Open Stack

So the rule of thumb I propose is "if a container bind-mounts /run 
(/var/run), make it privileged to not mess with SELinux enforcing". I've 
yet to found better alternatives to allow containers access the host 
sockets.

Additionally, the patch allows developers of t-h-t docker/services to 
not guess and repeat :z flags for generic
/var/lib/<config-data-related>, /etc/puppet/, 
/usr/share/openstack-puppet/modules and /var/log/containers/<foo> paths 
for services as the wanted context for those will be configured at the 
deploy steps tasks [0], and the docker-puppet.py tool [1]. That kind of 
follows DRY the best.

I hope that works.

[0] https://review.openstack.org/#/c/513669/11/common/deploy-steps.j2
[1] https://review.openstack.org/#/c/513669/12/docker/docker-puppet.py@277

On 11/6/17 2:49 PM, Bogdan Dobrelya wrote:
> Hi.
> I've made some progress with containerized undercloud deployment guide
> and SELinux enforcing ( the bug [0] and the topic [1] ).
> 
> Although I'm now completely stuck [2] with fixing t-h-t's 
> docker/services to nail the selinux thing fully, including the 
> containerized *overclouds* part. The main issue is to make some of the 
> host-path volumes bind-mounted, like /run:/run and /dev:/dev, selinux 
> friendly. Any help is appreciated!
> 
>> Hello folks.
>> I need your feedback please on SELinux fixes [0] (or rather 
>> workarounds) for containerized undercloud feature, which is 
>> experimental in Pike.
>>
>> [TL;DR] The problem I'm trying to solve is primarily allowing TripleO 
>> users to follow the guide [1] w/o telling them "please disable SELinux".
>>
>> Especially, given the note "The undercloud is intended to work 
>> correctly with SELinux enforcing, and cannot be installed to a system 
>> with SELinux disabled".
>>
>> I understand that putting "chcon -Rt svirt_sandbox_file_t -l s0" (see 
>> [2]) to all of the host paths bind-mounted into containers is not 
>> secure, and from SELinux perspective allows everything to all 
>> containers. That could be a first step for docker volumes working w/o 
>> shutting down SELinux on *hosts* though.
>>
>> I plan to use the same approach for the t-h-t docker/services 
>> host-prep tasks as well. Why not using docker's :z :Z directly? IIUC, 
>> it doesn't allow combine with other mount flags, like :ro:z won't 
>> work. I look forward for better solutions and ideas!
>>
>> [0] https://review.openstack.org/#/q/topic:bug/1682179
>> [1] 
>> https://docs.openstack.org/tripleo-docs/latest/install/containers_deployment/undercloud.html 
>>
>> [2] 
>> https://www.projectatomic.io/blog/2015/06/using-volumes-with-docker-can-cause-problems-with-selinux/ 
>>
> 
> [0] https://bugs.launchpad.net/tripleo/+bug/1682179
> [1] https://review.openstack.org/#/q/topic:bug/1682179
> [2] https://review.openstack.org/#/c/517383/
> 
> 


-- 
Best regards,
Bogdan Dobrelya,
Irc #bogdando