Add SELinux configurations for a proper Standalone deploy
With this patch, we're able to deploy a "standalone" stack using podman on a fully-enabled SELinux system. Change-Id: I4bfa2e1d3fe6c968c4d4a2ee1c2d4fb00a1667a1
parent
ec227891bd
commit
245da47a9d
@ -132,7 +132,7 @@
|
||||
dest: "/var/lib/docker-config-scripts/{{ item[0] }}"
|
||||
force: yes
|
||||
mode: "{{ item[1].mode | default('0600', true) }}"
|
||||
setype: svirt_sandbox_file_t
|
||||
setype: svirt_sandbox_file_t
|
||||
loop: "{{ role_data_docker_config_scripts | dictsort }}"
|
||||
loop_control:
|
||||
label: "{{ item[0] }}"
|
||||
@ -208,7 +208,7 @@
|
||||
dest: "{{ item[0] }}"
|
||||
force: yes
|
||||
mode: '0600'
|
||||
setype: svirt_sandbox_file_t
|
||||
setype: svirt_sandbox_file_t
|
||||
loop: "{{ lookup('file', tripleo_role_name + '/kolla_config.yaml', errors='ignore') | default([], True) | from_yaml | dictsort }}"
|
||||
loop_control:
|
||||
label: "{{ item[0] }}"
|
||||
|
@ -158,7 +158,7 @@ outputs:
|
||||
state: directory
|
||||
with_items:
|
||||
- { 'path': /var/log/containers/redis, 'setype': svirt_sandbox_file_t }
|
||||
- { 'path': /var/run/redis, 'setype': container_var_run_t }
|
||||
- { 'path': /var/run/redis, 'setype': svirt_sandbox_file_t }
|
||||
- name: redis logs readme
|
||||
copy:
|
||||
dest: /var/log/redis/readme.txt
|
||||
|
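Review bot: The `/var/run/redis` entry now gets `svirt_sandbox_file_t` from a one-time `file` task in host_prep_tasks; if `/run` is a tmpfs on these hosts (the usual case, though not visible here) the directory and its label are gone after a reboot and only return when host_prep_tasks rerun, whichever type is chosen. If that is the intent, a comment such as `# one-shot label: /var/run is recreated at boot; use tmpfiles.d or an fcontext rule if it must persist` would save the next reader the question. Note also that `svirt_sandbox_file_t` is the legacy alias of `container_file_t` in container-selinux, so `ls -Z` on a current host will report the newer name. The enclosing task starts before this hunk.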
@ -173,11 +173,13 @@ outputs:
|
||||
host_prep_tasks:
|
||||
- name: create persistent logs directory
|
||||
file:
|
||||
path: "{{ item }}"
|
||||
path: "{{ item.path }}"
|
||||
state: directory
|
||||
setype: "{{ item.setype }}"
|
||||
with_items:
|
||||
- /var/log/containers/horizon
|
||||
- /var/log/containers/httpd/horizon
|
||||
- { 'path': /var/log/containers/horizon, 'setype': svirt_sandbox_file_t }
|
||||
- { 'path': /var/log/containers/httpd/horizon, 'setype': svirt_sandbox_file_t }
|
||||
- { 'path': /var/www, 'setype': svirt_sandbox_file_t }
|
||||
- name: horizon logs readme
|
||||
copy:
|
||||
dest: /var/log/horizon/readme.txt
|
||||
|
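Review bot: The `setype: "{{ item.setype }}"` added to the create-directory task applies the label the way `chcon` does: it is not recorded in the SELinux file-context database, so a later `restorecon -R`, a package scriptlet or an autorelabel resets these paths to the policy default and the containers lose access until the prep task runs again. Without `recurse: yes` the task also labels only the directory itself, so files already present underneath keep their old context; the `:z` mount option added elsewhere in this change covers that at container start only for the paths that carry it. Consider pairing each entry with an `sefcontext` rule, or record the trade-off with `# setype is a one-shot chcon, not persistent across restorecon/autorelabel; runtime :z mounts re-apply it where used`. The same applies to the create-directory tasks in the hunks at `-243,12`, `-391,14` and `-211,11`; the task list continues outside this hunk.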
@ -194,7 +194,7 @@ outputs:
|
||||
privileged: false
|
||||
detach: false
|
||||
volumes:
|
||||
- /var/lib/nova:/var/lib/nova:shared
|
||||
- /var/lib/nova:/var/lib/nova:shared,z
|
||||
- /var/lib/docker-config-scripts/:/docker-config-scripts/
|
||||
command: "/docker-config-scripts/nova_statedir_ownership.py"
|
||||
step_4:
|
||||
@ -228,7 +228,7 @@ outputs:
|
||||
- /dev:/dev
|
||||
- /lib/modules:/lib/modules:ro
|
||||
- /run:/run
|
||||
- /var/lib/nova:/var/lib/nova:shared
|
||||
- /var/lib/nova:/var/lib/nova:shared,z
|
||||
- /var/lib/libvirt:/var/lib/libvirt
|
||||
- /sys/class/net:/sys/class/net
|
||||
- /sys/bus/pci:/sys/bus/pci
|
||||
@ -243,12 +243,13 @@ outputs:
|
||||
- {get_attr: [NovaComputeBase, role_data, host_prep_tasks]}
|
||||
- - name: create persistent directories
|
||||
file:
|
||||
path: "{{ item }}"
|
||||
path: "{{ item.path }}"
|
||||
state: directory
|
||||
setype: "{{ item.setype }}"
|
||||
with_items:
|
||||
- /var/lib/nova
|
||||
- /var/lib/nova/instances
|
||||
- /var/lib/libvirt
|
||||
- { 'path': /var/lib/nova, 'setype': svirt_sandbox_file_t }
|
||||
- { 'path': /var/lib/nova/instances, 'setype': svirt_sandbox_file_t }
|
||||
- { 'path': /var/lib/libvirt, 'setype': svirt_sandbox_file_t }
|
||||
- name: ensure ceph configurations exist
|
||||
file:
|
||||
path: /etc/ceph
|
||||
|
@ -139,7 +139,7 @@ outputs:
|
||||
- /etc/iscsi:/var/lib/kolla/config_files/src-iscsid:ro
|
||||
- /run:/run
|
||||
- /dev:/dev
|
||||
- /var/lib/nova/:/var/lib/nova:shared
|
||||
- /var/lib/nova/:/var/lib/nova:shared,z
|
||||
- /var/log/containers/nova:/var/log/nova
|
||||
environment:
|
||||
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
|
||||
|
@ -283,6 +283,7 @@ outputs:
|
||||
image: {get_param: DockerNovaLibvirtImage}
|
||||
net: host
|
||||
pid: host
|
||||
security_opt: label=disable
|
||||
privileged: true
|
||||
restart: always
|
||||
volumes:
|
||||
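Review bot: `security_opt: label=disable` runs the container without SELinux type separation (the process is not confined as container_t), a broader relaxation than the `:z` relabels used elsewhere in this change, and the line carries no comment saying why it is required; something like `# label=disable: container runs unconfined by SELinux; needed because <reason>` would record the justification for the next reviewer. For this container and the one at `-308,6`, `privileged: true` already implies label separation is off under podman, so the option there mostly documents intent; for nova_libvirt_init_secret at `-369,6`, which keeps `privileged: false`, it is the only setting that lifts confinement, so it is worth checking whether a `:z` relabel on its volumes would suffice instead. The container definition continues outside this hunk.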
@ -295,7 +296,7 @@ outputs:
|
||||
- /dev:/dev
|
||||
- /run:/run
|
||||
- /sys/fs/cgroup:/sys/fs/cgroup
|
||||
- /var/lib/nova:/var/lib/nova:shared
|
||||
- /var/lib/nova:/var/lib/nova:shared,z
|
||||
- /var/run/libvirt:/var/run/libvirt
|
||||
- /var/lib/libvirt:/var/lib/libvirt
|
||||
- /etc/libvirt/qemu:/etc/libvirt/qemu:ro
|
||||
@ -308,6 +309,7 @@ outputs:
|
||||
net: host
|
||||
pid: host
|
||||
privileged: true
|
||||
security_opt: label=disable
|
||||
restart: always
|
||||
healthcheck:
|
||||
test: /openstack/healthcheck
|
||||
@ -322,7 +324,7 @@ outputs:
|
||||
- /dev:/dev
|
||||
- /run:/run
|
||||
- /sys/fs/cgroup:/sys/fs/cgroup
|
||||
- /var/lib/nova:/var/lib/nova:shared
|
||||
- /var/lib/nova:/var/lib/nova:shared,z
|
||||
- /etc/libvirt:/etc/libvirt
|
||||
- /var/run/libvirt:/var/run/libvirt
|
||||
- /var/lib/libvirt:/var/lib/libvirt
|
||||
@ -369,6 +371,7 @@ outputs:
|
||||
- nova_libvirt_init_secret:
|
||||
detach: false
|
||||
image: {get_param: DockerNovaLibvirtImage}
|
||||
security_opt: label=disable
|
||||
privileged: false
|
||||
user: root
|
||||
volumes:
|
||||
@ -391,14 +394,16 @@ outputs:
|
||||
host_prep_tasks:
|
||||
- name: create libvirt persistent data directories
|
||||
file:
|
||||
path: "{{ item }}"
|
||||
path: "{{ item.path }}"
|
||||
state: directory
|
||||
setype: "{{ item.setype }}"
|
||||
with_items:
|
||||
- /etc/libvirt
|
||||
- /etc/libvirt/secrets
|
||||
- /etc/libvirt/qemu
|
||||
- /var/lib/libvirt
|
||||
- /var/log/containers/libvirt
|
||||
- { 'path': /etc/libvirt, 'setype': svirt_sandbox_file_t }
|
||||
- { 'path': /etc/libvirt/secrets, 'setype': svirt_sandbox_file_t }
|
||||
- { 'path': /etc/libvirt/qemu, 'setype': svirt_sandbox_file_t }
|
||||
- { 'path': /var/lib/libvirt, 'setype': svirt_sandbox_file_t }
|
||||
- { 'path': /var/lib/nova, 'setype': svirt_sandbox_file_t }
|
||||
- { 'path': /var/log/containers/libvirt, 'setype': svirt_sandbox_file_t }
|
||||
# qemu user on host will be cretaed by libvirt package install, ensure
|
||||
# the qemu user created with same uid/gid as like libvirt package.
|
||||
# These specific values are required since ovs is running on host.
|
||||
|
@ -181,8 +181,8 @@ outputs:
|
||||
-
|
||||
- /var/lib/kolla/config_files/rabbitmq.json:/var/lib/kolla/config_files/config.json:ro
|
||||
- /var/lib/config-data/puppet-generated/rabbitmq/:/var/lib/kolla/config_files/src:ro
|
||||
- /var/lib/rabbitmq:/var/lib/rabbitmq
|
||||
- /var/log/containers/rabbitmq:/var/log/rabbitmq
|
||||
- /var/lib/rabbitmq:/var/lib/rabbitmq:z
|
||||
- /var/log/containers/rabbitmq:/var/log/rabbitmq:z
|
||||
- if:
|
||||
- internal_tls_enabled
|
||||
-
|
||||
@ -211,11 +211,12 @@ outputs:
|
||||
host_prep_tasks:
|
||||
- name: create persistent directories
|
||||
file:
|
||||
path: "{{ item }}"
|
||||
path: "{{ item.path }}"
|
||||
state: directory
|
||||
setype: "{{ item.setype }}"
|
||||
with_items:
|
||||
- /var/log/containers/rabbitmq
|
||||
- /var/lib/rabbitmq
|
||||
- { 'path': /var/log/containers/rabbitmq, 'setype': svirt_sandbox_file_t }
|
||||
- { 'path': /var/lib/rabbitmq, 'setype': svirt_sandbox_file_t }
|
||||
- name: rabbitmq logs readme
|
||||
copy:
|
||||
dest: /var/log/rabbitmq/readme.txt
|
||||
|