Allow to run docker-puppet.py with SELinux enabled

In the docker-puppet.py script we try to relabel
/usr/share/openstack-puppet/modules by adding a ":z" suffix
at the end.

Unfortunately this operation is not allowed in docker with
SELinux enabled. Docker's error message is:

Error response from daemon: error setting label on mount source
'/usr/share/openstack-puppet/modules': SELinux relabeling of
/usr/share/openstack-puppet/modules is not allowed:
"Relabeling content in /usr is not allowed.".

It leads to the fact that during the configuration the jobs fail
with "Permission denied - /usr/share/openstack-puppet/modules"

There is no need to relabel that folder since it's read-only.
After removing ":z" it is possible to deploy the overcloud with
SELinux enabled.

Closes-Bug: #1807680

Change-Id: I11c7c5e9594fe0cdb2a114f81033651e411c9e3c
Mike Fedosin 2018-12-08 15:43:21 +01:00
parent 64b95749e4
commit dcdf75b94f

@ -64,7 +64,7 @@ if not os.path.exists(config_volume_prefix):
os.makedirs(config_volume_prefix) os.makedirs(config_volume_prefix)
if container_cli == 'docker': if container_cli == 'docker':
cli_dcmd = ['--volume', '/usr/share/openstack-puppet/modules/:/usr/share/openstack-puppet/modules/:ro,z'] cli_dcmd = ['--volume', '/usr/share/openstack-puppet/modules/:/usr/share/openstack-puppet/modules/:ro']
env = {} env = {}
# FIXME: add log=log once we have paunch 4.0.1 in Pypi and promoted in RDO # FIXME: add log=log once we have paunch 4.0.1 in Pypi and promoted in RDO
RUNNER = containers_runner.DockerRunner( RUNNER = containers_runner.DockerRunner(
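Review bot: The docker `--volume` entry in the `cli_dcmd = [...]` assignment drops `z` with nothing in the code recording why, so a later edit could reintroduce it and bring back the "Relabeling content in /usr is not allowed" failure on SELinux hosts. Suggest a one-line comment above the assignment stating that content under /usr cannot be relabeled and that the mount is read-only, so no relabel is needed.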
@ -88,12 +88,8 @@ else:
# puppet modules but our containers now also include puppet-tripleo so we # puppet modules but our containers now also include puppet-tripleo so we
# could use either # could use either
if os.environ.get('MOUNT_HOST_PUPPET', 'true') == 'true': if os.environ.get('MOUNT_HOST_PUPPET', 'true') == 'true':
if container_cli == 'docker':
cli_dcmd.extend(['--volume', '/usr/share/openstack-puppet/modules/:/usr/share/openstack-puppet/modules/:ro,z'])
elif container_cli == 'podman':
cli_dcmd.extend(['--volume', '/usr/share/openstack-puppet/modules/:/usr/share/openstack-puppet/modules/:ro']) cli_dcmd.extend(['--volume', '/usr/share/openstack-puppet/modules/:/usr/share/openstack-puppet/modules/:ro'])
# this is to match what we do in deployed-server # this is to match what we do in deployed-server
def short_hostname(): def short_hostname():
subproc = subprocess.Popen(['hostname', '-s'], subproc = subprocess.Popen(['hostname', '-s'],
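Review bot: With the `container_cli` branches removed, the `cli_dcmd.extend([...])` under `MOUNT_HOST_PUPPET` now runs for any `container_cli` value, whereas the old code only added the mount for 'docker' or 'podman'; if other values can reach this point, keep a guard or note in a comment that the mount is intended for all of them. The mount string is also now byte-for-byte identical to the literal in the first hunk, so a single module-level constant for `/usr/share/openstack-puppet/modules/:/usr/share/openstack-puppet/modules/:ro` would keep the two from drifting apart again.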