Add SELinux configurations for a proper Standalone deploy

With this patch, we're able to deploy a "standalone" stack using
podman on a fully-enabled SELinux system.

Change-Id: I4bfa2e1d3fe6c968c4d4a2ee1c2d4fb00a1667a1
Cédric Jeanneret 2018-10-03 14:56:59 +02:00 committed by Emilien Macchi
parent ec227891bd
commit 245da47a9d
7 changed files with 35 additions and 26 deletions


@ -132,7 +132,7 @@
dest: "/var/lib/docker-config-scripts/{{ item[0] }}"
force: yes
mode: "{{ item[1].mode | default('0600', true) }}"
setype: svirt_sandbox_file_t
setype: svirt_sandbox_file_t
loop: "{{ role_data_docker_config_scripts | dictsort }}"
loop_control:
label: "{{ item[0] }}"
@ -208,7 +208,7 @@
dest: "{{ item[0] }}"
force: yes
mode: '0600'
setype: svirt_sandbox_file_t
setype: svirt_sandbox_file_t
loop: "{{ lookup('file', tripleo_role_name + '/kolla_config.yaml', errors='ignore') | default([], True) | from_yaml | dictsort }}"
loop_control:
label: "{{ item[0] }}"


@ -158,7 +158,7 @@ outputs:
state: directory
with_items:
- { 'path': /var/log/containers/redis, 'setype': svirt_sandbox_file_t }
- { 'path': /var/run/redis, 'setype': container_var_run_t }
- { 'path': /var/run/redis, 'setype': svirt_sandbox_file_t }
- name: redis logs readme
copy:
dest: /var/log/redis/readme.txt
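Review bot: The /var/run/redis entry changes its label from `container_var_run_t` to `svirt_sandbox_file_t` (L40 and L41 as printed; the rendered page has lost the +/- markers, so the new side is inferred from the rest of the commit, which uses `svirt_sandbox_file_t` throughout). `svirt_sandbox_file_t` is the generic shared container data type that any container domain can read and write, whereas the type being dropped is specific to run-time state, so this widens which containers can reach the redis socket directory. If the wider type is what podman needs for this mount, record that next to the entry rather than leaving the change unexplained, e.g. `# shared container type; container_var_run_t was not usable here — record the AVC denial that motivated the switch`.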


@ -173,11 +173,13 @@ outputs:
host_prep_tasks:
- name: create persistent logs directory
file:
path: "{{ item }}"
path: "{{ item.path }}"
state: directory
setype: "{{ item.setype }}"
with_items:
- /var/log/containers/horizon
- /var/log/containers/httpd/horizon
- { 'path': /var/log/containers/horizon, 'setype': svirt_sandbox_file_t }
- { 'path': /var/log/containers/httpd/horizon, 'setype': svirt_sandbox_file_t }
- { 'path': /var/www, 'setype': svirt_sandbox_file_t }
- name: horizon logs readme
copy:
dest: /var/log/horizon/readme.txt
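Review bot: The `setype` applied through the `file` module at L55 (and likewise at L93, L168 and L205 in the nova, libvirt and rabbitmq sections) changes the label of the live inode only; it is not recorded in the SELinux file-context policy, so a later `restorecon` or full relabel restores the default type and the directory silently loses the container-accessible label. Without `recurse: true` only the directory itself is relabelled, which matters for pre-existing trees such as the new `/var/www` entry at L61, a host directory that normally carries the host httpd content type. A matching `sefcontext` rule alongside the `file` task would make the label survive relabels; at minimum a comment such as `# label set on the directory inode only; a relabel (restorecon) reverts it` should document the limit. The task list is shown in full within the hunk.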


@ -194,7 +194,7 @@ outputs:
privileged: false
detach: false
volumes:
- /var/lib/nova:/var/lib/nova:shared
- /var/lib/nova:/var/lib/nova:shared,z
- /var/lib/docker-config-scripts/:/docker-config-scripts/
command: "/docker-config-scripts/nova_statedir_ownership.py"
step_4:
@ -228,7 +228,7 @@ outputs:
- /dev:/dev
- /lib/modules:/lib/modules:ro
- /run:/run
- /var/lib/nova:/var/lib/nova:shared
- /var/lib/nova:/var/lib/nova:shared,z
- /var/lib/libvirt:/var/lib/libvirt
- /sys/class/net:/sys/class/net
- /sys/bus/pci:/sys/bus/pci
@ -243,12 +243,13 @@ outputs:
- {get_attr: [NovaComputeBase, role_data, host_prep_tasks]}
- - name: create persistent directories
file:
path: "{{ item }}"
path: "{{ item.path }}"
state: directory
setype: "{{ item.setype }}"
with_items:
- /var/lib/nova
- /var/lib/nova/instances
- /var/lib/libvirt
- { 'path': /var/lib/nova, 'setype': svirt_sandbox_file_t }
- { 'path': /var/lib/nova/instances, 'setype': svirt_sandbox_file_t }
- { 'path': /var/lib/libvirt, 'setype': svirt_sandbox_file_t }
- name: ensure ceph configurations exist
file:
path: /etc/ceph
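Review bot: The `z` added to the /var/lib/nova bind mount at L73 (and at L82, L112, L132, L149, L193 and L194 in the other sections) makes the runtime recursively relabel the whole host tree under the source path to the shared container type on every container start; on a compute node that tree holds the instance disks, so the relabel cost grows with the instances directory and anything there that relied on a different label loses it. Shared `z` rather than private `Z` is the right choice when several containers mount the same path, as this commit does, but the assumption deserves a comment: `# shared (z, not Z) relabel: /var/lib/nova is bind-mounted by more than one container`. /var/lib/libvirt at L83 is mounted without `z`, and the host_prep task at L100 labels only the directory inode, so content already below it keeps its prior label; if this container writes there, either `,z` on the mount or `recurse: true` on the task is needed — confirm against the libvirt section, which mounts the same path at L134 and L152. The container definition at L77 starts outside the hunk.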


@ -139,7 +139,7 @@ outputs:
- /etc/iscsi:/var/lib/kolla/config_files/src-iscsid:ro
- /run:/run
- /dev:/dev
- /var/lib/nova/:/var/lib/nova:shared
- /var/lib/nova/:/var/lib/nova:shared,z
- /var/log/containers/nova:/var/log/nova
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS


@ -283,6 +283,7 @@ outputs:
image: {get_param: DockerNovaLibvirtImage}
net: host
pid: host
security_opt: label=disable
privileged: true
restart: always
volumes:
@ -295,7 +296,7 @@ outputs:
- /dev:/dev
- /run:/run
- /sys/fs/cgroup:/sys/fs/cgroup
- /var/lib/nova:/var/lib/nova:shared
- /var/lib/nova:/var/lib/nova:shared,z
- /var/run/libvirt:/var/run/libvirt
- /var/lib/libvirt:/var/lib/libvirt
- /etc/libvirt/qemu:/etc/libvirt/qemu:ro
@ -308,6 +309,7 @@ outputs:
net: host
pid: host
privileged: true
security_opt: label=disable
restart: always
healthcheck:
test: /openstack/healthcheck
@ -322,7 +324,7 @@ outputs:
- /dev:/dev
- /run:/run
- /sys/fs/cgroup:/sys/fs/cgroup
- /var/lib/nova:/var/lib/nova:shared
- /var/lib/nova:/var/lib/nova:shared,z
- /etc/libvirt:/etc/libvirt
- /var/run/libvirt:/var/run/libvirt
- /var/lib/libvirt:/var/lib/libvirt
@ -369,6 +371,7 @@ outputs:
- nova_libvirt_init_secret:
detach: false
image: {get_param: DockerNovaLibvirtImage}
security_opt: label=disable
privileged: false
user: root
volumes:
@ -391,14 +394,16 @@ outputs:
host_prep_tasks:
- name: create libvirt persistent data directories
file:
path: "{{ item }}"
path: "{{ item.path }}"
state: directory
setype: "{{ item.setype }}"
with_items:
- /etc/libvirt
- /etc/libvirt/secrets
- /etc/libvirt/qemu
- /var/lib/libvirt
- /var/log/containers/libvirt
- { 'path': /etc/libvirt, 'setype': svirt_sandbox_file_t }
- { 'path': /etc/libvirt/secrets, 'setype': svirt_sandbox_file_t }
- { 'path': /etc/libvirt/qemu, 'setype': svirt_sandbox_file_t }
- { 'path': /var/lib/libvirt, 'setype': svirt_sandbox_file_t }
- { 'path': /var/lib/nova, 'setype': svirt_sandbox_file_t }
- { 'path': /var/log/containers/libvirt, 'setype': svirt_sandbox_file_t }
# qemu user on host will be cretaed by libvirt package install, ensure
# the qemu user created with same uid/gid as like libvirt package.
# These specific values are required since ovs is running on host.
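Review bot: `security_opt: label=disable` at L123, L140 and L157 turns off SELinux labelling for those containers, so they run unconfined (spc_t) instead of in a confined container domain; for the two `privileged: true` containers that is an incremental loss, but nova_libvirt_init_secret at L157-L158 is `privileged: false`, so disabling labels there removes confinement that previously applied. No reason is recorded; presumably libvirtd must itself apply sVirt labels to qemu processes and disk images, which a confined container cannot do, but that should be stated, e.g. `# label=disable: libvirtd manages sVirt labels on qemu itself, impossible from a confined container — record the AVC denial`. If the init-secret container only writes under /etc/libvirt/secrets (labelled at L176), a `:z` mount of that path may suffice there instead of disabling labels. The container definitions begin outside the hunks.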


@ -181,8 +181,8 @@ outputs:
-
- /var/lib/kolla/config_files/rabbitmq.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/rabbitmq/:/var/lib/kolla/config_files/src:ro
- /var/lib/rabbitmq:/var/lib/rabbitmq
- /var/log/containers/rabbitmq:/var/log/rabbitmq
- /var/lib/rabbitmq:/var/lib/rabbitmq:z
- /var/log/containers/rabbitmq:/var/log/rabbitmq:z
- if:
- internal_tls_enabled
-
@ -211,11 +211,12 @@ outputs:
host_prep_tasks:
- name: create persistent directories
file:
path: "{{ item }}"
path: "{{ item.path }}"
state: directory
setype: "{{ item.setype }}"
with_items:
- /var/log/containers/rabbitmq
- /var/lib/rabbitmq
- { 'path': /var/log/containers/rabbitmq, 'setype': svirt_sandbox_file_t }
- { 'path': /var/lib/rabbitmq, 'setype': svirt_sandbox_file_t }
- name: rabbitmq logs readme
copy:
dest: /var/log/rabbitmq/readme.txt