[openstack-dev] [tripleo] undercloud containers with SELinux Enforcing
bdobreli at redhat.com
Mon Nov 6 13:49:09 UTC 2017
I've made some progress with containerized undercloud deployment guide
and SELinux enforcing ( the bug  and the topic  ).
Although I'm now completely stuck  with fixing t-h-t's
docker/services to nail the selinux thing fully, including the
containerized *overclouds* part. The main issue is to make some of the
host-path volumes bind-mounted, like /run:/run and /dev:/dev, selinux
friendly. Any help is appreciated!
> Hello folks.
> I need your feedback please on SELinux fixes  (or rather workarounds)
> for containerized undercloud feature, which is experimental in Pike.
> [TL;DR] The problem I'm trying to solve is primarily allowing TripleO
> users to follow the guide  w/o telling them "please disable SELinux".
> Especially, given the note "The undercloud is intended to work correctly
> with SELinux enforcing, and cannot be installed to a system with SELinux
> I understand that putting "chcon -Rt svirt_sandbox_file_t -l s0" (see
> ) to all of the host paths bind-mounted into containers is not
> secure, and from SELinux perspective allows everything to all
> containers. That could be a first step for docker volumes working w/o
> shutting down SELinux on *hosts* though.
> I plan to use the same approach for the t-h-t docker/services host-prep
> tasks as well. Why not using docker's :z :Z directly? IIUC, it doesn't
> allow combine with other mount flags, like :ro:z won't work. I look
> forward for better solutions and ideas!
>  https://review.openstack.org/#/q/topic:bug/1682179
More information about the OpenStack-dev