1fc9285125
When SELinux is enforcing, use the docker volume mount flag :z for the docker-puppet tool's bind-mounted volumes in RW mode. Note, if a volume mount with a Z, then the label will be specific to the container, and not be able to be shared between containers. Volumes from /etc/pki mounted RO do not require the context changes. For those RO volumes that do require it, use :ro,z. For deploy-steps, make sure ansible file resources in /var/lib/ are enforced the same SELinux context attributes what docker's :z provides. Partial-bug: #1682179 Related-bug: #1723003 Change-Id: Idc0caa49573bd88e8410d3d4217fd39e9aabf8f2 Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
17 lines
657 B
YAML
17 lines
657 B
YAML
---
|
|
upgrade: ¬es
|
|
- |
|
|
The configuration management related directories managed by the
|
|
tripleo deployment tools and bind-mounted as docker volumes now
|
|
using the `:z` flag, which is a docker's equivalent for
|
|
`chcon -Rt svirt_sandbox_file_t -l s0`. This makes those
|
|
directories available for all containers on the host, in the
|
|
shared mode: `/var/lib/tripleo-config`, `/var/lib/docker-puppet`,
|
|
`/var/lib/kolla/config`, `/etc/puppet`,
|
|
`/usr/share/openstack-puppet/modules/`, `/var/lib/config-data`.
|
|
security: *notes
|
|
fixes:
|
|
- |
|
|
Allow containerized services to be executed on hosts with SELinux
|
|
in the enforcing mode.
|