diff --git a/common/common-container-config-scripts.yaml b/common/common-container-config-scripts.yaml
index 41ea793a5f..f4fa1cb3b9 100644
--- a/common/common-container-config-scripts.yaml
+++ b/common/common-container-config-scripts.yaml
@@ -1,3 +1,11 @@
+- name: Create fcontext entry for container-config-scripts
+ sefcontext:
+ target: "/var/lib/container-config-scripts(/.*)?"
+ setype: container_file_t
+ state: present
+ tags:
+ - container_config_scripts
+
 - name: Create /var/lib/container-config-scripts
 become: true
 file:
diff --git a/deployment/cinder/cinder-common-container-puppet.yaml b/deployment/cinder/cinder-common-container-puppet.yaml
index 563a2538a7..8831e369cd 100644
--- a/deployment/cinder/cinder-common-container-puppet.yaml
+++ b/deployment/cinder/cinder-common-container-puppet.yaml
@@ -107,6 +107,11 @@ outputs:
 cinder_common_host_prep_tasks:
 description: Common host prep tasks for cinder-volume and cinder-backup services
 value: &cinder_common_host_prep_tasks
+ - name: create fcontext entry for cinder data
+ sefcontext:
+ target: "/var/lib/cinder(/.*)?"
+ setype: container_file_t
+ state: present
 - name: create persistent directories
 file:
 path: "{{ item.path }}"
diff --git a/deployment/database/mysql-container-puppet.yaml b/deployment/database/mysql-container-puppet.yaml
index ce0953b650..7be61b2977 100644
--- a/deployment/database/mysql-container-puppet.yaml
+++ b/deployment/database/mysql-container-puppet.yaml
@@ -261,6 +261,11 @@ outputs:
 deploy_steps_tasks:
 get_attr: [MysqlBase, role_data, deploy_steps_tasks]
 host_prep_tasks:
+ - name: create fcontext entry for mysql data
+ sefcontext:
+ target: "/var/lib/mysql(/.*)?"
+ setype: container_file_t
+ state: present
 - name: create persistent directories
 file:
 path: "{{ item.path }}"
diff --git a/deployment/database/redis-container-puppet.yaml b/deployment/database/redis-container-puppet.yaml
index 81f50244ee..a8e7c94296 100644
--- a/deployment/database/redis-container-puppet.yaml
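Review bot: The new `sefcontext` task in common-container-config-scripts.yaml has no `become: true`, while the `Create /var/lib/container-config-scripts` task right after it does. Writing a file-context rule into the SELinux policy store needs root, so unless the including play already escalates, this step would fail where the directory task succeeds. I would add `become: true` under the task name so both tasks run with the same privileges. The rest of the task file lies outside the hunk, so a play-level `become` cannot be ruled out from here.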
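Review bot: `sefcontext` only records the rule in the local policy and does not relabel files that already exist, so on a host that already holds data under `/var/lib/cinder` the contents keep their old type until something runs `restorecon`. The `create persistent directories` task that follows is cut off after `path:`, so whether it sets `setype` or recurses is not visible here. If it does not, a follow-up step such as `command: restorecon -R /var/lib/cinder`, run only when the fcontext task reports a change, would close the gap. The same applies to the mysql, redis, ironic, ironic-inspector, iscsid, manila, qdrouterd and rabbitmq hunks in this commit.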
+++ b/deployment/database/redis-container-puppet.yaml
@@ -240,6 +240,11 @@ outputs:
 - {get_param: RedisCertificateKeySize}
 ca: ipa
 host_prep_tasks:
+ - name: create fcontext entry for redis data
+ sefcontext:
+ target: "/var/run/redis(/.*)?" # conflicts with equivalency rule '/run /var/run' - have to use /var/run here...
+ setype: container_file_t
+ state: present
 - name: create persistent directories
 file:
 path: "{{ item.path }}"
diff --git a/deployment/ironic/ironic-conductor-container-puppet.yaml b/deployment/ironic/ironic-conductor-container-puppet.yaml
index 4356541ec4..765415070b 100644
--- a/deployment/ironic/ironic-conductor-container-puppet.yaml
+++ b/deployment/ironic/ironic-conductor-container-puppet.yaml
@@ -586,6 +586,11 @@ outputs:
 vars:
 modules:
 - name: iscsi_tcp
+ - name: create fcontext entry for ironic data
+ sefcontext:
+ target: "/var/lib/ironic(/.*)?"
+ setype: container_file_t
+ state: present
 - name: create persistent directories
 file:
 path: "{{ item.path }}"
diff --git a/deployment/ironic/ironic-inspector-container-puppet.yaml b/deployment/ironic/ironic-inspector-container-puppet.yaml
index 50e7dc34df..e2f813916b 100644
--- a/deployment/ironic/ironic-inspector-container-puppet.yaml
+++ b/deployment/ironic/ironic-inspector-container-puppet.yaml
@@ -519,6 +519,11 @@ outputs:
 environment:
 KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
 host_prep_tasks:
+ - name: create fcontext entry for ironic-inspector data
+ sefcontext:
+ target: "/var/lib/ironic-inspector/dhcp-hostsdir(/.*)?"
+ setype: container_file_t
+ state: present
 - name: create persistent directories
 file:
 path: "{{ item.path }}"
diff --git a/deployment/iscsid/iscsid-container-puppet.yaml b/deployment/iscsid/iscsid-container-puppet.yaml
index ae960d73c5..7794e74264 100644
--- a/deployment/iscsid/iscsid-container-puppet.yaml
+++ b/deployment/iscsid/iscsid-container-puppet.yaml
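Review bot: The reason for targeting `/var/run/redis` rather than `/run/redis` sits in a long trailing comment on the `target:` line of the redis hunk, where it pushes the line well past the usual length and is easy to drop on a later edit. I would move it onto its own line above `target:`, for example `# semanage rejects /run/redis because of the '/run /var/run' equivalency rule, so the rule is declared under /var/run`. That keeps the rationale attached to the task and leaves the value line clean.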
@@ -144,6 +144,15 @@ outputs:
 environment:
 KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
 host_prep_tasks:
+ - name: create fcontext entry for iscsi
+ sefcontext:
+ target: "{{ item.path }}(/.*)?"
+ setype: "{{ item.setype }}"
+ state: present
+ with_items:
+ - { 'path': /etc/iscsi, 'setype': container_file_t }
+ - { 'path': /etc/target, 'setype': container_file_t }
+ - { 'path': /var/lib/iscsi, 'setype': container_file_t }
 - name: create persistent directories
 file:
 path: "{{ item.path }}"
diff --git a/deployment/manila/manila-share-container-puppet.yaml b/deployment/manila/manila-share-container-puppet.yaml
index 80197300af..4bd59dc3f4 100644
--- a/deployment/manila/manila-share-container-puppet.yaml
+++ b/deployment/manila/manila-share-container-puppet.yaml
@@ -178,6 +178,11 @@ outputs:
 volumes: {get_attr: [ManilaShareCommon, manila_share_volumes]}
 environment: {get_attr: [ManilaShareCommon, manila_share_environment]}
 host_prep_tasks:
+ - name: create fcontext entry for manila data
+ sefcontext:
+ target: "/var/lib/manila(/.*)?"
+ setype: container_file_t
+ state: present
 - name: create persistent directories
 file:
 path: "{{ item.path }}"
diff --git a/deployment/messaging/rpc-qdrouterd-container-puppet.yaml b/deployment/messaging/rpc-qdrouterd-container-puppet.yaml
index a09002a19f..f8ea27f92d 100644
--- a/deployment/messaging/rpc-qdrouterd-container-puppet.yaml
+++ b/deployment/messaging/rpc-qdrouterd-container-puppet.yaml
@@ -140,6 +140,11 @@ outputs:
 environment:
 KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
 host_prep_tasks:
+ - name: create fcontext entry for qdrouterd data
+ sefcontext:
+ target: "/var/lib/qdrouterd(/.*)?"
+ setype: container_file_t
+ state: present
 - name: create persistent logs directory
 file:
 path: "{{ item.path }}"
diff --git a/deployment/qdr/qdrouterd-container-puppet.yaml b/deployment/qdr/qdrouterd-container-puppet.yaml
index b026304042..aec6dde51b 100644
--- a/deployment/qdr/qdrouterd-container-puppet.yaml
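Review bot: Labelling `/etc/iscsi`, `/etc/target` and `/var/lib/iscsi` as `container_file_t` in the iscsid hunk replaces whatever types the base policy assigns to host iSCSI configuration and state with the generic type that container processes may read and write. Any container that gets these paths bind-mounted can then modify them, and host-side iSCSI tooling that still expects the original types may be denied after a relabel. Neither is visible from this hunk, so both are worth confirming before merge. Since all three items carry the same type, `setype: container_file_t` could also be written literally and `with_items` reduced to a plain list of paths.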
+++ b/deployment/qdr/qdrouterd-container-puppet.yaml
@@ -130,6 +130,11 @@ outputs:
 environment:
 KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
 host_prep_tasks:
+ - name: create fcontext entry for qrouterd data
+ sefcontext:
+ target: "/var/lib/qdrouterd(/.*)?"
+ setype: container_file_t
+ state: present
 - name: create persistent directories
 file:
 path: "{{ item.path }}"
diff --git a/deployment/rabbitmq/rabbitmq-container-puppet.yaml b/deployment/rabbitmq/rabbitmq-container-puppet.yaml
index 023b345c00..eecdb48e57 100644
--- a/deployment/rabbitmq/rabbitmq-container-puppet.yaml
+++ b/deployment/rabbitmq/rabbitmq-container-puppet.yaml
@@ -387,6 +387,11 @@ outputs:
 - {get_param: RabbitmqCertificateKeySize}
 ca: ipa
 host_prep_tasks:
+ - name: creat fcontext entry for rabbitmq data
+ sefcontext:
+ target: "/var/lib/rabbitmq(/.*)?"
+ setype: container_file_t
+ state: present
 - name: create persistent directories
 file:
 path: "{{ item.path }}"
diff --git a/deployment/rabbitmq/rabbitmq-messaging-notify-container-puppet.yaml b/deployment/rabbitmq/rabbitmq-messaging-notify-container-puppet.yaml
index 5032b1702d..6515268491 100644
--- a/deployment/rabbitmq/rabbitmq-messaging-notify-container-puppet.yaml
+++ b/deployment/rabbitmq/rabbitmq-messaging-notify-container-puppet.yaml
@@ -322,6 +322,11 @@ outputs:
 - {get_param: RabbitmqMessageCertificateKeySize}
 ca: ipa
 host_prep_tasks:
+ - name: create fcontext for rabbitmq data
+ sefcontext:
+ target: "/var/lib/rabbitmq(/.*)?"
+ setype: container_file_t
+ state: present
 - name: create persistent directories
 file:
 path: "{{ item.path }}"
diff --git a/deployment/rabbitmq/rabbitmq-messaging-pacemaker-puppet.yaml b/deployment/rabbitmq/rabbitmq-messaging-pacemaker-puppet.yaml
index 1bf7005ff2..615173ab83 100644
--- a/deployment/rabbitmq/rabbitmq-messaging-pacemaker-puppet.yaml
+++ b/deployment/rabbitmq/rabbitmq-messaging-pacemaker-puppet.yaml
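Review bot: The task name in the qdr hunk reads `qrouterd` where the path and the sibling rpc-qdrouterd template say `qdrouterd`, and the rabbitmq-container hunk has `creat` for `create`. Task names are what shows up in deploy logs, so misspellings make a failed labelling step harder to find. The `/var/lib/rabbitmq` rule is also declared in five rabbitmq templates under two different names (`creat fcontext entry for rabbitmq data` and `create fcontext for rabbitmq data`). I would settle on one wording, e.g. `create fcontext entry for rabbitmq data`, and use `create fcontext entry for qdrouterd data` in both qdrouterd templates.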
@@ -221,6 +221,11 @@ outputs:
 # update (scale-out, etc.)
 TRIPLEO_DEPLOY_IDENTIFIER: {get_param: DeployIdentifier}
 host_prep_tasks:
+ - name: create fcontext for rabbitmq data
+ sefcontext:
+ target: "/var/lib/rabbitmq(/.*)?"
+ setype: container_file_t
+ state: present
 - name: create persistent directories
 file:
 path: "{{ item.path }}"
diff --git a/deployment/rabbitmq/rabbitmq-messaging-rpc-container-puppet.yaml b/deployment/rabbitmq/rabbitmq-messaging-rpc-container-puppet.yaml
index 2136e64193..17298357bd 100644
--- a/deployment/rabbitmq/rabbitmq-messaging-rpc-container-puppet.yaml
+++ b/deployment/rabbitmq/rabbitmq-messaging-rpc-container-puppet.yaml
@@ -322,6 +322,11 @@ outputs:
 - {get_param: RpcCertificateKeySize}
 ca: ipa
 host_prep_tasks:
+ - name: create fcontext for rabbitmq data
+ sefcontext:
+ target: "/var/lib/rabbitmq(/.*)?"
+ setype: container_file_t
+ state: present
 - name: create persistent directories
 file:
 path: "{{ item.path }}"
diff --git a/deployment/rabbitmq/rabbitmq-messaging-rpc-pacemaker-puppet.yaml b/deployment/rabbitmq/rabbitmq-messaging-rpc-pacemaker-puppet.yaml
index 14caaf0375..48aceb9306 100644
--- a/deployment/rabbitmq/rabbitmq-messaging-rpc-pacemaker-puppet.yaml
+++ b/deployment/rabbitmq/rabbitmq-messaging-rpc-pacemaker-puppet.yaml
@@ -223,6 +223,11 @@ outputs:
 metadata_settings:
 get_attr: [RabbitmqBase, role_data, metadata_settings]
 host_prep_tasks:
+ - name: create fcontext for rabbitmq data
+ sefcontext:
+ target: "/var/lib/rabbitmq(/.*)?"
+ setype: container_file_t
+ state: present
 - name: create persistent directories
 file:
 path: "{{ item.path }}"
diff --git a/deployment/swift/swift-storage-container-puppet.yaml b/deployment/swift/swift-storage-container-puppet.yaml
index 0cf06adceb..0c8068e4f5 100644
--- a/deployment/swift/swift-storage-container-puppet.yaml
+++ b/deployment/swift/swift-storage-container-puppet.yaml
@@ -602,6 +602,10 @@ outputs: - {} host_prep_tasks: + # NOTE: we can't set fcontext for swift locations since they are + # already set in openstack-selinux package. In order to work around + # this specific case, the following change is being pushed: + # https://github.com/redhat-openstack/openstack-selinux/pull/73 - name: create persistent directories file: path: "{{ item.path }}"