[openstack-dev] [tripleo] undercloud containers with SELinux Enforcing
bdobreli at redhat.com
Mon Nov 6 17:23:49 UTC 2017
So the rule of thumb I propose is "if a container bind-mounts /run
(/var/run), make it privileged to not mess with SELinux enforcing". I've
yet to found better alternatives to allow containers access the host
Additionally, the patch allows developers of t-h-t docker/services to
not guess and repeat :z flags for generic
/usr/share/openstack-puppet/modules and /var/log/containers/<foo> paths
for services as the wanted context for those will be configured at the
deploy steps tasks , and the docker-puppet.py tool . That kind of
follows DRY the best.
I hope that works.
On 11/6/17 2:49 PM, Bogdan Dobrelya wrote:
> I've made some progress with containerized undercloud deployment guide
> and SELinux enforcing ( the bug  and the topic  ).
> Although I'm now completely stuck  with fixing t-h-t's
> docker/services to nail the selinux thing fully, including the
> containerized *overclouds* part. The main issue is to make some of the
> host-path volumes bind-mounted, like /run:/run and /dev:/dev, selinux
> friendly. Any help is appreciated!
>> Hello folks.
>> I need your feedback please on SELinux fixes  (or rather
>> workarounds) for containerized undercloud feature, which is
>> experimental in Pike.
>> [TL;DR] The problem I'm trying to solve is primarily allowing TripleO
>> users to follow the guide  w/o telling them "please disable SELinux".
>> Especially, given the note "The undercloud is intended to work
>> correctly with SELinux enforcing, and cannot be installed to a system
>> with SELinux disabled".
>> I understand that putting "chcon -Rt svirt_sandbox_file_t -l s0" (see
>> ) to all of the host paths bind-mounted into containers is not
>> secure, and from SELinux perspective allows everything to all
>> containers. That could be a first step for docker volumes working w/o
>> shutting down SELinux on *hosts* though.
>> I plan to use the same approach for the t-h-t docker/services
>> host-prep tasks as well. Why not using docker's :z :Z directly? IIUC,
>> it doesn't allow combine with other mount flags, like :ro:z won't
>> work. I look forward for better solutions and ideas!
>>  https://review.openstack.org/#/q/topic:bug/1682179
>  https://bugs.launchpad.net/tripleo/+bug/1682179
>  https://review.openstack.org/#/q/topic:bug/1682179
>  https://review.openstack.org/#/c/517383/
More information about the OpenStack-dev