label will be specific to the container, and not be able to be shared between containers. Volumes from /etc/pki mounted RO do not require the context changes. For those RO volumes that do require it, use :ro,z. For deploy-steps, make sure ansible file resources in /var/lib/ are enforced the same SELinux context attributes what docker's :z provides. Partial-bug: #1682179 Related-bug: #1723003 Change-Id: Idc0caa49573bd88e8410d3d4217fd39e9aabf8f2 Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
6 years ago · 1fc9285125
parent 3b17b3fccd
commit 1fc9285125
3 changed files with 24 additions and 8 deletions
--- a/common/deploy-steps.j2
+++ b/common/deploy-steps.j2
@ -219,12 +219,12 @@ resources:
                    -
                      # Write the manifest for baremetal puppet configuration
                      - name: Create /var/lib/tripleo-config directory
-                        file: path=/var/lib/tripleo-config state=directory
+                        file: path=/var/lib/tripleo-config state=directory setype=svirt_sandbox_file_t selevel=s0 recurse=true
                      - name: Write the puppet step_config manifest
                        copy: content="{{ '{{' }}puppet_step_config{{ '}}' }}" dest=/var/lib/tripleo-config/puppet_step_config.pp force=yes mode=0600
                      # this creates a JSON config file for our docker-puppet.py script
                      - name: Create /var/lib/docker-puppet
-                        file: path=/var/lib/docker-puppet state=directory
+                        file: path=/var/lib/docker-puppet state=directory setype=svirt_sandbox_file_t selevel=s0 recurse=true
                      - name: Write docker-puppet-tasks json files
                        copy: content="{{ '{{' }}puppet_config | to_json{{ '}}' }}" dest=/var/lib/docker-puppet/docker-puppet.json force=yes mode=0600
                      # FIXME: can we move docker-puppet somewhere so it's installed via a package?
@ -241,7 +241,7 @@ resources:
                        copy: content="{{ '{{' }}item.value|to_json{{ '}}' }}" dest="/var/lib/tripleo-config/docker-container-startup-config-{{ '{{' }}item.key{{ '}}' }}.json" force=yes mode=0600
                        with_dict: "{{ '{{' }}docker_startup_configs{{ '}}' }}"
                      - name: Create /var/lib/kolla/config_files directory
-                        file: path=/var/lib/kolla/config_files state=directory
+                        file: path=/var/lib/kolla/config_files state=directory setype=svirt_sandbox_file_t selevel=s0 recurse=true
                      - name: Write kolla config json files
                        copy: content="{{ '{{' }}item.value|to_json{{ '}}' }}" dest="{{ '{{' }}item.key{{ '}}' }}" force=yes mode=0600
                        with_dict: "{{ '{{' }}kolla_config{{ '}}' }}"
--- a/docker/docker-puppet.py
+++ b/docker/docker-puppet.py
@ -273,10 +273,10 @@ def mp_puppet_config((config_volume, puppet_tags, manifest, config_image, volume
                '--env', 'HOSTNAME=%s' % short_hostname(),
                '--env', 'NO_ARCHIVE=%s' % os.environ.get('NO_ARCHIVE', ''),
                '--env', 'STEP=%s' % os.environ.get('STEP', '6'),
-                '--volume', '%s:/etc/config.pp:ro' % tmp_man.name,
-                '--volume', '/etc/puppet/:/tmp/puppet-etc/:ro',
-                '--volume', '/usr/share/openstack-puppet/modules/:/usr/share/openstack-puppet/modules/:ro',
-                '--volume', '%s:/var/lib/config-data/:rw' % os.environ.get('CONFIG_VOLUME_PREFIX', '/var/lib/config-data'),
+                '--volume', '%s:/etc/config.pp:ro,z' % tmp_man.name,
+                '--volume', '/etc/puppet/:/tmp/puppet-etc/:ro,z',
+                '--volume', '/usr/share/openstack-puppet/modules/:/usr/share/openstack-puppet/modules/:ro,z',
+                '--volume', '%s:/var/lib/config-data/:z' % os.environ.get('CONFIG_VOLUME_PREFIX', '/var/lib/config-data'),
                '--volume', 'tripleo_logs:/var/log/tripleo/',
                # Syslog socket for puppet logs
                '--volume', '/dev/log:/dev/log',
@ -286,7 +286,7 @@ def mp_puppet_config((config_volume, puppet_tags, manifest, config_image, volume
                '--volume', '/etc/pki/tls/certs/ca-bundle.trust.crt:/etc/pki/tls/certs/ca-bundle.trust.crt:ro',
                '--volume', '/etc/pki/tls/cert.pem:/etc/pki/tls/cert.pem:ro',
                # script injection
-                '--volume', '%s:%s:rw' % (sh_script, sh_script) ]
+                '--volume', '%s:%s:z' % (sh_script, sh_script) ]

        for volume in volumes:
            if volume:
--- a/releasenotes/notes/containers-selinux-context-13b720cc1d5ec6f2.yaml
+++ b/releasenotes/notes/containers-selinux-context-13b720cc1d5ec6f2.yaml
@ -0,0 +1,16 @@
+---
+upgrade: &notes
+  - |
+    The configuration management related directories managed by the
+    tripleo deployment tools and bind-mounted as docker volumes now
+    using the `:z` flag, which is a docker's equivalent for
+    `chcon -Rt svirt_sandbox_file_t -l s0`. This makes those
+    directories available for all containers on the host, in the
+    shared mode: `/var/lib/tripleo-config`, `/var/lib/docker-puppet`,
+    `/var/lib/kolla/config`, `/etc/puppet`,
+    `/usr/share/openstack-puppet/modules/`, `/var/lib/config-data`.
+security: *notes
+fixes:
+  - |
+    Allow containerized services to be executed on hosts with SELinux
+    in the enforcing mode.