Allow to run docker-puppet.py with SELinux enabled

In docker-puppet.py script we try to relable /usr/share/openstack-puppet/modules by adding ":z" suffix in the end. Unfortunatelly this operation is not allowed in docker with enabled SELinux. Docker's error message is: Error response from daemon: error setting label on mount source '/usr/share/openstack-puppet/modules': SELinux relabeling of /usr/share/openstack-puppet/modules is not allowed: "Relabeling content in /usr is not allowed.". It leads to the fact that during the configuration the jobs fails with "Permission denied - /usr/share/openstack-puppet/modules" There is no need to relable that folder since it's read-only. After removing ":z" it is possible to deploy the overcloud with enabled SELinux. Closes-Bug: #1807680 Change-Id: I11c7c5e9594fe0cdb2a114f81033651e411c9e3c (cherry picked from commit dcdf75b94f)
2018-12-08 15:43:21 +01:00 · 2018-12-08 15:43:21 +01:00 · 621b9d91d8
parent 0885d17f05
commit 621b9d91d8
1 changed files with 1 additions and 1 deletions
--- a/docker/docker-puppet.py
+++ b/docker/docker-puppet.py
@ -300,7 +300,7 @@ def mp_puppet_config((config_volume, puppet_tags, manifest, config_image, volume
                '--volume', '/etc/localtime:/etc/localtime:ro',
                '--volume', '%s:/etc/config.pp:ro,z' % tmp_man.name,
                '--volume', '/etc/puppet/:/tmp/puppet-etc/:ro,z',
-                '--volume', '/usr/share/openstack-puppet/modules/:/usr/share/openstack-puppet/modules/:ro,z',
+                '--volume', '/usr/share/openstack-puppet/modules/:/usr/share/openstack-puppet/modules/:ro',
                '--volume', '%s:/var/lib/config-data/:z' % os.environ.get('CONFIG_VOLUME_PREFIX', '/var/lib/config-data'),
                '--volume', 'tripleo_logs:/var/log/tripleo/',
                # Syslog socket for puppet logs