diff --git a/deployment/nova/nova-compute-container-puppet.yaml b/deployment/nova/nova-compute-container-puppet.yaml
index 7e199d8d5a..c66d897749 100644
--- a/deployment/nova/nova-compute-container-puppet.yaml
+++ b/deployment/nova/nova-compute-container-puppet.yaml
@@ -833,7 +833,7 @@ outputs:
 - /lib/modules:/lib/modules:ro
 - /run:/run
 - /var/lib/iscsi:/var/lib/iscsi:z
- - /var/lib/libvirt:/var/lib/libvirt:shared,z
+ - /var/lib/libvirt:/var/lib/libvirt:shared
 - /sys/class/net:/sys/class/net
 - /sys/bus/pci:/sys/bus/pci
 - /boot:/boot:ro
diff --git a/deployment/nova/nova-libvirt-container-puppet.yaml b/deployment/nova/nova-libvirt-container-puppet.yaml
index 11e9e1da49..e98b3a1c5e 100644
--- a/deployment/nova/nova-libvirt-container-puppet.yaml
+++ b/deployment/nova/nova-libvirt-container-puppet.yaml
@@ -312,11 +312,6 @@ conditions:
 - {get_param: QemuCACert} - '' - docker_enabled: - equals: - {get_param: ContainerCli} - 'docker' - nova_nfs_enabled: or: - and:
@@ -685,7 +680,7 @@ outputs:
 - /dev:/dev
 - /run:/run
 - /sys/fs/cgroup:/sys/fs/cgroup
- - /var/run/libvirt:/var/run/libvirt:shared,z
+ - /var/run/libvirt:/var/run/libvirt:shared
 - /var/lib/libvirt:/var/lib/libvirt
 - /etc/libvirt/qemu:/etc/libvirt/qemu:ro
 - /var/log/libvirt/qemu:/var/log/libvirt/qemu
@@ -700,7 +695,10 @@ outputs:
 pid: host
 pids_limit: {get_param: ContainerNovaLibvirtPidsLimit}
 privileged: true
- security_opt: label=disable
+ security_opt:
+ - label=level:s0
+ - label=type:spc_t
+ - label=filetype:container_share_t
 restart: always
 cpuset_cpus: {get_attr: [RoleParametersValue, value, container_cpuset_cpus]}
 depends_on:
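Review bot: Dropping `,z` from the `/var/lib/libvirt` bind mount means nova_compute no longer asks the container runtime to relabel that host directory, so its access now depends on the label the path already carries on the host. The only labeling visible in this patch is the Ansible `file` task in nova-libvirt-container-puppet.yaml that sets `svirt_sandbox_file_t` on `/var/lib/libvirt`; that coupling is invisible from this template, so add a comment on the mount line, e.g. `# no ,z: the host label is set by the nova-libvirt directory prep task`. Presumably the relabel was dropped because `:z` relabels the whole tree, including files libvirt manages itself; confirming that nova_compute's own label options still allow it to use `svirt_sandbox_file_t` content is worth a check. The same `,z` removal appears on `/var/run/libvirt` in the -685 hunk and on both libvirt mounts in the -722 and -804 hunks.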
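Review bot: `label=type:spc_t` combined with `privileged: true` is still an essentially unconfined domain, so the gain over the removed `label=disable` is that SELinux stays enabled for the process and files it creates get a known type (`container_share_t` via `label=filetype:`), not confinement of libvirt itself. That rationale is not visible in the template; suggest a comment above the list, `# spc_t keeps SELinux enabled for the privileged libvirt domain; filetype makes files it creates shareable (container_share_t)`. As far as I know `label=filetype:` is accepted by podman but not by docker's `--security-opt`; with the `docker_enabled` condition deleted in the -312 hunk that looks intended, but the minimum podman version this relies on should be stated somewhere reviewers can find it. `label=level:s0` also pins the MCS level instead of letting the runtime assign a random category pair, so this container is not MCS-separated from other `s0` content — acceptable for spc_t, but worth one more clause in the same comment.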
@@ -722,17 +720,14 @@ outputs:
 - /run:/run
 - /sys/fs/cgroup:/sys/fs/cgroup
 - /etc/libvirt:/etc/libvirt
- - /var/run/libvirt:/var/run/libvirt:shared,z
- - /var/lib/libvirt:/var/lib/libvirt:shared,z
+ - /var/run/libvirt:/var/run/libvirt:shared
+ - /var/cache/libvirt:/var/cache/libvirt:shared
+ - /var/lib/libvirt:/var/lib/libvirt:shared
 - /var/log/libvirt/qemu:/var/log/libvirt/qemu:ro
 - /var/lib/vhost_sockets:/var/lib/vhost_sockets
 - /var/lib/nova:/var/lib/nova:shared
- -
- if:
- - docker_enabled
- -
- - /sys/fs/selinux:/sys/fs/selinux
- - null
+ - /sys/fs/selinux:/sys/fs/selinux
+ - /etc/selinux/config:/etc/selinux/config:ro
 -
 if:
 - use_tls_for_live_migration
@@ -804,8 +799,8 @@ outputs:
 - - /var/lib/config-data/puppet-generated/nova_libvirt/etc/nova:/etc/nova:ro
 - /etc/libvirt:/etc/libvirt
- - /var/run/libvirt:/var/run/libvirt:shared,z
- - /var/lib/libvirt:/var/lib/libvirt:shared,z
+ - /var/run/libvirt:/var/run/libvirt:shared
+ - /var/lib/libvirt:/var/lib/libvirt:shared
 command:
 - /bin/bash
 - -c
@@ -846,12 +841,13 @@ outputs:
 file:
 path: "{{ item.path }}"
 state: directory
- setype: "{{ item.setype }}"
+ setype: "{{ item.setype | default(omit) }}"
 with_items:
 - { 'path': /etc/libvirt, 'setype': svirt_sandbox_file_t }
 - { 'path': /etc/libvirt/secrets, 'setype': svirt_sandbox_file_t }
 - { 'path': /etc/libvirt/qemu, 'setype': svirt_sandbox_file_t }
 - { 'path': /var/lib/libvirt, 'setype': svirt_sandbox_file_t }
+ - { 'path': /var/cache/libvirt }
 - { 'path': /var/lib/nova, 'setype': svirt_sandbox_file_t }
 - { 'path': /var/run/libvirt, 'setype': virt_var_run_t }
 - { 'path': /var/log/libvirt, 'setype': svirt_sandbox_file_t }
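Review bot: `/sys/fs/selinux:/sys/fs/selinux` is now mounted unconditionally and read-write (it was previously only mounted under `docker_enabled`), alongside the new `/etc/selinux/config:/etc/selinux/config:ro` mount. Because this container runs `privileged: true` as `spc_t`, a writable selinuxfs lets a process inside alter the host's enforcing state; if libvirt only reads policy state, mount it `:ro`, and if it needs writes (libselinux context validation writes to `/sys/fs/selinux/context`) keep it writable but record that in a comment, e.g. `# rw: libselinux context checks write to selinuxfs`. The new `/var/cache/libvirt` mount is `:shared` without `,z`, so like the other libvirt mounts it depends on the host path already carrying a usable label; the prep task in the -846 hunk creates it without a `setype`, so that label comes from the host's file-context policy. The enclosing bind-mount list continues beyond both ends of the hunk.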
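Review bot: With `setype: "{{ item.setype | default(omit) }}"`, the new `/var/cache/libvirt` item gets no explicit label, so the directory keeps whatever type the host's file-context policy assigns at creation (or inherits its parent's type if no rule matches), and nothing relabels it later because the container mounts it without `,z`. That is a deliberate asymmetry with every other item in the list and deserves a comment on the item, e.g. `# no setype: keep the policy default for /var/cache/libvirt`, or an explicit `setype` if a particular type is required. Note that `default(omit)` only drops the parameter when the key is absent; an item written with `'setype': ''` would still pass an empty string to the module. The task header (its `name` and any conditions) lies outside the hunk.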