Enable virt_sandbox_use_netlink SELinux boolean for port healthchecks
As the healthchecks use the "ss" command, we need to allow container_t to access a TCP diagnostic socket, at least for the port healthchecks. This follows change I9ebdf09c36fd2c69d05128b584593b41d9144e56, triggered by the neutron healthchecks. A second pass was necessary in order to further check the calls of ss. Change-Id: I27e4c860948667abc2c21df5ec9e01627f58465a Related-Bug: #1810512
parent
653856c58f
commit
d70d128aa0
|
@ -563,7 +563,14 @@ outputs:
|
|||
- /usr/lib64/libnethsm.so:/usr/lib64/libnethsm.so
|
||||
- null
|
||||
environment: *kolla_env
|
||||
host_prep_tasks: {get_attr: [BarbicanApiLogging, host_prep_tasks]}
|
||||
host_prep_tasks:
|
||||
list_concat:
|
||||
- {get_attr: [BarbicanApiLogging, host_prep_tasks]}
|
||||
- - name: enable virt_sandbox_use_netlink for healthcheck
|
||||
seboolean:
|
||||
name: virt_sandbox_use_netlink
|
||||
persistent: yes
|
||||
state: yes
|
||||
upgrade_tasks:
|
||||
- when: step|int == 3
|
||||
block:
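Review bot: The `seboolean` task appended to `host_prep_tasks` turns on `virt_sandbox_use_netlink` for the whole host and persists it, so every container confined by the container policy on that node gains netlink socket access, not only the healthcheck's `ss` call. The task carries no comment recording that trade-off; I would add one above it, for example `# Host-wide SELinux relaxation: needed only so the container healthcheck can run "ss" (Related-Bug #1810512)`. Nothing visible in the change turns the boolean back off when healthchecks are disabled or the service is removed, which is worth stating in that comment or in a release note. The same applies to the identical task in the other templates touched by this commit. The `outputs:` block starts and ends outside the hunk.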
|
||||
|
|
|
@ -117,6 +117,11 @@ outputs:
|
|||
Log files from ceilometer containers can be found under
|
||||
/var/log/containers/ceilometer.
|
||||
ignore_errors: true
|
||||
- name: enable virt_sandbox_use_netlink for healthcheck
|
||||
seboolean:
|
||||
name: virt_sandbox_use_netlink
|
||||
persistent: yes
|
||||
state: yes
|
||||
upgrade_tasks:
|
||||
- when: step|int == 3
|
||||
block:
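Review bot: The new `seboolean` task has no `when:` condition, so on a node where SELinux is disabled the module is expected to fail and stop host preparation (the preceding task in the context sets `ignore_errors: true`, this one does not). A guard such as `when: ansible_selinux is defined and ansible_selinux.status == 'enabled'` would skip it cleanly there, assuming facts are gathered before `host_prep_tasks` run. Masking the failure with `ignore_errors` would be the wrong fix, since a silently unset boolean leaves the port healthchecks failing with only an AVC denial to explain why. The task list this is appended to starts outside the hunk.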
|
||||
|
|
|
@ -155,6 +155,11 @@ outputs:
|
|||
Log files from ceilometer containers can be found under
|
||||
/var/log/containers/ceilometer.
|
||||
ignore_errors: true
|
||||
- name: enable virt_sandbox_use_netlink for healthcheck
|
||||
seboolean:
|
||||
name: virt_sandbox_use_netlink
|
||||
persistent: yes
|
||||
state: yes
|
||||
upgrade_tasks:
|
||||
- when: step|int == 3
|
||||
block:
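Review bot: This five-line task is pasted verbatim into each service template in the commit, so a node hosting several of these services sets the same boolean repeatedly, and any later change to it (a guard, a rollback, a comment) has to be made in every copy. Because the boolean is a property of the host rather than of one service, a single task in a shared host-preparation template would be easier to audit and harder to get out of sync. Separately, `persistent: yes` and `state: yes` would read better as `persistent: true` and `state: true`, matching the `ignore_errors: true` used just above.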
|
||||
|
|
|
@ -161,7 +161,14 @@ outputs:
|
|||
port: {get_attr: [CinderBase, role_data, config_settings, 'cinder::rabbit_port']}
|
||||
volumes: {get_attr: [CinderCommon, cinder_backup_volumes]}
|
||||
environment: {get_attr: [CinderCommon, cinder_backup_environment]}
|
||||
host_prep_tasks: {get_attr: [CinderCommon, cinder_backup_host_prep_tasks]}
|
||||
host_prep_tasks:
|
||||
list_concat:
|
||||
- {get_attr: [CinderCommon, cinder_backup_host_prep_tasks]}
|
||||
- - name: enable virt_sandbox_use_netlink for healthcheck
|
||||
seboolean:
|
||||
name: virt_sandbox_use_netlink
|
||||
persistent: yes
|
||||
state: yes
|
||||
post_upgrade_tasks:
|
||||
- when: step|int == 1
|
||||
import_role:
|
||||
|
|
|
@ -148,6 +148,11 @@ outputs:
|
|||
Log files from cinder containers can be found under
|
||||
/var/log/containers/cinder and /var/log/containers/httpd/cinder-api.
|
||||
ignore_errors: true
|
||||
- name: enable virt_sandbox_use_netlink for healthcheck
|
||||
seboolean:
|
||||
name: virt_sandbox_use_netlink
|
||||
persistent: yes
|
||||
state: yes
|
||||
upgrade_tasks:
|
||||
- when: step|int == 3
|
||||
block:
|
||||
|
|
|
@ -168,7 +168,14 @@ outputs:
|
|||
port: {get_attr: [CinderBase, role_data, config_settings, 'cinder::rabbit_port']}
|
||||
volumes: {get_attr: [CinderCommon, cinder_volume_volumes]}
|
||||
environment: {get_attr: [CinderCommon, cinder_volume_environment]}
|
||||
host_prep_tasks: {get_attr: [CinderCommon, cinder_volume_host_prep_tasks]}
|
||||
host_prep_tasks:
|
||||
list_concat:
|
||||
- {get_attr: [CinderCommon, cinder_volume_host_prep_tasks]}
|
||||
- - name: enable virt_sandbox_use_netlink for healthcheck
|
||||
seboolean:
|
||||
name: virt_sandbox_use_netlink
|
||||
persistent: yes
|
||||
state: yes
|
||||
upgrade_tasks:
|
||||
- when: step|int == 3
|
||||
block:
|
||||
|
|
|
@ -161,7 +161,14 @@ outputs:
|
|||
- {get_param: HeatEngineOptEnvVars}
|
||||
-
|
||||
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
|
||||
host_prep_tasks: {get_attr: [HeatEngineLogging, host_prep_tasks]}
|
||||
host_prep_tasks:
|
||||
list_concat:
|
||||
- {get_attr: [HeatEngineLogging, host_prep_tasks]}
|
||||
- - name: enable virt_sandbox_use_netlink for healthcheck
|
||||
seboolean:
|
||||
name: virt_sandbox_use_netlink
|
||||
persistent: yes
|
||||
state: yes
|
||||
upgrade_tasks: []
|
||||
post_upgrade_tasks:
|
||||
- when: step|int == 1
|
||||
|
|
|
@ -119,6 +119,11 @@ outputs:
|
|||
Log files from manila containers can be found under
|
||||
/var/log/containers/manila and /var/log/containers/httpd/manila-api.
|
||||
ignore_errors: true
|
||||
- name: enable virt_sandbox_use_netlink for healthcheck
|
||||
seboolean:
|
||||
name: virt_sandbox_use_netlink
|
||||
persistent: yes
|
||||
state: yes
|
||||
upgrade_tasks: []
|
||||
post_upgrade_tasks:
|
||||
- when: step|int == 1
|
||||
|
|
|
@ -133,6 +133,11 @@ outputs:
|
|||
Log files from mistral containers can be found under
|
||||
/var/log/containers/mistral.
|
||||
ignore_errors: true
|
||||
- name: enable virt_sandbox_use_netlink for healthcheck
|
||||
seboolean:
|
||||
name: virt_sandbox_use_netlink
|
||||
persistent: yes
|
||||
state: yes
|
||||
upgrade_tasks:
|
||||
- when: step|int == 3
|
||||
block:
|
||||
|
|
|
@ -133,6 +133,11 @@ outputs:
|
|||
Log files from mistral containers can be found under
|
||||
/var/log/containers/mistral.
|
||||
ignore_errors: true
|
||||
- name: enable virt_sandbox_use_netlink for healthcheck
|
||||
seboolean:
|
||||
name: virt_sandbox_use_netlink
|
||||
persistent: yes
|
||||
state: yes
|
||||
upgrade_tasks:
|
||||
- when: step|int == 3
|
||||
block:
|
||||
|
|
|
@ -189,6 +189,11 @@ outputs:
|
|||
path: /usr/share/openstack-octavia-amphora-images
|
||||
state: directory
|
||||
setype: svirt_sandbox_file_t
|
||||
- name: enable virt_sandbox_use_netlink for healthcheck
|
||||
seboolean:
|
||||
name: virt_sandbox_use_netlink
|
||||
persistent: yes
|
||||
state: yes
|
||||
upgrade_tasks:
|
||||
- when: step|int == 3
|
||||
block:
|
||||
|
|
|
@ -264,6 +264,11 @@ outputs:
|
|||
- name: is Instance HA enabled
|
||||
set_fact:
|
||||
instance_ha_enabled: {get_param: EnableInstanceHA}
|
||||
- name: enable virt_sandbox_use_netlink for healthcheck
|
||||
seboolean:
|
||||
name: virt_sandbox_use_netlink
|
||||
persistent: yes
|
||||
state: yes
|
||||
- name: install Instance HA recovery script
|
||||
when: instance_ha_enabled|bool
|
||||
block:
|
||||
|
|
|
@ -139,7 +139,14 @@ outputs:
|
|||
- /var/lib/config-data/puppet-generated/nova/:/var/lib/kolla/config_files/src:ro
|
||||
environment:
|
||||
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
|
||||
host_prep_tasks: {get_attr: [NovaLogging, host_prep_tasks]}
|
||||
host_prep_tasks:
|
||||
list_concat:
|
||||
- {get_attr: [NovaLogging, host_prep_tasks]}
|
||||
- - name: enable virt_sandbox_use_netlink for healthcheck
|
||||
seboolean:
|
||||
name: virt_sandbox_use_netlink
|
||||
persistent: yes
|
||||
state: yes
|
||||
upgrade_tasks:
|
||||
- when: step|int == 3
|
||||
block:
|
||||
|
|
|
@ -138,7 +138,14 @@ outputs:
|
|||
- /var/lib/config-data/puppet-generated/nova/:/var/lib/kolla/config_files/src:ro
|
||||
environment:
|
||||
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
|
||||
host_prep_tasks: {get_attr: [NovaLogging, host_prep_tasks]}
|
||||
host_prep_tasks:
|
||||
list_concat:
|
||||
- {get_attr: [NovaLogging, host_prep_tasks]}
|
||||
- - name: enable virt_sandbox_use_netlink for healthcheck
|
||||
seboolean:
|
||||
name: virt_sandbox_use_netlink
|
||||
persistent: yes
|
||||
state: yes
|
||||
upgrade_tasks:
|
||||
- when: step|int == 3
|
||||
block:
|
||||
|
|
|
@ -162,6 +162,11 @@ outputs:
|
|||
Log files from nova containers can be found under
|
||||
/var/log/containers/nova and /var/log/containers/httpd/nova-*.
|
||||
ignore_errors: true
|
||||
- name: enable virt_sandbox_use_netlink for healthcheck
|
||||
seboolean:
|
||||
name: virt_sandbox_use_netlink
|
||||
persistent: yes
|
||||
state: yes
|
||||
upgrade_tasks:
|
||||
- when: step|int == 3
|
||||
block:
|
||||
|
|
|
@ -139,7 +139,14 @@ outputs:
|
|||
- /run:/run
|
||||
environment:
|
||||
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
|
||||
host_prep_tasks: {get_attr: [NovaLogging, host_prep_tasks]}
|
||||
host_prep_tasks:
|
||||
list_concat:
|
||||
- {get_attr: [NovaLogging, host_prep_tasks]}
|
||||
- - name: enable virt_sandbox_use_netlink for healthcheck
|
||||
seboolean:
|
||||
name: virt_sandbox_use_netlink
|
||||
persistent: yes
|
||||
state: yes
|
||||
upgrade_tasks:
|
||||
- when: step|int == 3
|
||||
block:
|
||||
|
|
|
@ -160,6 +160,11 @@ outputs:
|
|||
- python2-openstackclient
|
||||
- openssl
|
||||
when: {get_param: EnablePackageInstall}
|
||||
- name: enable virt_sandbox_use_netlink for healthcheck
|
||||
seboolean:
|
||||
name: virt_sandbox_use_netlink
|
||||
persistent: yes
|
||||
state: yes
|
||||
upgrade_tasks: []
|
||||
post_upgrade_tasks:
|
||||
- when: step|int == 1
|
||||
|
|
|
@ -138,6 +138,11 @@ outputs:
|
|||
Log files from openvswitch containers can be found under
|
||||
/var/log/containers/openvswitch.
|
||||
ignore_errors: true
|
||||
- name: enable virt_sandbox_use_netlink for healthcheck
|
||||
seboolean:
|
||||
name: virt_sandbox_use_netlink
|
||||
persistent: yes
|
||||
state: yes
|
||||
upgrade_tasks: []
|
||||
post_upgrade_tasks:
|
||||
- when: step|int == 1
|
||||
|
|
|
@ -146,6 +146,11 @@ outputs:
|
|||
Log files from sahara containers can be found under
|
||||
/var/log/containers/sahara.
|
||||
ignore_errors: true
|
||||
- name: enable virt_sandbox_use_netlink for healthcheck
|
||||
seboolean:
|
||||
name: virt_sandbox_use_netlink
|
||||
persistent: yes
|
||||
state: yes
|
||||
upgrade_tasks:
|
||||
- when: step|int == 3
|
||||
block:
|
||||
|
|