openstack/tripleo-heat-templates
Code Issues Proposed changes

Ensure we set proper SELinux label on container-puppet.sh

Browse Source 
Just to ensure we have the right label, even if something does mount the
directory with re-labelling. This would avoid any race-condition chance.

Also update old svirt_sandbox_file_t alias since the common thing is
"container_file_t".

Change-Id: Ic036ad901885f9d8c8072b560f2d9f3c8e919d58
Closes-Bug: #1854377
This commit is contained in:
Cédric Jeanneret 2019-11-28 16:25:33 +01:00
parent 9af663bc20
commit 3b146b1e45
2 changed files with 3 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
common/deploy-steps-tasks-step-0.j2.yaml
View File

@ -4,13 +4,13 @@
when: "tripleo_minor_update is not defined or tripleo_minor_update != 'true'"
- name: Create /var/lib/container-puppet
no_log: True
file: path=/var/lib/container-puppet state=directory setype=svirt_sandbox_file_t selevel=s0 recurse=true
file: path=/var/lib/container-puppet state=directory setype=container_file_t selevel=s0 recurse=true
- name: Write container-puppet.py
no_log: True
copy: src=docker_puppet_script.yaml dest=/var/lib/container-puppet/container-puppet.py force=yes mode=0600
- name: Write container-puppet.sh
no_log: True
copy: src=container_puppet_script.yaml dest=/var/lib/container-puppet/container-puppet.sh force=yes mode=0755
copy: src=container_puppet_script.yaml dest=/var/lib/container-puppet/container-puppet.sh force=yes mode=0755 setype=container_file_t
{%- for role in roles %}
- import_tasks: {{role.name}}/deploy_steps_tasks.yaml

2
common/deploy-steps.j2
View File

@ -1577,7 +1577,7 @@ outputs:
copy: src=docker_puppet_script.yaml dest=/var/lib/container-puppet/container-puppet.py force=yes mode=0600
- name: Write container-puppet.sh
no_log: True
copy: src=container_puppet_script.yaml dest=/var/lib/container-puppet/container-puppet.sh force=yes mode=0755
copy: src=container_puppet_script.yaml dest=/var/lib/container-puppet/container-puppet.sh force=yes mode=0755 setype=container_file_t
- include_tasks: fast_forward_upgrade_prep_role_tasks.yaml
with_sequence: start=0 end={{fast_forward_upgrade_prep_steps_max}}
loop_control: