Add custom seccomp profile for ephemeral heat

This profile is similar to 'unconfined' would allow all syscalls that cause issues with older podman versions. Change-Id: Ibc8746762e9d5de2a2ed0afe92b53591c66d00a4
2022-09-19 15:02:23 +05:30 · 2022-09-19 15:02:23 +05:30 · ad6bc22f21
parent 6d8fe0aba5
commit ad6bc22f21
1 changed files with 18 additions and 0 deletions
--- a/deployment/heat/heat-ephemeral-container-ansible.yaml
+++ b/deployment/heat/heat-ephemeral-container-ansible.yaml
@ -111,6 +111,24 @@ outputs:
                container_image: {get_attr: [RoleParametersValue, value, ContainerHeatApiImage]}
                container_image_latest: "localhost/tripleo/openstack-heat-api:ephemeral"
      external_deploy_tasks:
+        - name: Create custom seccomp to allow syscalls
+          when:
+            - step|int == 1
+            - not ansible_check_mode|bool
+          block:
+            - name: Create directory for seccomp profile
+              become: true
+              file:
+                mode: '0755'
+                owner: root
+                path: /var/lib/kubelet/seccomp
+                state: directory
+            - name: Create seccomp_allow.json
+              become: true
+              copy:
+                dest: /var/lib/kubelet/seccomp/seccomp_allow.json
+                content: |
+                  {"defaultAction": "SCMP_ACT_ALLOW", "syscalls": []}
        - name: Manage clouds.yaml file for ephemeral Heat
          when:
            - step|int == 1