[TRAIN-ONLY] Ensure OVN directory content is podman-compatible

When running an FFU from an OVN enabled Queens (osp-13) environment, it may happen some files in the /var/lib/openvswitch/ovn locations are tagged with openvswitch_var_lib_t instead of container_file_t. While most of the other mounts are mounted from other containers, mostly managed via tripleo-heat-templates, that specific location seems to be used only by pacemaker managed services. Those services are missing the "z" flag allowing to relabel the content. While https://review.opendev.org/c/openstack/puppet-tripleo/+/808774 is adding this missing flag for master and stable/wallaby, we can't do this for stable/train since the modification of pacemaker resources will create a complete outage. In order to avoid such an issue, we'd rather silently relabel things. This is possible for OVN since the recursion depth is only 1 level, and the amount of files located there is really, really low (less than a dozen). Also, doing this during step_2 should ensure we don't prevent any host preparation, and should ensure all is ready on time for the actual data usage. Change-Id: I9b73a5833276fac080615d6f01d5b813631a662f Resolve-Bug: #1943459
2021-09-14 16:28:42 +02:00
parent 153dd67dbd
commit bb3e0234a4
5 changed files with 44 additions and 4 deletions
--- a/deployment/ovn/ovn-controller-container-puppet.yaml
+++ b/deployment/ovn/ovn-controller-container-puppet.yaml
@@ -355,6 +355,14 @@ outputs:
            name: neutron-cleanup
            enabled: yes
      upgrade_tasks:
+        - name: Ensure correct label recursively on ovn directory
+          when:
+            - step|int == 2
+          file:
+            path: "/var/lib/openvswitch/ovn"
+            recursive: true
+            setype: "svirt_sandbox_file_t"
+            state: directory
        # system_upgrade
        - name: ovn_controller system_upgrade_prepare step 1
          tags:
--- a/deployment/ovn/ovn-dbs-cluster-ansible.yaml
+++ b/deployment/ovn/ovn-dbs-cluster-ansible.yaml
@@ -252,8 +252,8 @@ outputs:
            setype: "{{ item.setype }}"
            mode: "{{ item.mode|default(omit) }}"
          loop:
-            - { 'path': /var/log/containers/openvswitch, 'setype': container_file_t, 'mode': '0750' }
-            - { 'path': /var/lib/openvswitch/ovn, 'setype': container_file_t }
+            - { 'path': /var/log/containers/openvswitch, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
+            - { 'path': /var/lib/openvswitch/ovn, 'setype': svirt_sandbox_file_t }
      deploy_steps_tasks:
        - name: Prepare OVN cluster
          when: step|int == 1
@@ -309,4 +309,12 @@ outputs:
            - not is_ovn_dbs_bootstrap_node | bool
          block: *ovn_dbs_start_containers
      update_tasks: []
-      upgrade_tasks: []
+      upgrade_tasks:
+        - name: Ensure correct label recursively on ovn directory
+          when:
+            - step|int == 2
+          file:
+            path: "/var/lib/openvswitch/ovn"
+            recursive: true
+            setype: "svirt_sandbox_file_t"
+            state: directory
--- a/deployment/ovn/ovn-dbs-container-puppet.yaml
+++ b/deployment/ovn/ovn-dbs-container-puppet.yaml
@@ -205,4 +205,12 @@ outputs:
          with_items:
            - { 'path': /var/log/containers/openvswitch, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
            - { 'path': /var/lib/openvswitch/ovn, 'setype': svirt_sandbox_file_t }
-      upgrade_tasks: []
+      upgrade_tasks:
+        - name: Ensure correct label recursively on ovn directory
+          when:
+            - step|int == 2
+          file:
+            path: "/var/lib/openvswitch/ovn"
+            recursive: true
+            setype: "svirt_sandbox_file_t"
+            state: directory
--- a/deployment/ovn/ovn-dbs-pacemaker-puppet.yaml
+++ b/deployment/ovn/ovn-dbs-pacemaker-puppet.yaml
@@ -498,6 +498,14 @@ outputs:
              vars:
                tripleo_upgrade_key: ovn_dbs_short_node_names_override
              when: ovn_dbs_short_node_names_upgraded | length == ovn_dbs_short_node_names | length
+        - name: Ensure correct label recursively on ovn directory
+          when:
+            - step|int == 2
+          file:
+            path: "/var/lib/openvswitch/ovn"
+            recursive: true
+            setype: "svirt_sandbox_file_t"
+            state: directory
        - name: Retag the pacemaker image if containerized
          when:
            - step|int == 3
--- a/deployment/ovn/ovn-metadata-container-puppet.yaml
+++ b/deployment/ovn/ovn-metadata-container-puppet.yaml
@@ -407,3 +407,11 @@ outputs:
                comparisons:
                  '*': ignore
              when: ini_read_result is changed
+        - name: Ensure correct label recursively on ovn directory
+          when:
+            - step|int == 2
+          file:
+            path: "/var/lib/openvswitch/ovn"
+            recursive: true
+            setype: "svirt_sandbox_file_t"
+            state: directory