diff --git a/common/common-container-config-scripts.yaml b/common/common-container-config-scripts.yaml
index 41ea793a5f..f4fa1cb3b9 100644
--- a/common/common-container-config-scripts.yaml
+++ b/common/common-container-config-scripts.yaml
@@ -1,3 +1,11 @@
+- name: Create fcontext entry for container-config-scripts
+ sefcontext:
+ target: "/var/lib/container-config-scripts(/.*)?"
+ setype: container_file_t
+ state: present
+ tags:
+ - container_config_scripts
+
 - name: Create /var/lib/container-config-scripts
 become: true
 file:
diff --git a/deployment/cinder/cinder-common-container-puppet.yaml b/deployment/cinder/cinder-common-container-puppet.yaml
index c6ebddecaa..8a6c9712bf 100644
--- a/deployment/cinder/cinder-common-container-puppet.yaml
+++ b/deployment/cinder/cinder-common-container-puppet.yaml
@@ -107,6 +107,11 @@ outputs:
 cinder_common_host_prep_tasks:
 description: Common host prep tasks for cinder-volume and cinder-backup services
 value: &cinder_common_host_prep_tasks
+ - name: create fcontext entry for cinder data
+ sefcontext:
+ target: "/var/lib/cinder(/.*)?"
+ setype: container_file_t
+ state: present
 - name: create persistent directories
 file:
 path: "{{ item.path }}"
diff --git a/deployment/database/mysql-container-puppet.yaml b/deployment/database/mysql-container-puppet.yaml
index 6bad2bd670..0857571b73 100644
--- a/deployment/database/mysql-container-puppet.yaml
+++ b/deployment/database/mysql-container-puppet.yaml
@@ -261,6 +261,11 @@ outputs:
 deploy_steps_tasks:
 get_attr: [MysqlBase, role_data, deploy_steps_tasks]
 host_prep_tasks:
+ - name: create fcontext entry for mysql data
+ sefcontext:
+ target: "/var/lib/mysql(/.*)?"
+ setype: container_file_t
+ state: present
 - name: create persistent directories
 file:
 path: "{{ item.path }}"
diff --git a/deployment/database/redis-container-puppet.yaml b/deployment/database/redis-container-puppet.yaml
index 88c4f9a86e..a495675080 100644
--- a/deployment/database/redis-container-puppet.yaml
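Review bot: The new `sefcontext` task in common-container-config-scripts.yaml has no `become: true`, while the directory task directly after it in the same hunk sets it explicitly. Writing to the SELinux file-context database needs root, so unless the including play already escalates (not visible here) this task would fail on an unprivileged connection. Add `become: true` next to `tags:`. The following `file:` task continues past the end of the hunk.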
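Review bot: The `sefcontext` task added to `cinder_common_host_prep_tasks` only records the rule; Ansible's sefcontext module does not relabel files that already exist under the target. On a host that already has content under `/var/lib/cinder` (an update or upgrade rather than a fresh deploy), the old labels stay in place unless the following `file:` task relabels recursively, and its arguments continue outside the hunk. Consider registering the result and following it with a step such as `command: restorecon -R /var/lib/cinder`, run only when the rule changed. The same applies to the mysql, ironic, manila, qdrouterd and rabbitmq hunks in this commit.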
+++ b/deployment/database/redis-container-puppet.yaml
@@ -242,6 +242,11 @@ outputs:
 ca: ipa
 - null
 host_prep_tasks:
+ - name: create fcontext entry for redis data
+ sefcontext:
+ target: "/var/run/redis(/.*)?" # conflicts with equivalency rule '/run /var/run' - have to use /var/run here...
+ setype: container_file_t
+ state: present
 - name: create persistent directories
 file:
 path: "{{ item.path }}"
diff --git a/deployment/ironic/ironic-conductor-container-puppet.yaml b/deployment/ironic/ironic-conductor-container-puppet.yaml
index 02f762131e..c250aee07a 100644
--- a/deployment/ironic/ironic-conductor-container-puppet.yaml
+++ b/deployment/ironic/ironic-conductor-container-puppet.yaml
@@ -590,6 +590,11 @@ outputs:
 vars:
 modules:
 - name: iscsi_tcp
+ - name: create fcontext entry for ironic data
+ sefcontext:
+ target: "/var/lib/ironic(/.*)?"
+ setype: container_file_t
+ state: present
 - name: create persistent directories
 file:
 path: "{{ item.path }}"
diff --git a/deployment/ironic/ironic-inspector-container-puppet.yaml b/deployment/ironic/ironic-inspector-container-puppet.yaml
index 5cefaf870f..733002e340 100644
--- a/deployment/ironic/ironic-inspector-container-puppet.yaml
+++ b/deployment/ironic/ironic-inspector-container-puppet.yaml
@@ -519,6 +519,11 @@ outputs:
 environment:
 KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
 host_prep_tasks:
+ - name: create fcontext entry for ironic-inspector data
+ sefcontext:
+ target: "/var/lib/ironic-inspector/dhcp-hostsdir(/.*)?"
+ setype: container_file_t
+ state: present
 - name: create persistent directories
 file:
 path: "{{ item.path }}"
diff --git a/deployment/iscsid/iscsid-container-puppet.yaml b/deployment/iscsid/iscsid-container-puppet.yaml
index c35ee162e8..84872b102b 100644
--- a/deployment/iscsid/iscsid-container-puppet.yaml
+++ b/deployment/iscsid/iscsid-container-puppet.yaml
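Review bot: The explanation on the redis `target:` line is a trailing comment that runs well past the usual line-length limit, where it is easy to lose in a later edit. Since it is the only record of why the rule is keyed on `/var/run` rather than `/run`, move it to its own line above `target:`, e.g. `# conflicts with equivalency rule '/run /var/run' - have to use /var/run here`. The `host_prep_tasks` list continues outside the hunk, so whether the directory task below uses the same path spelling cannot be checked from here.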
@@ -144,6 +144,15 @@ outputs:
 environment:
 KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
 host_prep_tasks:
+ - name: create fcontext entry for iscsi
+ sefcontext:
+ target: "{{ item.path }}(/.*)?"
+ setype: "{{ item.setype }}"
+ state: present
+ with_items:
+ - { 'path': /etc/iscsi, 'setype': container_file_t }
+ - { 'path': /etc/target, 'setype': container_file_t }
+ - { 'path': /var/lib/iscsi, 'setype': container_file_t }
 - name: create persistent directories
 file:
 path: "{{ item.path }}"
diff --git a/deployment/manila/manila-share-container-puppet.yaml b/deployment/manila/manila-share-container-puppet.yaml
index 9828b095b0..9dec235c0f 100644
--- a/deployment/manila/manila-share-container-puppet.yaml
+++ b/deployment/manila/manila-share-container-puppet.yaml
@@ -178,6 +178,11 @@ outputs:
 volumes: {get_attr: [ManilaShareCommon, manila_share_volumes]}
 environment: {get_attr: [ManilaShareCommon, manila_share_environment]}
 host_prep_tasks:
+ - name: create fcontext entry for manila data
+ sefcontext:
+ target: "/var/lib/manila(/.*)?"
+ setype: container_file_t
+ state: present
 - name: create persistent directories
 file:
 path: "{{ item.path }}"
diff --git a/deployment/messaging/rpc-qdrouterd-container-puppet.yaml b/deployment/messaging/rpc-qdrouterd-container-puppet.yaml
index a230cda174..969a5fe7a1 100644
--- a/deployment/messaging/rpc-qdrouterd-container-puppet.yaml
+++ b/deployment/messaging/rpc-qdrouterd-container-puppet.yaml
@@ -140,6 +140,11 @@ outputs:
 environment:
 KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
 host_prep_tasks:
+ - name: create fcontext entry for qdrouterd data
+ sefcontext:
+ target: "/var/lib/qdrouterd(/.*)?"
+ setype: container_file_t
+ state: present
 - name: create persistent logs directory
 file:
 path: "{{ item.path }}"
diff --git a/deployment/qdr/qdrouterd-container-puppet.yaml b/deployment/qdr/qdrouterd-container-puppet.yaml
index a0173bd268..c3913b2009 100644
--- a/deployment/qdr/qdrouterd-container-puppet.yaml
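Review bot: The iscsid task relabels `/etc/iscsi`, `/etc/target` and `/var/lib/iscsi` wholesale as `container_file_t`, replacing whatever types the base policy assigns to those paths. Before merge, confirm that no confined host-side service still depends on the original labels (the swift hunk in this commit records a similar clash with openstack-selinux), and that everything under `/etc/iscsi` needs to be reachable by container domains, since that directory commonly holds initiator authentication settings. If only part of a tree is bind-mounted, narrow the `target` the way the ironic-inspector hunk does with `dhcp-hostsdir`. All three items carry the same type, so the per-item `setype` key could be replaced by a literal `setype: container_file_t`.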
+++ b/deployment/qdr/qdrouterd-container-puppet.yaml
@@ -130,6 +130,11 @@ outputs:
 environment:
 KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
 host_prep_tasks:
+ - name: create fcontext entry for qrouterd data
+ sefcontext:
+ target: "/var/lib/qdrouterd(/.*)?"
+ setype: container_file_t
+ state: present
 - name: create persistent directories
 file:
 path: "{{ item.path }}"
diff --git a/deployment/rabbitmq/rabbitmq-container-puppet.yaml b/deployment/rabbitmq/rabbitmq-container-puppet.yaml
index 7949f26170..edf4aa7817 100644
--- a/deployment/rabbitmq/rabbitmq-container-puppet.yaml
+++ b/deployment/rabbitmq/rabbitmq-container-puppet.yaml
@@ -389,6 +389,11 @@ outputs:
 ca: ipa
 - null
 host_prep_tasks:
+ - name: creat fcontext entry for rabbitmq data
+ sefcontext:
+ target: "/var/lib/rabbitmq(/.*)?"
+ setype: container_file_t
+ state: present
 - name: create persistent directories
 file:
 path: "{{ item.path }}"
diff --git a/deployment/rabbitmq/rabbitmq-messaging-notify-container-puppet.yaml b/deployment/rabbitmq/rabbitmq-messaging-notify-container-puppet.yaml
index cccce7a036..89c5a9ded2 100644
--- a/deployment/rabbitmq/rabbitmq-messaging-notify-container-puppet.yaml
+++ b/deployment/rabbitmq/rabbitmq-messaging-notify-container-puppet.yaml
@@ -324,6 +324,11 @@ outputs:
 ca: ipa
 - null
 host_prep_tasks:
+ - name: create fcontext for rabbitmq data
+ sefcontext:
+ target: "/var/lib/rabbitmq(/.*)?"
+ setype: container_file_t
+ state: present
 - name: create persistent directories
 file:
 path: "{{ item.path }}"
diff --git a/deployment/rabbitmq/rabbitmq-messaging-pacemaker-puppet.yaml b/deployment/rabbitmq/rabbitmq-messaging-pacemaker-puppet.yaml
index 1e8cda5218..98ce849dce 100644
--- a/deployment/rabbitmq/rabbitmq-messaging-pacemaker-puppet.yaml
+++ b/deployment/rabbitmq/rabbitmq-messaging-pacemaker-puppet.yaml
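Review bot: The task name in the qdr template reads `qrouterd`; it should be `- name: create fcontext entry for qdrouterd data` so it matches the target path and shows up when searching deploy logs for the service name. The same `/var/lib/qdrouterd(/.*)?` rule is also declared in rpc-qdrouterd-container-puppet.yaml. That is harmless while both copies say `container_file_t`, but a later edit to only one of them would make the resulting label depend on which template ran last, so a short comment on each pointing at the other would help.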
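Review bot: The task name in rabbitmq-container-puppet.yaml is misspelled (`creat`), and the four other rabbitmq templates in this commit use a different wording, `create fcontext for rabbitmq data`. Use one name in all five, e.g. `- name: create fcontext entry for rabbitmq data`, so the task is easy to locate in deploy output. All five copies declare the same rule for `/var/lib/rabbitmq(/.*)?`, and identical names make it clear they are meant to stay in sync.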
@@ -221,6 +221,11 @@ outputs:
 # update (scale-out, etc.)
 TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
 host_prep_tasks:
+ - name: create fcontext for rabbitmq data
+ sefcontext:
+ target: "/var/lib/rabbitmq(/.*)?"
+ setype: container_file_t
+ state: present
 - name: create persistent directories
 file:
 path: "{{ item.path }}"
diff --git a/deployment/rabbitmq/rabbitmq-messaging-rpc-container-puppet.yaml b/deployment/rabbitmq/rabbitmq-messaging-rpc-container-puppet.yaml
index b82d5de136..4533670939 100644
--- a/deployment/rabbitmq/rabbitmq-messaging-rpc-container-puppet.yaml
+++ b/deployment/rabbitmq/rabbitmq-messaging-rpc-container-puppet.yaml
@@ -324,6 +324,11 @@ outputs:
 ca: ipa
 - null
 host_prep_tasks:
+ - name: create fcontext for rabbitmq data
+ sefcontext:
+ target: "/var/lib/rabbitmq(/.*)?"
+ setype: container_file_t
+ state: present
 - name: create persistent directories
 file:
 path: "{{ item.path }}"
diff --git a/deployment/rabbitmq/rabbitmq-messaging-rpc-pacemaker-puppet.yaml b/deployment/rabbitmq/rabbitmq-messaging-rpc-pacemaker-puppet.yaml
index 498b1f0439..56f23e55b1 100644
--- a/deployment/rabbitmq/rabbitmq-messaging-rpc-pacemaker-puppet.yaml
+++ b/deployment/rabbitmq/rabbitmq-messaging-rpc-pacemaker-puppet.yaml
@@ -223,6 +223,11 @@ outputs:
 metadata_settings:
 get_attr: [RabbitmqBase, role_data, metadata_settings]
 host_prep_tasks:
+ - name: create fcontext for rabbitmq data
+ sefcontext:
+ target: "/var/lib/rabbitmq(/.*)?"
+ setype: container_file_t
+ state: present
 - name: create persistent directories
 file:
 path: "{{ item.path }}"
diff --git a/deployment/swift/swift-storage-container-puppet.yaml b/deployment/swift/swift-storage-container-puppet.yaml
index 50a7e0956d..063c0c2fc6 100644
--- a/deployment/swift/swift-storage-container-puppet.yaml
+++ b/deployment/swift/swift-storage-container-puppet.yaml
@@ -602,6 +602,10 @@ outputs: - {} host_prep_tasks: + # NOTE: we can't set fcontext for swift locations since they are + # already set in openstack-selinux package. In order to work around + # this specific case, the following change is being pushed: + # https://github.com/redhat-openstack/openstack-selinux/pull/73 - name: create persistent directories file: path: "{{ item.path }}"