Only mount selinux sysfs in nova_libvirt container

https://review.openstack.org/500952 initially just did this. Then we assumed every container should have the selinux sysfs. This causes issues with the sshd container used for live-migration. The advice from the selinux experts is that it should not be enabled within containers, so reverting back to the original fix that enables it only in the nova-libvirt container. Closes-bug: 1729405 Change-Id: I80bf38d7d64ab99510574af5c57423fde9b84eca
2017-10-28 00:06:46 +01:00 · 2017-10-28 00:06:46 +01:00 · 7c8127cf96
commit 7c8127cf96
parent d6a2160b82
2 changed files with 1 additions and 1 deletions
--- a/docker/services/containers-common.yaml
+++ b/docker/services/containers-common.yaml
@ -64,7 +64,6 @@ outputs:
          # Syslog socket
          - /dev/log:/dev/log
          - /etc/ssh/ssh_known_hosts:/etc/ssh/ssh_known_hosts:ro
-          - /sys/fs/selinux:/sys/fs/selinux
        - if:
          - internal_tls_enabled
          - - list_join:
--- a/docker/services/nova-libvirt.yaml
+++ b/docker/services/nova-libvirt.yaml
@ -206,6 +206,7 @@ outputs:
                  - /var/log/libvirt/qemu:/var/log/libvirt/qemu:ro
                  - /var/log/containers/nova:/var/log/nova
                  - /var/lib/vhost_sockets:/var/lib/vhost_sockets
+                  - /sys/fs/selinux:/sys/fs/selinux
                -
                  if:
                    - use_tls_for_live_migration