diff --git a/docker/services/ceilometer-agent-central.yaml b/docker/services/ceilometer-agent-central.yaml index 19504e0a98..36d7a6e096 100644 --- a/docker/services/ceilometer-agent-central.yaml +++ b/docker/services/ceilometer-agent-central.yaml @@ -113,7 +113,7 @@ outputs: - - /var/lib/kolla/config_files/ceilometer_agent_central.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/ceilometer/:/var/lib/kolla/config_files/src:ro - - /var/log/containers/ceilometer:/var/log/ceilometer + - /var/log/containers/ceilometer:/var/log/ceilometer:z environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS step_5: @@ -131,7 +131,7 @@ outputs: - {get_attr: [ContainersCommon, volumes]} - - /var/lib/config-data/ceilometer/etc/ceilometer/:/etc/ceilometer/:ro - - /var/log/containers/ceilometer:/var/log/ceilometer + - /var/log/containers/ceilometer:/var/log/ceilometer:z command: - '/usr/bin/bootstrap_host_exec' - 'ceilometer_agent_central' diff --git a/docker/services/ceilometer-agent-compute.yaml b/docker/services/ceilometer-agent-compute.yaml index a6798d18e2..a48931e21a 100644 --- a/docker/services/ceilometer-agent-compute.yaml +++ b/docker/services/ceilometer-agent-compute.yaml @@ -101,7 +101,7 @@ outputs: - /var/lib/kolla/config_files/ceilometer_agent_compute.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/ceilometer/:/var/lib/kolla/config_files/src:ro - /var/run/libvirt:/var/run/libvirt:ro - - /var/log/containers/ceilometer:/var/log/ceilometer + - /var/log/containers/ceilometer:/var/log/ceilometer:z environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS host_prep_tasks: @@ -109,6 +109,7 @@ outputs: file: path: /var/log/containers/ceilometer state: directory + setype: svirt_sandbox_file_t - name: ceilometer logs readme copy: dest: /var/log/ceilometer/readme.txt diff --git a/docker/services/ceilometer-agent-notification.yaml b/docker/services/ceilometer-agent-notification.yaml index 47f8a7a0c1..edb0e742c5 100644 
--- a/docker/services/ceilometer-agent-notification.yaml +++ b/docker/services/ceilometer-agent-notification.yaml @@ -129,7 +129,7 @@ outputs: - /var/lib/kolla/config_files/ceilometer_agent_notification.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/ceilometer/:/var/lib/kolla/config_files/src:ro - /var/lib/config-data/puppet-generated/panko/:/var/lib/kolla/config_files/src-panko:ro - - /var/log/containers/ceilometer:/var/log/ceilometer + - /var/log/containers/ceilometer:/var/log/ceilometer:z environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS host_prep_tasks: diff --git a/docker/services/cinder-api.yaml b/docker/services/cinder-api.yaml index b6562814af..7af3f79304 100644 --- a/docker/services/cinder-api.yaml +++ b/docker/services/cinder-api.yaml @@ -141,8 +141,8 @@ outputs: - - /var/lib/config-data/cinder/etc/my.cnf.d/tripleo.cnf:/etc/my.cnf.d/tripleo.cnf:ro - /var/lib/config-data/cinder/etc/cinder/:/etc/cinder/:ro - - /var/log/containers/cinder:/var/log/cinder - - /var/log/containers/httpd/cinder-api:/var/log/httpd + - /var/log/containers/cinder:/var/log/cinder:z + - /var/log/containers/httpd/cinder-api:/var/log/httpd:z command: - '/usr/bin/bootstrap_host_exec' - 'cinder_api' @@ -164,8 +164,8 @@ outputs: - - /var/lib/kolla/config_files/cinder_api.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/cinder/:/var/lib/kolla/config_files/src:ro - - /var/log/containers/cinder:/var/log/cinder - - /var/log/containers/httpd/cinder-api:/var/log/httpd + - /var/log/containers/cinder:/var/log/cinder:z + - /var/log/containers/httpd/cinder-api:/var/log/httpd:z - if: - internal_tls_enabled 
@@ -190,8 +190,8 @@ outputs: - - /var/lib/kolla/config_files/cinder_api_cron.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/cinder/:/var/lib/kolla/config_files/src:ro - - /var/log/containers/cinder:/var/log/cinder - - /var/log/containers/httpd/cinder-api:/var/log/httpd + - /var/log/containers/cinder:/var/log/cinder:z + - /var/log/containers/httpd/cinder-api:/var/log/httpd:z environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS docker_puppet_tasks: diff --git a/docker/services/cinder-backup.yaml b/docker/services/cinder-backup.yaml index c57cc5a99d..ff9c411790 100644 --- a/docker/services/cinder-backup.yaml +++ b/docker/services/cinder-backup.yaml @@ -142,7 +142,7 @@ outputs: privileged: false user: root volumes: - - /var/log/containers/cinder:/var/log/cinder + - /var/log/containers/cinder:/var/log/cinder:z command: ['/bin/bash', '-c', 'chown -R cinder:cinder /var/log/cinder'] step_4: cinder_backup: @@ -164,11 +164,12 @@ outputs: host_prep_tasks: - name: create persistent directories file: - path: "{{ item }}" + path: "{{ item.path }}" state: directory + setype: "{{ item.setype }}" with_items: - - /var/lib/cinder - - /var/log/containers/cinder + - { 'name': /var/lib/cinder, 'setype': svirt_sandbox_file_t } + - { 'name': /var/log/containers/cinder, 'setype': svirt_sandbox_file_t } - name: cinder logs readme copy: dest: /var/log/cinder/readme.txt diff --git a/docker/services/cinder-common.yaml b/docker/services/cinder-common.yaml index 18ae8651be..4618b59a85 100644 --- a/docker/services/cinder-common.yaml +++ b/docker/services/cinder-common.yaml @@ -170,8 +170,8 @@ outputs: - /run/:/run/ - /sys:/sys - /lib/modules:/lib/modules:ro - - /var/lib/cinder:/var/lib/cinder - - /var/log/containers/cinder:/var/log/cinder + - /var/lib/cinder:/var/lib/cinder:z + - /var/log/containers/cinder:/var/log/cinder:z cinder_backup_environment: description: Docker environment for the cinder-backup container (HA or non-HA) 
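Review bot: The two `with_items` entries in the cinder-backup `create persistent directories` task use the key `'name'` while the task reads `"{{ item.path }}"`, so the loop errors on an undefined attribute and neither `/var/lib/cinder` nor `/var/log/containers/cinder` is created or labelled. The items should read `- { 'path': /var/lib/cinder, 'setype': svirt_sandbox_file_t }` and `- { 'path': /var/log/containers/cinder, 'setype': svirt_sandbox_file_t }`, matching the `path`/`setype` shape the other services in this change use. Note also that `setype:` on the `file` module is a one-shot label change rather than a `semanage fcontext` rule, so a later `restorecon` on `/var/lib` or `/var/log` reverts it; the `:z` on the mounts re-applies the label at container start, which is why both are needed. The `host_prep_tasks` list continues past the end of the hunk.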
diff --git a/docker/services/cinder-scheduler.yaml b/docker/services/cinder-scheduler.yaml index 066e8704f7..5ba5c863c4 100644 --- a/docker/services/cinder-scheduler.yaml +++ b/docker/services/cinder-scheduler.yaml @@ -130,7 +130,7 @@ outputs: - - /var/lib/kolla/config_files/cinder_scheduler.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/cinder/:/var/lib/kolla/config_files/src:ro - - /var/log/containers/cinder:/var/log/cinder + - /var/log/containers/cinder:/var/log/cinder:z environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS host_prep_tasks: diff --git a/docker/services/congress.yaml b/docker/services/congress.yaml index de43baa0fa..a8df4327cf 100644 --- a/docker/services/congress.yaml +++ b/docker/services/congress.yaml @@ -98,7 +98,7 @@ outputs: privileged: false user: root volumes: - - /var/log/containers/congress:/var/log/congress + - /var/log/containers/congress:/var/log/congress:z command: ['/bin/bash', '-c', 'chown -R congress:congress /var/log/congress'] step_3: congress_db_sync: @@ -115,7 +115,7 @@ outputs: # This should go away anyway and mount the exact files it # needs or use kolla set_configs.py - /var/lib/config-data/congress/etc/:/etc/ - - /var/log/containers/congress:/var/log/congress + - /var/log/containers/congress:/var/log/congress:z command: "/usr/bin/bootstrap_host_exec congress su congress -s /bin/bash -c 'congress-db-manage --config-file /etc/congress/congress.conf upgrade head'" step_4: congress_api: @@ -130,7 +130,7 @@ outputs: - - /var/lib/kolla/config_files/congress_api.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/congress/:/var/lib/kolla/config_files/src:ro - - /var/log/containers/congress:/var/log/congress + - /var/log/containers/congress:/var/log/congress:z environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS host_prep_tasks: 
@@ -138,6 +138,7 @@ outputs: file: path: /var/log/containers/congress state: directory + setype: svirt_sandbox_file_t - name: congress logs readme copy: dest: /var/log/congress/readme.txt diff --git a/docker/services/database/mongodb.yaml b/docker/services/database/mongodb.yaml index 712ff0ca57..fec8a9606e 100644 --- a/docker/services/database/mongodb.yaml +++ b/docker/services/database/mongodb.yaml @@ -112,8 +112,8 @@ outputs: - - /var/lib/kolla/config_files/mongodb.json:/var/lib/kolla/config_files/config.json - /var/lib/config-data/puppet-generated/mongodb/:/var/lib/kolla/config_files/src:ro - /etc/localtime:/etc/localtime:ro - - /var/log/containers/mongodb:/var/log/mongodb - - /var/lib/mongodb:/var/lib/mongodb + - /var/log/containers/mongodb:/var/log/mongodb:z + - /var/lib/mongodb:/var/lib/mongodb:z - if: - internal_tls_enabled - - list_join: @@ -134,8 +134,8 @@ outputs: config_image: *mongodb_config_image volumes: list_concat: - - - /var/lib/mongodb:/var/lib/mongodb - - /var/log/containers/mongodb:/var/log/mongodb + - - /var/lib/mongodb:/var/lib/mongodb:z + - /var/log/containers/mongodb:/var/log/mongodb:z - if: - internal_tls_enabled - - list_join: @@ -148,11 +148,12 @@ outputs: host_prep_tasks: - name: create persistent directories file: - path: "{{ item }}" + path: "{{ item.path }}" state: directory + setype: "{{ item.setype }}" with_items: - - /var/log/containers/mongodb - - /var/lib/mongodb + - { 'path': /var/log/containers/mongodb, 'setype': svirt_sandbox_file_t } + - { 'path': /var/lib/mongodb, 'setype': svirt_sandbox_file_t } - name: mongodb logs readme copy: dest: /var/log/mongodb/readme.txt diff --git a/docker/services/designate-api.yaml b/docker/services/designate-api.yaml index 5b708032b9..5eaf4fc894 100644 --- a/docker/services/designate-api.yaml +++ b/docker/services/designate-api.yaml 
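Review bot: `/var/lib/mongodb:/var/lib/mongodb:z` labels the database files with the shared container label, so under SELinux any container process that can reach the path, not only mongodb's, passes the access check; the private `:Z` label would confine the files to a single container, but it cannot be used here because the same directory is mounted by both mongodb containers in this hunk and a second `:Z` mount would relabel it away from the first. That trade-off is worth recording next to the mount, e.g. `# :z (shared), not :Z: this path is bind-mounted by two containers`. Separately, `/var/lib/kolla/config_files/mongodb.json:/var/lib/kolla/config_files/config.json` on the first context line is the only kolla config mount in this series without `:ro`; adding `:ro` stops the container from rewriting its own bootstrap config on the host. Both the `volumes` list and the `host_prep_tasks` list continue outside the hunks.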
@@ -135,7 +135,7 @@ outputs: - - /var/lib/kolla/config_files/designate_api.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/designate/:/var/lib/kolla/config_files/src:ro - - /var/log/containers/designate:/var/log/designate + - /var/log/containers/designate:/var/log/designate:z environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS host_prep_tasks: @@ -143,6 +143,7 @@ outputs: file: path: /var/log/containers/designate state: directory + setype: svirt_sandbox_file_t - name: designate logs readme copy: dest: /var/log/designate/readme.txt diff --git a/docker/services/designate-central.yaml b/docker/services/designate-central.yaml index 8d647b8e37..a490965c20 100644 --- a/docker/services/designate-central.yaml +++ b/docker/services/designate-central.yaml @@ -107,7 +107,7 @@ outputs: privileged: false user: root volumes: - - /var/log/containers/designate:/var/log/designate + - /var/log/containers/designate:/var/log/designate:z command: ['/bin/bash', '-c', 'chown -R designate:designate /var/log/designate'] step_3: designate_db_sync: @@ -122,7 +122,7 @@ outputs: - - /var/lib/config-data/designate/etc/my.cnf.d/tripleo.cnf:/etc/my.cnf.d/tripleo.cnf:ro - /var/lib/config-data/designate/etc/designate/:/etc/designate/:ro - - /var/log/containers/designate:/var/log/designate + - /var/log/containers/designate:/var/log/designate:z command: "/usr/bin/bootstrap_host_exec designate_central su designate -s /bin/bash -c 'designate-manage --config-file /etc/designate/designate.conf database sync'" step_4: designate_central: @@ -139,7 +139,7 @@ outputs: - /run:/run - /var/lib/kolla/config_files/designate_central.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/designate/:/var/lib/kolla/config_files/src:ro - - /var/log/containers/designate:/var/log/designate + - /var/log/containers/designate:/var/log/designate:z environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS step_5: 
@@ -154,13 +154,14 @@ outputs: - {get_attr: [ContainersCommon, volumes]} - - /var/lib/config-data/designate/etc/designate/:/etc/designate/:ro - - /var/log/containers/designate:/var/log/designate + - /var/log/containers/designate:/var/log/designate:z command: "/usr/bin/bootstrap_host_exec designate_central su designate -s /bin/bash -c '/bin/designate-manage pool update'" host_prep_tasks: - name: create persistent logs directory file: path: /var/log/containers/designate state: directory + setype: svirt_sandbox_file_t - name: designate logs readme copy: dest: /var/log/designate/readme.txt diff --git a/docker/services/designate-mdns.yaml b/docker/services/designate-mdns.yaml index 0c91490175..9133bfde7d 100644 --- a/docker/services/designate-mdns.yaml +++ b/docker/services/designate-mdns.yaml @@ -115,7 +115,7 @@ outputs: - /run:/run - /var/lib/kolla/config_files/designate_mdns.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/designate/:/var/lib/kolla/config_files/src:ro - - /var/log/containers/designate:/var/log/designate + - /var/log/containers/designate:/var/log/designate:z environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS host_prep_tasks: @@ -123,6 +123,7 @@ outputs: file: path: /var/log/containers/designate state: directory + setype: svirt_sandbox_file_t - name: designate logs readme copy: dest: /var/log/designate/readme.txt diff --git a/docker/services/designate-producer.yaml b/docker/services/designate-producer.yaml index a7d09ea6f2..b0d87ae1bb 100644 --- a/docker/services/designate-producer.yaml +++ b/docker/services/designate-producer.yaml 
@@ -116,7 +116,7 @@ outputs: - /run:/run - /var/lib/kolla/config_files/designate_producer.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/designate/:/var/lib/kolla/config_files/src:ro - - /var/log/containers/designate:/var/log/designate + - /var/log/containers/designate:/var/log/designate:z environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS host_prep_tasks: @@ -124,6 +124,7 @@ outputs: file: path: /var/log/containers/designate state: directory + setype: svirt_sandbox_file_t - name: designate logs readme copy: dest: /var/log/designate/readme.txt diff --git a/docker/services/designate-sink.yaml b/docker/services/designate-sink.yaml index 51e47ea7bd..b7df6349ef 100644 --- a/docker/services/designate-sink.yaml +++ b/docker/services/designate-sink.yaml @@ -116,7 +116,7 @@ outputs: - /run:/run - /var/lib/kolla/config_files/designate_sink.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/designate/:/var/lib/kolla/config_files/src:ro - - /var/log/containers/designate:/var/log/designate + - /var/log/containers/designate:/var/log/designate:z environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS host_prep_tasks: @@ -124,6 +124,7 @@ outputs: file: path: /var/log/containers/designate state: directory + setype: svirt_sandbox_file_t - name: designate logs readme copy: dest: /var/log/designate/readme.txt diff --git a/docker/services/designate-worker.yaml b/docker/services/designate-worker.yaml index f4b07e9eb1..08765a6e6e 100644 --- a/docker/services/designate-worker.yaml +++ b/docker/services/designate-worker.yaml @@ -141,7 +141,7 @@ outputs: - /run:/run - /var/lib/kolla/config_files/designate_worker.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/designate/:/var/lib/kolla/config_files/src:ro - - /var/log/containers/designate:/var/log/designate + - /var/log/containers/designate:/var/log/designate:z environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS designate_backend_bind9: 
@@ -156,8 +156,8 @@ outputs: - /run:/run - /var/lib/kolla/config_files/designate_backend_bind9.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/designate/:/var/lib/kolla/config_files/src:ro - - /var/log/containers/designate:/var/log/designate - - /var/named-persistent:/var/named-persistent + - /var/log/containers/designate:/var/log/designate:z + - /var/named-persistent:/var/named-persistent:z environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS host_prep_tasks: @@ -165,6 +165,7 @@ outputs: file: path: /var/log/containers/designate state: directory + setype: svirt_sandbox_file_t - name: designate logs readme copy: dest: /var/log/designate/readme.txt @@ -176,3 +177,4 @@ outputs: file: path: /var/named-persistent state: directory + setype: svirt_sandbox_file_t diff --git a/docker/services/ec2-api.yaml b/docker/services/ec2-api.yaml index 81b4229e13..5e98c1ea7d 100644 --- a/docker/services/ec2-api.yaml +++ b/docker/services/ec2-api.yaml @@ -128,10 +128,10 @@ outputs: privileged: false user: root volumes: - - /var/log/containers/ec2_api:/var/log/ec2api + - /var/log/containers/ec2_api:/var/log/ec2api:z # mount ec2_api_metadata to "ec2api-metadata" only here to fix # permissions of both directories in one go - - /var/log/containers/ec2_api_metadata:/var/log/ec2api-metadata + - /var/log/containers/ec2_api_metadata:/var/log/ec2api-metadata:z command: ['/bin/bash', '-c', 'chown -R ec2api:ec2api /var/log/ec2api /var/log/ec2api-metadata'] step_3: ec2_api_db_sync: @@ -146,7 +146,7 @@ outputs: - - /var/lib/config-data/ec2_api/etc/my.cnf.d/tripleo.cnf:/etc/my.cnf.d/tripleo.cnf:ro - /var/lib/config-data/ec2_api/etc/ec2api/:/etc/ec2api/:ro - - /var/log/containers/ec2_api:/var/log/ec2api + - /var/log/containers/ec2_api:/var/log/ec2api:z command: "/usr/bin/bootstrap_host_exec ec2_api su ec2api -s /bin/bash -c '/usr/bin/ec2-api-manage db_sync'" step_4: map_merge: 
@@ -161,7 +161,7 @@ outputs: - - /var/lib/kolla/config_files/ec2_api.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/ec2_api/:/var/lib/kolla/config_files/src:ro - - /var/log/containers/ec2_api:/var/log/ec2api + - /var/log/containers/ec2_api:/var/log/ec2api:z environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS ec2_api_metadata: @@ -175,7 +175,7 @@ outputs: - - /var/lib/kolla/config_files/ec2_api_metadata.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/ec2_api/:/var/lib/kolla/config_files/src:ro - - /var/log/containers/ec2_api_metadata:/var/log/ec2api + - /var/log/containers/ec2_api_metadata:/var/log/ec2api:z environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS - if: @@ -199,11 +199,12 @@ outputs: host_prep_tasks: - name: create persistent log directories file: - path: /var/log/containers/{{ item }} + path: "{{ item.path }}" state: directory + setype: "{{ item.setype }}" with_items: - - ec2_api - - ec2_api_metadata + - { 'path': /var/log/containers/ec2_api, 'setype': svirt_sandbox_file_t } + - { 'path': /var/log/containers/ec2_api_metadata, 'setype': svirt_sandbox_file_t } - name: ec2_api logs readme copy: dest: /var/log/{{ item }}/readme.txt diff --git a/docker/services/fluentd.yaml b/docker/services/fluentd.yaml index 32d488cdb4..ce29ad6d10 100644 --- a/docker/services/fluentd.yaml +++ b/docker/services/fluentd.yaml 
@@ -90,17 +90,18 @@ outputs: privileged: true user: root restart: always + security_opt: 'label=disable' healthcheck: test: /openstack/healthcheck volumes: list_concat: - {get_attr: [ContainersCommon, volumes]} - - - /var/cache/containers/fluentd:/var/cache/fluentd:rw + - /var/cache/containers/fluentd:/var/cache/fluentd:rw,z - /var/lib/kolla/config_files/fluentd.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/fluentd/:/var/lib/kolla/config_files/src:ro - /var/log/containers:/var/log/containers:ro - - /var/log/containers/fluentd:/var/log/fluentd:rw + - /var/log/containers/fluentd:/var/log/fluentd:rw,z - /etc/rsyslog.d:/etc/rsyslog.d:rw environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS @@ -109,6 +110,7 @@ outputs: file: path: /var/log/containers/fluentd state: directory + setype: svirt_sandbox_file_t - name: fluentd logs readme copy: dest: /var/log/fluentd/readme.txt @@ -120,6 +122,7 @@ outputs: file: path: /var/cache/containers/fluentd state: directory + setype: svirt_sandbox_file_t upgrade_tasks: - when: step|int == 0 tags: common diff --git a/docker/services/gnocchi-api.yaml b/docker/services/gnocchi-api.yaml index cb160c7e33..71fe674727 100644 --- a/docker/services/gnocchi-api.yaml +++ b/docker/services/gnocchi-api.yaml @@ -155,8 +155,8 @@ outputs: user: root volumes: - str_replace: - template: GNOCCHI_FILE_BASE_PATH:GNOCCHI_FILE_BASE_PATH - params: {GNOCCHI_FILE_BASE_PATH: {get_param: GnocchiFileBasePath}} + template: GNOCCHI_FILE_BASE_PATH:GNOCCHI_FILE_BASE_PATH:SE_FLAGS + params: {GNOCCHI_FILE_BASE_PATH: {get_param: GnocchiFileBasePath}, SE_FLAGS: 'shared,z'} command: - '/bin/bash' - '-c' 
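Review bot: `security_opt: 'label=disable'` on the fluentd container switches off SELinux labelling for the container process, and together with the existing `privileged: true` and the read-write `/etc/rsyslog.d` mount it leaves fluentd effectively unconfined on the host, yet the hunk gives no reason for it. If the motivation is reading the other services' trees under `/var/log/containers:ro`, those directories are all being relabelled `svirt_sandbox_file_t` via `:z` (shared) in this same change, so a confined container process should already be allowed to read them and the option may be redundant. Either drop it after verifying, or document the need above the line, e.g. `# label=disable: fluentd reads log trees written under foreign labels; revisit once every writer mounts with :z`. A change to a container's confinement also belongs in the release note for this patch.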
@@ -178,10 +178,10 @@ outputs: - /var/lib/kolla/config_files/gnocchi_db_sync.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/gnocchi/:/var/lib/kolla/config_files/src:ro - str_replace: - template: GNOCCHI_FILE_BASE_PATH:GNOCCHI_FILE_BASE_PATH - params: {GNOCCHI_FILE_BASE_PATH: {get_param: GnocchiFileBasePath}} - - /var/log/containers/gnocchi:/var/log/gnocchi - - /var/log/containers/httpd/gnocchi-api:/var/log/httpd + template: GNOCCHI_FILE_BASE_PATH:GNOCCHI_FILE_BASE_PATH:SE_FLAGS + params: {GNOCCHI_FILE_BASE_PATH: {get_param: GnocchiFileBasePath}, SE_FLAGS: 'shared,z'} + - /var/log/containers/gnocchi:/var/log/gnocchi:z + - /var/log/containers/httpd/gnocchi-api:/var/log/httpd:z - /etc/ceph:/var/lib/kolla/config_files/src-ceph:ro environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS @@ -198,12 +198,12 @@ outputs: - {get_attr: [ContainersCommon, volumes]} - - str_replace: - template: GNOCCHI_FILE_BASE_PATH:GNOCCHI_FILE_BASE_PATH - params: {GNOCCHI_FILE_BASE_PATH: {get_param: GnocchiFileBasePath}} + template: GNOCCHI_FILE_BASE_PATH:GNOCCHI_FILE_BASE_PATH:SE_FLAGS + params: {GNOCCHI_FILE_BASE_PATH: {get_param: GnocchiFileBasePath}, SE_FLAGS: 'shared,z'} - /var/lib/kolla/config_files/gnocchi_api.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/gnocchi/:/var/lib/kolla/config_files/src:ro - - /var/log/containers/gnocchi:/var/log/gnocchi - - /var/log/containers/httpd/gnocchi-api:/var/log/httpd + - /var/log/containers/gnocchi:/var/log/gnocchi:z + - /var/log/containers/httpd/gnocchi-api:/var/log/httpd:z - /etc/ceph:/var/lib/kolla/config_files/src-ceph:ro - if: @@ -218,7 +218,7 @@ outputs: environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS host_prep_tasks: - - name: create persistent logs directory + - name: create persistent data and logs directory file: path: "{{ item.path }}" state: directory 
@@ -226,6 +226,7 @@ outputs: with_items: - { 'path': /var/log/containers/gnocchi, 'setype': svirt_sandbox_file_t } - { 'path': /var/log/containers/httpd/gnocchi-api, 'setype': svirt_sandbox_file_t } + - { 'path': {get_param: GnocchiFileBasePath}, 'setype': svirt_sandbox_file_t } - name: gnocchi logs readme copy: dest: /var/log/gnocchi/readme.txt diff --git a/docker/services/gnocchi-metricd.yaml b/docker/services/gnocchi-metricd.yaml index b822891b3c..50560a4276 100644 --- a/docker/services/gnocchi-metricd.yaml +++ b/docker/services/gnocchi-metricd.yaml @@ -132,8 +132,8 @@ outputs: - /var/log/containers/gnocchi:/var/log/gnocchi:z - /etc/ceph:/var/lib/kolla/config_files/src-ceph:ro - str_replace: - template: GNOCCHI_FILE_BASE_PATH:GNOCCHI_FILE_BASE_PATH - params: {GNOCCHI_FILE_BASE_PATH: {get_param: GnocchiFileBasePath}} + template: GNOCCHI_FILE_BASE_PATH:GNOCCHI_FILE_BASE_PATH:SE_FLAGS + params: {GNOCCHI_FILE_BASE_PATH: {get_param: GnocchiFileBasePath}, SE_FLAGS: 'shared,z'} environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS host_prep_tasks: @@ -149,6 +149,11 @@ outputs: Log files from gnocchi containers can be found under /var/log/containers/gnocchi and /var/log/containers/httpd/gnocchi-api. ignore_errors: true + - name: create persistent data directory + file: + path: {get_param: GnocchiFileBasePath} + state: directory + setype: svirt_sandbox_file_t - name: ensure ceph configurations exist file: path: /etc/ceph diff --git a/docker/services/gnocchi-statsd.yaml b/docker/services/gnocchi-statsd.yaml index 2156378d6e..60d5e8b864 100644 --- a/docker/services/gnocchi-statsd.yaml +++ b/docker/services/gnocchi-statsd.yaml 
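Review bot: With `SE_FLAGS: 'shared,z'` the whole `GnocchiFileBasePath` tree is recursively relabelled every time gnocchi-api, the db_sync container, metricd and statsd start, and where they run on the same node several of them will relabel the same metric store concurrently; on a large file-backed store that is slow and deserves a comment next to the `str_replace`, e.g. `# :z relabels the entire metric store on every container start`. The new `create persistent data directory` task labels only the top-level directory (the `file` module does not recurse unless `recurse: true`) and sets it once rather than through `semanage fcontext`, so an existing store with content relies entirely on the mount-time `:z`, and a later `restorecon` reverts the label until the next container start. The `host_prep_tasks` list continues outside the hunk.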
@@ -132,8 +132,8 @@ outputs: - /var/log/containers/gnocchi:/var/log/gnocchi:z - /etc/ceph:/var/lib/kolla/config_files/src-ceph:ro - str_replace: - template: GNOCCHI_FILE_BASE_PATH:GNOCCHI_FILE_BASE_PATH - params: {GNOCCHI_FILE_BASE_PATH: {get_param: GnocchiFileBasePath}} + template: GNOCCHI_FILE_BASE_PATH:GNOCCHI_FILE_BASE_PATH:SE_FLAGS + params: {GNOCCHI_FILE_BASE_PATH: {get_param: GnocchiFileBasePath}, SE_FLAGS: 'shared,z'} environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS host_prep_tasks: @@ -149,6 +149,11 @@ outputs: Log files from gnocchi containers can be found under /var/log/containers/gnocchi and /var/log/containers/httpd/gnocchi-api. ignore_errors: true + - name: create persistent data directory + file: + path: {get_param: GnocchiFileBasePath} + state: directory + setype: svirt_sandbox_file_t - name: ensure ceph configurations exist file: path: /etc/ceph diff --git a/docker/services/horizon.yaml b/docker/services/horizon.yaml index bac69dd585..b5aadf7ba4 100644 --- a/docker/services/horizon.yaml +++ b/docker/services/horizon.yaml @@ -113,8 +113,8 @@ outputs: # http://paste.openstack.org/show/609819/ command: ['/bin/bash', '-c', 'touch /var/log/horizon/horizon.log && chown -R apache:apache /var/log/horizon && chmod -R a+rx /etc/openstack-dashboard'] volumes: - - /var/log/containers/horizon:/var/log/horizon - - /var/log/containers/httpd/horizon:/var/log/httpd + - /var/log/containers/horizon:/var/log/horizon:z + - /var/log/containers/httpd/horizon:/var/log/httpd:z - /var/lib/config-data/puppet-generated/horizon/etc/openstack-dashboard:/etc/openstack-dashboard step_3: horizon: 
@@ -128,8 +128,8 @@ outputs: - - /var/lib/kolla/config_files/horizon.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/horizon/:/var/lib/kolla/config_files/src:ro - - /var/log/containers/horizon:/var/log/horizon - - /var/log/containers/httpd/horizon:/var/log/httpd + - /var/log/containers/horizon:/var/log/horizon:z + - /var/log/containers/httpd/horizon:/var/log/httpd:z - /var/www/:/var/www/:ro - if: diff --git a/docker/services/ironic-api.yaml b/docker/services/ironic-api.yaml index 69eb064583..af5b7a0e9c 100644 --- a/docker/services/ironic-api.yaml +++ b/docker/services/ironic-api.yaml @@ -115,8 +115,8 @@ outputs: - {get_attr: [ContainersCommon, volumes]} - - /var/lib/config-data/ironic_api/etc/ironic:/etc/ironic:ro - - /var/log/containers/ironic:/var/log/ironic - - /var/log/containers/httpd/ironic-api:/var/log/httpd + - /var/log/containers/ironic:/var/log/ironic:z + - /var/log/containers/httpd/ironic-api:/var/log/httpd:z command: "/usr/bin/bootstrap_host_exec ironic_api su ironic -s /bin/bash -c 'ironic-dbsync --config-file /etc/ironic/ironic.conf'" step_4: ironic_api: @@ -133,8 +133,8 @@ outputs: - - /var/lib/kolla/config_files/ironic_api.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/ironic_api/:/var/lib/kolla/config_files/src:ro - - /var/log/containers/ironic:/var/log/ironic - - /var/log/containers/httpd/ironic-api:/var/log/httpd + - /var/log/containers/ironic:/var/log/ironic:z + - /var/log/containers/httpd/ironic-api:/var/log/httpd:z environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS host_prep_tasks: diff --git a/docker/services/ironic-inspector.yaml b/docker/services/ironic-inspector.yaml index a74feccd08..2303b37915 100644 --- a/docker/services/ironic-inspector.yaml +++ b/docker/services/ironic-inspector.yaml 
@@ -128,7 +128,7 @@ outputs: get_param: DockerIronicInspectorImage user: root volumes: - - /var/log/containers/ironic-inspector:/var/log/ironic-inspector + - /var/log/containers/ironic-inspector:/var/log/ironic-inspector:z command: ['/bin/bash', '-c', 'chown -R ironic-inspector:ironic-inspector /var/log/ironic-inspector'] ironic_inspector_init_dnsmasq_dhcp_hostsdir: @@ -136,7 +136,7 @@ outputs: image: *ironic_inspector_image user: root volumes: - - /var/lib/ironic-inspector/dhcp-hostsdir:/var/lib/ironic-inspector/dhcp-hostsdir:shared + - /var/lib/ironic-inspector/dhcp-hostsdir:/var/lib/ironic-inspector/dhcp-hostsdir:shared,z command: ['/bin/bash', '-c', 'chown -R ironic-inspector:ironic-inspector /var/lib/ironic-inspector/dhcp-hostsdir'] ironic_inspector_db_sync: start_order: 2 @@ -151,7 +151,7 @@ outputs: - - /var/lib/kolla/config_files/ironic_inspector.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/ironic_inspector/etc/ironic-inspector:/etc/ironic-inspector:ro - - /var/log/containers/ironic-inspector:/var/log/ironic-inspector + - /var/log/containers/ironic-inspector:/var/log/ironic-inspector:z environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS command: "/usr/bin/bootstrap_host_exec ironic_inspector su ironic-inspector -s /bin/bash -c 'ironic-inspector-dbsync --config-file /etc/ironic-inspector/inspector.conf upgrade'" @@ -167,7 +167,7 @@ outputs: - {get_attr: [ContainersCommon, volumes]} - - /var/lib/kolla/config_files/ironic_inspector.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/ironic:/var/lib/ironic:shared + - /var/lib/ironic:/var/lib/ironic:shared,z environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS command: 
@@ -195,9 +195,9 @@ outputs: - - /var/lib/kolla/config_files/ironic_inspector.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/ironic_inspector/:/var/lib/kolla/config_files/src:ro - - /var/lib/ironic:/var/lib/ironic:shared - - /var/log/containers/ironic-inspector:/var/log/ironic-inspector - - /var/lib/ironic-inspector/dhcp-hostsdir:/var/lib/ironic-inspector/dhcp-hostsdir:shared + - /var/lib/ironic:/var/lib/ironic:shared,z + - /var/log/containers/ironic-inspector:/var/log/ironic-inspector:z + - /var/lib/ironic-inspector/dhcp-hostsdir:/var/lib/ironic-inspector/dhcp-hostsdir:shared,z environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS ironic_inspector_dnsmasq: @@ -215,8 +215,8 @@ outputs: - - /var/lib/kolla/config_files/ironic_inspector_dnsmasq.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/ironic_inspector/:/var/lib/kolla/config_files/src:ro - - /var/log/containers/ironic-inspector:/var/log/ironic-inspector - - /var/lib/ironic-inspector/dhcp-hostsdir:/var/lib/ironic-inspector/dhcp-hostsdir:shared + - /var/log/containers/ironic-inspector:/var/log/ironic-inspector:z + - /var/lib/ironic-inspector/dhcp-hostsdir:/var/lib/ironic-inspector/dhcp-hostsdir:shared,z environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS host_prep_tasks: diff --git a/docker/services/ironic-pxe.yaml b/docker/services/ironic-pxe.yaml index a9e2e7eabb..1c7b9ae148 100644 --- a/docker/services/ironic-pxe.yaml +++ b/docker/services/ironic-pxe.yaml @@ -132,7 +132,7 @@ outputs: - - /var/lib/kolla/config_files/ironic_pxe_tftp.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/ironic/:/var/lib/kolla/config_files/src:ro - - /var/lib/ironic:/var/lib/ironic/:z + - /var/lib/ironic:/var/lib/ironic/:shared,z - /dev/log:/dev/log - /var/log/containers/ironic:/var/log/ironic:z - /var/log/containers/httpd/ironic-pxe:/var/log/httpd:z 
@@ -150,9 +150,9 @@ outputs: - - /var/lib/kolla/config_files/ironic_pxe_http.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/ironic/:/var/lib/kolla/config_files/src:ro - - /var/lib/ironic:/var/lib/ironic/:shared - - /var/log/containers/ironic:/var/log/ironic - - /var/log/containers/httpd/ironic-pxe:/var/log/httpd + - /var/lib/ironic:/var/lib/ironic/:shared,z + - /var/log/containers/ironic:/var/log/ironic:z + - /var/log/containers/httpd/ironic-pxe:/var/log/httpd:z environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS host_prep_tasks: diff --git a/docker/services/logging/files/barbican-api.yaml b/docker/services/logging/files/barbican-api.yaml index 5bbb326ab4..eafbc3bb75 100644 --- a/docker/services/logging/files/barbican-api.yaml +++ b/docker/services/logging/files/barbican-api.yaml @@ -18,8 +18,8 @@ outputs: volumes: description: The volumes needed to log to files in the host. value: &barbican_api_volumes - - /var/log/containers/barbican:/var/log/barbican - - /var/log/containers/httpd/barbican-api:/var/log/httpd + - /var/log/containers/barbican:/var/log/barbican:z + - /var/log/containers/httpd/barbican-api:/var/log/httpd:z docker_config: description: Extra containers needed for logging to files in the host. value: @@ -34,11 +34,12 @@ outputs: value: - name: create persistent logs directory file: - path: "{{ item }}" + path: "{{ item.path }}" state: directory + setype: "{{ item.setype }}" with_items: - - /var/log/containers/barbican - - /var/log/containers/httpd/barbican-api + - { 'path': /var/log/containers/barbican, 'setype': svirt_sandbox_file_t } + - { 'path': /var/log/containers/httpd/barbican-api, 'setype': svirt_sandbox_file_t } - name: barbican logs readme copy: dest: /var/log/barbican/readme.txt diff --git a/docker/services/logging/files/glance-api.yaml b/docker/services/logging/files/glance-api.yaml index 519658ee59..2df3c1c5ff 100644 --- a/docker/services/logging/files/glance-api.yaml 
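Review bot: In the barbican-api `host_prep_tasks` hunk (`@@ -34`) the `setype` is the same literal for every item, so routing it through `{{ item.setype }}` and rewriting the plain path list as quoted-key flow mappings adds lines without adding information; keeping `path: "{{ item }}"` and putting a literal `setype: svirt_sandbox_file_t` on the task expresses the same thing more simply. Separately, `svirt_sandbox_file_t` is the legacy name that current container-selinux policy keeps as an alias of `container_file_t`; it works, but a comment such as `# svirt_sandbox_file_t is the alias of container_file_t; must match the :z relabel on the log mounts` records why the old name was chosen and what it has to stay in sync with. The same item/setype pattern is repeated across the heat, neutron, nova, panko, manila, octavia and qdrouterd templates in this change, so whichever form is settled on should be applied consistently.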
+++ b/docker/services/logging/files/glance-api.yaml @@ -15,7 +15,7 @@ outputs: volumes: description: The volumes needed to log to files in the host. value: &glance_api_volumes - - /var/log/containers/glance:/var/log/glance + - /var/log/containers/glance:/var/log/glance:z docker_config: description: Extra containers needed for logging to files in the host. value: diff --git a/docker/services/logging/files/heat-api-cfn.yaml b/docker/services/logging/files/heat-api-cfn.yaml index b69c7f157a..a0c1c68a04 100644 --- a/docker/services/logging/files/heat-api-cfn.yaml +++ b/docker/services/logging/files/heat-api-cfn.yaml @@ -14,18 +14,19 @@ outputs: volumes: description: The volumes needed to log to files in the host. value: - - /var/log/containers/heat:/var/log/heat - - /var/log/containers/httpd/heat-api-cfn:/var/log/httpd + - /var/log/containers/heat:/var/log/heat:z + - /var/log/containers/httpd/heat-api-cfn:/var/log/httpd:z host_prep_tasks: description: Extra ansible tasks needed for logging to files in the host. value: - name: create persistent logs directory file: - path: "{{ item }}" + path: "{{ item.path }}" state: directory + setype: "{{ item.setype }}" with_items: - - /var/log/containers/heat - - /var/log/containers/httpd/heat-api-cfn + - { 'path': /var/log/containers/heat, 'setype': svirt_sandbox_file_t } + - { 'path': /var/log/containers/httpd/heat-api-cfn, 'setype': svirt_sandbox_file_t } - name: heat logs readme copy: dest: /var/log/heat/readme.txt diff --git a/docker/services/logging/files/heat-api.yaml b/docker/services/logging/files/heat-api.yaml index 13e7763f3f..0950c0a544 100644 --- a/docker/services/logging/files/heat-api.yaml +++ b/docker/services/logging/files/heat-api.yaml 
@@ -14,18 +14,19 @@ outputs: volumes: description: The volumes needed to log to files in the host. value: - - /var/log/containers/heat:/var/log/heat - - /var/log/containers/httpd/heat-api:/var/log/httpd + - /var/log/containers/heat:/var/log/heat:z + - /var/log/containers/httpd/heat-api:/var/log/httpd:z host_prep_tasks: description: Extra ansible tasks needed for logging to files in the host. value: - name: create persistent logs directory file: - path: "{{ item }}" + path: "{{ item.path }}" state: directory + setype: "{{ item.setype }}" with_items: - - /var/log/containers/heat - - /var/log/containers/httpd/heat-api + - { 'path': /var/log/containers/heat, 'setype': svirt_sandbox_file_t } + - { 'path': /var/log/containers/httpd/heat-api, 'setype': svirt_sandbox_file_t } - name: heat logs readme copy: dest: /var/log/heat/readme.txt diff --git a/docker/services/logging/files/heat-engine.yaml b/docker/services/logging/files/heat-engine.yaml index 9d9ef45290..1d3f8431cd 100644 --- a/docker/services/logging/files/heat-engine.yaml +++ b/docker/services/logging/files/heat-engine.yaml @@ -24,12 +24,12 @@ outputs: image: {get_param: DockerHeatEngineImage} user: root volumes: - - /var/log/containers/heat:/var/log/heat + - /var/log/containers/heat:/var/log/heat:z command: ['/bin/bash', '-c', 'chown -R heat:heat /var/log/heat'] volumes: description: The volumes needed to log to files in the host. value: - - /var/log/containers/heat:/var/log/heat + - /var/log/containers/heat:/var/log/heat:z host_prep_tasks: description: Extra ansible tasks needed for logging to files in the host. value: @@ -37,6 +37,7 @@ outputs: file: path: /var/log/containers/heat state: directory + setype: svirt_sandbox_file_t - name: heat logs readme copy: dest: /var/log/heat/readme.txt diff --git a/docker/services/logging/files/keystone.yaml b/docker/services/logging/files/keystone.yaml index 17d7766632..44c9b3ae0e 100644 --- a/docker/services/logging/files/keystone.yaml 
+++ b/docker/services/logging/files/keystone.yaml @@ -15,8 +15,8 @@ outputs: volumes: description: The volumes needed to log to files in the host. value: &keystone_volumes - - /var/log/containers/keystone:/var/log/keystone - - /var/log/containers/httpd/keystone:/var/log/httpd + - /var/log/containers/keystone:/var/log/keystone:z + - /var/log/containers/httpd/keystone:/var/log/httpd:z docker_config: description: Extra containers needed for logging to files in the host. value: diff --git a/docker/services/logging/files/neutron-api.yaml b/docker/services/logging/files/neutron-api.yaml index b727460b11..f1613e3e0e 100644 --- a/docker/services/logging/files/neutron-api.yaml +++ b/docker/services/logging/files/neutron-api.yaml @@ -25,8 +25,8 @@ outputs: volumes: description: extra volumes value: &neutron_api_volumes - - /var/log/containers/neutron:/var/log/neutron - - /var/log/containers/httpd/neutron-api:/var/log/httpd + - /var/log/containers/neutron:/var/log/neutron:z + - /var/log/containers/httpd/neutron-api:/var/log/httpd:z docker_config: description: Extra containers needed for logging to files in the host. value: @@ -43,11 +43,12 @@ outputs: value: - name: create persistent logs directory file: - path: "{{ item }}" + path: "{{ item.path }}" state: directory + setype: "{{ item.setype }}" with_items: - - /var/log/containers/neutron - - /var/log/containers/httpd/neutron-api + - { 'path': /var/log/containers/neutron, 'setype': svirt_sandbox_file_t } + - { 'path': /var/log/containers/httpd/neutron-api, 'setype': svirt_sandbox_file_t } - name: neutron logs readme copy: dest: /var/log/neutron/readme.txt diff --git a/docker/services/logging/files/neutron-common.yaml b/docker/services/logging/files/neutron-common.yaml index 5d2cd6e278..82a094d56e 100644 --- a/docker/services/logging/files/neutron-common.yaml +++ b/docker/services/logging/files/neutron-common.yaml 
@@ -26,16 +26,17 @@ outputs: volumes: description: The volumes needed to log to files in the host. value: - - /var/log/containers/neutron:/var/log/neutron + - /var/log/containers/neutron:/var/log/neutron:z host_prep_tasks: description: Extra ansible tasks needed for logging to files in the host. value: - name: create persistent logs directory file: - path: "{{ item }}" + path: "{{ item.path }}" state: directory + setype: "{{ item.setype }}" with_items: - - /var/log/containers/neutron + - { 'path': /var/log/containers/neutron, 'setype': svirt_sandbox_file_t } - name: neutron logs readme copy: dest: /var/log/neutron/readme.txt diff --git a/docker/services/logging/files/nova-common.yaml b/docker/services/logging/files/nova-common.yaml index ade8157a3e..3f39f1da9c 100644 --- a/docker/services/logging/files/nova-common.yaml +++ b/docker/services/logging/files/nova-common.yaml @@ -44,7 +44,7 @@ outputs: privileged: false user: root volumes: - - /var/log/containers/nova:/var/log/nova + - /var/log/containers/nova:/var/log/nova:z command: ['/bin/bash', '-c', 'chown -R nova:nova /var/log/nova'] - keys: CONTAINERNAME: {get_attr: [InitLogContainerName, value]} @@ -55,6 +55,7 @@ outputs: file: path: /var/log/containers/nova state: directory + setype: svirt_sandbox_file_t - name: nova logs readme copy: dest: /var/log/nova/readme.txt diff --git a/docker/services/logging/files/nova-metadata.yaml b/docker/services/logging/files/nova-metadata.yaml index ee7e2ac1ff..4ddc995038 100644 --- a/docker/services/logging/files/nova-metadata.yaml +++ b/docker/services/logging/files/nova-metadata.yaml 
@@ -15,8 +15,8 @@ outputs: volumes: description: The volumes needed to log to files in the host. value: &nova_metadata_volumes - - /var/log/containers/nova:/var/log/nova - - /var/log/containers/httpd/nova-metadata:/var/log/httpd + - /var/log/containers/nova:/var/log/nova:z + - /var/log/containers/httpd/nova-metadata:/var/log/httpd:z docker_config: description: Extra containers needed for logging to files in the host. value: @@ -32,11 +32,12 @@ outputs: value: - name: create persistent logs directory file: - path: "{{ item }}" + path: "{{ item.path }}" state: directory + setype: "{{ item.setype }}" with_items: - - /var/log/containers/nova - - /var/log/containers/httpd/nova-metadata + - { 'path': /var/log/containers/nova, 'setype': svirt_sandbox_file_t } + - { 'path': /var/log/containers/httpd/nova-metadata, 'setype': svirt_sandbox_file_t } - name: nova logs readme copy: dest: /var/log/nova/readme.txt diff --git a/docker/services/logging/files/nova-placement.yaml b/docker/services/logging/files/nova-placement.yaml index 5f9f7f2f11..da8913bf7f 100644 --- a/docker/services/logging/files/nova-placement.yaml +++ b/docker/services/logging/files/nova-placement.yaml @@ -15,8 +15,8 @@ outputs: volumes: description: The volumes needed to log to files in the host. value: &nova_placement_volumes - - /var/log/containers/nova:/var/log/nova - - /var/log/containers/httpd/nova-placement:/var/log/httpd + - /var/log/containers/nova:/var/log/nova:z + - /var/log/containers/httpd/nova-placement:/var/log/httpd:z docker_config: description: Extra containers needed for logging to files in the host. value: 
@@ -32,11 +32,12 @@ outputs: value: - name: create persistent logs directory file: - path: "{{ item }}" + path: "{{ item.path }}" state: directory + setype: "{{ item.setype }}" with_items: - - /var/log/containers/nova - - /var/log/containers/httpd/nova-placement + - { 'path': /var/log/containers/nova, 'setype': svirt_sandbox_file_t } + - { 'path': /var/log/containers/httpd/nova-placement, 'setype': svirt_sandbox_file_t } - name: nova logs readme copy: dest: /var/log/nova/readme.txt diff --git a/docker/services/logging/files/opendaylight-api.yaml b/docker/services/logging/files/opendaylight-api.yaml index d752802905..25b6cb2221 100644 --- a/docker/services/logging/files/opendaylight-api.yaml +++ b/docker/services/logging/files/opendaylight-api.yaml @@ -13,20 +13,21 @@ outputs: volumes: description: The volumes needed to log to files in the host. value: - - /var/log/containers/opendaylight/karaf/logs:/opt/opendaylight/data/log + - /var/log/containers/opendaylight/karaf/logs:/opt/opendaylight/data/log:z host_prep_tasks: description: Extra ansible tasks needed for logging to files in the host. value: - name: create persistent logs directory file: - path: "{{ item }}" + path: "{{ item.path }}" state: directory + setype: "{{ item.setype }}" with_items: - - /var/log/containers/opendaylight/karaf/logs - - /var/log/opendaylight + - { 'path': /var/log/containers/opendaylight/karaf/logs, 'setype': svirt_sandbox_file_t } + - { 'path': /var/log/opendaylight, 'setype': svirt_sandbox_file_t } - name: opendaylight logs readme copy: dest: /var/log/opendaylight/readme.txt content: | Logs from OpenDaylight container can be found at /var/log/containers/opendaylight/karaf/logs/karaf.log - ignore_errors: true \ No newline at end of file + ignore_errors: true diff --git a/docker/services/logging/files/panko-api.yaml b/docker/services/logging/files/panko-api.yaml index ef2e13ede0..e73835d1b4 100644 --- a/docker/services/logging/files/panko-api.yaml 
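Review bot: `/var/log/opendaylight` is given `setype: svirt_sandbox_file_t` in the opendaylight-api `host_prep_tasks` hunk, but as far as this hunk shows that directory is never bind-mounted into a container: the only volume is `/var/log/containers/opendaylight/karaf/logs`, and `/var/log/opendaylight` only receives `readme.txt`. Labelling a host-only directory as container-writable is a small, needless widening, so that item should be created without a container type (a second plain `file:` task with `state: directory` and no `setype`, since the loop applies `{{ item.setype }}` to every entry). If the karaf logs are meant to be reachable under `/var/log/opendaylight` through a mount outside this hunk, a comment on the item saying so would justify the label.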
+++ b/docker/services/logging/files/panko-api.yaml @@ -18,8 +18,8 @@ outputs: volumes: description: The volumes needed to log to files in the host. value: &panko_api_volumes - - /var/log/containers/panko:/var/log/panko - - /var/log/containers/httpd/panko-api:/var/log/httpd + - /var/log/containers/panko:/var/log/panko:z + - /var/log/containers/httpd/panko-api:/var/log/httpd:z docker_config: description: Extra containers needed for logging to files in the host. value: @@ -34,11 +34,12 @@ outputs: value: - name: create persistent logs directory file: - path: "{{ item }}" + path: "{{ item.path }}" state: directory + setype: "{{ item.setype }}" with_items: - - /var/log/containers/panko - - /var/log/containers/httpd/panko-api + - { 'path': /var/log/containers/panko, 'setype': svirt_sandbox_file_t } + - { 'path': /var/log/containers/httpd/panko-api, 'setype': svirt_sandbox_file_t } - name: panko logs readme copy: dest: /var/log/panko/readme.txt diff --git a/docker/services/manila-api.yaml b/docker/services/manila-api.yaml index c25b69f8f4..0b10769353 100644 --- a/docker/services/manila-api.yaml +++ b/docker/services/manila-api.yaml @@ -88,8 +88,8 @@ outputs: image: &manila_api_image {get_param: DockerManilaApiImage} user: root volumes: - - /var/log/containers/manila:/var/log/manila - - /var/log/containers/httpd/manila-api:/var/log/httpd + - /var/log/containers/manila:/var/log/manila:z + - /var/log/containers/httpd/manila-api:/var/log/httpd:z command: ['/bin/bash', '-c', 'chown -R manila:manila /var/log/manila'] step_3: manila_api_db_sync: 
@@ -103,8 +103,8 @@ outputs: - - /var/lib/config-data/manila/etc/my.cnf.d/tripleo.cnf:/etc/my.cnf.d/tripleo.cnf:ro - /var/lib/config-data/manila/etc/manila/:/etc/manila/:ro - - /var/log/containers/manila:/var/log/manila - - /var/log/containers/httpd/manila-api:/var/log/httpd + - /var/log/containers/manila:/var/log/manila:z + - /var/log/containers/httpd/manila-api:/var/log/httpd:z command: "/usr/bin/bootstrap_host_exec manila_api su manila -s /bin/bash -c '/usr/bin/manila-manage db sync'" step_4: manila_api: @@ -117,18 +117,19 @@ outputs: - - /var/lib/kolla/config_files/manila_api.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/manila/:/var/lib/kolla/config_files/src:ro - - /var/log/containers/manila:/var/log/manila - - /var/log/containers/httpd/manila-api:/var/log/httpd + - /var/log/containers/manila:/var/log/manila:z + - /var/log/containers/httpd/manila-api:/var/log/httpd:z environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS host_prep_tasks: - name: Create persistent manila logs directory file: - path: "{{ item }}" + path: "{{ item.path }}" state: directory + setype: "{{ item.setype }}" with_items: - - /var/log/containers/manila - - /var/log/containers/httpd/manila-api + - { 'path': /var/log/containers/manila, 'setype': svirt_sandbox_file_t } + - { 'path': /var/log/containers/httpd/manila-api, 'setype': svirt_sandbox_file_t } - name: manila logs readme copy: dest: /var/log/manila/readme.txt diff --git a/docker/services/manila-common.yaml b/docker/services/manila-common.yaml index 89a3fbab70..41e5d3b01f 100644 --- a/docker/services/manila-common.yaml +++ b/docker/services/manila-common.yaml @@ -62,8 +62,8 @@ outputs: - /run/:/run/ - /sys:/sys - /lib/modules:/lib/modules:ro - - /var/lib/manila:/var/lib/manila - - /var/log/containers/manila:/var/log/manila + - /var/lib/manila:/var/lib/manila:z + - /var/log/containers/manila:/var/log/manila:z - if: - cephfs_nfs_enabled - 
diff --git a/docker/services/manila-scheduler.yaml b/docker/services/manila-scheduler.yaml index 0b5fe7003c..ec8a8c5125 100644 --- a/docker/services/manila-scheduler.yaml +++ b/docker/services/manila-scheduler.yaml @@ -103,7 +103,7 @@ outputs: - - /var/lib/kolla/config_files/manila_scheduler.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/manila/:/var/lib/kolla/config_files/src:ro - - /var/log/containers/manila:/var/log/manila + - /var/log/containers/manila:/var/log/manila:z environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS host_prep_tasks: @@ -111,6 +111,7 @@ outputs: file: path: /var/log/containers/manila state: directory + setype: svirt_sandbox_file_t - name: manila logs readme copy: dest: /var/log/manila/readme.txt diff --git a/docker/services/manila-share.yaml b/docker/services/manila-share.yaml index 3529f90008..bf9873a239 100644 --- a/docker/services/manila-share.yaml +++ b/docker/services/manila-share.yaml @@ -122,11 +122,12 @@ outputs: host_prep_tasks: - name: create persistent directories file: - path: "{{ item }}" + path: "{{ item.path }}" state: directory + setype: "{{ item.setype }}" with_items: - - /var/log/containers/manila - - /var/lib/manila + - { 'path': /var/log/containers/manila, 'setype': svirt_sandbox_file_t } + - { 'path': /var/lib/manila, 'setype': svirt_sandbox_file_t } - name: manila logs readme copy: dest: /var/log/manila/readme.txt diff --git a/docker/services/messaging/notify-rabbitmq.yaml b/docker/services/messaging/notify-rabbitmq.yaml index 845ff7c43c..d48751650c 100644 --- a/docker/services/messaging/notify-rabbitmq.yaml +++ b/docker/services/messaging/notify-rabbitmq.yaml 
@@ -141,7 +141,7 @@ outputs: - /var/lib/kolla/config_files/rabbitmq.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/rabbitmq/:/var/lib/kolla/config_files/src:ro - /var/lib/rabbitmq:/var/lib/rabbitmq:z - - /var/log/containers/rabbitmq:/var/log/rabbitmq + - /var/log/containers/rabbitmq:/var/log/rabbitmq:z - if: - internal_tls_enabled - @@ -181,8 +181,8 @@ outputs: - - /var/lib/kolla/config_files/rabbitmq.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/rabbitmq/:/var/lib/kolla/config_files/src:ro - - /var/lib/rabbitmq:/var/lib/rabbitmq - - /var/log/containers/rabbitmq:/var/log/rabbitmq + - /var/lib/rabbitmq:/var/lib/rabbitmq:z + - /var/log/containers/rabbitmq:/var/log/rabbitmq:z - if: - internal_tls_enabled - @@ -205,7 +205,7 @@ outputs: config_image: *rabbitmq_config_image volumes: - /var/lib/config-data/rabbitmq/etc/rabbitmq/:/etc/rabbitmq/:ro - - /var/lib/rabbitmq:/var/lib/rabbitmq + - /var/lib/rabbitmq:/var/lib/rabbitmq:z metadata_settings: get_attr: [RabbitmqBase, role_data, metadata_settings] host_prep_tasks: diff --git a/docker/services/messaging/rpc-qdrouterd.yaml b/docker/services/messaging/rpc-qdrouterd.yaml index 6428177d4c..f0f31a2bf2 100644 --- a/docker/services/messaging/rpc-qdrouterd.yaml +++ b/docker/services/messaging/rpc-qdrouterd.yaml @@ -95,7 +95,7 @@ outputs: privileged: false user: root volumes: - - /var/log/containers/qdrouterd:/var/log/qdrouterd + - /var/log/containers/qdrouterd:/var/log/qdrouterd:z command: ['/bin/bash', '-c', 'chown -R qdrouterd:qdrouterd /var/log/qdrouterd'] qdrouterd: start_order: 1 
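Review bot: `/var/lib/rabbitmq:/var/lib/rabbitmq:z` in the notify-rabbitmq `@@ -181` and `@@ -205` hunks relabels the broker's state directory with the shared container type, which means every container on the host, not just rabbitmq and its puppet config container, can read it; RabbitMQ typically keeps the Erlang cookie there, and that cookie is a cluster credential. `z` is only required when containers with different MCS labels must access the path concurrently; if the config-image run and the broker are sequential, `Z` (private label) limits access to whichever container mounted it last, and the `@@ -141` context line shows the existing mount already uses `z`, so the choice should be deliberate. Either switch to `Z` or add a comment such as `# shared label on purpose: relabelled by both the config and the service container` so the exposure is documented. The rpc-rabbitmq template receives the identical change.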
@@ -110,17 +110,18 @@ outputs: - - /var/lib/kolla/config_files/qdrouterd.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/qdrouterd/:/var/lib/kolla/config_files/src:ro - - /var/lib/qdrouterd:/var/lib/qdrouterd - - /var/log/containers/qdrouterd:/var/log/qdrouterd + - /var/lib/qdrouterd:/var/lib/qdrouterd:z + - /var/log/containers/qdrouterd:/var/log/qdrouterd:z environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS host_prep_tasks: - name: create persistent logs directory file: - path: "{{ item }}" + path: "{{ item.path }}" state: directory + setype: "{{ item.setype }}" with_items: - - /var/log/containers/qdrouterd - - /var/lib/qdrouterd + - { 'path': /var/log/containers/qdrouterd, 'setype': svirt_sandbox_file_t } + - { 'path': /var/lib/qdrouterd, 'setype': svirt_sandbox_file_t } metadata_settings: get_attr: [QdrouterdBase, role_data, metadata_settings] diff --git a/docker/services/messaging/rpc-rabbitmq.yaml b/docker/services/messaging/rpc-rabbitmq.yaml index 33c1781b20..e6e397ba49 100644 --- a/docker/services/messaging/rpc-rabbitmq.yaml +++ b/docker/services/messaging/rpc-rabbitmq.yaml @@ -141,7 +141,7 @@ outputs: - /var/lib/kolla/config_files/rabbitmq.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/rabbitmq/:/var/lib/kolla/config_files/src:ro - /var/lib/rabbitmq:/var/lib/rabbitmq:z - - /var/log/containers/rabbitmq:/var/log/rabbitmq + - /var/log/containers/rabbitmq:/var/log/rabbitmq:z - if: - internal_tls_enabled - @@ -181,8 +181,8 @@ outputs: - - /var/lib/kolla/config_files/rabbitmq.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/rabbitmq/:/var/lib/kolla/config_files/src:ro - - /var/lib/rabbitmq:/var/lib/rabbitmq - - /var/log/containers/rabbitmq:/var/log/rabbitmq + - /var/lib/rabbitmq:/var/lib/rabbitmq:z + - /var/log/containers/rabbitmq:/var/log/rabbitmq:z - if: - internal_tls_enabled - 
@@ -205,7 +205,7 @@ outputs: config_image: *rabbitmq_config_image volumes: - /var/lib/config-data/rabbitmq/etc/rabbitmq/:/etc/rabbitmq/:ro - - /var/lib/rabbitmq:/var/lib/rabbitmq + - /var/lib/rabbitmq:/var/lib/rabbitmq:z metadata_settings: get_attr: [RabbitmqBase, role_data, metadata_settings] host_prep_tasks: diff --git a/docker/services/metrics/collectd.yaml b/docker/services/metrics/collectd.yaml index e9637e57c3..d39ec79d86 100644 --- a/docker/services/metrics/collectd.yaml +++ b/docker/services/metrics/collectd.yaml @@ -107,7 +107,7 @@ outputs: - - /var/lib/kolla/config_files/collectd.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/collectd/:/var/lib/kolla/config_files/src:ro - - /var/log/containers/collectd:/var/log/collectd:rw + - /var/log/containers/collectd:/var/log/collectd:rw,z - /var/run/openvswitch:/var/run/openvswitch:ro - /var/run/ceph:/var/run/ceph:ro - /var/run/libvirt:/var/run/libvirt:ro @@ -118,6 +118,7 @@ outputs: file: path: /var/log/containers/collectd state: directory + setype: svirt_sandbox_file_t - name: collectd logs readme copy: dest: /var/log/collectd/readme.txt diff --git a/docker/services/metrics/qdr.yaml b/docker/services/metrics/qdr.yaml index b121509466..a5be7724f7 100644 --- a/docker/services/metrics/qdr.yaml +++ b/docker/services/metrics/qdr.yaml @@ -184,7 +184,7 @@ outputs: privileged: false user: root volumes: - - /var/log/containers/metrics-qdr:/var/log/qdrouterd + - /var/log/containers/metrics-qdr:/var/log/qdrouterd:z command: ['/bin/bash', '-c', 'chown -R qdrouterd:qdrouterd /var/log/qdrouterd'] metrics_qdr: start_order: 1 
@@ -199,18 +199,19 @@ outputs: - - /var/lib/kolla/config_files/metrics-qdr.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/metrics-qdr/:/var/lib/kolla/config_files/src:ro - - /var/lib/metrics-qdr:/var/lib/qdrouterd - - /var/log/containers/metrics-qdr:/var/log/qdrouterd + - /var/lib/metrics-qdr:/var/lib/qdrouterd:z + - /var/log/containers/metrics-qdr:/var/log/qdrouterd:z environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS host_prep_tasks: - name: create persistent logs directory file: - path: "{{ item }}" + path: "{{ item.path }}" state: directory + setype: "{{ item.setype }}" with_items: - - /var/log/containers/metrics-qdr - - /var/lib/metrics-qdr + - { 'path': /var/log/containers/metrics-qdr, 'setype': svirt_sandbox_file_t } + - { 'path': /var/lib/metrics-qdr, 'setype': svirt_sandbox_file_t } - name: qrouterd logs readme copy: dest: /var/log/qrouterd/readme-metrics.txt diff --git a/docker/services/mistral-api.yaml b/docker/services/mistral-api.yaml index af2841d698..1b22576cf1 100644 --- a/docker/services/mistral-api.yaml +++ b/docker/services/mistral-api.yaml @@ -113,7 +113,7 @@ outputs: - {get_attr: [ContainersCommon, volumes]} - - /var/lib/config-data/mistral/etc/mistral/:/etc/mistral/:ro - - /var/log/containers/mistral:/var/log/mistral + - /var/log/containers/mistral:/var/log/mistral:z command: "/usr/bin/bootstrap_host_exec mistral_api su mistral -s /bin/bash -c 'mistral-db-manage --config-file /etc/mistral/mistral.conf upgrade head'" step_4: mistral_api: @@ -130,7 +130,7 @@ outputs: - - /var/lib/kolla/config_files/mistral_api.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/mistral/:/var/lib/kolla/config_files/src:ro - - /var/log/containers/mistral:/var/log/mistral + - /var/log/containers/mistral:/var/log/mistral:z environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS step_5: 
@@ -146,7 +146,7 @@ outputs: - {get_attr: [ContainersCommon, volumes]} - - /var/lib/config-data/mistral/etc/mistral/:/etc/mistral/:ro - - /var/log/containers/mistral:/var/log/mistral + - /var/log/containers/mistral:/var/log/mistral:z # NOTE: dprince this requires that we install openstack-tripleo-common into # the Mistral API image so that we get tripleo* actions command: "/usr/bin/bootstrap_host_exec mistral_api su mistral -s /bin/bash -c 'mistral-db-manage --config-file /etc/mistral/mistral.conf populate'" diff --git a/docker/services/neutron-dhcp.yaml b/docker/services/neutron-dhcp.yaml index 5911384f88..5c5f1e1931 100644 --- a/docker/services/neutron-dhcp.yaml +++ b/docker/services/neutron-dhcp.yaml @@ -194,8 +194,8 @@ outputs: list_concat: - {get_attr: [ContainersCommon, docker_puppet_apply_volumes]} - - - /run/openvswitch:/run/openvswitch:z - - /var/lib/neutron:/var/lib/neutron:z + - /run/openvswitch:/run/openvswitch:shared,z + - /var/lib/neutron:/var/lib/neutron:shared,z step_4: neutron_dhcp: start_order: 10 @@ -204,6 +204,7 @@ outputs: pid: host privileged: true restart: always + security_opt: 'label=disable' healthcheck: test: list_join: @@ -222,9 +223,9 @@ outputs: - /var/lib/kolla/config_files/neutron_dhcp.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/neutron/:/var/lib/kolla/config_files/src:ro - /lib/modules:/lib/modules:ro - - /run/openvswitch:/run/openvswitch - - /var/lib/neutron:/var/lib/neutron - - /run/netns:/run/netns:shared + - /run/openvswitch:/run/openvswitch:shared,z + - /var/lib/neutron:/var/lib/neutron:shared,z + - /run/netns:/run/netns:shared,z - if: - docker_enabled diff --git a/docker/services/neutron-l3.yaml b/docker/services/neutron-l3.yaml index 34d3363a24..2db1af1330 100644 --- a/docker/services/neutron-l3.yaml +++ b/docker/services/neutron-l3.yaml 
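Review bot: `security_opt: 'label=disable'` on `neutron_dhcp` (the `@@ -204` hunk) switches off SELinux confinement for a container that the same hunk shows already runs with `privileged: true` and `pid: host`, leaving the agent as fully unconfined root on the host. The hunk gives no reason; a comment naming the denial it works around and a TODO to replace it with a policy change (`# label=disable: <AVC/bug ref> — confined container cannot reach /run/netns; remove once policy allows it`) would keep this from becoming permanent. Note also that a container without an SELinux label has no mount label for the daemon to relabel with, so the `:z` added to `/run/openvswitch`, `/var/lib/neutron` and `/run/netns` in the `@@ -222` hunk may be inert for this container and only take effect via the puppet-apply mounts in `@@ -194` or other services mounting the same paths; worth verifying on an enforcing host. The neutron_dhcp definition continues past the end of the hunk.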
@@ -193,8 +193,8 @@ outputs: list_concat: - {get_attr: [ContainersCommon, docker_puppet_apply_volumes]} - - - /run/openvswitch:/run/openvswitch:z - - /var/lib/neutron:/var/lib/neutron:z + - /run/openvswitch:/run/openvswitch:shared,z + - /var/lib/neutron:/var/lib/neutron:shared,z step_4: neutron_l3_agent: start_order: 10 @@ -221,9 +221,9 @@ outputs: - /var/lib/kolla/config_files/neutron_l3_agent.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/neutron/:/var/lib/kolla/config_files/src:ro - /lib/modules:/lib/modules:ro - - /run/openvswitch:/run/openvswitch - - /var/lib/neutron:/var/lib/neutron - - /run/netns:/run/netns:shared + - /run/openvswitch:/run/openvswitch:shared,z + - /var/lib/neutron:/var/lib/neutron:shared,z + - /run/netns:/run/netns:shared,z - if: - docker_enabled diff --git a/docker/services/neutron-metadata.yaml b/docker/services/neutron-metadata.yaml index 68fd0f6d65..021f115387 100644 --- a/docker/services/neutron-metadata.yaml +++ b/docker/services/neutron-metadata.yaml @@ -130,7 +130,7 @@ outputs: - /var/lib/kolla/config_files/neutron_metadata_agent.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/neutron/:/var/lib/kolla/config_files/src:ro - /lib/modules:/lib/modules:ro - - /var/lib/neutron:/var/lib/neutron:z + - /var/lib/neutron:/var/lib/neutron:shared,z environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS metadata_settings: diff --git a/docker/services/neutron-ovs-agent.yaml b/docker/services/neutron-ovs-agent.yaml index d6af8bbc01..7376e8f672 100644 --- a/docker/services/neutron-ovs-agent.yaml +++ b/docker/services/neutron-ovs-agent.yaml @@ -100,7 +100,7 @@ outputs: # on the unix domain socket - /run/openvswitch/db.sock volumes: - /lib/modules:/lib/modules:ro - - /run/openvswitch:/run/openvswitch:z + - /run/openvswitch:/run/openvswitch:shared,z kolla_config: /var/lib/kolla/config_files/neutron_ovs_agent.json: command: /neutron_ovs_agent_launcher.sh 
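Review bot: `neutron_l3_agent` receives the same `shared,z` relabels on `/run/openvswitch`, `/var/lib/neutron` and `/run/netns` as `neutron_dhcp` (the `@@ -221` hunk), but unlike the dhcp and ovs agents elsewhere in this change it gets no `security_opt: 'label=disable'`. That asymmetry may be intentional, and a confined l3 agent is the better outcome, but both agents create network namespaces, so the denial that motivated disabling labels on dhcp is plausible here too; a comment like `# runs confined: the :z relabels below are what grant access to /run/netns` would record that the l3 agent was tested in enforcing mode. The agent's `privileged`/`pid` options are outside this hunk, so I cannot confirm its other settings.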
@@ -130,6 +130,7 @@ outputs: pid: host user: root privileged: true + security_opt: 'label=disable' command: - puppet - apply @@ -147,10 +148,10 @@ outputs: - /var/lib/kolla/config_files/neutron_ovs_agent.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/neutron/:/var/lib/kolla/config_files/src:ro - /lib/modules:/lib/modules:ro - - /run/openvswitch:/run/openvswitch + - /run/openvswitch:/run/openvswitch:shared,z - /etc/puppet:/etc/puppet:ro - /usr/share/openstack-puppet/modules/:/usr/share/openstack-puppet/modules/:ro - - /var/run/openvswitch/:/var/run/openvswitch/ + - /var/run/openvswitch/:/var/run/openvswitch/:shared,z environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS step_4: @@ -160,6 +161,7 @@ outputs: net: host pid: host privileged: true + security_opt: 'label=disable' restart: always healthcheck: test: @@ -180,7 +182,7 @@ outputs: - /var/lib/config-data/puppet-generated/neutron/:/var/lib/kolla/config_files/src:ro - /var/lib/docker-config-scripts/neutron_ovs_agent_launcher.sh:/neutron_ovs_agent_launcher.sh:ro - /lib/modules:/lib/modules:ro - - /run/openvswitch:/run/openvswitch + - /run/openvswitch:/run/openvswitch:shared,z environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS metadata_settings: diff --git a/docker/services/nova-compute.yaml b/docker/services/nova-compute.yaml index b4192701be..71281c6456 100644 --- a/docker/services/nova-compute.yaml +++ b/docker/services/nova-compute.yaml @@ -228,7 +228,7 @@ outputs: - /lib/modules:/lib/modules:ro - /run:/run - /var/lib/nova:/var/lib/nova:shared,z - - /var/lib/libvirt:/var/lib/libvirt + - /var/lib/libvirt:/var/lib/libvirt:shared,z - /sys/class/net:/sys/class/net - /sys/bus/pci:/sys/bus/pci environment: diff --git a/docker/services/nova-ironic.yaml b/docker/services/nova-ironic.yaml index 9a7f99645e..f4e85aad85 100644 --- a/docker/services/nova-ironic.yaml +++ b/docker/services/nova-ironic.yaml 
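Review bot: In the `@@ -147` hunk the neutron_ovs_agent puppet config container now bind-mounts `/run/openvswitch` and `/var/run/openvswitch/` as two separate `shared,z` volumes; on a systemd host `/var/run` is a symlink to `/run`, so this is the same directory mounted and relabelled twice and the second line can be dropped. The same set of hunks adds `security_opt: 'label=disable'` both to the long-running agent (`@@ -160`) and to the `privileged: true`, `pid: host` puppet run (`@@ -130`); if puppet only needs `db.sock` (the comment in the earlier `@@ -100` hunk of this file points at that socket), the `shared,z` relabel of `/run/openvswitch` should already cover it and the puppet container could stay confined. Each `security_opt` line should carry a comment naming the denial it avoids so it can be removed once policy catches up. The agent definitions continue outside these hunks.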
@@ -110,7 +110,7 @@ outputs: privileged: false detach: false volumes: - - /var/lib/nova:/var/lib/nova:z + - /var/lib/nova:/var/lib/nova:shared,z - /var/lib/docker-config-scripts/:/docker-config-scripts/ command: "/docker-config-scripts/nova_statedir_ownership.py" step_5: @@ -139,7 +139,7 @@ outputs: - /run:/run - /dev:/dev - /var/lib/nova/:/var/lib/nova:shared,z - - /var/log/containers/nova:/var/log/nova + - /var/log/containers/nova:/var/log/nova:z environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS host_prep_tasks: diff --git a/docker/services/nova-libvirt.yaml b/docker/services/nova-libvirt.yaml index 0c036b221a..cd4a1dc71b 100644 --- a/docker/services/nova-libvirt.yaml +++ b/docker/services/nova-libvirt.yaml @@ -340,11 +340,11 @@ outputs: - /sys/fs/cgroup:/sys/fs/cgroup - /var/lib/nova:/var/lib/nova:shared,z - /etc/libvirt:/etc/libvirt - - /var/run/libvirt:/var/run/libvirt - - /var/lib/libvirt:/var/lib/libvirt - - /var/log/containers/libvirt:/var/log/libvirt + - /var/run/libvirt:/var/run/libvirt:shared,z + - /var/lib/libvirt:/var/lib/libvirt:shared,z + - /var/log/containers/libvirt:/var/log/libvirt:z - /var/log/libvirt/qemu:/var/log/libvirt/qemu:ro - - /var/lib/vhost_sockets:/var/lib/vhost_sockets + - /var/lib/vhost_sockets:/var/lib/vhost_sockets:z - /sys/fs/selinux:/sys/fs/selinux - if: @@ -403,8 +403,8 @@ outputs: - - /var/lib/config-data/puppet-generated/nova_libvirt/etc/nova:/etc/nova:ro - /etc/libvirt:/etc/libvirt - - /var/run/libvirt:/var/run/libvirt - - /var/lib/libvirt:/var/lib/libvirt + - /var/run/libvirt:/var/run/libvirt:shared,z + - /var/lib/libvirt:/var/lib/libvirt:shared,z command: - /bin/bash - -c diff --git a/docker/services/octavia-api.yaml b/docker/services/octavia-api.yaml index 69826d031d..6bb8dc12fa 100644 --- a/docker/services/octavia-api.yaml +++ b/docker/services/octavia-api.yaml 
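Review bot: `/var/lib/vhost_sockets:/var/lib/vhost_sockets:z` in the nova_libvirt `@@ -340` hunk relabels the vhost-user socket directory to the container type, yet those sockets are consumed by Open vSwitch, which may run confined on the host rather than in this container; if its domain is not allowed to create or connect sockets under `container_file_t`, DPDK guests will fail to attach, so this needs checking on an enforcing DPDK host before merging. In the same hunk `/etc/libvirt:/etc/libvirt` is left with no label option while `/var/run/libvirt` and `/var/lib/libvirt` get `shared,z`; if the container is confined it cannot write there, and if it is unconfined the relabels are moot, so a comment stating which case applies (`# /etc/libvirt not relabelled: container only reads it`, if that is so) would help. The container's `privileged`/`security_opt` settings are outside this hunk.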
@@ -125,8 +125,8 @@ outputs:
# octavia services, hence the same container image to generate
# configuration.
- /var/lib/config-data/puppet-generated/octavia/etc/octavia:/etc/octavia/
- - /var/log/containers/octavia:/var/log/octavia
- - /var/log/containers/httpd/octavia-api:/var/log/httpd
+ - /var/log/containers/octavia:/var/log/octavia:z
+ - /var/log/containers/httpd/octavia-api:/var/log/httpd:z
command: ['/bin/bash', '-c', 'mkdir -p /etc/octavia/conf.d/octavia-api; chown -R octavia:octavia /etc/octavia/conf.d/octavia-api; chown -R octavia:octavia /var/log/octavia']
step_3:
octavia_db_sync:
@@ -142,8 +142,8 @@ outputs:
- - /var/lib/config-data/octavia/etc/octavia/:/etc/octavia/:ro
- /var/lib/config-data/octavia/etc/my.cnf.d/:/etc/my.cnf.d/:ro
- - /var/log/containers/octavia:/var/log/octavia
- - /var/log/containers/httpd/octavia-api:/var/log/httpd
+ - /var/log/containers/octavia:/var/log/octavia:z
+ - /var/log/containers/httpd/octavia-api:/var/log/httpd:z
command: "/usr/bin/bootstrap_host_exec octavia_api su octavia -s /bin/bash -c '/usr/bin/octavia-db-manage upgrade head'"
step_4:
map_merge:
@@ -161,8 +161,8 @@ outputs:
- - /var/lib/kolla/config_files/octavia_api.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/octavia/:/var/lib/kolla/config_files/src:ro
- - /var/log/containers/octavia:/var/log/octavia
- - /var/log/containers/httpd/octavia-api:/var/log/httpd
+ - /var/log/containers/octavia:/var/log/octavia:z
+ - /var/log/containers/httpd/octavia-api:/var/log/httpd:z
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
- if:
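Review bot: The step_2 mount `- /var/lib/config-data/puppet-generated/octavia/etc/octavia:/etc/octavia/` in octavia-api (hunk -125) stays without `:z`, while the identical mount in octavia-health-manager, octavia-housekeeping and octavia-worker gets `:z` in this same commit, and the command on the next line chowns into that directory. On a node that runs only octavia-api nothing relabels that host path, so under enforcing mode the chown can be denied; where the services are co-located it works only because a sibling container happens to relabel the same directory first. Suggest `- /var/lib/config-data/puppet-generated/octavia/etc/octavia:/etc/octavia/:z` here for consistency with the other three templates. The container definition starts outside the hunk.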
@@ -187,11 +187,12 @@ outputs:
host_prep_tasks:
- name: create persistent logs directory
file:
- path: "{{ item }}"
+ path: "{{ item.path }}"
state: directory
+ setype: "{{ item.setype }}"
with_items:
- - /var/log/containers/octavia
- - /var/log/containers/httpd/octavia-api
+ - { 'path': /var/log/containers/octavia, 'setype': svirt_sandbox_file_t }
+ - { 'path': /var/log/containers/httpd/octavia-api, 'setype': svirt_sandbox_file_t }
- name: octavia logs readme
copy:
dest: /var/log/octavia/readme.txt
diff --git a/docker/services/octavia-health-manager.yaml b/docker/services/octavia-health-manager.yaml
index dbf3424150..e89905baf4 100644
--- a/docker/services/octavia-health-manager.yaml
+++ b/docker/services/octavia-health-manager.yaml
@@ -106,7 +106,7 @@ outputs:
# missing here because we use the same config_volume for all
# octavia services, hence the same container image to generate
# configuration.
- - /var/lib/config-data/puppet-generated/octavia/etc/octavia:/etc/octavia/
+ - /var/lib/config-data/puppet-generated/octavia/etc/octavia:/etc/octavia/:z
command: ['/bin/bash', '-c', 'mkdir -p /etc/octavia/conf.d/octavia-health-manager; chown -R octavia:octavia /etc/octavia/conf.d/octavia-health-manager']
step_4:
octavia_health_manager:
@@ -123,7 +123,7 @@ outputs:
- - /var/lib/kolla/config_files/octavia_health_manager.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/octavia/:/var/lib/kolla/config_files/src:ro
- - /var/log/containers/octavia:/var/log/octavia
+ - /var/log/containers/octavia:/var/log/octavia:z
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
host_prep_tasks:
@@ -131,6 +131,7 @@ outputs:
file:
path: /var/log/containers/octavia
state: directory
+ setype: svirt_sandbox_file_t
- name: octavia logs readme
copy:
dest: /var/log/octavia/readme.txt
diff --git a/docker/services/octavia-housekeeping.yaml b/docker/services/octavia-housekeeping.yaml
index 96c74f1bd6..5ab9eedd43 100644
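Review bot: The new `with_items` entries in hunk -187, `- { 'path': /var/log/containers/octavia, 'setype': svirt_sandbox_file_t }`, mix single-quoted keys with bare values inside flow mappings; the same shape is repeated in ovn-dbs, pacemaker/cinder-backup, pacemaker/database/redis, pacemaker/manila-share, pacemaker/notify-rabbitmq, pacemaker/ovn-dbs, pacemaker/rabbitmq, pacemaker/rpc-rabbitmq and qdrouterd. Block style with plain keys (`- path: /var/log/containers/octavia` followed by `  setype: svirt_sandbox_file_t`) reads more easily and diffs cleanly when another attribute is added later. Separately, `setype` on the Ansible `file` module only changes the label of the inode at creation time and does not record a file-context rule, so a later `restorecon` on the host reverts it; for paths that are also bind-mounted with `:z` the runtime reapplies the label at container start, but any directory listed here that has no matching `:z` mount deserves a comment such as `# label is not persisted in the fcontext db; a host relabel will reset it`.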
--- a/docker/services/octavia-housekeeping.yaml
+++ b/docker/services/octavia-housekeeping.yaml
@@ -102,7 +102,7 @@ outputs:
# missing here because we use the same config_volume for all
# octavia services, hence the same container image to generate
# configuration.
- - /var/lib/config-data/puppet-generated/octavia/etc/octavia:/etc/octavia/
+ - /var/lib/config-data/puppet-generated/octavia/etc/octavia:/etc/octavia/:z
command: ['/bin/bash', '-c', 'mkdir -p /etc/octavia/conf.d/octavia-housekeeping; chown -R octavia:octavia /etc/octavia/conf.d/octavia-housekeeping']
step_4:
octavia_housekeeping:
@@ -119,7 +119,7 @@ outputs:
- - /var/lib/kolla/config_files/octavia_housekeeping.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/octavia/:/var/lib/kolla/config_files/src:ro
- - /var/log/containers/octavia:/var/log/octavia
+ - /var/log/containers/octavia:/var/log/octavia:z
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
host_prep_tasks:
@@ -127,6 +127,7 @@ outputs:
file:
path: /var/log/containers/octavia
state: directory
+ setype: svirt_sandbox_file_t
- name: octavia logs readme
copy:
dest: /var/log/octavia/readme.txt
diff --git a/docker/services/octavia-worker.yaml b/docker/services/octavia-worker.yaml
index c45028a842..6798d82d3b 100644
--- a/docker/services/octavia-worker.yaml
+++ b/docker/services/octavia-worker.yaml
@@ -109,7 +109,7 @@ outputs:
# missing here because we use the same config_volume for all
# octavia services, hence the same container image to generate
# configuration.
- - /var/lib/config-data/puppet-generated/octavia/etc/octavia:/etc/octavia/
+ - /var/lib/config-data/puppet-generated/octavia/etc/octavia:/etc/octavia/:z
command: ['/bin/bash', '-c', 'mkdir -p /etc/octavia/conf.d/octavia-worker; chown -R octavia:octavia /etc/octavia/conf.d/octavia-worker']
step_4:
octavia_worker:
@@ -133,7 +133,7 @@ outputs:
- - /var/lib/kolla/config_files/octavia_worker.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/octavia/:/var/lib/kolla/config_files/src:ro
- - /var/log/containers/octavia:/var/log/octavia
+ - /var/log/containers/octavia:/var/log/octavia:z
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
docker_puppet_tasks:
@@ -150,6 +150,7 @@ outputs:
file:
path: /var/log/containers/octavia
state: directory
+ setype: svirt_sandbox_file_t
- name: octavia logs readme
copy:
dest: /var/log/octavia/readme.txt
diff --git a/docker/services/ovn-controller.yaml b/docker/services/ovn-controller.yaml
index 701b83c58f..b06882f136 100644
--- a/docker/services/ovn-controller.yaml
+++ b/docker/services/ovn-controller.yaml
@@ -75,7 +75,7 @@ outputs:
# on the unix domain socket - /run/openvswitch/db.sock
volumes:
- /lib/modules:/lib/modules:ro
- - /run/openvswitch:/run/openvswitch
+ - /run/openvswitch:/run/openvswitch:shared,z
kolla_config:
/var/lib/kolla/config_files/ovn_controller.json:
command: /usr/bin/ovn-controller --pidfile --log-file unix:/run/openvswitch/db.sock
@@ -98,7 +98,7 @@ outputs:
- {get_attr: [ContainersCommon, volumes]}
- - /lib/modules:/lib/modules:ro
- - /run/openvswitch:/run/openvswitch
+ - /run/openvswitch:/run/openvswitch:shared,z
ovn_controller:
start_order: 1
image: *ovn_controller_image
@@ -122,7 +122,7 @@ outputs:
# openvswitch systemd script is fixed to not delete /run/openvswitch
# folder in the host when openvswitch service is stopped.
- /run:/run
- - /var/log/containers/openvswitch:/var/log/openvswitch
+ - /var/log/containers/openvswitch:/var/log/openvswitch:z
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
host_prep_tasks:
@@ -130,6 +130,7 @@ outputs:
file:
path: /var/log/containers/openvswitch
state: directory
+ setype: svirt_sandbox_file_t
- name: openvswitch logs readme
copy:
dest: /var/log/openvswitch/readme.txt
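Review bot: `- /run/openvswitch:/run/openvswitch:shared,z` in ovn-controller (hunk -75, again at -98, and the same mount in neutron-ovs-agent and ovn-metadata) recursively relabels the host socket directory, and the comment in hunk -122 says openvswitch itself runs as a host systemd service on that very directory. The host openvswitch domain therefore also has to be allowed on the new label, otherwise the host daemon is denied on db.sock after its next restart while the containers keep working; the templates cannot show whether the host policy permits that, so it should be confirmed under enforcing mode. I would record the dependency above the mount, e.g. `# :z relabels the host OVS socket dir; host openvswitch must be allowed to use that label`. The `docker_config_scripts`/container definitions these volumes belong to start outside the hunks.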
diff --git a/docker/services/ovn-dbs.yaml b/docker/services/ovn-dbs.yaml
index 2685b1b0b2..2f270fd04b 100644
--- a/docker/services/ovn-dbs.yaml
+++ b/docker/services/ovn-dbs.yaml
@@ -139,9 +139,9 @@ outputs:
- - /var/lib/kolla/config_files/ovn_north_db_server.json:/var/lib/kolla/config_files/config.json:ro
- /lib/modules:/lib/modules:ro
- - /var/lib/openvswitch/ovn:/var/lib/openvswitch
- - /var/lib/openvswitch/ovn:/run/openvswitch
- - /var/log/containers/openvswitch:/var/log/openvswitch
+ - /var/lib/openvswitch/ovn:/var/lib/openvswitch:shared,z
+ - /var/lib/openvswitch/ovn:/run/openvswitch:shared,z
+ - /var/log/containers/openvswitch:/var/log/openvswitch:z
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
ovn_south_db_server:
@@ -156,9 +156,9 @@ outputs:
- - /var/lib/kolla/config_files/ovn_south_db_server.json:/var/lib/kolla/config_files/config.json:ro
- /lib/modules:/lib/modules:ro
- - /var/lib/openvswitch/ovn:/var/lib/openvswitch
- - /var/lib/openvswitch/ovn:/run/openvswitch
- - /var/log/containers/openvswitch:/var/log/openvswitch
+ - /var/lib/openvswitch/ovn:/var/lib/openvswitch:shared,z
+ - /var/lib/openvswitch/ovn:/run/openvswitch:shared,z
+ - /var/log/containers/openvswitch:/var/log/openvswitch:z
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
configure_ovn_north_db_server:
@@ -185,18 +185,19 @@ outputs:
- - /var/lib/kolla/config_files/ovn_northd.json:/var/lib/kolla/config_files/config.json:ro
- /lib/modules:/lib/modules:ro
- - /var/lib/openvswitch/ovn:/run/openvswitch
- - /var/log/containers/openvswitch:/var/log/openvswitch
+ - /var/lib/openvswitch/ovn:/run/openvswitch:shared,z
+ - /var/log/containers/openvswitch:/var/log/openvswitch:z
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
host_prep_tasks:
- name: create persistent directories
file:
- path: "{{ item }}"
+ path: "{{ item.path }}"
state: directory
+ setype: "{{ item.setype }}"
with_items:
- - /var/log/containers/openvswitch
- - /var/lib/openvswitch/ovn
+ - { 'path': /var/log/containers/openvswitch, 'setype': svirt_sandbox_file_t }
+ - { 'path': /var/lib/openvswitch/ovn, 'setype': svirt_sandbox_file_t }
- name: openvswitch logs readme
copy:
dest: /var/log/openvswitch/readme.txt
diff --git a/docker/services/ovn-metadata.yaml b/docker/services/ovn-metadata.yaml
index f9ef2654ed..d7eb9a50e8 100644
--- a/docker/services/ovn-metadata.yaml
+++ b/docker/services/ovn-metadata.yaml
@@ -111,7 +111,7 @@ outputs:
config_image: {get_param: DockerNeutronConfigImage}
volumes:
- /lib/modules:/lib/modules:ro
- - /run/openvswitch:/run/openvswitch
+ - /run/openvswitch:/run/openvswitch:shared,z
kolla_config:
/var/lib/kolla/config_files/ovn_metadata_agent.json:
command:
@@ -152,8 +152,8 @@ outputs:
list_concat:
- {get_attr: [ContainersCommon, docker_puppet_apply_volumes]}
- - - /run/openvswitch:/run/openvswitch
- - /var/lib/neutron:/var/lib/neutron
+ - /run/openvswitch:/run/openvswitch:shared,z
+ - /var/lib/neutron:/var/lib/neutron:shared,z
step_4:
setup_ovs_manager:
start_order: 0
@@ -172,7 +172,7 @@ outputs:
list_concat:
- {get_attr: [ContainersCommon, docker_puppet_apply_volumes]}
- - /lib/modules:/lib/modules:ro
- - /run/openvswitch:/run/openvswitch
+ - /run/openvswitch:/run/openvswitch:shared,z
ovn_metadata_agent:
start_order: 1
image: {get_param: DockerOvnMetadataImage}
@@ -190,9 +190,9 @@ outputs:
- /var/lib/kolla/config_files/ovn_metadata_agent.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/neutron/:/var/lib/kolla/config_files/src:ro
- /lib/modules:/lib/modules:ro
- - /run/openvswitch:/run/openvswitch
- - /var/lib/neutron:/var/lib/neutron
- - /run/netns:/run/netns:shared
+ - /run/openvswitch:/run/openvswitch:shared,z
+ - /var/lib/neutron:/var/lib/neutron:shared,z
+ - /run/netns:/run/netns:shared,z
- if:
- docker_enabled
@@ -214,6 +214,7 @@ outputs:
file:
path: /var/lib/neutron
state: directory
+ setype: svirt_sandbox_file_t
upgrade_tasks:
- when: step|int == 0
tags: common
diff --git a/docker/services/pacemaker/cinder-backup.yaml b/docker/services/pacemaker/cinder-backup.yaml
index e6388bcdbe..1f40129544 100644
--- a/docker/services/pacemaker/cinder-backup.yaml
+++ b/docker/services/pacemaker/cinder-backup.yaml
@@ -165,7 +165,7 @@ outputs:
privileged: false
user: root
volumes:
- - /var/log/containers/cinder:/var/log/cinder
+ - /var/log/containers/cinder:/var/log/cinder:z
command: ['/bin/bash', '-c', 'chown -R cinder:cinder /var/log/cinder']
step_5:
cinder_backup_restart_bundle:
@@ -221,11 +221,12 @@ outputs:
host_prep_tasks:
- name: create persistent directories
file:
- path: "{{ item }}"
+ path: "{{ item.path }}"
state: directory
+ setype: "{{ item.setype }}"
with_items:
- - /var/lib/cinder
- - /var/log/containers/cinder
+ - { 'path': /var/lib/cinder, 'setype': svirt_sandbox_file_t }
+ - { 'path': /var/log/containers/cinder, 'setype': svirt_sandbox_file_t }
- name: cinder logs readme
copy:
dest: /var/log/cinder/readme.txt
diff --git a/docker/services/pacemaker/database/redis.yaml b/docker/services/pacemaker/database/redis.yaml
index f8b1c2a4e8..c5af890583 100644
--- a/docker/services/pacemaker/database/redis.yaml
+++ b/docker/services/pacemaker/database/redis.yaml
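Review bot: `- /run/netns:/run/netns:shared,z` (hunk -190 of ovn-metadata) asks the runtime to recursively relabel a directory whose entries are network-namespace bind mounts rather than regular files, and the template gives no indication whether that relabel succeeds, is skipped, or fails at container start on an enforcing host. This should be verified on a real node before merge, and the outcome recorded above the line, e.g. `# :z on /run/netns: verified that only the directory itself needs the label`, so the next reader knows the `z` is intentional rather than copied from the sibling mounts. The volume list this belongs to starts outside the hunk.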
@@ -263,12 +263,13 @@ outputs:
host_prep_tasks:
- name: create persistent directories
file:
- path: "{{ item }}"
+ path: "{{ item.path }}"
state: directory
+ setype: "{{ item.setype }}"
with_items:
- - /var/lib/redis
- - /var/log/containers/redis
- - /var/run/redis
+ - { 'path': /var/lib/redis, 'setype': svirt_sandbox_file_t }
+ - { 'path': /var/log/containers/redis, 'setype': svirt_sandbox_file_t }
+ - { 'path': /var/run/redis, 'setype': svirt_sandbox_file_t }
- name: redis logs readme
copy:
dest: /var/log/redis/readme.txt
diff --git a/docker/services/pacemaker/manila-share.yaml b/docker/services/pacemaker/manila-share.yaml
index d6bb440ce0..cd14a8569c 100644
--- a/docker/services/pacemaker/manila-share.yaml
+++ b/docker/services/pacemaker/manila-share.yaml
@@ -132,7 +132,7 @@ outputs:
privileged: false
user: root
volumes:
- - /var/log/containers/manila:/var/log/manila
+ - /var/log/containers/manila:/var/log/manila:z
command: ['/bin/bash', '-c', 'chown -R manila:manila /var/log/manila']
step_5:
manila_share_restart_bundle:
@@ -188,11 +188,12 @@ outputs:
host_prep_tasks:
- name: create persistent directories
file:
- path: "{{ item }}"
+ path: "{{ item.path }}"
state: directory
+ setype: "{{ item.setype }}"
with_items:
- - /var/log/containers/manila
- - /var/lib/manila
+ - { 'path': /var/log/containers/manila, 'setype': svirt_sandbox_file_t }
+ - { 'path': /var/lib/manila, 'setype': svirt_sandbox_file_t }
- name: manila logs readme
copy:
dest: /var/log/manila/readme.txt
diff --git a/docker/services/pacemaker/notify-rabbitmq.yaml b/docker/services/pacemaker/notify-rabbitmq.yaml
index 89b3023135..95c1d7a028 100644
--- a/docker/services/pacemaker/notify-rabbitmq.yaml
+++ b/docker/services/pacemaker/notify-rabbitmq.yaml
@@ -157,7 +157,7 @@ outputs:
- /var/lib/config-data/puppet-generated/rabbitmq/:/var/lib/kolla/config_files/src:ro
- /etc/hosts:/etc/hosts:ro
- /etc/localtime:/etc/localtime:ro
- - /var/lib/rabbitmq:/var/lib/rabbitmq
+ - /var/lib/rabbitmq:/var/lib/rabbitmq:z
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
- KOLLA_BOOTSTRAP=True
@@ -227,11 +227,12 @@ outputs:
host_prep_tasks:
- name: create persistent directories
file:
- path: "{{ item }}"
+ path: "{{ item.path }}"
state: directory
+ setype: "{{ item.setype }}"
with_items:
- - /var/lib/rabbitmq
- - /var/log/containers/rabbitmq
+ - { 'path': /var/lib/rabbitmq, 'setype': svirt_sandbox_file_t }
+ - { 'path': /var/log/containers/rabbitmq, 'setype': svirt_sandbox_file_t }
- name: rabbitmq logs readme
copy:
dest: /var/log/rabbitmq/readme.txt
diff --git a/docker/services/pacemaker/ovn-dbs.yaml b/docker/services/pacemaker/ovn-dbs.yaml
index 36bf20340a..f8057247cd 100644
--- a/docker/services/pacemaker/ovn-dbs.yaml
+++ b/docker/services/pacemaker/ovn-dbs.yaml
@@ -174,11 +174,12 @@ outputs:
host_prep_tasks:
- name: create persistent directories
file:
- path: "{{ item }}"
+ path: "{{ item.path }}"
state: directory
+ setype: "{{ item.setype }}"
with_items:
- - /var/log/containers/openvswitch
- - /var/lib/openvswitch/ovn
+ - { 'path': /var/log/containers/openvswitch, 'setype': svirt_sandbox_file_t }
+ - { 'path': /var/lib/openvswitch/ovn, 'setype': svirt_sandbox_file_t }
- name: openvswitch logs readme
copy:
dest: /var/log/openvswitch/readme.txt
diff --git a/docker/services/pacemaker/rabbitmq.yaml b/docker/services/pacemaker/rabbitmq.yaml
index 26d253ecb9..82ddae0d88 100644
--- a/docker/services/pacemaker/rabbitmq.yaml
+++ b/docker/services/pacemaker/rabbitmq.yaml
@@ -156,7 +156,7 @@ outputs:
- /var/lib/config-data/puppet-generated/rabbitmq/:/var/lib/kolla/config_files/src:ro
- /etc/hosts:/etc/hosts:ro
- /etc/localtime:/etc/localtime:ro
- - /var/lib/rabbitmq:/var/lib/rabbitmq
+ - /var/lib/rabbitmq:/var/lib/rabbitmq:z
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
- KOLLA_BOOTSTRAP=True
@@ -226,11 +226,12 @@ outputs:
host_prep_tasks:
- name: create persistent directories
file:
- path: "{{ item }}"
+ path: "{{ item.path }}"
state: directory
+ setype: "{{ item.setype }}"
with_items:
- - /var/lib/rabbitmq
- - /var/log/containers/rabbitmq
+ - { 'path': /var/lib/rabbitmq, 'setype': svirt_sandbox_file_t }
+ - { 'path': /var/log/containers/rabbitmq, 'setype': svirt_sandbox_file_t }
- name: rabbitmq logs readme
copy:
dest: /var/log/rabbitmq/readme.txt
diff --git a/docker/services/pacemaker/rpc-rabbitmq.yaml b/docker/services/pacemaker/rpc-rabbitmq.yaml
index d1c80342d2..fcca2c94fc 100644
--- a/docker/services/pacemaker/rpc-rabbitmq.yaml
+++ b/docker/services/pacemaker/rpc-rabbitmq.yaml
@@ -157,7 +157,7 @@ outputs:
- /var/lib/config-data/puppet-generated/rabbitmq/:/var/lib/kolla/config_files/src:ro
- /etc/hosts:/etc/hosts:ro
- /etc/localtime:/etc/localtime:ro
- - /var/lib/rabbitmq:/var/lib/rabbitmq
+ - /var/lib/rabbitmq:/var/lib/rabbitmq:z
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
- KOLLA_BOOTSTRAP=True
@@ -229,11 +229,12 @@ outputs:
host_prep_tasks:
- name: create persistent directories
file:
- path: "{{ item }}"
+ path: "{{ item.path }}"
state: directory
+ setype: "{{ item.setype }}"
with_items:
- - /var/lib/rabbitmq
- - /var/log/containers/rabbitmq
+ - { 'path': /var/lib/rabbitmq, 'setype': svirt_sandbox_file_t }
+ - { 'path': /var/log/containers/rabbitmq, 'setype': svirt_sandbox_file_t }
- name: rabbitmq logs readme
copy:
dest: /var/log/rabbitmq/readme.txt
diff --git a/docker/services/qdrouterd.yaml b/docker/services/qdrouterd.yaml
index d15fa01289..f7103053ff 100644
--- a/docker/services/qdrouterd.yaml
+++ b/docker/services/qdrouterd.yaml
@@ -87,7 +87,7 @@ outputs:
privileged: false
user: root
volumes:
- - /var/log/containers/qdrouterd:/var/log/qdrouterd
+ - /var/log/containers/qdrouterd:/var/log/qdrouterd:z
command: ['/bin/bash', '-c', 'chown -R qdrouterd:qdrouterd /var/log/qdrouterd']
qdrouterd:
start_order: 1
@@ -102,18 +102,19 @@ outputs:
- - /var/lib/kolla/config_files/qdrouterd.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/qdrouterd/:/var/lib/kolla/config_files/src:ro
- - /var/lib/qdrouterd:/var/lib/qdrouterd
- - /var/log/containers/qdrouterd:/var/log/qdrouterd
+ - /var/lib/qdrouterd:/var/lib/qdrouterd:z
+ - /var/log/containers/qdrouterd:/var/log/qdrouterd:z
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
host_prep_tasks:
- name: create persistent logs directory
file:
- path: "{{ item }}"
+ path: "{{ item.path }}"
state: directory
+ setype: "{{ item.setype }}"
with_items:
- - /var/log/containers/qdrouterd
- - /var/lib/qdrouterd
+ - { 'path': /var/log/containers/qdrouterd, 'setype': svirt_sandbox_file_t }
+ - { 'path': /var/lib/qdrouterd, 'setype': svirt_sandbox_file_t }
- name: qrouterd logs readme
copy:
dest: /var/log/qrouterd/readme.txt
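Review bot: The readme task at the end of hunk -102 still writes to `dest: /var/log/qrouterd/readme.txt` under the task name `qrouterd logs readme`, while every path touched by the hunk (`/var/log/containers/qdrouterd`, `/var/lib/qdrouterd`) spells the service `qdrouterd`; this looks like a pre-existing typo rather than something the commit introduced, and it puts the operator-facing readme in a directory nothing else references. If the intent matches the other services in this diff, the fix is `dest: /var/log/qdrouterd/readme.txt` and `- name: qdrouterd logs readme`. The copy task continues outside the hunk, so whatever creates the target directory is not visible here.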