1- Add specific mounts in nova_libvirt
They are needed in order to get SELinux support within the container
2- Remove now deprecated docker_enable condition
Since this one isn't needed anymore, just drop it.
3- Drop "z" flag from libvirt related mounts
This avoids relabelling issues from non-privileged containers
4- Set specific labels for the container itself.
See note 2 for more details.
Notes:
1- This will require patching podman-1.6.4 in order to actually allow
the use of security-opt when --privileged and/or --pid=host are passed[1].
2- The "container_share_t" filetype will be updated in a follow-up to
the newer version, "container_ro_file_t". This makes backports easier
to older releases that might not be aware of this new type.
The follow-up change is purely cosmetic in order to reflect the
actual behavior of SELinux and has no functional change.
Testing:
The first tests were done using podman 1.9.3 in order to work around the
mentioned issues.
Newer tests were done using podman 1.6.4 scratch-builds in order to ensure
the reported issues were fixed.
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1846364
Depends-On: https://review.opendev.org/735063
Co-Authored-By: Daniel Berrange <berrange@redhat.com>
Co-Authored-By: Kashyap Chamarthy <kchamart@redhat.com>
Change-Id: I9e0da2a48c23c35e084bea831fc744b9f053508b
(cherry picked from commit 9f0e5d724f)