diff --git a/docker/services/aodh-api.yaml b/docker/services/aodh-api.yaml index a747d5c630..079646e84a 100644 --- a/docker/services/aodh-api.yaml +++ b/docker/services/aodh-api.yaml @@ -105,8 +105,8 @@ outputs: image: &aodh_api_image {get_param: DockerAodhApiImage} user: root volumes: - - /var/log/containers/aodh:/var/log/aodh - - /var/log/containers/httpd/aodh-api:/var/log/httpd + - /var/log/containers/aodh:/var/log/aodh:z + - /var/log/containers/httpd/aodh-api:/var/log/httpd:z command: ['/bin/bash', '-c', 'chown -R aodh:aodh /var/log/aodh'] step_3: aodh_db_sync: @@ -155,11 +155,12 @@ outputs: host_prep_tasks: - name: create persistent logs directory file: - path: "{{ item }}" + path: "{{ item.path }}" + setype: "{{ item.setype }}" state: directory with_items: - - /var/log/containers/aodh - - /var/log/containers/httpd/aodh-api + - { 'path': /var/log/containers/aodh, 'setype': svirt_sandbox_file_t } + - { 'path': /var/log/containers/httpd/aodh-api, setype: svirt_sandbox_file_t } - name: aodh logs readme copy: dest: /var/log/aodh/readme.txt diff --git a/docker/services/aodh-evaluator.yaml b/docker/services/aodh-evaluator.yaml index 07fe9b2979..6a59cceb9c 100644 --- a/docker/services/aodh-evaluator.yaml +++ b/docker/services/aodh-evaluator.yaml @@ -106,7 +106,7 @@ outputs: - - /var/lib/kolla/config_files/aodh_evaluator.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/aodh/:/var/lib/kolla/config_files/src:ro - - /var/log/containers/aodh:/var/log/aodh + - /var/log/containers/aodh:/var/log/aodh:z environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS host_prep_tasks: @@ -114,6 +114,7 @@ outputs: file: path: /var/log/containers/aodh state: directory + setype: svirt_sandbox_file_t - name: aodh logs readme copy: dest: /var/log/aodh/readme.txt diff --git a/docker/services/aodh-listener.yaml b/docker/services/aodh-listener.yaml index 34e76b041b..5468719954 100644 --- a/docker/services/aodh-listener.yaml 
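Review bot: The flow-mapping items added under `with_items` are written three different ways across this series, starting with the aodh-api host_prep hunk where the second item quotes `'path'` but leaves `setype` bare (`- { 'path': /var/log/containers/httpd/aodh-api, setype: svirt_sandbox_file_t }`). mysql.yaml omits the space after the key (`{'path':/var/log/containers/mysql, ...}`) and quotes the type value while every other file leaves it unquoted, and `setype` sits before `state: directory` here and in logging/files/nova-api.yaml but after it everywhere else. These should all parse identically, but this template set is maintained by grep and copy, so one form is worth settling on, e.g. `- { 'path': /var/log/containers/httpd/aodh-api, 'setype': svirt_sandbox_file_t }` with `setype` placed after `state` throughout.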
+++ b/docker/services/aodh-listener.yaml @@ -113,7 +113,7 @@ outputs: - - /var/lib/kolla/config_files/aodh_listener.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/aodh/:/var/lib/kolla/config_files/src:ro - - /var/log/containers/aodh:/var/log/aodh + - /var/log/containers/aodh:/var/log/aodh:z environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS host_prep_tasks: @@ -121,6 +121,7 @@ outputs: file: path: /var/log/containers/aodh state: directory + setype: svirt_sandbox_file_t - name: aodh logs readme copy: dest: /var/log/aodh/readme.txt diff --git a/docker/services/aodh-notifier.yaml b/docker/services/aodh-notifier.yaml index 5a5d232359..e49c75d2e9 100644 --- a/docker/services/aodh-notifier.yaml +++ b/docker/services/aodh-notifier.yaml @@ -113,7 +113,7 @@ outputs: - - /var/lib/kolla/config_files/aodh_notifier.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/aodh/:/var/lib/kolla/config_files/src:ro - - /var/log/containers/aodh:/var/log/aodh + - /var/log/containers/aodh:/var/log/aodh:z environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS host_prep_tasks: @@ -121,6 +121,7 @@ outputs: file: path: /var/log/containers/aodh state: directory + setype: svirt_sandbox_file_t - name: aodh logs readme copy: dest: /var/log/aodh/readme.txt diff --git a/docker/services/ceilometer-agent-central.yaml b/docker/services/ceilometer-agent-central.yaml index 5f95fe3095..317d9ee46e 100644 --- a/docker/services/ceilometer-agent-central.yaml +++ b/docker/services/ceilometer-agent-central.yaml @@ -99,7 +99,7 @@ outputs: user: root command: ['/bin/bash', '-c', 'chown -R ceilometer:ceilometer /var/log/ceilometer'] volumes: - - /var/log/containers/ceilometer:/var/log/ceilometer + - /var/log/containers/ceilometer:/var/log/ceilometer:z step_4: ceilometer_agent_central: image: *ceilometer_agent_central_image 
@@ -142,6 +142,7 @@ outputs: file: path: /var/log/containers/ceilometer state: directory + setype: svirt_sandbox_file_t - name: ceilometer logs readme copy: dest: /var/log/ceilometer/readme.txt diff --git a/docker/services/ceilometer-agent-ipmi.yaml b/docker/services/ceilometer-agent-ipmi.yaml index 86ac9e0019..007ba01844 100644 --- a/docker/services/ceilometer-agent-ipmi.yaml +++ b/docker/services/ceilometer-agent-ipmi.yaml @@ -99,7 +99,7 @@ outputs: user: root command: ['/bin/bash', '-c', 'chown -R ceilometer:ceilometer /var/log/ceilometer'] volumes: - - /var/log/containers/ceilometer:/var/log/ceilometer + - /var/log/containers/ceilometer:/var/log/ceilometer:z step_4: ceilometer_agent_ipmi: image: *ceilometer_agent_ipmi_image @@ -121,6 +121,7 @@ outputs: file: path: /var/log/containers/ceilometer state: directory + setype: svirt_sandbox_file_t - name: ceilometer logs readme copy: dest: /var/log/ceilometer/readme.txt diff --git a/docker/services/ceilometer-agent-notification.yaml b/docker/services/ceilometer-agent-notification.yaml index b0f8a820be..b7caf56b51 100644 --- a/docker/services/ceilometer-agent-notification.yaml +++ b/docker/services/ceilometer-agent-notification.yaml @@ -107,7 +107,7 @@ outputs: user: root command: ['/bin/bash', '-c', 'chown -R ceilometer:ceilometer /var/log/ceilometer'] volumes: - - /var/log/containers/ceilometer:/var/log/ceilometer + - /var/log/containers/ceilometer:/var/log/ceilometer:z step_4: ceilometer_agent_notification: image: *ceilometer_agent_notification_image @@ -138,6 +138,7 @@ outputs: file: path: /var/log/containers/ceilometer state: directory + setype: svirt_sandbox_file_t - name: ceilometer logs readme copy: dest: /var/log/ceilometer/readme.txt diff --git a/docker/services/cinder-api.yaml b/docker/services/cinder-api.yaml index 2a42616b2b..f84ce7821b 100644 --- a/docker/services/cinder-api.yaml +++ b/docker/services/cinder-api.yaml 
@@ -126,8 +126,8 @@ outputs: privileged: false user: root volumes: - - /var/log/containers/cinder:/var/log/cinder - - /var/log/containers/httpd/cinder-api:/var/log/httpd + - /var/log/containers/cinder:/var/log/cinder:z + - /var/log/containers/httpd/cinder-api:/var/log/httpd:z command: ['/bin/bash', '-c', 'chown -R cinder:cinder /var/log/cinder'] step_3: cinder_api_db_sync: @@ -232,11 +232,12 @@ outputs: host_prep_tasks: - name: create persistent logs directory file: - path: "{{ item }}" + path: "{{ item.path }}" state: directory + setype: "{{ item.setype }}" with_items: - - /var/log/containers/cinder - - /var/log/containers/httpd/cinder-api + - { 'path': /var/log/containers/cinder, 'setype': svirt_sandbox_file_t } + - { 'path': /var/log/containers/httpd/cinder-api, 'setype': svirt_sandbox_file_t } - name: cinder logs readme copy: dest: /var/log/cinder/readme.txt diff --git a/docker/services/cinder-scheduler.yaml b/docker/services/cinder-scheduler.yaml index 865ecd2f0c..f2a8d3ee4e 100644 --- a/docker/services/cinder-scheduler.yaml +++ b/docker/services/cinder-scheduler.yaml @@ -108,7 +108,7 @@ outputs: privileged: false user: root volumes: - - /var/log/containers/cinder:/var/log/cinder + - /var/log/containers/cinder:/var/log/cinder:z command: ['/bin/bash', '-c', 'chown -R cinder:cinder /var/log/cinder'] step_4: cinder_scheduler: @@ -137,10 +137,11 @@ outputs: host_prep_tasks: - name: create persistent directories file: - path: "{{ item }}" + path: "{{ item.path }}" state: directory + setype: "{{ item.setype }}" with_items: - - /var/log/containers/cinder + - { 'path': /var/log/containers/cinder, 'setype': svirt_sandbox_file_t } - name: cinder logs readme copy: dest: /var/log/cinder/readme.txt diff --git a/docker/services/cinder-volume.yaml b/docker/services/cinder-volume.yaml index accf5e891d..a24733e4cf 100644 --- a/docker/services/cinder-volume.yaml +++ b/docker/services/cinder-volume.yaml 
@@ -157,7 +157,7 @@ outputs: privileged: false user: root volumes: - - /var/log/containers/cinder:/var/log/cinder + - /var/log/containers/cinder:/var/log/cinder:z command: ['/bin/bash', '-c', 'chown -R cinder:cinder /var/log/cinder'] step_4: cinder_volume: @@ -181,11 +181,12 @@ outputs: host_prep_tasks: - name: create persistent directories file: - path: "{{ item }}" + path: "{{ item.path }}" state: directory + setype: "{{ item.setype }}" with_items: - - /var/log/containers/cinder - - /var/lib/cinder + - { 'path': /var/log/containers/cinder, 'setype': svirt_sandbox_file_t } + - { 'path': /var/lib/cinder, 'setype': svirt_sandbox_file_t } - name: cinder logs readme copy: dest: /var/log/cinder/readme.txt diff --git a/docker/services/database/mysql.yaml b/docker/services/database/mysql.yaml index 068e075b0a..9dee7e5b89 100644 --- a/docker/services/database/mysql.yaml +++ b/docker/services/database/mysql.yaml @@ -132,8 +132,8 @@ outputs: privileged: false user: root volumes: - - /var/log/containers/mysql:/var/log/mariadb - - /var/lib/mysql:/var/lib/mysql + - /var/log/containers/mysql:/var/log/mariadb:z + - /var/lib/mysql:/var/lib/mysql:z command: ['/bin/bash', '-c', 'chown -R mysql:mysql /var/log/mariadb /var/lib/mysql'] step_2: mysql_bootstrap: @@ -232,11 +232,12 @@ outputs: host_prep_tasks: - name: create persistent directories file: - path: "{{ item }}" + path: "{{ item.path }}" state: directory + setype: "{{ item.setype }}" with_items: - - /var/log/containers/mysql - - /var/lib/mysql + - {'path':/var/log/containers/mysql, 'setype': 'svirt_sandbox_file_t'} + - {'path': /var/lib/mysql, 'setype': 'svirt_sandbox_file_t'} - name: mysql logs readme copy: dest: /var/log/mariadb/readme.txt diff --git a/docker/services/database/redis.yaml b/docker/services/database/redis.yaml index 72f461e396..1e2bcf2218 100644 --- a/docker/services/database/redis.yaml +++ b/docker/services/database/redis.yaml 
@@ -109,7 +109,7 @@ outputs: privileged: false user: root volumes: - - /var/log/containers/redis:/var/log/redis + - /var/log/containers/redis:/var/log/redis:z command: ['/bin/bash', '-c', 'chown -R redis:redis /var/log/redis'] - redis: start_order: 1 @@ -124,8 +124,8 @@ outputs: - /var/lib/kolla/config_files/redis.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/redis/:/var/lib/kolla/config_files/src:ro - /etc/localtime:/etc/localtime:ro - - /var/log/containers/redis:/var/log/redis - - /var/run/redis:/var/run/redis + - /var/log/containers/redis:/var/log/redis:z + - /var/run/redis:/var/run/redis:z environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS - if: @@ -154,11 +154,11 @@ outputs: host_prep_tasks: - name: create persistent directories file: - path: "{{ item }}" + path: "{{ item.path }}" state: directory with_items: - - /var/log/containers/redis - - /var/run/redis + - { 'path': /var/log/containers/redis, 'setype': svirt_sandbox_file_t } + - { 'path': /var/run/redis, 'setype': container_var_run_t } - name: redis logs readme copy: dest: /var/log/redis/readme.txt diff --git a/docker/services/glance-api.yaml b/docker/services/glance-api.yaml index 03978a2563..996aa2c92f 100644 --- a/docker/services/glance-api.yaml +++ b/docker/services/glance-api.yaml @@ -15,6 +15,7 @@ parameters: default: tag: openstack.glance.api path: /var/log/containers/glance/api.log + setype: svirt_sandbox_file_t EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set @@ -178,7 +179,7 @@ outputs: - /var/lib/kolla/config_files/glance_api.json:/var/lib/kolla/config_files/config.json - /var/lib/config-data/puppet-generated/glance_api/:/var/lib/kolla/config_files/src:ro - /etc/ceph:/var/lib/kolla/config_files/src-ceph:ro - - /var/lib/glance:/var/lib/glance:slave + - /var/lib/glance:/var/lib/glance:z - if: - cinder_backend_enabled 
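Review bot: The redis host_prep hunk (`@@ -154,11 +154,11 @@`) changes `path` to `{{ item.path }}` and gives each item a `setype`, but unlike every other file in this series it does not add `setype: "{{ item.setype }}"` to the `file:` module, so neither `svirt_sandbox_file_t` nor `container_var_run_t` is ever applied by this task. Add `setype: "{{ item.setype }}"` under `state: directory`. Separately, the previous hunk mounts `/var/run/redis` with `:z`, which relabels the directory to the container file type when the container starts, so the `container_var_run_t` requested for that item would presumably be overwritten anyway; decide which of the two mechanisms is meant to own that label.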
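Review bot: `/var/lib/glance:/var/lib/glance:slave` becomes `:z`, which replaces the `slave` mount propagation instead of adding the relabel to it; `z` and `slave` are independent options, so if host-side mounts created under `/var/lib/glance` (the `cinder_backend_enabled` branch directly below suggests that happens) were relied on to appear inside the container, they no longer will. If the propagation is still needed the line should read `- /var/lib/glance:/var/lib/glance:slave,z`. The same substitution of `shared` by `z` is made for `/var/lib/ironic` in ironic-conductor and ironic-pxe, for `/var/lib/ironic-inspector/dhcp-hostsdir` in ironic-inspector, and for `/var/lib/nova` in nova-ironic; where the propagation was intentional, `shared,z` keeps it.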
@@ -233,6 +234,7 @@ outputs: file: path: /var/lib/glance state: directory + setype: svirt_sandbox_file_t upgrade_tasks: - when: step|int == 0 tags: common diff --git a/docker/services/gnocchi-api.yaml b/docker/services/gnocchi-api.yaml index 5fd669f1af..a91b38b705 100644 --- a/docker/services/gnocchi-api.yaml +++ b/docker/services/gnocchi-api.yaml @@ -148,8 +148,8 @@ outputs: image: &gnocchi_api_image {get_param: DockerGnocchiApiImage} user: root volumes: - - /var/log/containers/gnocchi:/var/log/gnocchi - - /var/log/containers/httpd/gnocchi-api:/var/log/httpd + - /var/log/containers/gnocchi:/var/log/gnocchi:z + - /var/log/containers/httpd/gnocchi-api:/var/log/httpd:z command: ['/bin/bash', '-c', 'chown -R gnocchi:gnocchi /var/log/gnocchi'] gnocchi_init_lib: image: *gnocchi_api_image @@ -221,11 +221,12 @@ outputs: host_prep_tasks: - name: create persistent logs directory file: - path: "{{ item }}" + path: "{{ item.path }}" state: directory + setype: "{{ item.setype }}" with_items: - - /var/log/containers/gnocchi - - /var/log/containers/httpd/gnocchi-api + - { 'path': /var/log/containers/gnocchi, 'setype': svirt_sandbox_file_t } + - { 'path': /var/log/containers/httpd/gnocchi-api, 'setype': svirt_sandbox_file_t } - name: gnocchi logs readme copy: dest: /var/log/gnocchi/readme.txt diff --git a/docker/services/gnocchi-metricd.yaml b/docker/services/gnocchi-metricd.yaml index 7c1de9e8ff..336fb7923b 100644 --- a/docker/services/gnocchi-metricd.yaml +++ b/docker/services/gnocchi-metricd.yaml @@ -130,7 +130,7 @@ outputs: - - /var/lib/kolla/config_files/gnocchi_metricd.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/gnocchi/:/var/lib/kolla/config_files/src:ro - - /var/log/containers/gnocchi:/var/log/gnocchi + - /var/log/containers/gnocchi:/var/log/gnocchi:z - /etc/ceph:/var/lib/kolla/config_files/src-ceph:ro - str_replace: template: GNOCCHI_FILE_BASE_PATH:GNOCCHI_FILE_BASE_PATH 
@@ -142,6 +142,7 @@ outputs: file: path: /var/log/containers/gnocchi state: directory + setype: svirt_sandbox_file_t - name: gnocchi logs readme copy: dest: /var/log/gnocchi/readme.txt diff --git a/docker/services/gnocchi-statsd.yaml b/docker/services/gnocchi-statsd.yaml index c3f95fbe41..bca8d825cd 100644 --- a/docker/services/gnocchi-statsd.yaml +++ b/docker/services/gnocchi-statsd.yaml @@ -130,7 +130,7 @@ outputs: - - /var/lib/kolla/config_files/gnocchi_statsd.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/gnocchi/:/var/lib/kolla/config_files/src:ro - - /var/log/containers/gnocchi:/var/log/gnocchi + - /var/log/containers/gnocchi:/var/log/gnocchi:z - /etc/ceph:/var/lib/kolla/config_files/src-ceph:ro - str_replace: template: GNOCCHI_FILE_BASE_PATH:GNOCCHI_FILE_BASE_PATH @@ -142,6 +142,7 @@ outputs: file: path: /var/log/containers/gnocchi state: directory + setype: svirt_sandbox_file_t - name: gnocchi logs readme copy: dest: /var/log/gnocchi/readme.txt diff --git a/docker/services/haproxy.yaml b/docker/services/haproxy.yaml index dba4440a1a..e61f2e5037 100644 --- a/docker/services/haproxy.yaml +++ b/docker/services/haproxy.yaml @@ -155,17 +155,17 @@ outputs: - ':' - - {get_param: DeployedSSLCertificatePath} - {get_param: DeployedSSLCertificatePath} - - 'ro' + - 'ro,shared' - null - if: - internal_tls_enabled - - - /etc/pki/tls/certs/haproxy:/etc/pki/tls/certs/haproxy:ro - - /etc/pki/tls/private/haproxy:/etc/pki/tls/private/haproxy:ro + - - /etc/pki/tls/certs/haproxy:/etc/pki/tls/certs/haproxy:ro,shared + - /etc/pki/tls/private/haproxy:/etc/pki/tls/private/haproxy:ro,shared - list_join: - ':' - - {get_param: InternalTLSCAFile} - {get_param: InternalTLSCAFile} - - 'ro' + - 'ro,shared' - null kolla_config: /var/lib/kolla/config_files/haproxy.json: 
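Review bot: The haproxy TLS mounts get `ro,shared` while every other mount in this series gets `z`; `shared` is a mount-propagation flag, not an SELinux relabel, so it does not by itself make `/etc/pki/tls/private/haproxy` readable by the container domain (the files must already carry a type the container may read), and docker refuses to start the container if the source path is not itself on a shared mount point. If the intent is to avoid relabelling the host's `/etc/pki/tls` tree with `z`, which would change the label seen by host services using the same certificates, a comment next to the `'ro,shared'` entry saying so would save the next reader from "fixing" it to `ro,z`. The second haproxy hunk (the `src-tls` mounts) makes the same change and would carry the same comment.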
@@ -246,12 +246,12 @@ outputs: - '' - - /var/lib/kolla/config_files/src-tls/ - {get_param: DeployedSSLCertificatePath} - - 'ro' + - 'ro,shared' - null - if: - internal_tls_enabled - - - /etc/pki/tls/certs/haproxy:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/haproxy:ro - - /etc/pki/tls/private/haproxy:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/haproxy:ro + - - /etc/pki/tls/certs/haproxy:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/haproxy:ro,shared + - /etc/pki/tls/private/haproxy:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/haproxy:ro,shared - list_join: - ':' - - {get_param: InternalTLSCAFile} @@ -293,11 +293,12 @@ outputs: - {get_attr: [HAProxyBase, role_data, host_prep_tasks]} - name: create persistent directories file: - path: "{{ item }}" + path: "{{ item.path }}" state: directory + setype: "{{ item.setype }}" with_items: - - /var/log/containers/haproxy - - /var/lib/haproxy + - { 'path': /var/log/containers/haproxy, 'setype': svirt_sandbox_file_t } + - { 'path': /var/lib/haproxy, 'setype': svirt_sandbox_file_t } - name: haproxy logs readme copy: dest: /var/log/haproxy/readme.txt diff --git a/docker/services/ironic-api.yaml b/docker/services/ironic-api.yaml index 9cf9eec734..7cf09a9d44 100644 --- a/docker/services/ironic-api.yaml +++ b/docker/services/ironic-api.yaml @@ -100,8 +100,8 @@ outputs: privileged: false user: root volumes: - - /var/log/containers/ironic:/var/log/ironic - - /var/log/containers/httpd/ironic-api:/var/log/httpd + - /var/log/containers/ironic:/var/log/ironic:z + - /var/log/containers/httpd/ironic-api:/var/log/httpd:z command: ['/bin/bash', '-c', 'chown -R ironic:ironic /var/log/ironic'] step_3: ironic_db_sync: 
@@ -157,11 +157,12 @@ outputs: host_prep_tasks: - name: create persistent logs directory file: - path: "{{ item }}" + path: "{{ item.path }}" state: directory + setype: "{{ item.setype }}" with_items: - - /var/log/containers/ironic - - /var/log/containers/httpd/ironic-api + - { 'path': /var/log/containers/ironic, 'setype': svirt_sandbox_file_t } + - { 'path': /var/log/containers/httpd/ironic-api, 'setype': svirt_sandbox_file_t } - name: ironic logs readme copy: dest: /var/log/ironic/readme.txt diff --git a/docker/services/ironic-conductor.yaml b/docker/services/ironic-conductor.yaml index 56adb0c33a..327e358b64 100644 --- a/docker/services/ironic-conductor.yaml +++ b/docker/services/ironic-conductor.yaml @@ -188,18 +188,19 @@ outputs: - /sys:/sys - /dev:/dev - /run:/run #shared? - - /var/lib/ironic:/var/lib/ironic:shared - - /var/log/containers/ironic:/var/log/ironic + - /var/lib/ironic:/var/lib/ironic:z + - /var/log/containers/ironic:/var/log/ironic:z environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS host_prep_tasks: - name: create persistent directories file: - path: "{{ item }}" + path: "{{ item.path }}" state: directory + setype: "{{ item.setype }}" with_items: - - /var/log/containers/ironic - - /var/lib/ironic + - { 'path': /var/log/containers/ironic, 'setype': svirt_sandbox_file_t } + - { 'path': /var/lib/ironic, 'setype': svirt_sandbox_file_t } - name: ironic logs readme copy: dest: /var/log/ironic/readme.txt diff --git a/docker/services/ironic-inspector.yaml b/docker/services/ironic-inspector.yaml index be374d1e01..a74feccd08 100644 --- a/docker/services/ironic-inspector.yaml +++ b/docker/services/ironic-inspector.yaml 
@@ -89,8 +89,8 @@ outputs: - {get_attr: [MySQLClient, role_data, step_config]} config_image: {get_param: DockerIronicInspectorConfigImage} volumes: - - /var/lib/ironic:/var/lib/ironic:shared - - /var/lib/ironic-inspector/dhcp-hostsdir:/var/lib/ironic-inspector/dhcp-hostsdir:shared + - /var/lib/ironic:/var/lib/ironic:z + - /var/lib/ironic-inspector/dhcp-hostsdir:/var/lib/ironic-inspector/dhcp-hostsdir:z kolla_config: /var/lib/kolla/config_files/ironic_inspector.json: command: /usr/bin/ironic-inspector --config-file /etc/ironic-inspector/inspector-dist.conf --config-file /etc/ironic-inspector/inspector.conf @@ -224,6 +224,7 @@ outputs: file: path: /var/log/containers/ironic-inspector state: directory + setype: svirt_sandbox_file_t - name: ironic-inspector logs readme copy: dest: /var/log/ironic-inspector/readme.txt @@ -235,6 +236,7 @@ outputs: file: path: /var/lib/ironic-inspector/dhcp-hostsdir state: directory + setype: svirt_sandbox_file_t upgrade_tasks: - when: step|int == 0 tags: common diff --git a/docker/services/ironic-pxe.yaml b/docker/services/ironic-pxe.yaml index 7f84d5e045..a9e2e7eabb 100644 --- a/docker/services/ironic-pxe.yaml +++ b/docker/services/ironic-pxe.yaml @@ -132,10 +132,10 @@ outputs: - - /var/lib/kolla/config_files/ironic_pxe_tftp.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/ironic/:/var/lib/kolla/config_files/src:ro - - /var/lib/ironic:/var/lib/ironic/:shared + - /var/lib/ironic:/var/lib/ironic/:z - /dev/log:/dev/log - - /var/log/containers/ironic:/var/log/ironic - - /var/log/containers/httpd/ironic-pxe:/var/log/httpd + - /var/log/containers/ironic:/var/log/ironic:z + - /var/log/containers/httpd/ironic-pxe:/var/log/httpd:z environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS ironic_pxe_http: 
@@ -158,12 +158,13 @@ outputs: host_prep_tasks: - name: create persistent directories file: - path: "{{ item }}" + path: "{{ item.path }}" state: directory + setype: "{{ item.setype }}" with_items: - - /var/lib/ironic - - /var/log/containers/ironic - - /var/log/containers/httpd/ironic-pxe + - { 'path': /var/lib/ironic, 'setype': svirt_sandbox_file_t } + - { 'path': /var/log/containers/ironic, 'setype': svirt_sandbox_file_t } + - { 'path': /var/log/containers/httpd/ironic-pxe, 'setype': svirt_sandbox_file_t } - name: ironic logs readme copy: dest: /var/log/ironic/readme.txt diff --git a/docker/services/iscsid.yaml b/docker/services/iscsid.yaml index ef272d8641..706754e110 100644 --- a/docker/services/iscsid.yaml +++ b/docker/services/iscsid.yaml @@ -72,7 +72,7 @@ outputs: # However, overcloud nodes must have a unique IQN. Allow full # (write) access to /etc/iscsi so that puppet ensures the IQN # is unique and is reset once, and only once. - - /etc/iscsi:/etc/iscsi + - /etc/iscsi:/etc/iscsi:z kolla_config: /var/lib/kolla/config_files/iscsid.json: command: /usr/sbin/iscsid -f @@ -111,6 +111,7 @@ outputs: file: path: /etc/iscsi state: directory + setype: svirt_sandbox_file_t - name: stat /lib/systemd/system/iscsid.socket stat: path=/lib/systemd/system/iscsid.socket register: stat_iscsid_socket diff --git a/docker/services/keepalived.yaml b/docker/services/keepalived.yaml index bef5498b2e..7d6fbcafd9 100644 --- a/docker/services/keepalived.yaml +++ b/docker/services/keepalived.yaml 
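Review bot: `/etc/iscsi:/etc/iscsi:z` relabels the host's own `/etc/iscsi` (including `initiatorname.iscsi`) to the container file type on every container start, and the host-prep task sets the same type; the existing comment above the mount explains why write access is needed but not that the host-side label changes. The task below still stats `/lib/systemd/system/iscsid.socket`, so a host iscsid may exist on some nodes, and a confined host process reading this directory may be denied after the relabel. Extend the comment with something like `# :z relabels /etc/iscsi to the container file type; host-side iscsid access is expected to go through the container from here on`.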
@@ -98,9 +98,9 @@ outputs: - - /var/lib/kolla/config_files/keepalived.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/keepalived/:/var/lib/kolla/config_files/src:ro - - /var/log/containers/keepalived/:/var/log/ + - /var/log/containers/keepalived/:/var/log/:z - /lib/modules/:/lib/modules/:ro - - /var/lib/haproxy/:/var/lib/haproxy/ + - /var/lib/haproxy/:/var/lib/haproxy/:z environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS command: /usr/local/bin/kolla_start @@ -109,6 +109,7 @@ outputs: file: path: /var/log/containers/keepalived state: directory + setype: svirt_sandbox_file_t - name: keepalived logs readme copy: dest: /var/log/keepalived-readme.txt diff --git a/docker/services/logging/files/glance-api.yaml b/docker/services/logging/files/glance-api.yaml index cacb732373..519658ee59 100644 --- a/docker/services/logging/files/glance-api.yaml +++ b/docker/services/logging/files/glance-api.yaml @@ -32,10 +32,11 @@ outputs: value: - name: create persistent logs directory file: - path: "{{ item }}" + path: "{{ item.path }}" state: directory + setype: "{{ item.setype }}" with_items: - - /var/log/containers/glance + - { 'path': /var/log/containers/glance, 'setype': svirt_sandbox_file_t } - name: glance logs readme copy: dest: /var/log/glance/readme.txt diff --git a/docker/services/logging/files/keystone.yaml b/docker/services/logging/files/keystone.yaml index 32065e7518..17d7766632 100644 --- a/docker/services/logging/files/keystone.yaml +++ b/docker/services/logging/files/keystone.yaml 
@@ -35,11 +35,12 @@ outputs: value: - name: create persistent logs directory file: - path: "{{ item }}" + path: "{{ item.path }}" state: directory + setype: "{{ item.setype }}" with_items: - - /var/log/containers/keystone - - /var/log/containers/httpd/keystone + - { 'path': /var/log/containers/keystone, 'setype': svirt_sandbox_file_t } + - { 'path': /var/log/containers/httpd/keystone, 'setype': svirt_sandbox_file_t } - name: keystone logs readme copy: dest: /var/log/keystone/readme.txt diff --git a/docker/services/logging/files/nova-api.yaml b/docker/services/logging/files/nova-api.yaml index 0076da93b7..3a3e0b36a8 100644 --- a/docker/services/logging/files/nova-api.yaml +++ b/docker/services/logging/files/nova-api.yaml @@ -15,8 +15,8 @@ outputs: volumes: description: The volumes needed to log to files in the host. value: &nova_api_volumes - - /var/log/containers/nova:/var/log/nova - - /var/log/containers/httpd/nova-api:/var/log/httpd + - /var/log/containers/nova:/var/log/nova:z + - /var/log/containers/httpd/nova-api:/var/log/httpd:z docker_config: description: Extra containers needed for logging to files in the host. value: @@ -33,11 +33,12 @@ outputs: value: - name: create persistent logs directory file: - path: "{{ item }}" + path: "{{ item.path }}" + setype: "{{ item.setype }}" state: directory with_items: - - /var/log/containers/nova - - /var/log/containers/httpd/nova-api + - { 'path': /var/log/containers/nova, 'setype': svirt_sandbox_file_t } + - { 'path': /var/log/containers/httpd/nova-api, 'setype': svirt_sandbox_file_t } - name: nova logs readme copy: dest: /var/log/nova/readme.txt diff --git a/docker/services/logrotate-crond.yaml b/docker/services/logrotate-crond.yaml index 7dd0629f45..7641f27311 100644 --- a/docker/services/logrotate-crond.yaml +++ b/docker/services/logrotate-crond.yaml 
@@ -99,6 +99,6 @@ outputs: - /var/run/docker.sock:/var/run/docker.sock:rw - /var/lib/kolla/config_files/logrotate-crond.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/crond/:/var/lib/kolla/config_files/src:ro - - /var/log/containers:/var/log/containers + - /var/log/containers:/var/log/containers:z environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS diff --git a/docker/services/messaging/notify-rabbitmq.yaml b/docker/services/messaging/notify-rabbitmq.yaml index ecad768e62..40291597f5 100644 --- a/docker/services/messaging/notify-rabbitmq.yaml +++ b/docker/services/messaging/notify-rabbitmq.yaml @@ -127,7 +127,7 @@ outputs: privileged: false user: root volumes: - - /var/log/containers/rabbitmq:/var/log/rabbitmq + - /var/log/containers/rabbitmq:/var/log/rabbitmq:z command: ['/bin/bash', '-c', 'chown -R rabbitmq:rabbitmq /var/log/rabbitmq'] rabbitmq_bootstrap: start_order: 1 @@ -141,7 +141,7 @@ outputs: - - /var/lib/kolla/config_files/rabbitmq.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/rabbitmq/:/var/lib/kolla/config_files/src:ro - - /var/lib/rabbitmq:/var/lib/rabbitmq + - /var/lib/rabbitmq:/var/lib/rabbitmq:z - /var/log/containers/rabbitmq:/var/log/rabbitmq - if: - internal_tls_enabled @@ -212,11 +212,12 @@ outputs: host_prep_tasks: - name: create persistent directories file: - path: "{{ item }}" + path: "{{ item.path }}" state: directory + setype: "{{ item.setype }}" with_items: - - /var/log/containers/rabbitmq - - /var/lib/rabbitmq + - { 'path': /var/log/containers/rabbitmq, 'setype': svirt_sandbox_file_t } + - { 'path': /var/lib/rabbitmq, 'setype': svirt_sandbox_file_t } - name: rabbitmq logs readme copy: dest: /var/log/rabbitmq/readme.txt diff --git a/docker/services/messaging/rpc-rabbitmq.yaml b/docker/services/messaging/rpc-rabbitmq.yaml index 1f833a6ab1..ca2b61cee7 100644 --- a/docker/services/messaging/rpc-rabbitmq.yaml +++ b/docker/services/messaging/rpc-rabbitmq.yaml 
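Review bot: In the notify-rabbitmq `rabbitmq_bootstrap` hunk (`@@ -141,7 +141,7 @@`) only `/var/lib/rabbitmq` gains `:z`; the `/var/log/containers/rabbitmq:/var/log/rabbitmq` mount on the context line right after it stays unlabelled, while the same host path gets `:z` in the `rabbitmq_init_logs` hunk above. This presumably works because the init container relabels the directory first, but that makes the label depend on container start order rather than on the mount itself; change the line to `- /var/log/containers/rabbitmq:/var/log/rabbitmq:z` for consistency. `messaging/rpc-rabbitmq.yaml` has the identical pair of hunks.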
@@ -127,7 +127,7 @@ outputs: privileged: false user: root volumes: - - /var/log/containers/rabbitmq:/var/log/rabbitmq + - /var/log/containers/rabbitmq:/var/log/rabbitmq:z command: ['/bin/bash', '-c', 'chown -R rabbitmq:rabbitmq /var/log/rabbitmq'] rabbitmq_bootstrap: start_order: 1 @@ -141,7 +141,7 @@ outputs: - - /var/lib/kolla/config_files/rabbitmq.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/rabbitmq/:/var/lib/kolla/config_files/src:ro - - /var/lib/rabbitmq:/var/lib/rabbitmq + - /var/lib/rabbitmq:/var/lib/rabbitmq:z - /var/log/containers/rabbitmq:/var/log/rabbitmq - if: - internal_tls_enabled @@ -212,11 +212,12 @@ outputs: host_prep_tasks: - name: create persistent directories file: - path: "{{ item }}" + path: "{{ item.path }}" state: directory + setype: "{{ item.setype }}" with_items: - - /var/log/containers/rabbitmq - - /var/lib/rabbitmq + - { 'path': /var/log/containers/rabbitmq, 'setype': svirt_sandbox_file_t } + - { 'path': /var/lib/rabbitmq, 'setype': svirt_sandbox_file_t } - name: rabbitmq logs readme copy: dest: /var/log/rabbitmq/readme.txt diff --git a/docker/services/mistral-api.yaml b/docker/services/mistral-api.yaml index 0df03a64e5..75ca94915c 100644 --- a/docker/services/mistral-api.yaml +++ b/docker/services/mistral-api.yaml @@ -99,7 +99,7 @@ outputs: privileged: false user: root volumes: - - /var/log/containers/mistral:/var/log/mistral + - /var/log/containers/mistral:/var/log/mistral:z command: ['/bin/bash', '-c', 'chown -R mistral:mistral /var/log/mistral'] step_3: mistral_db_sync: @@ -156,6 +156,7 @@ outputs: file: path: /var/log/containers/mistral state: directory + setype: svirt_sandbox_file_t - name: mistral logs readme copy: dest: /var/log/mistral/readme.txt diff --git a/docker/services/mistral-engine.yaml b/docker/services/mistral-engine.yaml index 940082f6a7..32601d8624 100644 --- a/docker/services/mistral-engine.yaml +++ b/docker/services/mistral-engine.yaml 
@@ -115,7 +115,7 @@ outputs: - /run:/run - /var/lib/kolla/config_files/mistral_engine.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/mistral/:/var/lib/kolla/config_files/src:ro - - /var/log/containers/mistral:/var/log/mistral + - /var/log/containers/mistral:/var/log/mistral:z - /var/lib/mistral:/var/lib/mistral:ro - /usr/share/ansible/:/usr/share/ansible/:ro - /usr/share/openstack-tripleo-validations:/usr/share/openstack-tripleo-validations:ro @@ -126,6 +126,7 @@ outputs: file: path: /var/log/containers/mistral state: directory + setype: svirt_sandbox_file_t - name: mistral logs readme copy: dest: /var/log/mistral/readme.txt diff --git a/docker/services/mistral-event-engine.yaml b/docker/services/mistral-event-engine.yaml index 9891e9b9b7..04103ce99c 100644 --- a/docker/services/mistral-event-engine.yaml +++ b/docker/services/mistral-event-engine.yaml @@ -115,7 +115,7 @@ outputs: - /run:/run - /var/lib/kolla/config_files/mistral_event_engine.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/mistral/:/var/lib/kolla/config_files/src:ro - - /var/log/containers/mistral:/var/log/mistral + - /var/log/containers/mistral:/var/log/mistral:z - /var/lib/mistral:/var/lib/mistral:ro - /usr/share/ansible/:/usr/share/ansible/:ro - /usr/share/openstack-tripleo-validations:/usr/share/openstack-tripleo-validations:ro @@ -126,6 +126,7 @@ outputs: file: path: /var/log/containers/mistral state: directory + setype: svirt_sandbox_file_t - name: mistral logs readme copy: dest: /var/log/mistral/readme.txt diff --git a/docker/services/mistral-executor.yaml b/docker/services/mistral-executor.yaml index e882b2caa4..a1ce98d33c 100644 --- a/docker/services/mistral-executor.yaml +++ b/docker/services/mistral-executor.yaml 
@@ -129,8 +129,8 @@ outputs: - /var/lib/config-data/puppet-generated/mistral/:/var/lib/kolla/config_files/src:ro - /run:/run - /var/run/docker.sock:/var/run/docker.sock:rw - - /var/log/containers/mistral:/var/log/mistral - - /var/lib/mistral:/var/lib/mistral + - /var/log/containers/mistral:/var/log/mistral:z + - /var/lib/mistral:/var/lib/mistral:z - /usr/share/ansible/:/usr/share/ansible/:ro - /usr/share/openstack-tripleo-validations:/usr/share/openstack-tripleo-validations:ro - {get_param: MistralExecutorVolumes} @@ -138,14 +138,14 @@ outputs: environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS host_prep_tasks: - - name: create /var/lib/mistral directory + - name: create persistent data directory file: - path: /var/lib/mistral - state: directory - - name: create persistent logs directory - file: - path: /var/log/containers/mistral + path: "{{ item.path }}" state: directory + setype: "{{ item.setype }}" + with_items: + - { 'path': /var/log/containers/mistral, 'setype': svirt_sandbox_file_t } + - { 'path': /var/lib/mistral, 'setype': svirt_sandbox_file_t } - name: mistral logs readme copy: dest: /var/log/mistral/readme.txt diff --git a/docker/services/neutron-dhcp.yaml b/docker/services/neutron-dhcp.yaml index 1990768dbf..1abea43c4e 100644 --- a/docker/services/neutron-dhcp.yaml +++ b/docker/services/neutron-dhcp.yaml @@ -173,8 +173,8 @@ outputs: list_concat: - {get_attr: [ContainersCommon, docker_puppet_apply_volumes]} - - - /run/openvswitch:/run/openvswitch - - /var/lib/neutron:/var/lib/neutron + - /run/openvswitch:/run/openvswitch:z + - /var/lib/neutron:/var/lib/neutron:z step_4: neutron_dhcp: start_order: 10 @@ -237,6 +237,7 @@ outputs: file: path: /var/lib/neutron state: directory + setype: svirt_sandbox_file_t upgrade_tasks: - when: step|int == 0 tags: common diff --git a/docker/services/neutron-l3.yaml b/docker/services/neutron-l3.yaml index 0dee0c1543..8e3b0d9fdc 100644 --- a/docker/services/neutron-l3.yaml +++ b/docker/services/neutron-l3.yaml 
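Review bot: `/run/openvswitch:/run/openvswitch:z` in the neutron-dhcp puppet-apply volumes relabels the host Open vSwitch runtime directory, including the `db.sock` the neutron-ovs-agent context refers to, to the container file type, while ovsdb-server and ovs-vswitchd keep running on the host in their own domain. No host-prep task restores that label and nothing on the page shows the host policy allows the OVS daemons to use a socket directory carrying the container type, so this should be confirmed under enforcing mode before merge. neutron-l3 and neutron-ovs-agent make the same mount change; a comment on the first of them, `# :z relabels the host OVS socket dir; host ovs-vswitchd/ovsdb-server must be permitted to use it`, would record the expectation.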
@@ -172,8 +172,8 @@ outputs: list_concat: - {get_attr: [ContainersCommon, docker_puppet_apply_volumes]} - - - /run/openvswitch:/run/openvswitch - - /var/lib/neutron:/var/lib/neutron + - /run/openvswitch:/run/openvswitch:z + - /var/lib/neutron:/var/lib/neutron:z step_4: neutron_l3_agent: start_order: 10 @@ -235,6 +235,7 @@ outputs: file: path: /var/lib/neutron state: directory + setype: svirt_sandbox_file_t upgrade_tasks: - when: step|int == 0 tags: common diff --git a/docker/services/neutron-metadata.yaml b/docker/services/neutron-metadata.yaml index 895fe33eb2..ac38e6b062 100644 --- a/docker/services/neutron-metadata.yaml +++ b/docker/services/neutron-metadata.yaml @@ -131,7 +131,7 @@ outputs: - /var/lib/kolla/config_files/neutron_metadata_agent.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/neutron/:/var/lib/kolla/config_files/src:ro - /lib/modules:/lib/modules:ro - - /var/lib/neutron:/var/lib/neutron + - /var/lib/neutron:/var/lib/neutron:z environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS metadata_settings: @@ -143,6 +143,7 @@ outputs: file: path: /var/lib/neutron state: directory + setype: svirt_sandbox_file_t upgrade_tasks: - when: step|int == 0 tags: common diff --git a/docker/services/neutron-ovs-agent.yaml b/docker/services/neutron-ovs-agent.yaml index f20d5e3436..e6f018d993 100644 --- a/docker/services/neutron-ovs-agent.yaml +++ b/docker/services/neutron-ovs-agent.yaml @@ -101,7 +101,7 @@ outputs: # on the unix domain socket - /run/openvswitch/db.sock volumes: - /lib/modules:/lib/modules:ro - - /run/openvswitch:/run/openvswitch + - /run/openvswitch:/run/openvswitch:z kolla_config: /var/lib/kolla/config_files/neutron_ovs_agent.json: command: /neutron_ovs_agent_launcher.sh diff --git a/docker/services/nova-api.yaml b/docker/services/nova-api.yaml index f228e20a61..84abc41a09 100644 --- a/docker/services/nova-api.yaml +++ b/docker/services/nova-api.yaml 
@@ -243,7 +243,6 @@ outputs: - - /var/lib/config-data/nova/etc/my.cnf.d/tripleo.cnf:/etc/my.cnf.d/tripleo.cnf:ro - /var/lib/config-data/nova/etc/nova/:/etc/nova/:ro - - /var/log/containers/nova:/var/log/nova - /var/lib/docker-config-scripts/nova_api_ensure_default_cell.sh:/nova_api_ensure_default_cell.sh:ro user: root command: "/usr/bin/bootstrap_host_exec nova_api /nova_api_ensure_default_cell.sh" @@ -311,7 +310,6 @@ outputs: - - /var/lib/config-data/nova/etc/my.cnf.d/tripleo.cnf:/etc/my.cnf.d/tripleo.cnf:ro - /var/lib/config-data/nova/etc/nova/:/etc/nova/:ro - - /var/log/containers/nova:/var/log/nova - /var/lib/docker-config-scripts/nova_api_discover_hosts.sh:/nova_api_discover_hosts.sh:ro user: root command: "/usr/bin/bootstrap_host_exec nova_api /nova_api_discover_hosts.sh" diff --git a/docker/services/nova-ironic.yaml b/docker/services/nova-ironic.yaml index 5db39af851..07c7a9e50d 100644 --- a/docker/services/nova-ironic.yaml +++ b/docker/services/nova-ironic.yaml @@ -111,7 +111,7 @@ outputs: privileged: false detach: false volumes: - - /var/lib/nova:/var/lib/nova:shared + - /var/lib/nova:/var/lib/nova:z - /var/lib/docker-config-scripts/:/docker-config-scripts/ command: "/docker-config-scripts/nova_statedir_ownership.py" step_5: @@ -146,11 +146,12 @@ outputs: host_prep_tasks: - name: create persistent directories file: - path: "{{ item }}" + path: "{{ item.path }}" state: directory + setype: "{{ item.setype }}" with_items: - - /var/log/containers/nova - - /var/lib/nova + - { 'path': /var/log/containers/nova, 'setype': svirt_sandbox_file_t } + - { 'path': /var/lib/nova, 'setype': svirt_sandbox_file_t } - name: nova logs readme copy: dest: /var/log/nova/readme.txt diff --git a/docker/services/novajoin.yaml b/docker/services/novajoin.yaml index fdf1bb0669..ada05350bb 100644 --- a/docker/services/novajoin.yaml +++ b/docker/services/novajoin.yaml 
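Review bot: Dropping `/var/log/containers/nova:/var/log/nova` from the `nova_api_ensure_default_cell` and `nova_api_discover_hosts` bootstrap containers means that anything those scripts write under `/var/log/nova` now lands in the throw-away container filesystem rather than on the host, which removes the only persistent record of a failed cell setup or host discovery. The scripts themselves are not visible in this diff, so if they log exclusively to stdout this is harmless, but the commit should say so; otherwise the mount should stay (with `:z` like the other log mounts in this series). A comment on the volumes list, e.g. `# no log mount: the bootstrap script only writes to stdout, which docker captures`, would make the intent explicit.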
@@ -182,7 +182,7 @@ outputs: - {get_attr: [ContainersCommon, volumes]} - - /var/lib/kolla/config_files/novajoin_server.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/novajoin/etc/novajoin/join.conf:/etc/novajoin/join.conf:Z + - /var/lib/config-data/novajoin/etc/novajoin/join.conf:/etc/novajoin/join.conf:z - /etc/ipa/:/etc/ipa/:ro - /etc/novajoin/krb5.keytab:/etc/novajoin/krb5.keytab:ro environment: diff --git a/docker/services/pacemaker/database/mysql.yaml b/docker/services/pacemaker/database/mysql.yaml index 156bf1fe26..20c3a618a7 100644 --- a/docker/services/pacemaker/database/mysql.yaml +++ b/docker/services/pacemaker/database/mysql.yaml @@ -178,7 +178,7 @@ outputs: # Kolla does only non-recursive chown command: ['chown', '-R', 'mysql:', '/var/lib/mysql'] volumes: - - /var/lib/mysql:/var/lib/mysql + - /var/lib/mysql:/var/lib/mysql:z mysql_bootstrap: start_order: 1 detach: false @@ -294,7 +294,7 @@ outputs: - {get_attr: [ContainersCommon, docker_puppet_apply_volumes]} - - /etc/corosync/corosync.conf:/etc/corosync/corosync.conf:ro - /dev/shm:/dev/shm:rw - - /var/lib/mysql:/var/lib/mysql:rw + - /var/lib/mysql:/var/lib/mysql:rw,z environment: # NOTE: this should force this container to re-run on each # update (scale-out, etc.) @@ -305,11 +305,12 @@ outputs: host_prep_tasks: - name: create persistent directories file: - path: "{{ item }}" + path: "{{ item.path }}" state: directory + setype: "{{ item.setype }}" with_items: - - /var/log/containers/mysql - - /var/lib/mysql + - {'path':/var/log/containers/mysql, 'setype': 'svirt_sandbox_file_t'} + - {'path': /var/lib/mysql, 'setype': 'svirt_sandbox_file_t'} - name: mysql logs readme copy: dest: /var/log/mariadb/readme.txt diff --git a/docker/services/pacemaker/haproxy.yaml b/docker/services/pacemaker/haproxy.yaml index b88de0b442..649b35c0a6 100644 --- a/docker/services/pacemaker/haproxy.yaml +++ b/docker/services/pacemaker/haproxy.yaml 
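Review bot: Changing the `join.conf` mount in novajoin from `:Z` to `:z` widens access rather than just fixing a label: `Z` gives the file a private MCS category that only this container can read, while `z` applies the shared `svirt_sandbox_file_t` label that every container using `:z` mounts can access. Since `join.conf` is the service's own config and is mounted read-write only here, the private label looks like the tighter and still-working choice; if there is a reason it has to be shared (another container reading it, or a tooling limitation), that reason belongs in a comment on the line, e.g. `# shared label (z) rather than Z because <reason>`.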
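Review bot: The mysql `with_items` entry `{'path':/var/log/containers/mysql, 'setype': 'svirt_sandbox_file_t'}` has no space after the `path` colon, which differs from the sibling entry on the next line and from the flow mappings in every other file in this commit; most parsers accept a quoted JSON-style key with an adjacent colon in flow context, but yamllint will flag it and a reader cannot tell whether it was intentional. I would write both entries the same way, `- {'path': /var/log/containers/mysql, 'setype': 'svirt_sandbox_file_t'}`, and ideally match the unquoted `setype` value style used in the other service templates.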
@@ -299,10 +299,11 @@ outputs: - {get_attr: [HAProxyBase, role_data, host_prep_tasks]} - name: create persistent directories file: - path: "{{ item }}" + path: "{{ item.path }}" state: directory + setype: "{{ item.setype }}" with_items: - - /var/lib/haproxy + - { 'path': /var/lib/haproxy, 'setype': svirt_sandbox_file_t } metadata_settings: get_attr: [HAProxyBase, role_data, metadata_settings] update_tasks: diff --git a/docker/services/swift-proxy.yaml b/docker/services/swift-proxy.yaml index 5a29f7fc44..fbd5d012b5 100644 --- a/docker/services/swift-proxy.yaml +++ b/docker/services/swift-proxy.yaml @@ -242,11 +242,12 @@ outputs: host_prep_tasks: - name: create persistent directories file: - path: "{{ item }}" + path: "{{ item.path }}" state: directory + setype: "{{ item.setype }}" with_items: - - /srv/node - - /var/log/swift + - { 'path': /srv/node, 'setype': svirt_sandbox_file_t } + - { 'path': /var/log/swift, 'setype': svirt_sandbox_file_t } - name: Create swift logging symlink file: src: /var/log/swift diff --git a/docker/services/swift-ringbuilder.yaml b/docker/services/swift-ringbuilder.yaml index b3df892e55..658eea08ab 100644 --- a/docker/services/swift-ringbuilder.yaml +++ b/docker/services/swift-ringbuilder.yaml @@ -113,5 +113,5 @@ outputs: - '-c' - 'cp -v -a -t /etc/swift /swift_ringbuilder/etc/swift/*.gz /swift_ringbuilder/etc/swift/*.builder /swift_ringbuilder/etc/swift/backups' volumes: - - /var/lib/config-data/puppet-generated/swift/etc/swift:/etc/swift:rw + - /var/lib/config-data/puppet-generated/swift/etc/swift:/etc/swift:rw,z - /var/lib/config-data/swift_ringbuilder:/swift_ringbuilder:ro diff --git a/docker/services/swift-storage.yaml b/docker/services/swift-storage.yaml index f177017f14..7cb82218e4 100644 --- a/docker/services/swift-storage.yaml +++ b/docker/services/swift-storage.yaml 
@@ -208,7 +208,7 @@ outputs: user: root command: ['chown', '-R', 'swift:', '/srv/node'] volumes: - - /srv/node:/srv/node + - /srv/node:/srv/node:z # FIXME (cschwede): remove this once the pid file setting is disabled swift_rsync_fix: image: {get_param: DockerSwiftObjectImage} @@ -217,7 +217,7 @@ outputs: detach: false command: ['/bin/bash', '-c', 'sed -i "/pid file/d" /var/lib/kolla/config_files/src/etc/rsyncd.conf'] volumes: - - /var/lib/config-data/puppet-generated/swift/:/var/lib/kolla/config_files/src:rw + - /var/lib/config-data/puppet-generated/swift/:/var/lib/kolla/config_files/src:rw,z step_4: swift_account_auditor: image: *swift_account_image @@ -230,9 +230,9 @@ outputs: - - /var/lib/kolla/config_files/swift_account_auditor.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/swift/:/var/lib/kolla/config_files/src:ro - - /srv/node:/srv/node + - /srv/node:/srv/node:z - /dev:/dev - - /var/cache/swift:/var/cache/swift + - /var/cache/swift:/var/cache/swift:z environment: &kolla_env - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS swift_account_reaper: @@ -246,9 +246,9 @@ outputs: - - /var/lib/kolla/config_files/swift_account_reaper.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/swift/:/var/lib/kolla/config_files/src:ro - - /srv/node:/srv/node + - /srv/node:/srv/node:z - /dev:/dev - - /var/cache/swift:/var/cache/swift + - /var/cache/swift:/var/cache/swift:z environment: *kolla_env swift_account_replicator: image: *swift_account_image 
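Review bot: `/srv/node:/srv/node:z` makes the runtime relabel the whole tree under `/srv/node` every time a container using it starts, and in swift-storage that is the object store, so on a node with a large number of objects each container start (and each of the several swift_* containers in this file that mount it) can spend a long time walking the disks before the service is up; the same recursive relabel cost applies to `/var/cache/swift`. If the disks under `/srv/node` are separate mounts, confirm that the relabel actually reaches them and that the `file` task's `setype` (non-recursive) on `/srv/node` is enough for the top-level directory. A comment on the first of these mounts, e.g. `# :z relabels /srv/node recursively on every start; expect delays on large object stores`, would flag the trade-off.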
@@ -441,13 +441,14 @@ outputs: host_prep_tasks: - name: create persistent directories file: - path: "{{ item }}" + path: "{{ item.path }}" state: directory + setype: "{{ item.setype }}" with_items: - - /srv/node - - /var/cache/swift - - /var/log/swift - - /var/log/containers + - { 'path': /srv/node, 'setype': svirt_sandbox_file_t } + - { 'path': /var/cache/swift, 'setype': svirt_sandbox_file_t } + - { 'path': /var/log/swift, 'setype': svirt_sandbox_file_t } + - { 'path': /var/log/containers, 'setype': svirt_sandbox_file_t } - name: Set swift_use_local_disks fact set_fact: swift_use_local_disks: {get_param: SwiftUseLocalDir}