
Merge "Modify how libvirt related containers use SELinux" into stable/ussuri

changes/93/750793/1
Zuul 3 weeks ago
committed by Gerrit Code Review
parent
commit
e92a51d754
3 changed files with 16 additions and 20 deletions
  1. +1
    -1
      deployment/nova/nova-compute-container-puppet.yaml
  2. +14
    -18
      deployment/nova/nova-libvirt-container-puppet.yaml
  3. +1
    -1
      deployment/nova/nova-migration-target-container-puppet.yaml

+ 1
- 1
deployment/nova/nova-compute-container-puppet.yaml

@@ -855,7 +855,7 @@ outputs:
- /lib/modules:/lib/modules:ro
- /run:/run
- /var/lib/iscsi:/var/lib/iscsi:z
- /var/lib/libvirt:/var/lib/libvirt:shared,z
- /var/lib/libvirt:/var/lib/libvirt:shared
- /sys/class/net:/sys/class/net
- /sys/bus/pci:/sys/bus/pci
- /boot:/boot:ro
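Review bot: Dropping the `:z` relabel from the /var/lib/libvirt mount (the `shared,z` line appears to be the removed side, given the commit title and the explicit `setype` task added in nova-libvirt's host_prep_tasks) makes nova_compute depend on that other file's `file` task having labelled /var/lib/libvirt as `container_file_t` before this container starts, and nothing in this file records that ordering. A comment above the mount such as `# no :z relabel here: /var/lib/libvirt is labelled container_file_t by nova-libvirt host_prep_tasks` would keep the cross-service dependency visible to the next person who touches the volume list. The same applies to the /var/run/libvirt mount in nova-migration-target-container-puppet.yaml, which now relies on the `virt_var_run_t` entry of that same task rather than on runtime relabelling. The enclosing volumes list starts and ends outside the hunk.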


+ 14
- 18
deployment/nova/nova-libvirt-container-puppet.yaml

@@ -312,11 +312,6 @@ conditions:
- {get_param: QemuCACert}
- ''

docker_enabled:
equals:
- {get_param: ContainerCli}
- 'docker'

nova_nfs_enabled:
or:
- and:
@@ -685,7 +680,7 @@ outputs:
- /dev:/dev
- /run:/run
- /sys/fs/cgroup:/sys/fs/cgroup
- /var/run/libvirt:/var/run/libvirt:shared,z
- /var/run/libvirt:/var/run/libvirt:shared
- /var/lib/libvirt:/var/lib/libvirt
- /etc/libvirt/qemu:/etc/libvirt/qemu:ro
- /var/log/libvirt/qemu:/var/log/libvirt/qemu
@@ -700,7 +695,10 @@ outputs:
pid: host
pids_limit: {get_param: ContainerNovaLibvirtPidsLimit}
privileged: true
security_opt: label=disable
security_opt:
- label=level:s0
- label=type:spc_t
- label=filetype:container_share_t
restart: always
depends_on:
- tripleo_nova_virtlogd.service
@@ -721,17 +719,14 @@ outputs:
- /run:/run
- /sys/fs/cgroup:/sys/fs/cgroup
- /etc/libvirt:/etc/libvirt
- /var/run/libvirt:/var/run/libvirt:shared,z
- /var/lib/libvirt:/var/lib/libvirt:shared,z
- /var/run/libvirt:/var/run/libvirt:shared
- /var/cache/libvirt:/var/cache/libvirt:shared
- /var/lib/libvirt:/var/lib/libvirt:shared
- /var/log/libvirt/qemu:/var/log/libvirt/qemu:ro
- /var/lib/vhost_sockets:/var/lib/vhost_sockets
- /var/lib/nova:/var/lib/nova:shared
-
if:
- docker_enabled
-
- /sys/fs/selinux:/sys/fs/selinux
- null
- /sys/fs/selinux:/sys/fs/selinux
- /etc/selinux/config:/etc/selinux/config:ro
-
if:
- use_tls_for_live_migration
@@ -803,8 +798,8 @@ outputs:
-
- /var/lib/config-data/puppet-generated/nova_libvirt/etc/nova:/etc/nova:ro
- /etc/libvirt:/etc/libvirt
- /var/run/libvirt:/var/run/libvirt:shared,z
- /var/lib/libvirt:/var/lib/libvirt:shared,z
- /var/run/libvirt:/var/run/libvirt:shared
- /var/lib/libvirt:/var/lib/libvirt:shared
command:
- /bin/bash
- -c
@@ -838,12 +833,13 @@ outputs:
file:
path: "{{ item.path }}"
state: directory
setype: "{{ item.setype }}"
setype: "{{ item.setype | default(omit) }}"
with_items:
- { 'path': /etc/libvirt, 'setype': container_file_t }
- { 'path': /etc/libvirt/secrets, 'setype': container_file_t }
- { 'path': /etc/libvirt/qemu, 'setype': container_file_t }
- { 'path': /var/lib/libvirt, 'setype': container_file_t }
- { 'path': /var/cache/libvirt }
- { 'path': /var/lib/nova, 'setype': container_file_t }
- { 'path': /var/run/libvirt, 'setype': virt_var_run_t }
- { 'path': /var/log/libvirt, 'setype': container_file_t }
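Review bot: The new `security_opt` list in the hunk at `@@ -700,7 +695,10 @@` replaces `label=disable` with `label=type:spc_t`, but nothing documents what that buys: `spc_t` is the container-selinux super-privileged domain, so the process remains effectively unconfined (as a `privileged: true` container already is), while `label=filetype:container_share_t` only governs volumes the runtime relabels with `:z`/`:Z`, which the other hunks in this file appear to remove from every libvirt mount. A comment above `security_opt:` such as `# spc_t: unconfined like label=disable, but the container keeps an SELinux context (presumably so libvirt's svirt driver can label guests); filetype only affects :z/:Z volumes` would make the intent reviewable. The hunk at `@@ -721,17 +719,14 @@` also mounts /sys/fs/selinux read-write unconditionally now that the `docker_enabled` condition is dropped in the first hunk; if write access is required because libvirt computes labels through selinuxfs, a comment saying so would stop a later `:ro` hardening from silently breaking it, and if it is not required, `:ro` is the safer default.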


+ 1
- 1
deployment/nova/nova-migration-target-container-puppet.yaml

@@ -176,7 +176,7 @@ outputs:
- /var/lib/kolla/config_files/nova-migration-target.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/nova_libvirt:/var/lib/kolla/config_files/src:ro
- /etc/ssh/:/host-ssh/:ro
- /var/run/libvirt:/var/run/libvirt:shared,z
- /var/run/libvirt:/var/run/libvirt:shared
- /var/lib/nova:/var/lib/nova:shared
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS

