From 245da47a9d6396e7b302e970a044d210eedd189d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Jeanneret?=
Date: Wed, 3 Oct 2018 14:56:59 +0200
Subject: [PATCH] Add SELinux configurations for a proper Standalone deploy

With this patch, we're able to deploy a "standalone" stack using podman on a fully-enabled SELinux system.

Change-Id: I4bfa2e1d3fe6c968c4d4a2ee1c2d4fb00a1667a1
---
 common/deploy-steps-tasks.yaml | 4 ++--
 docker/services/database/redis.yaml | 2 +-
 docker/services/horizon.yaml | 8 +++++---
 docker/services/nova-compute.yaml | 13 +++++++------
 docker/services/nova-ironic.yaml | 2 +-
 docker/services/nova-libvirt.yaml | 21 +++++++++++++--------
 docker/services/rabbitmq.yaml | 11 ++++++-----
 7 files changed, 35 insertions(+), 26 deletions(-)

diff --git a/common/deploy-steps-tasks.yaml b/common/deploy-steps-tasks.yaml
index 4da60a44ad..75523637a2 100644
--- a/common/deploy-steps-tasks.yaml
+++ b/common/deploy-steps-tasks.yaml
@@ -132,7 +132,7 @@ dest: "/var/lib/docker-config-scripts/{{ item[0] }}" force: yes mode: "{{ item[1].mode | default('0600', true) }}" - setype: svirt_sandbox_file_t + setype: svirt_sandbox_file_t loop: "{{ role_data_docker_config_scripts | dictsort }}" loop_control: label: "{{ item[0] }}"
@@ -208,7 +208,7 @@ dest: "{{ item[0] }}" force: yes mode: '0600' - setype: svirt_sandbox_file_t + setype: svirt_sandbox_file_t loop: "{{ lookup('file', tripleo_role_name + '/kolla_config.yaml', errors='ignore') | default([], True) | from_yaml | dictsort }}" loop_control: label: "{{ item[0] }}"
diff --git a/docker/services/database/redis.yaml b/docker/services/database/redis.yaml
index 1e2bcf2218..bb94c38d3f 100644
--- a/docker/services/database/redis.yaml
+++ b/docker/services/database/redis.yaml
@@ -158,7 +158,7 @@ outputs: state: directory with_items: - { 'path': /var/log/containers/redis, 'setype': svirt_sandbox_file_t } - - { 'path': /var/run/redis, 'setype': container_var_run_t } + - { 'path': /var/run/redis, 'setype': svirt_sandbox_file_t } - name: redis logs readme copy: dest: /var/log/redis/readme.txt
diff --git a/docker/services/horizon.yaml b/docker/services/horizon.yaml
index cd47a3d1d9..b14340beec 100644
--- a/docker/services/horizon.yaml
+++ b/docker/services/horizon.yaml
@@ -173,11 +173,13 @@ outputs: host_prep_tasks: - name: create persistent logs directory file: - path: "{{ item }}" + path: "{{ item.path }}" state: directory + setype: "{{ item.setype }}" with_items: - - /var/log/containers/horizon - - /var/log/containers/httpd/horizon + - { 'path': /var/log/containers/horizon, 'setype': svirt_sandbox_file_t } + - { 'path': /var/log/containers/httpd/horizon, 'setype': svirt_sandbox_file_t } + - { 'path': /var/www, 'setype': svirt_sandbox_file_t } - name: horizon logs readme copy: dest: /var/log/horizon/readme.txt
diff --git a/docker/services/nova-compute.yaml b/docker/services/nova-compute.yaml
index c652dec90a..d60ed712f5 100644
--- a/docker/services/nova-compute.yaml
+++ b/docker/services/nova-compute.yaml
@@ -194,7 +194,7 @@ outputs: privileged: false detach: false volumes: - - /var/lib/nova:/var/lib/nova:shared + - /var/lib/nova:/var/lib/nova:shared,z - /var/lib/docker-config-scripts/:/docker-config-scripts/ command: "/docker-config-scripts/nova_statedir_ownership.py" step_4:
@@ -228,7 +228,7 @@ outputs: - /dev:/dev - /lib/modules:/lib/modules:ro - /run:/run - /var/lib/nova:/var/lib/nova:shared + - /var/lib/nova:/var/lib/nova:shared,z - /var/lib/libvirt:/var/lib/libvirt - /sys/class/net:/sys/class/net - /sys/bus/pci:/sys/bus/pci
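Review bot: The new `/var/www` item in the horizon host_prep_tasks hunk relabels a host directory whose policy default is normally `httpd_sys_content_t`, and a `file` task with `state: directory` and `setype` applies only to the directory inode (no `recurse`), so existing content underneath keeps its old label. A label set this way is also not recorded in the policy's file-context database, so any later `restorecon` or full relabel on the host silently reverts it; if these labels must survive that, each entry needs a matching `sefcontext` rule (or the deploy docs must state that restorecon is not to be run on these paths). The same two caveats apply to the `setype` additions in the nova-compute, nova-libvirt and rabbitmq host_prep_tasks hunks of this patch. The enclosing host_prep_tasks list continues outside the hunk.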
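Review bot: `shared,z` in the nova-compute volume hunks makes the runtime recursively relabel `/var/lib/nova` on every container start, which on a compute node with a large `/var/lib/nova/instances` tree can add noticeable start-up latency; since the host_prep_tasks hunk in the same file already sets `setype` on `/var/lib/nova` and `/var/lib/nova/instances`, consider a one-time recursive relabel there (`recurse: yes` on the `file` task) instead of relying on the per-start `z` walk. Lower-case `z` (shared label, no MCS category) rather than `Z` is the correct choice as long as nova_compute and nova_libvirt both mount the path, which this diff shows. The same `shared,z` change is made in the 228 hunk here, in nova-ironic and in both nova-libvirt volume hunks; the volume lists continue outside each hunk.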
@@ -243,12 +243,13 @@ outputs: - {get_attr: [NovaComputeBase, role_data, host_prep_tasks]} - - name: create persistent directories file: - path: "{{ item }}" + path: "{{ item.path }}" state: directory + setype: "{{ item.setype }}" with_items: - - /var/lib/nova - - /var/lib/nova/instances - - /var/lib/libvirt + - { 'path': /var/lib/nova, 'setype': svirt_sandbox_file_t } + - { 'path': /var/lib/nova/instances, 'setype': svirt_sandbox_file_t } + - { 'path': /var/lib/libvirt, 'setype': svirt_sandbox_file_t } - name: ensure ceph configurations exist file: path: /etc/ceph
diff --git a/docker/services/nova-ironic.yaml b/docker/services/nova-ironic.yaml
index 07c7a9e50d..23c385c616 100644
--- a/docker/services/nova-ironic.yaml
+++ b/docker/services/nova-ironic.yaml
@@ -139,7 +139,7 @@ outputs: - /etc/iscsi:/var/lib/kolla/config_files/src-iscsid:ro - /run:/run - /dev:/dev - /var/lib/nova/:/var/lib/nova:shared + - /var/lib/nova/:/var/lib/nova:shared,z - /var/log/containers/nova:/var/log/nova environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
diff --git a/docker/services/nova-libvirt.yaml b/docker/services/nova-libvirt.yaml
index e715837c82..39a01e866a 100644
--- a/docker/services/nova-libvirt.yaml
+++ b/docker/services/nova-libvirt.yaml
@@ -283,6 +283,7 @@ outputs: image: {get_param: DockerNovaLibvirtImage} net: host pid: host + security_opt: label=disable privileged: true restart: always volumes:
@@ -295,7 +296,7 @@ outputs: - /dev:/dev - /run:/run - /sys/fs/cgroup:/sys/fs/cgroup - /var/lib/nova:/var/lib/nova:shared + - /var/lib/nova:/var/lib/nova:shared,z - /var/run/libvirt:/var/run/libvirt - /var/lib/libvirt:/var/lib/libvirt - /etc/libvirt/qemu:/etc/libvirt/qemu:ro
@@ -308,6 +309,7 @@ outputs: net: host pid: host privileged: true + security_opt: label=disable restart: always healthcheck: test: /openstack/healthcheck
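Review bot: `security_opt: label=disable` in the 283 hunk runs the nova_libvirt container in the unconfined container process domain, and the commit message does not say which access the `:z` relabels added elsewhere in this patch fail to cover. For the two `privileged: true` containers (283 and 308 hunks) the runtime already drops SELinux separation as far as I know, so the option is redundant there; for nova_libvirt_init_secret in the 369 hunk (`privileged: false`, `user: root`) it is a genuine loss of confinement for a root process and deserves its own justification. A comment on each occurrence, `# SELinux: label=disable required because <denied access goes here>`, would let a later reviewer re-check whether it is still needed once the host labels are in place. Each container definition continues outside its hunk.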
@@ -322,7 +324,7 @@ outputs: - /dev:/dev - /run:/run - /sys/fs/cgroup:/sys/fs/cgroup - /var/lib/nova:/var/lib/nova:shared + - /var/lib/nova:/var/lib/nova:shared,z - /etc/libvirt:/etc/libvirt - /var/run/libvirt:/var/run/libvirt - /var/lib/libvirt:/var/lib/libvirt
@@ -369,6 +371,7 @@ outputs: - nova_libvirt_init_secret: detach: false image: {get_param: DockerNovaLibvirtImage} + security_opt: label=disable privileged: false user: root volumes:
@@ -391,14 +394,16 @@ outputs: host_prep_tasks: - name: create libvirt persistent data directories file: - path: "{{ item }}" + path: "{{ item.path }}" state: directory + setype: "{{ item.setype }}" with_items: - - /etc/libvirt - - /etc/libvirt/secrets - - /etc/libvirt/qemu - - /var/lib/libvirt - - /var/log/containers/libvirt + - { 'path': /etc/libvirt, 'setype': svirt_sandbox_file_t } + - { 'path': /etc/libvirt/secrets, 'setype': svirt_sandbox_file_t } + - { 'path': /etc/libvirt/qemu, 'setype': svirt_sandbox_file_t } + - { 'path': /var/lib/libvirt, 'setype': svirt_sandbox_file_t } + - { 'path': /var/lib/nova, 'setype': svirt_sandbox_file_t } + - { 'path': /var/log/containers/libvirt, 'setype': svirt_sandbox_file_t } # qemu user on host will be cretaed by libvirt package install, ensure # the qemu user created with same uid/gid as like libvirt package. # These specific values are required since ovs is running on host.
diff --git a/docker/services/rabbitmq.yaml b/docker/services/rabbitmq.yaml
index 8d86492597..41ac3a0001 100644
--- a/docker/services/rabbitmq.yaml
+++ b/docker/services/rabbitmq.yaml
@@ -181,8 +181,8 @@ outputs: - - /var/lib/kolla/config_files/rabbitmq.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/rabbitmq/:/var/lib/kolla/config_files/src:ro - - /var/lib/rabbitmq:/var/lib/rabbitmq - - /var/log/containers/rabbitmq:/var/log/rabbitmq + - /var/lib/rabbitmq:/var/lib/rabbitmq:z + - /var/log/containers/rabbitmq:/var/log/rabbitmq:z - if: - internal_tls_enabled -
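Review bot: `:z` on `/var/lib/rabbitmq` in the rabbitmq 181 hunk gives the broker's state directory the shared container label with no MCS category, which any container on the host may then read, and that directory holds whatever database and credential files the broker keeps on disk. Unless another container also mounts this path (not visible in this hunk), `:Z` keeps the same relabel behaviour but assigns a per-container category, `- /var/lib/rabbitmq:/var/lib/rabbitmq:Z`, and the same consideration applies to `/var/log/containers/rabbitmq`. The volume list continues outside the hunk.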
@@ -211,11 +211,12 @@ outputs: host_prep_tasks: - name: create persistent directories file: - path: "{{ item }}" + path: "{{ item.path }}" state: directory + setype: "{{ item.setype }}" with_items: - - /var/log/containers/rabbitmq - - /var/lib/rabbitmq + - { 'path': /var/log/containers/rabbitmq, 'setype': svirt_sandbox_file_t } + - { 'path': /var/lib/rabbitmq, 'setype': svirt_sandbox_file_t } - name: rabbitmq logs readme copy: dest: /var/log/rabbitmq/readme.txt