Code Review / apex-tripleo-heat-templates.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | review | tree
raw | patch | inline | side by side (parent: e73c84a)
Enable selinux in containers
authorOliver Walsh <owalsh@redhat.com>
Tue, 5 Sep 2017 18:19:17 +0000 (19:19 +0100)
committerOliver Walsh <owalsh@redhat.com>
Mon, 11 Sep 2017 21:21:49 +0000 (15:21 -0600)
We cannot use the --selinux-enabled docker daemon option on CentOS/RHEL 7.3.
It will fail if security_inode_copy_up is not found in the kernel symbols:
https://github.com/projectatomic/docker/blob/docker-1.12.6/daemon/daemon_unix.go#L661
NB this has been reduced to a warning upstream:
https://github.com/moby/moby/commit/885b29df096db1d6746ece4b3a298a1ffe85716d

Instead this just bind mounts /sys/fs/selinux in containers-common.yaml.

Everything appears to work at initial glance. Pingtest succeeds, and
live-migration between baremetal and containerized computes works.

Change-Id: I018221bf7ae9ab9ece193b55f1ce31eb1591046c
Closes-bug: #1715171
(cherry picked from commit 520f889a31f1ea6ee2bad86d1dbb3c0435604d10)

docker/services/containers-common.yaml patch | blob | history

diff --git a/docker/services/containers-common.yaml b/docker/services/containers-common.yaml
index 2c894da..9f982f8 100644 (file)
--- a/docker/services/containers-common.yaml
+++ b/docker/services/containers-common.yaml
@@ -64,6 +64,7 @@ outputs:
           # Syslog socket
           - /dev/log:/dev/log
           - /etc/ssh/ssh_known_hosts:/etc/ssh/ssh_known_hosts:ro
+          - /sys/fs/selinux:/sys/fs/selinux
         - if:
           - internal_tls_enabled
           - - list_join: