[openstack-dev] [tripleo] undercloud containers with SELinux Enforcing

Bogdan Dobrelya bdobreli at redhat.com
Mon Oct 23 09:50:18 UTC 2017

Hello folks.
I need your feedback please on SELinux fixes [0] (or rather workarounds) 
for containerized undercloud feature, which is experimental in Pike.

[TL;DR] The problem I'm trying to solve is primarily allowing TripleO 
users to follow the guide [1] w/o telling them "please disable SELinux".

Especially, given the note "The undercloud is intended to work correctly 
with SELinux enforcing, and cannot be installed to a system with SELinux 

I understand that putting "chcon -Rt svirt_sandbox_file_t -l s0" (see 
[2]) to all of the host paths bind-mounted into containers is not 
secure, and from SELinux perspective allows everything to all 
containers. That could be a first step for docker volumes working w/o 
shutting down SELinux on *hosts* though.

I plan to use the same approach for the t-h-t docker/services host-prep 
tasks as well. Why not using docker's :z :Z directly? IIUC, it doesn't 
allow combine with other mount flags, like :ro:z won't work. I look 
forward for better solutions and ideas!

[0] https://review.openstack.org/#/q/topic:bug/1682179

Best regards,
Bogdan Dobrelya,
Irc #bogdando

More information about the OpenStack-dev mailing list