[openstack-dev] [tripleo] undercloud containers with SELinux Enforcing
Bogdan Dobrelya
bdobreli at redhat.com
Mon Nov 6 13:49:09 UTC 2017
Hi.
I've made some progress with the containerized undercloud deployment guide
and SELinux enforcing (the bug [0] and the topic [1]).
However, I'm now completely stuck [2] on fixing t-h-t's
docker/services to nail the SELinux thing fully, including the
containerized *overclouds* part. The main issue is making some of the
host-path volumes that are bind-mounted, like /run:/run and /dev:/dev,
SELinux friendly. Any help is appreciated!
> Hello folks.
> I need your feedback please on SELinux fixes [0] (or rather workarounds)
> for containerized undercloud feature, which is experimental in Pike.
>
> [TL;DR] The problem I'm trying to solve is primarily allowing TripleO
> users to follow the guide [1] w/o telling them "please disable SELinux".
>
> Especially, given the note "The undercloud is intended to work correctly
> with SELinux enforcing, and cannot be installed to a system with SELinux
> disabled".
>
> I understand that putting "chcon -Rt svirt_sandbox_file_t -l s0" (see
> [2]) on all of the host paths bind-mounted into containers is not
> secure, and from the SELinux perspective allows everything to all
> containers. That could be a first step for docker volumes working w/o
> shutting down SELinux on *hosts* though.
>
> I plan to use the same approach for the t-h-t docker/services host-prep
> tasks as well. Why not use docker's :z/:Z directly? IIUC, it doesn't
> allow combining with other mount flags, like :ro:z won't work. I look
> forward to better solutions and ideas!
>
> [0] https://review.openstack.org/#/q/topic:bug/1682179
> [1] https://docs.openstack.org/tripleo-docs/latest/install/containers_deployment/undercloud.html
> [2] https://www.projectatomic.io/blog/2015/06/using-volumes-with-docker-can-cause-problems-with-selinux/
[0] https://bugs.launchpad.net/tripleo/+bug/1682179
[1] https://review.openstack.org/#/q/topic:bug/1682179
[2] https://review.openstack.org/#/c/517383/
--
Best regards,
Bogdan Dobrelya,
Irc #bogdando
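To make the security difference between "chcon -Rt svirt_sandbox_file_t -l s0" and a per-container :Z label concrete, here is an added example (not code from the thread or from TripleO) that models the SELinux type and MCS category check a container process goes through when it touches a bind-mounted host path. The label format and the constructed labels below are assumptions, written the way ls -Z and ps -Z print them on a RHEL 7 docker host.

```sh
#!/bin/sh
# Constructed model of the SELinux check for a container touching a host path.
# A label looks like "user:role:type:s0" or "user:role:type:s0:c123,c456"
# (assumed format; category ranges such as c1.c5 are not handled here).

# Type component of a label (3rd colon-separated field).
label_type() { printf '%s' "$1" | cut -d: -f3; }

# MCS category list of a label (5th field), empty when the label has none,
# which is exactly what "chcon ... -l s0" produces.
label_cats() { printf '%s' "$1" | cut -d: -f5; }

# Succeeds when every category in $2 (file) is also in $1 (process):
# the MCS rule that the process level must dominate the file level.
cats_dominate() {
    proc_cats="$1"; file_cats="$2"
    [ -z "$file_cats" ] && return 0        # s0 with no categories: anyone may access
    old_ifs=$IFS; IFS=,
    for c in $file_cats; do
        case ",$proc_cats," in
            *",$c,"*) ;;
            *) IFS=$old_ifs; return 1 ;;   # file carries a category the process lacks
        esac
    done
    IFS=$old_ifs
    return 0
}

# container_may_access PROCESS_LABEL FILE_LABEL
# Type enforcement first (container types may only use the sandbox file type,
# container_file_t being the newer alias), then the MCS category check.
container_may_access() {
    case "$(label_type "$2")" in
        svirt_sandbox_file_t|container_file_t) ;;
        *) return 1 ;;
    esac
    cats_dominate "$(label_cats "$1")" "$(label_cats "$2")"
}

# Demo with constructed labels: two containers, two ways of labelling a volume.
CTR_A='system_u:system_r:svirt_lxc_net_t:s0:c123,c456'
CTR_B='system_u:system_r:svirt_lxc_net_t:s0:c7,c8'
SHARED='system_u:object_r:svirt_sandbox_file_t:s0'               # chcon ... -l s0 (or :z)
PRIVATE='system_u:object_r:svirt_sandbox_file_t:s0:c123,c456'    # :Z for container A
for f in SHARED PRIVATE; do
    for p in CTR_A CTR_B; do
        eval "fl=\$$f; pl=\$$p"
        if container_may_access "$pl" "$fl"; then r=allowed; else r=denied; fi
        echo "$p -> $f: $r"
    done
done
```

Docker accepts comma-separated mount options, so a read-only volume with the shared label is written as `-v /src:/dst:ro,z` rather than `:ro:z`; the shared form still leaves the path readable by every container on the host, as the demo shows.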