Enable virt_sandbox_use_netlink SELinux boolean for port healthchecks

As the healthchecks use the "ss" command, we need to allow container_t
to access a tcp diagnostic socket, at least for the port healthchecks.

This follows change I9ebdf09c36fd2c69d05128b584593b41d9144e56, triggered
by the neutron healthchecks. A second pass was necessary in order to
further check the calls of ss.

Change-Id: I27e4c860948667abc2c21df5ec9e01627f58465a
Related-Bug: #1810512
Cédric Jeanneret 2019-01-11 08:19:18 +01:00
parent 653856c58f
commit d70d128aa0
19 changed files with 116 additions and 7 deletions


@ -563,7 +563,14 @@ outputs:
- /usr/lib64/libnethsm.so:/usr/lib64/libnethsm.so
- null
environment: *kolla_env
host_prep_tasks: {get_attr: [BarbicanApiLogging, host_prep_tasks]}
host_prep_tasks:
list_concat:
- {get_attr: [BarbicanApiLogging, host_prep_tasks]}
- - name: enable virt_sandbox_use_netlink for healthcheck
seboolean:
name: virt_sandbox_use_netlink
persistent: yes
state: yes
upgrade_tasks:
- when: step|int == 3
block:
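Review bot: The seboolean task added at L28–L32 runs unconditionally inside host_prep_tasks, and as far as I recall Ansible's seboolean module fails rather than skips on a host where SELinux is disabled, so unless the earlier neutron change (I9ebdf09…) already guarantees SELinux is enabled on every role these templates land on, a guard such as `when: ansible_selinux.status == 'enabled'` (or a documented precondition) belongs on the task; the same applies to the identical task in the other eighteen sections (L43, L58, L77, L92, L111, L130, L145, L160, L175, L190, L205, L224, L243, L258, L277, L292, L307, L322). `virt_sandbox_use_netlink` is also a host-wide boolean — to my knowledge it grants netlink socket access to every sandboxed container domain on that node, not only the healthcheck — so the task name should make the widening explicit, e.g. `name: enable virt_sandbox_use_netlink (host-wide, all sandboxed container domains) for ss-based healthchecks`. Style: `persistent: yes` / `state: yes` use YAML 1.1 truthy words while the neighbouring tasks already write `ignore_errors: true` (L42); `persistent: true` / `state: true` matches the file and keeps yamllint's truthy rule quiet, and pasting the same five-line task into nineteen templates invites drift if a shared snippet is available in the project. The enclosing host_prep_tasks list continues outside each hunk.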


@ -117,6 +117,11 @@ outputs:
Log files from ceilometer containers can be found under
/var/log/containers/ceilometer.
ignore_errors: true
- name: enable virt_sandbox_use_netlink for healthcheck
seboolean:
name: virt_sandbox_use_netlink
persistent: yes
state: yes
upgrade_tasks:
- when: step|int == 3
block:


@ -155,6 +155,11 @@ outputs:
Log files from ceilometer containers can be found under
/var/log/containers/ceilometer.
ignore_errors: true
- name: enable virt_sandbox_use_netlink for healthcheck
seboolean:
name: virt_sandbox_use_netlink
persistent: yes
state: yes
upgrade_tasks:
- when: step|int == 3
block:


@ -161,7 +161,14 @@ outputs:
port: {get_attr: [CinderBase, role_data, config_settings, 'cinder::rabbit_port']}
volumes: {get_attr: [CinderCommon, cinder_backup_volumes]}
environment: {get_attr: [CinderCommon, cinder_backup_environment]}
host_prep_tasks: {get_attr: [CinderCommon, cinder_backup_host_prep_tasks]}
host_prep_tasks:
list_concat:
- {get_attr: [CinderCommon, cinder_backup_host_prep_tasks]}
- - name: enable virt_sandbox_use_netlink for healthcheck
seboolean:
name: virt_sandbox_use_netlink
persistent: yes
state: yes
post_upgrade_tasks:
- when: step|int == 1
import_role:


@ -148,6 +148,11 @@ outputs:
Log files from cinder containers can be found under
/var/log/containers/cinder and /var/log/containers/httpd/cinder-api.
ignore_errors: true
- name: enable virt_sandbox_use_netlink for healthcheck
seboolean:
name: virt_sandbox_use_netlink
persistent: yes
state: yes
upgrade_tasks:
- when: step|int == 3
block:


@ -168,7 +168,14 @@ outputs:
port: {get_attr: [CinderBase, role_data, config_settings, 'cinder::rabbit_port']}
volumes: {get_attr: [CinderCommon, cinder_volume_volumes]}
environment: {get_attr: [CinderCommon, cinder_volume_environment]}
host_prep_tasks: {get_attr: [CinderCommon, cinder_volume_host_prep_tasks]}
host_prep_tasks:
list_concat:
- {get_attr: [CinderCommon, cinder_volume_host_prep_tasks]}
- - name: enable virt_sandbox_use_netlink for healthcheck
seboolean:
name: virt_sandbox_use_netlink
persistent: yes
state: yes
upgrade_tasks:
- when: step|int == 3
block:


@ -161,7 +161,14 @@ outputs:
- {get_param: HeatEngineOptEnvVars}
-
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
host_prep_tasks: {get_attr: [HeatEngineLogging, host_prep_tasks]}
host_prep_tasks:
list_concat:
- {get_attr: [HeatEngineLogging, host_prep_tasks]}
- - name: enable virt_sandbox_use_netlink for healthcheck
seboolean:
name: virt_sandbox_use_netlink
persistent: yes
state: yes
upgrade_tasks: []
post_upgrade_tasks:
- when: step|int == 1


@ -119,6 +119,11 @@ outputs:
Log files from manila containers can be found under
/var/log/containers/manila and /var/log/containers/httpd/manila-api.
ignore_errors: true
- name: enable virt_sandbox_use_netlink for healthcheck
seboolean:
name: virt_sandbox_use_netlink
persistent: yes
state: yes
upgrade_tasks: []
post_upgrade_tasks:
- when: step|int == 1


@ -133,6 +133,11 @@ outputs:
Log files from mistral containers can be found under
/var/log/containers/mistral.
ignore_errors: true
- name: enable virt_sandbox_use_netlink for healthcheck
seboolean:
name: virt_sandbox_use_netlink
persistent: yes
state: yes
upgrade_tasks:
- when: step|int == 3
block:


@ -133,6 +133,11 @@ outputs:
Log files from mistral containers can be found under
/var/log/containers/mistral.
ignore_errors: true
- name: enable virt_sandbox_use_netlink for healthcheck
seboolean:
name: virt_sandbox_use_netlink
persistent: yes
state: yes
upgrade_tasks:
- when: step|int == 3
block:


@ -189,6 +189,11 @@ outputs:
path: /usr/share/openstack-octavia-amphora-images
state: directory
setype: svirt_sandbox_file_t
- name: enable virt_sandbox_use_netlink for healthcheck
seboolean:
name: virt_sandbox_use_netlink
persistent: yes
state: yes
upgrade_tasks:
- when: step|int == 3
block:


@ -264,6 +264,11 @@ outputs:
- name: is Instance HA enabled
set_fact:
instance_ha_enabled: {get_param: EnableInstanceHA}
- name: enable virt_sandbox_use_netlink for healthcheck
seboolean:
name: virt_sandbox_use_netlink
persistent: yes
state: yes
- name: install Instance HA recovery script
when: instance_ha_enabled|bool
block:


@ -139,7 +139,14 @@ outputs:
- /var/lib/config-data/puppet-generated/nova/:/var/lib/kolla/config_files/src:ro
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
host_prep_tasks: {get_attr: [NovaLogging, host_prep_tasks]}
host_prep_tasks:
list_concat:
- {get_attr: [NovaLogging, host_prep_tasks]}
- - name: enable virt_sandbox_use_netlink for healthcheck
seboolean:
name: virt_sandbox_use_netlink
persistent: yes
state: yes
upgrade_tasks:
- when: step|int == 3
block:


@ -138,7 +138,14 @@ outputs:
- /var/lib/config-data/puppet-generated/nova/:/var/lib/kolla/config_files/src:ro
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
host_prep_tasks: {get_attr: [NovaLogging, host_prep_tasks]}
host_prep_tasks:
list_concat:
- {get_attr: [NovaLogging, host_prep_tasks]}
- - name: enable virt_sandbox_use_netlink for healthcheck
seboolean:
name: virt_sandbox_use_netlink
persistent: yes
state: yes
upgrade_tasks:
- when: step|int == 3
block:


@ -162,6 +162,11 @@ outputs:
Log files from nova containers can be found under
/var/log/containers/nova and /var/log/containers/httpd/nova-*.
ignore_errors: true
- name: enable virt_sandbox_use_netlink for healthcheck
seboolean:
name: virt_sandbox_use_netlink
persistent: yes
state: yes
upgrade_tasks:
- when: step|int == 3
block:


@ -139,7 +139,14 @@ outputs:
- /run:/run
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
host_prep_tasks: {get_attr: [NovaLogging, host_prep_tasks]}
host_prep_tasks:
list_concat:
- {get_attr: [NovaLogging, host_prep_tasks]}
- - name: enable virt_sandbox_use_netlink for healthcheck
seboolean:
name: virt_sandbox_use_netlink
persistent: yes
state: yes
upgrade_tasks:
- when: step|int == 3
block:


@ -160,6 +160,11 @@ outputs:
- python2-openstackclient
- openssl
when: {get_param: EnablePackageInstall}
- name: enable virt_sandbox_use_netlink for healthcheck
seboolean:
name: virt_sandbox_use_netlink
persistent: yes
state: yes
upgrade_tasks: []
post_upgrade_tasks:
- when: step|int == 1


@ -138,6 +138,11 @@ outputs:
Log files from openvswitch containers can be found under
/var/log/containers/openvswitch.
ignore_errors: true
- name: enable virt_sandbox_use_netlink for healthcheck
seboolean:
name: virt_sandbox_use_netlink
persistent: yes
state: yes
upgrade_tasks: []
post_upgrade_tasks:
- when: step|int == 1


@ -146,6 +146,11 @@ outputs:
Log files from sahara containers can be found under
/var/log/containers/sahara.
ignore_errors: true
- name: enable virt_sandbox_use_netlink for healthcheck
seboolean:
name: virt_sandbox_use_netlink
persistent: yes
state: yes
upgrade_tasks:
- when: step|int == 3
block: