From 520f889a31f1ea6ee2bad86d1dbb3c0435604d10 Mon Sep 17 00:00:00 2001
From: Oliver Walsh
Date: Tue, 5 Sep 2017 19:19:17 +0100
Subject: [PATCH] Enable selinux in containers

We cannot use the --selinux-enabled docker daemon option on CentOS/RHEL 7.3. It will fail if security_inode_copy_up is not found in the kernel symbols: https://github.com/projectatomic/docker/blob/docker-1.12.6/daemon/daemon_unix.go#L661 NB this has been reduced to a warning upstream: https://github.com/moby/moby/commit/885b29df096db1d6746ece4b3a298a1ffe85716d Instead this just bind mounts /sys/fs/selinux in containers-common.yaml. Everything appears to work at initial glance. Pingtest succeeds, and live-migration between baremetal and containerized computes works.
Change-Id: I018221bf7ae9ab9ece193b55f1ce31eb1591046c
Depends-On: I521c5351ad6020911106464bf712cf92e6fb0fca
Closes-bug: #1715171
---
 docker/services/containers-common.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/docker/services/containers-common.yaml b/docker/services/containers-common.yaml
index 2c894da5da..9f982f8bce 100644
--- a/docker/services/containers-common.yaml
+++ b/docker/services/containers-common.yaml
@@ -64,6 +64,7 @@ outputs:
 # Syslog socket
 - /dev/log:/dev/log
 - /etc/ssh/ssh_known_hosts:/etc/ssh/ssh_known_hosts:ro
+ - /sys/fs/selinux:/sys/fs/selinux
 - if:
 - internal_tls_enabled
 - - list_join:
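Review bot: The added `- /sys/fs/selinux:/sys/fs/selinux` mount is read-write and carries no comment, while the neighbouring `ssh_known_hosts` mount is `:ro`; the host's selinuxfs is the kernel's policy control interface (`enforce`, booleans, `context`/`create`), so a writable mount hands every container using this template a direct handle to it, guarded only by the kernel's own SELinux checks on the container's domain, which is a weaker position than bare metal given the description says the daemon's `--selinux-enabled` is deliberately off. Whether `:ro` is viable depends on what libselinux in the container needs: label computation through `/sys/fs/selinux/create` and `access` is, as far as I know, a write-then-read on those files, so a read-only mount may break the libvirt/svirt labelling this change exists to enable, and that should be confirmed rather than assumed. Whichever way it goes, record the decision next to the line, e.g. `# Host selinuxfs so libselinux in the container sees SELinux enabled (bug #1715171); rw required for label computation via /sys/fs/selinux/create` once the rw requirement is verified. The volumes list this hunk edits starts and ends outside the hunk.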