So the rule of thumb I propose is "if a container bind-mounts /run
(/var/run), make it privileged to not mess with SELinux enforcing". I've
yet to found better alternatives to allow containers access the host
sockets.
Additionally, the patch allows developers of t-h-t docker/services to
not guess and repeat :z flags for generic
/var/lib/<config-data-related>, /etc/puppet/,
/usr/share/openstack-puppet/modules and /var/log/containers/<foo> paths
for services as the wanted context for those will be configured at the
deploy steps tasks [0], and the docker-puppet.py tool [1]. That kind of
follows DRY the best.
I hope that works.
[0] https://review.openstack.org/#/c/513669/11/common/deploy-steps.j2
[1] https://review.openstack.org/#/c/513669/12/docker/docker-puppet.py@277
On 11/6/17 2:49 PM, Bogdan Dobrelya wrote:
Hi.
I've made some progress with containerized undercloud deployment guide
and SELinux enforcing ( the bug [0] and the topic [1] ).
Although I'm now completely stuck [2] with fixing t-h-t's
docker/services to nail the selinux thing fully, including the
containerized *overclouds* part. The main issue is to make some of the
host-path volumes bind-mounted, like /run:/run and /dev:/dev, selinux
friendly. Any help is appreciated!
Hello folks.
I need your feedback please on SELinux fixes [0] (or rather
workarounds) for containerized undercloud feature, which is
experimental in Pike.
[TL;DR] The problem I'm trying to solve is primarily allowing TripleO
users to follow the guide [1] w/o telling them "please disable SELinux".
Especially, given the note "The undercloud is intended to work
correctly with SELinux enforcing, and cannot be installed to a system
with SELinux disabled".
I understand that putting "chcon -Rt svirt_sandbox_file_t -l s0" (see
[2]) to all of the host paths bind-mounted into containers is not
secure, and from SELinux perspective allows everything to all
containers. That could be a first step for docker volumes working w/o
shutting down SELinux on *hosts* though.
I plan to use the same approach for the t-h-t docker/services
host-prep tasks as well. Why not using docker's :z :Z directly? IIUC,
it doesn't allow combine with other mount flags, like :ro:z won't
work. I look forward for better solutions and ideas!
[0] https://review.openstack.org/#/q/topic:bug/1682179
[1]
https://docs.openstack.org/tripleo-docs/latest/install/containers_deployment/undercloud.html
[2]
https://www.projectatomic.io/blog/2015/06/using-volumes-with-docker-can-cause-problems-with-selinux/
[0] https://bugs.launchpad.net/tripleo/+bug/1682179
[1] https://review.openstack.org/#/q/topic:bug/1682179
[2] https://review.openstack.org/#/c/517383/
--
Best regards,
Bogdan Dobrelya,
Irc #bogdando
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: [email protected]?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
