Modify how libvirt related containers use SELinux
1- Add specific mounts in nova_libvirt They are needed in order to get SELinux support within the container 2- Remove now deprecated docker_enable condition Since this one isn't needed anymore, just drop it. 3- Drop "z" flag from libvirt related mounts This avoids relabelling issues from non-privileged containers 4- Set specific labels for the container itself. See note 2 for more details. Notes: 1- This will require to patch podman-1.6.4 in order to allow to actually use security-opt when --privileged and/or --pid=host are passed[1]. 2- The "container_share_t" filetype will be updated in a follow-up to the newer version, "container_ro_file_t". This makes backports easier to older releases that might not be aware of this new type. The follow-up change is purely cosmetic in order to reflect the actual behavior of SELinux and has no functional change. Testing: The first tests were done using a podman 1.9.3 in order to work around the mentioned issues. Newer tests were done using podman 1.6.4 scratch-builds in order to ensure the reported issues were fixed. [1] https://bugzilla.redhat.com/show_bug.cgi?id=1846364 Depends-On: https://review.opendev.org/736255 Co-Authored-By: Daniel Berrange <berrange@redhat.com> Co-Authored-By: Kashyap Chamarthy <kchamart@redhat.com> Change-Id: I9e0da2a48c23c35e084bea831fc744b9f053508b (cherry picked from commit 9f0e5d724f) (cherry picked from commit 909984bbe1) (cherry picked from commit 16f0010621)
parent
80d36e645c
commit
73fb306893
|
@ -823,7 +823,7 @@ outputs:
|
|||
- /lib/modules:/lib/modules:ro
|
||||
- /run:/run
|
||||
- /var/lib/iscsi:/var/lib/iscsi:z
|
||||
- /var/lib/libvirt:/var/lib/libvirt:shared,z
|
||||
- /var/lib/libvirt:/var/lib/libvirt:shared
|
||||
- /sys/class/net:/sys/class/net
|
||||
- /sys/bus/pci:/sys/bus/pci
|
||||
- /boot:/boot:ro
|
||||
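Review bot: Dropping `z` from the /var/lib/libvirt mount (the `shared,z` → `shared` pair in this hunk) means the runtime no longer relabels the host directory, so the mount now silently depends on the directory already carrying a container-accessible type before the container starts, and nothing at the mount records that. A short comment on the new line would stop the next maintainer from re-adding the flag: `- /var/lib/libvirt:/var/lib/libvirt:shared  # no :z — labelled by the host-side file task; relabelling from the container breaks other consumers`. The same applies to the `shared,z` → `shared` replacements in the hunks at @-680, @-716 and @-798. The /var/lib/iscsi mount above keeps its `:z`, which looks intentional but is worth confirming since it sits in the same list. The enclosing volumes list starts and ends outside this hunk.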
|
|
|
@ -307,11 +307,6 @@ conditions:
|
|||
- {get_param: QemuCACert}
|
||||
- ''
|
||||
|
||||
docker_enabled:
|
||||
equals:
|
||||
- {get_param: ContainerCli}
|
||||
- 'docker'
|
||||
|
||||
nova_nfs_enabled:
|
||||
or:
|
||||
- and:
|
||||
|
@ -680,7 +675,7 @@ outputs:
|
|||
- /dev:/dev
|
||||
- /run:/run
|
||||
- /sys/fs/cgroup:/sys/fs/cgroup
|
||||
- /var/run/libvirt:/var/run/libvirt:shared,z
|
||||
- /var/run/libvirt:/var/run/libvirt:shared
|
||||
- /var/lib/libvirt:/var/lib/libvirt
|
||||
- /etc/libvirt/qemu:/etc/libvirt/qemu:ro
|
||||
- /var/log/libvirt/qemu:/var/log/libvirt/qemu
|
||||
|
@ -694,7 +689,10 @@ outputs:
|
|||
net: host
|
||||
pid: host
|
||||
privileged: true
|
||||
security_opt: label=disable
|
||||
security_opt:
|
||||
- label=level:s0
|
||||
- label=type:spc_t
|
||||
- label=filetype:container_share_t
|
||||
restart: always
|
||||
cpuset_cpus: {get_attr: [RoleParametersValue, value, container_cpuset_cpus]}
|
||||
depends_on:
|
||||
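Review bot: The new `security_opt` list is only effective together with `privileged: true` and `pid: host` on a podman that carries the fix referenced in the commit message, and on an older runtime the labels may presumably be ignored without any error, leaving the container on the runtime default; nothing in the template records that dependency. Add a comment above `security_opt:` such as `# needs podman honouring security-opt under --privileged/--pid=host (rhbz#1846364); filetype moves to container_ro_file_t in a follow-up`. `label=type:spc_t` is the unconfined super-privileged container domain, so `label=level:s0` adds little by itself; if the level is kept explicit on purpose, saying so in the same comment would help. The enclosing container definition continues outside the hunk.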
|
@ -716,17 +714,14 @@ outputs:
|
|||
- /run:/run
|
||||
- /sys/fs/cgroup:/sys/fs/cgroup
|
||||
- /etc/libvirt:/etc/libvirt
|
||||
- /var/run/libvirt:/var/run/libvirt:shared,z
|
||||
- /var/lib/libvirt:/var/lib/libvirt:shared,z
|
||||
- /var/run/libvirt:/var/run/libvirt:shared
|
||||
- /var/cache/libvirt:/var/cache/libvirt:shared
|
||||
- /var/lib/libvirt:/var/lib/libvirt:shared
|
||||
- /var/log/libvirt/qemu:/var/log/libvirt/qemu:ro
|
||||
- /var/lib/vhost_sockets:/var/lib/vhost_sockets
|
||||
- /var/lib/nova:/var/lib/nova:shared
|
||||
-
|
||||
if:
|
||||
- docker_enabled
|
||||
-
|
||||
- /sys/fs/selinux:/sys/fs/selinux
|
||||
- null
|
||||
- /sys/fs/selinux:/sys/fs/selinux
|
||||
- /etc/selinux/config:/etc/selinux/config:ro
|
||||
-
|
||||
if:
|
||||
- use_tls_for_live_migration
|
||||
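Review bot: The new unconditional `/sys/fs/selinux:/sys/fs/selinux` mount is read-write, in a container that also runs privileged with `pid: host` under `spc_t`, so the container gets the host's selinuxfs control files rather than just policy data; the adjacent `/etc/selinux/config` mount is `:ro`, which makes the asymmetry stand out. If the libvirt security driver genuinely needs a writable selinuxfs (libselinux's security_compute_* calls open selinuxfs entries for writing, as far as I recall), state that on the line: `- /sys/fs/selinux:/sys/fs/selinux  # rw: libselinux compute_* needs writable selinuxfs (TODO confirm)`; if only reading policy is needed, `:ro` would narrow it. The added `/var/cache/libvirt:/var/cache/libvirt:shared` mount has no matching `setype` in the directory task of the @-840 hunk, so its label is whatever the host default gives; worth confirming that is intended. The enclosing volumes list continues past the hunk with the `use_tls_for_live_migration` item.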
|
@ -798,8 +793,8 @@ outputs:
|
|||
-
|
||||
- /var/lib/config-data/puppet-generated/nova_libvirt/etc/nova:/etc/nova:ro
|
||||
- /etc/libvirt:/etc/libvirt
|
||||
- /var/run/libvirt:/var/run/libvirt:shared,z
|
||||
- /var/lib/libvirt:/var/lib/libvirt:shared,z
|
||||
- /var/run/libvirt:/var/run/libvirt:shared
|
||||
- /var/lib/libvirt:/var/lib/libvirt:shared
|
||||
command:
|
||||
- /bin/bash
|
||||
- -c
|
||||
|
@ -840,12 +835,13 @@ outputs:
|
|||
file:
|
||||
path: "{{ item.path }}"
|
||||
state: directory
|
||||
setype: "{{ item.setype }}"
|
||||
setype: "{{ item.setype | default(omit) }}"
|
||||
with_items:
|
||||
- { 'path': /etc/libvirt, 'setype': svirt_sandbox_file_t }
|
||||
- { 'path': /etc/libvirt/secrets, 'setype': svirt_sandbox_file_t }
|
||||
- { 'path': /etc/libvirt/qemu, 'setype': svirt_sandbox_file_t }
|
||||
- { 'path': /var/lib/libvirt, 'setype': svirt_sandbox_file_t }
|
||||
- { 'path': /var/cache/libvirt }
|
||||
- { 'path': /var/lib/nova, 'setype': svirt_sandbox_file_t }
|
||||
- { 'path': /var/run/libvirt, 'setype': virt_var_run_t }
|
||||
- { 'path': /var/log/libvirt, 'setype': svirt_sandbox_file_t }
|
||||
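Review bot: `/var/cache/libvirt` is the only entry without a `setype`, and the `default(omit)` change exists solely for it, but nothing says why it deliberately keeps the host default label while every sibling is forced to `svirt_sandbox_file_t`; a reader will either "fix" it or wonder whether it was forgotten. Add an inline comment: `- { 'path': /var/cache/libvirt }  # no setype on purpose: keep the host default label (TODO: note why)`. The remaining entries still use the legacy `svirt_sandbox_file_t` name while the container now carries `container_share_t` as its filetype; if that pairing is intentional until the announced container_ro_file_t follow-up, a one-line comment above `with_items:` saying so would spare the next backport a guess. The enclosing task starts outside the hunk.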
|
|