diff --git a/common/deploy-steps.j2 b/common/deploy-steps.j2
index 78f4533354..ec549fee2d 100644
--- a/common/deploy-steps.j2
+++ b/common/deploy-steps.j2
@@ -219,12 +219,12 @@ resources:
- # Write the manifest for baremetal puppet configuration
- name: Create /var/lib/tripleo-config directory
- file: path=/var/lib/tripleo-config state=directory
+ file: path=/var/lib/tripleo-config state=directory setype=svirt_sandbox_file_t selevel=s0 recurse=true
- name: Write the puppet step_config manifest
copy: content="{{ '{{' }}puppet_step_config{{ '}}' }}" dest=/var/lib/tripleo-config/puppet_step_config.pp force=yes mode=0600
# this creates a JSON config file for our docker-puppet.py script
- name: Create /var/lib/docker-puppet
- file: path=/var/lib/docker-puppet state=directory
+ file: path=/var/lib/docker-puppet state=directory setype=svirt_sandbox_file_t selevel=s0 recurse=true
- name: Write docker-puppet-tasks json files
copy: content="{{ '{{' }}puppet_config | to_json{{ '}}' }}" dest=/var/lib/docker-puppet/docker-puppet.json force=yes mode=0600
# FIXME: can we move docker-puppet somewhere so it's installed via a package?
@@ -241,7 +241,7 @@ resources:
copy: content="{{ '{{' }}item.value|to_json{{ '}}' }}" dest="/var/lib/tripleo-config/docker-container-startup-config-{{ '{{' }}item.key{{ '}}' }}.json" force=yes mode=0600
with_dict: "{{ '{{' }}docker_startup_configs{{ '}}' }}"
- name: Create /var/lib/kolla/config_files directory
- file: path=/var/lib/kolla/config_files state=directory
+ file: path=/var/lib/kolla/config_files state=directory setype=svirt_sandbox_file_t selevel=s0 recurse=true
- name: Write kolla config json files
copy: content="{{ '{{' }}item.value|to_json{{ '}}' }}" dest="{{ '{{' }}item.key{{ '}}' }}" force=yes mode=0600
with_dict: "{{ '{{' }}kolla_config{{ '}}' }}"
diff --git a/docker/docker-puppet.py b/docker/docker-puppet.py
index a605b3be07..18637f0a29 100755
--- a/docker/docker-puppet.py
+++ b/docker/docker-puppet.py
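Review bot: The new `setype=svirt_sandbox_file_t selevel=s0 recurse=true` on the `/var/lib/tripleo-config` task (and likewise on `/var/lib/docker-puppet` here and `/var/lib/kolla/config_files` in the second hunk, @@ -241) gives every file under those trees the shared container type with no per-container MCS category, so once a process runs in a container domain SELinux no longer separates these config trees between containers and the `mode=0600` on the copied `.pp`/`.json` files becomes the remaining boundary. That is consistent with the `:z` (shared, not `:Z` private) choice in docker-puppet.py, but the reason is not visible on the task, so a comment would help, e.g. `# shared (s0) container label: these dirs are bind-mounted into many containers, so a per-container MCS label (:Z) is not an option; file modes stay the access boundary`. The `recurse=true` relabel also runs on every deploy step, and on a host whose policy does not define svirt_sandbox_file_t the `file` task would presumably fail rather than skip, so that policy dependency is worth documenting or guarding.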
@@ -273,10 +273,10 @@ def mp_puppet_config((config_volume, puppet_tags, manifest, config_image, volume
'--env', 'HOSTNAME=%s' % short_hostname(),
'--env', 'NO_ARCHIVE=%s' % os.environ.get('NO_ARCHIVE', ''),
'--env', 'STEP=%s' % os.environ.get('STEP', '6'),
- '--volume', '%s:/etc/config.pp:ro' % tmp_man.name,
- '--volume', '/etc/puppet/:/tmp/puppet-etc/:ro',
- '--volume', '/usr/share/openstack-puppet/modules/:/usr/share/openstack-puppet/modules/:ro',
- '--volume', '%s:/var/lib/config-data/:rw' % os.environ.get('CONFIG_VOLUME_PREFIX', '/var/lib/config-data'),
+ '--volume', '%s:/etc/config.pp:ro,z' % tmp_man.name,
+ '--volume', '/etc/puppet/:/tmp/puppet-etc/:ro,z',
+ '--volume', '/usr/share/openstack-puppet/modules/:/usr/share/openstack-puppet/modules/:ro,z',
+ '--volume', '%s:/var/lib/config-data/:z' % os.environ.get('CONFIG_VOLUME_PREFIX', '/var/lib/config-data'),
'--volume', 'tripleo_logs:/var/log/tripleo/',
# Syslog socket for puppet logs
'--volume', '/dev/log:/dev/log',
@@ -286,7 +286,7 @@ def mp_puppet_config((config_volume, puppet_tags, manifest, config_image, volume
'--volume', '/etc/pki/tls/certs/ca-bundle.trust.crt:/etc/pki/tls/certs/ca-bundle.trust.crt:ro',
'--volume', '/etc/pki/tls/cert.pem:/etc/pki/tls/cert.pem:ro',
# script injection
- '--volume', '%s:%s:rw' % (sh_script, sh_script) ]
+ '--volume', '%s:%s:z' % (sh_script, sh_script) ]
for volume in volumes:
if volume:
diff --git a/releasenotes/notes/containers-selinux-context-13b720cc1d5ec6f2.yaml b/releasenotes/notes/containers-selinux-context-13b720cc1d5ec6f2.yaml
new file mode 100644
index 0000000000..24d2148999
--- /dev/null
+++ b/releasenotes/notes/containers-selinux-context-13b720cc1d5ec6f2.yaml
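Review bot: The `:z` added to the `/etc/puppet/` and `/usr/share/openstack-puppet/modules/` mounts asks docker to relabel those host directories recursively to the shared container type on every docker-puppet run, so this change alters SELinux labels on host-owned paths outside the deployment's own state directories, and a later `restorecon` on the host would presumably undo it and break the next run; that trade-off deserves a comment next to the volume list, e.g. `# ':z' relabels the host path to the shared container type (svirt_sandbox_file_t, s0) so any container can use it; 'ro' still blocks writes`. Because `CONFIG_VOLUME_PREFIX` now carries `:z` too, whatever path that variable points at is relabeled as a whole, which is worth stating in the same comment. Dropping `rw` from the config-data and script-injection mounts is harmless since read-write is docker's default; the second hunk (@@ -286) makes the same `:z` change for `sh_script`. mp_puppet_config begins before this hunk and continues past it.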
@@ -0,0 +1,16 @@
+---
+upgrade: ¬es
- |
The configuration management related directories managed by the tripleo deployment tools and bind-mounted as docker volumes now using the `:z` flag, which is a docker's equivalent for `chcon -Rt svirt_sandbox_file_t -l s0`. This makes those directories available for all containers on the host, in the shared mode: `/var/lib/tripleo-config`, `/var/lib/docker-puppet`, `/var/lib/kolla/config`, `/etc/puppet`, `/usr/share/openstack-puppet/modules/`, `/var/lib/config-data`.
security: *notes
fixes:
- |
Allow containerized services to be executed on hosts with SELinux in the enforcing mode.