container_puppet_config: disable SELinux labelling

This is a leftover from container-puppet.py that was missed in the
migration to Ansible. If we don't do that, SELinux will report alerts
because the entrypoint (container-puppet.sh) tries to copy (and
therefore read) the content of /tmp/puppet-tmp which isn't readable per
current OpenStack SELinux podman policies.

While this is done in the policy, let's port the configuration that was
done before in container-puppet.py and this patch will be reverted once
the policy is less restrictive.

Change-Id: I5baefe16f313cc17d369c9f16529516fc8d6f6e5
Related-Bug: #1864501
(cherry picked from commit 99448e20fe)
parent 97791b447b
commit 888f6d72cb
|
@ -266,6 +266,9 @@ class ContainerPuppetManager:
|
|||
'/dev/log:/dev/log:rw']
|
||||
# Defaults
|
||||
default_data = {
|
||||
# the security_opt can be removed once we properly address:
|
||||
# https://bugs.launchpad.net/tripleo/+bug/1864501
|
||||
'security_opt': 'label=disable',
|
||||
'user': 0,
|
||||
'entrypoint': CONTAINER_ENTRYPOINT,
|
||||
'environment': self._get_environment_config()
|
||||
|
|
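Review bot: In `default_data`, `'security_opt': 'label=disable'` is added next to `'user': 0`, so every container built from these defaults runs as root with SELinux label confinement switched off, not only the step that reads /tmp/puppet-tmp. Since the commit message says this is to be reverted once the policy is relaxed, the in-code comment should say that too and name the denied access (the entrypoint copying /tmp/puppet-tmp), so whoever removes it knows what to re-test; the bug link alone does not carry that. It is also worth confirming that the consumer of `default_data` accepts `security_opt` as a plain string rather than a list, and whether a per-container config can override this default, because neither is visible in this hunk.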