diff --git a/deployment/nova/nova-compute-container-puppet.yaml b/deployment/nova/nova-compute-container-puppet.yaml index a1236d2a45..9908a67052 100644 --- a/deployment/nova/nova-compute-container-puppet.yaml +++ b/deployment/nova/nova-compute-container-puppet.yaml @@ -847,7 +847,7 @@ outputs: - /lib/modules:/lib/modules:ro - /run:/run - /var/lib/iscsi:/var/lib/iscsi:z - - /var/lib/libvirt:/var/lib/libvirt:shared,z + - /var/lib/libvirt:/var/lib/libvirt:shared - /sys/class/net:/sys/class/net - /sys/bus/pci:/sys/bus/pci - /boot:/boot:ro diff --git a/deployment/nova/nova-libvirt-container-puppet.yaml b/deployment/nova/nova-libvirt-container-puppet.yaml index e73ae32b62..f132a610cf 100644 --- a/deployment/nova/nova-libvirt-container-puppet.yaml +++ b/deployment/nova/nova-libvirt-container-puppet.yaml @@ -307,11 +307,6 @@ conditions: - {get_param: QemuCACert} - '' - docker_enabled: - equals: - - {get_param: ContainerCli} - - 'docker' - nova_nfs_enabled: or: - and: @@ -680,7 +675,7 @@ outputs: - /dev:/dev - /run:/run - /sys/fs/cgroup:/sys/fs/cgroup - - /var/run/libvirt:/var/run/libvirt:shared,z + - /var/run/libvirt:/var/run/libvirt:shared - /var/lib/libvirt:/var/lib/libvirt - /etc/libvirt/qemu:/etc/libvirt/qemu:ro - /var/log/libvirt/qemu:/var/log/libvirt/qemu @@ -694,7 +689,10 @@ outputs: net: host pid: host privileged: true - security_opt: label=disable + security_opt: + - label=level:s0 + - label=type:spc_t + - label=filetype:container_share_t restart: always depends_on: - tripleo_nova_virtlogd.service 
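Review bot: Dropping the `z` from `/var/lib/libvirt:/var/lib/libvirt:shared` means the runtime no longer relabels the host directory when the container starts, so the mount only works if the directory already carries a label the container domain can use; the only place this diff sets one is the host_prep file task in nova-libvirt-container-puppet.yaml (`setype: container_file_t` for `/var/lib/libvirt`), which belongs to a different service than the nova_compute container patched here. Nothing in the hunk records that dependency, so a comment above the volume, `# no :z — /var/lib/libvirt is labelled container_file_t by the nova_libvirt host_prep task; do not re-add recursive relabelling on this shared mount`, would keep a later reader from restoring it (the reason for removing it is not stated in the diff — presumably relabelling a shared, in-use tree is unwanted; confirm and say so). The same `,z` removal appears in the nova-libvirt hunks at -680, -715 and -797 and in nova-migration-target at -176, and the same comment applies there.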
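Review bot: The new `security_opt` list replaces `label=disable` with `label=type:spc_t` on a container that is still `privileged: true`, so the process is now labelled but not confined; the change is about how files and guest processes get labelled, not about restricting the container, and that deserves a comment, e.g. `# spc_t keeps the libvirt process labelled (unlike label=disable) so files it creates carry a type host services can read; it is not a confinement boundary`. `label=filetype:container_share_t` only influences mounts that are still relabelled with `:z` (e.g. `/var/lib/vhost_sockets:z` in the -715 hunk), which is worth noting beside it since this commit strips `z` from most of the shared mounts. Whether `label=level:s0` is required with spc_t is not visible here — presumably it pins the MCS level so the container and the files it labels do not receive a per-container random category; confirm and document that in the same comment.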
@@ -715,17 +713,14 @@ outputs: - /run:/run - /sys/fs/cgroup:/sys/fs/cgroup - /etc/libvirt:/etc/libvirt - - /var/run/libvirt:/var/run/libvirt:shared,z - - /var/lib/libvirt:/var/lib/libvirt:shared,z + - /var/run/libvirt:/var/run/libvirt:shared + - /var/cache/libvirt:/var/cache/libvirt:shared + - /var/lib/libvirt:/var/lib/libvirt:shared - /var/log/libvirt/qemu:/var/log/libvirt/qemu:ro - /var/lib/vhost_sockets:/var/lib/vhost_sockets:z - /var/lib/nova:/var/lib/nova:shared - - - if: - - docker_enabled - - - - /sys/fs/selinux:/sys/fs/selinux - - null + - /sys/fs/selinux:/sys/fs/selinux + - /etc/selinux/config:/etc/selinux/config:ro - if: - use_tls_for_live_migration @@ -797,8 +792,8 @@ outputs: - - /var/lib/config-data/puppet-generated/nova_libvirt/etc/nova:/etc/nova:ro - /etc/libvirt:/etc/libvirt - - /var/run/libvirt:/var/run/libvirt:shared,z - - /var/lib/libvirt:/var/lib/libvirt:shared,z + - /var/run/libvirt:/var/run/libvirt:shared + - /var/lib/libvirt:/var/lib/libvirt:shared command: - /bin/bash - -c @@ -832,12 +827,13 @@ outputs: file: path: "{{ item.path }}" state: directory - setype: "{{ item.setype }}" + setype: "{{ item.setype | default(omit) }}" with_items: - { 'path': /etc/libvirt, 'setype': container_file_t } - { 'path': /etc/libvirt/secrets, 'setype': container_file_t } - { 'path': /etc/libvirt/qemu, 'setype': container_file_t } - { 'path': /var/lib/libvirt, 'setype': container_file_t } + - { 'path': /var/cache/libvirt } - { 'path': /var/lib/nova, 'setype': container_file_t } - { 'path': /var/run/libvirt, 'setype': virt_var_run_t } - { 'path': /var/log/libvirt, 'setype': container_file_t } diff --git a/deployment/nova/nova-migration-target-container-puppet.yaml b/deployment/nova/nova-migration-target-container-puppet.yaml index 09c5a00c75..d4574b9298 100644 --- a/deployment/nova/nova-migration-target-container-puppet.yaml +++ b/deployment/nova/nova-migration-target-container-puppet.yaml 
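Review bot: `/sys/fs/selinux:/sys/fs/selinux` is now mounted unconditionally and read-write (it was previously only added under the removed `docker_enabled` condition), with no comment saying why the container needs selinuxfs. If libvirt only needs to read SELinux status and validate contexts, `:ro` would narrow the mount, but libselinux's context-validation path writes to the `context` node under selinuxfs, so test before tightening; either way add `# selinuxfs is needed so libvirt's SELinux security driver can see the host policy; no longer docker-only` above it. `/etc/selinux/config:/etc/selinux/config:ro` is fine as written. The enclosing volumes list begins before this hunk.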
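Review bot: The new `{ 'path': /var/cache/libvirt }` item carries no `setype`, so with `setype: "{{ item.setype | default(omit) }}"` the directory keeps whatever context the host policy assigns, unlike every sibling that is forced to `container_file_t`; the asymmetry looks intentional but is invisible, so annotate the item, e.g. `# no setype: mounted :shared without :z, the policy's default context is kept`, or whatever the real reason is. Note that `default(omit)` only applies when the key is absent from the item — an item with `'setype': ''` would hand an empty string to the module — so keeping the key out entirely, as done here, is the correct form. The file task's `with_items` list continues past the end of this hunk.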
@@ -176,7 +176,7 @@ outputs:
 - /var/lib/kolla/config_files/nova-migration-target.json:/var/lib/kolla/config_files/config.json:ro
 - /var/lib/config-data/puppet-generated/nova_libvirt:/var/lib/kolla/config_files/src:ro
 - /etc/ssh/:/host-ssh/:ro
- - /var/run/libvirt:/var/run/libvirt:shared,z
+ - /var/run/libvirt:/var/run/libvirt:shared
 - /var/lib/nova:/var/lib/nova:shared
 environment:
 KOLLA_CONFIG_STRATEGY: COPY_ALWAYS