Avoid "-a" cp option in order to avoid SELinux AVC
Using "cp -a" in a container might lead to SELinux failures, since this option is a shortcut for "-dR --preserve=all". The "all" has the context, and we do not allow SELinux relabelling within containers. Splitting the "-a" to "-dR --preserve" will provide the same end results, but without the relabelling, preventing audit.log from filling up during the deploy.

Closes-Bug: #1819459
Change-Id: Ic280ad8e95fcc32986987f5abaa524f171d7c13b
parent b80abea3b4
commit c55cf61c99
@ -120,7 +120,7 @@ outputs:
|
||||
# Use bash to run the cp command so that wildcards can be used
|
||||
- '/bin/bash'
|
||||
- '-c'
|
||||
- 'cp -v -a -t /etc/swift /swift_ringbuilder/etc/swift/*.gz /swift_ringbuilder/etc/swift/*.builder /swift_ringbuilder/etc/swift/backups'
|
||||
- 'cp -v -dR --preserve -t /etc/swift /swift_ringbuilder/etc/swift/*.gz /swift_ringbuilder/etc/swift/*.builder /swift_ringbuilder/etc/swift/backups'
|
||||
volumes:
|
||||
- /var/lib/config-data/puppet-generated/swift/etc/swift:/etc/swift:rw,z
|
||||
- /var/lib/config-data/swift_ringbuilder:/swift_ringbuilder:ro
|
||||
|
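Review bot: On the replaced `cp` line, the bare `--preserve` relies on the GNU cp default of mode, ownership and timestamps, and the comment above the command still explains only the bash wrapper. Spell it out as `--preserve=mode,ownership,timestamps` and add a comment saying `-a` is avoided because it also preserves the SELinux context, so that nobody later collapses the options back into `-a`. This is also not fully equivalent to `-a`, since links and xattrs are no longer preserved; that looks acceptable for the `.gz`, `.builder` and `backups` paths copied into the `:z`-labelled `/etc/swift` volume, but the commit message should say so rather than claim the same end result.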