Enable selinux in containers

We cannot use the --selinux-enabled docker daemon option on CentOS/RHEL 7.3. It will fail if security_inode_copy_up is not found in the kernel symbols: https://github.com/projectatomic/docker/blob/docker-1.12.6/daemon/daemon_unix.go#L661 NB this has been reduced to a warning upstream: 885b29df09 Instead this just bind mounts /sys/fs/selinux in containers-common.yaml. Everything appears to work at initial glance. Pingtest succeeds, and live-migration between baremetal and containerized computes works. Change-Id: I018221bf7ae9ab9ece193b55f1ce31eb1591046c Depends-On: I521c5351ad6020911106464bf712cf92e6fb0fca Closes-bug: #1715171
2017-09-05 19:19:17 +01:00 · 2017-09-05 19:19:17 +01:00 · 520f889a31
parent 271a5c62a8
commit 520f889a31
1 changed files with 1 additions and 0 deletions
--- a/docker/services/containers-common.yaml
+++ b/docker/services/containers-common.yaml
@ -64,6 +64,7 @@ outputs:
          # Syslog socket
          - /dev/log:/dev/log
          - /etc/ssh/ssh_known_hosts:/etc/ssh/ssh_known_hosts:ro
+          - /sys/fs/selinux:/sys/fs/selinux
        - if:
          - internal_tls_enabled
          - - list_join: