From 5864167034a20d20d38cd7f513b1319579765538 Mon Sep 17 00:00:00 2001 From: Emilien Macchi Date: Wed, 15 Jul 2020 16:25:14 -0400 Subject: [PATCH] Remove /var/lib/config-data context task The task should not be needed since we set the context in openstack-selinux: https://github.com/redhat-openstack/openstack-selinux/blob/master/local_settings.sh.in#L89 fcontext -N -$1 -t container_file_t \"$LOCALSTATEDIR/lib/config-data(/.*)?\" This task is very expensive at scale and we should avoid these king of things. svirt_sandbox_file_t is an alias to container_file_t, so let's use container_file_t directly to be consistent and not creating confusion. This patch shouldn't be backported to Train because in Train we'll have this task not removed but moved to run only under FFU context. Change-Id: I973a49aec1a263e2a1ec3e5199803c86d6f77b35 Closes-Bug: #1887721 --- common/deploy-steps-playbooks-common.yaml | 24 ----------------------- common/generate-config-tasks.yaml | 2 +- 2 files changed, 1 insertion(+), 25 deletions(-) diff --git a/common/deploy-steps-playbooks-common.yaml b/common/deploy-steps-playbooks-common.yaml index e977afcb83..a1ff56c16a 100644 --- a/common/deploy-steps-playbooks-common.yaml +++ b/common/deploy-steps-playbooks-common.yaml @@ -43,30 +43,6 @@ tags: - always -- hosts: "{{ deploy_target_host }}" - strategy: tripleo_linear - name: Ensure /var/lib/config-data context - become: true - gather_facts: false - any_errors_fatal: false - ignore_unreachable: true - tasks: - - name: Ensure /var/lib/config-data context - shell: |- - set -o pipefail - if [[ -e /var/lib/config-data ]]; then - chcon -R -t svirt_sandbox_file_t /var/lib/config-data - exit 2 - fi - args: - executable: /bin/bash - warn: no - register: _selinux_config_data - changed_when: _selinux_config_data.rc == 2 - failed_when: _selinux_config_data.rc not in [0,2] - tags: - - always - - hosts: "{{ deploy_target_host }}" name: Render all_nodes data as group_vars for overcloud gather_facts: "{{ gather_facts | default(false) }}" diff --git a/common/generate-config-tasks.yaml b/common/generate-config-tasks.yaml index 4c189f6bb2..7af8993c57 100644 --- a/common/generate-config-tasks.yaml +++ b/common/generate-config-tasks.yaml @@ -8,7 +8,7 @@ path: "/var/lib/tripleo-config/container-puppet-config" mode: 0700 recurse: true - setype: svirt_sandbox_file_t + setype: container_file_t - name: "Generate container puppet configs for step {{ step }}" container_puppet_config: