Fix selinux label issues

Add --security-opt label=disable to all containers
accessing /var/lib/ceph. podman's SELinux relabeling behaviour changed
in podman-3:4.2.0-1, which prevents some containers from accessing
files in these subdirectories.

Signed-off-by: Teoman ONAY <tonay@ibm.com>
rhcs-5.3
Teoman ONAY 2023-03-14 12:26:56 +01:00 committed by Teoman ONAY
parent 79af63895b
commit 08516098ed
6 changed files with 6 additions and 5 deletions


@ -19,6 +19,7 @@ ExecStart=/usr/bin/{{ container_binary }} run --rm --name ceph-crash-%i \
-d --log-driver journald --conmon-pidfile /%t/%n-pid --cidfile /%t/%n-cid \ -d --log-driver journald --conmon-pidfile /%t/%n-pid --cidfile /%t/%n-cid \
{% endif %} {% endif %}
--pids-limit={{ 0 if container_binary == 'podman' else -1 }} \ --pids-limit={{ 0 if container_binary == 'podman' else -1 }} \
--security-opt label=disable \
--net=host \ --net=host \
-v /var/lib/ceph:/var/lib/ceph:z \ -v /var/lib/ceph:/var/lib/ceph:z \
-v /etc/localtime:/etc/localtime:ro \ -v /etc/localtime:/etc/localtime:ro \
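Review bot: The added `--security-opt label=disable` does more than work around relabeling: it runs ceph-crash with SELinux separation turned off (podman puts such containers in the unconfined `spc_t` domain), so an escape from this container is no longer confined by SELinux, which is a weaker posture than the `:z` shared label the unit relied on before. Because the flag is now load-bearing for security, its rationale should sit next to it; a `#` comment above the `ExecStart=` line (which is outside this hunk) such as `# label=disable: podman >= 4.2 no longer relabels /var/lib/ceph subdirectories for us; this intentionally disables SELinux confinement of the container` would keep a later cleanup from either dropping it or treating it as harmless. With labeling disabled the `:z` suffix on the `/var/lib/ceph` mount two lines below is most likely inert (the relabel uses the container's mount label, which is now empty), so it is worth either dropping it or noting that it is kept for the docker path. A narrower alternative to evaluate is leaving labeling on and fixing the host labels on `/var/lib/ceph` (`semanage fcontext` to `container_file_t` plus `restorecon`), which keeps confinement.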


@ -25,6 +25,7 @@ ExecStart=/usr/bin/{{ container_binary }} run --rm --net=host \
-d --log-driver journald --conmon-pidfile /%t/%n-pid --cidfile /%t/%n-cid \ -d --log-driver journald --conmon-pidfile /%t/%n-pid --cidfile /%t/%n-cid \
{% endif %} {% endif %}
--pids-limit={{ 0 if container_binary == 'podman' else -1 }} \ --pids-limit={{ 0 if container_binary == 'podman' else -1 }} \
--security-opt label=disable \
--memory={{ ceph_mds_docker_memory_limit }} \ --memory={{ ceph_mds_docker_memory_limit }} \
--cpus={{ cpu_limit }} \ --cpus={{ cpu_limit }} \
-v /var/lib/ceph:/var/lib/ceph:z \ -v /var/lib/ceph:/var/lib/ceph:z \
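Review bot: The flag is applied unconditionally, but the commit message ties the problem to podman-3:4.2.0-1, so on a docker host this also switches SELinux separation off for the MDS without any relabeling bug to justify it. The template already branches on the runtime for `--pids-limit`, so the same idiom scopes the weakening to where it is needed: `{% if container_binary == 'podman' %}` / `--security-opt label=disable \` / `{% endif %}`, keeping the `\` continuation intact inside the ExecStart (which starts above this hunk). Since this unit also runs with `--net=host`, an MDS with neither network namespace nor SELinux isolation is effectively a host process handling client traffic, which is worth calling out in a `#` comment above `ExecStart=` so the trade-off is visible to operators.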


@ -24,6 +24,7 @@ ExecStart=/usr/bin/{{ container_binary }} run --rm --net=host \
-d --log-driver journald --conmon-pidfile /%t/%n-pid --cidfile /%t/%n-cid \ -d --log-driver journald --conmon-pidfile /%t/%n-pid --cidfile /%t/%n-cid \
{% endif %} {% endif %}
--pids-limit={{ 0 if container_binary == 'podman' else -1 }} \ --pids-limit={{ 0 if container_binary == 'podman' else -1 }} \
--security-opt label=disable \
--memory={{ ceph_mgr_docker_memory_limit }} \ --memory={{ ceph_mgr_docker_memory_limit }} \
--cpus={{ ceph_mgr_docker_cpu_limit }} \ --cpus={{ ceph_mgr_docker_cpu_limit }} \
-v /var/lib/ceph:/var/lib/ceph:z,rshared \ -v /var/lib/ceph:/var/lib/ceph:z,rshared \
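Review bot: The `-v /var/lib/ceph:/var/lib/ceph:z,rshared` mount below the added line now combines a request to relabel with shared content (`z`) with a container that has no SELinux label to apply, so the `z` part is very likely a no-op under `label=disable` and the two options read as contradictory to the next maintainer. Either drop `z` and keep `rshared` (`-v /var/lib/ceph:/var/lib/ceph:rshared \`), or leave a `#` comment above `ExecStart=` (outside this hunk) explaining that `z` is retained for the non-podman path. It would also help to record in that comment that the mgr, which serves modules such as the dashboard over the host network, is now running unconfined by SELinux, since nothing in the unit otherwise signals that regression.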


@ -23,12 +23,8 @@ ExecStart=/usr/bin/{{ container_binary }} run --rm --net=host \
-d --log-driver journald --conmon-pidfile /%t/%n-pid --cidfile /%t/%n-cid \ -d --log-driver journald --conmon-pidfile /%t/%n-pid --cidfile /%t/%n-cid \
{% endif %} {% endif %}
--pids-limit={{ 0 if container_binary == 'podman' else -1 }} \ --pids-limit={{ 0 if container_binary == 'podman' else -1 }} \
<<<<<<< HEAD
-v /var/lib/ceph:/var/lib/ceph:z \
=======
--security-opt label=disable \ --security-opt label=disable \
-v /var/lib/ceph/bootstrap-rgw/:/var/lib/ceph/bootstrap-rgw:z \ -v /var/lib/ceph/bootstrap-rgw/:/var/lib/ceph/bootstrap-rgw:z \
>>>>>>> c1b541f69 (Fixes selinux relabeling issue for nfs container)
-v /etc/ceph:/etc/ceph:z \ -v /etc/ceph:/etc/ceph:z \
-v /var/lib/nfs/ganesha:/var/lib/nfs/ganesha:z \ -v /var/lib/nfs/ganesha:/var/lib/nfs/ganesha:z \
-v /etc/ganesha:/etc/ganesha:z \ -v /etc/ganesha:/etc/ganesha:z \
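Review bot: The conflict resolution keeps only the `bootstrap-rgw` mount and drops the HEAD side's `-v /var/lib/ceph:/var/lib/ceph:z`, which is the least-privilege choice, but nothing in the hunk confirms that nfs-ganesha needs no other path under `/var/lib/ceph` (for example a per-daemon keyring or data directory); please verify against the role's tasks, because the failure would only appear at runtime as a permission or missing-file error. The commit message says the flag is added to containers "accessing /var/lib/ceph", yet this unit no longer mounts that tree wholesale, so the message or the mount should be reconciled. With labeling disabled the `:z` on the `bootstrap-rgw` line is most likely inert, so `-v /var/lib/ceph/bootstrap-rgw/:/var/lib/ceph/bootstrap-rgw \` (or a comment explaining why `:z` stays) would avoid implying a relabel that no longer happens. The enclosing `ExecStart=` begins above this hunk and continues past it.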


@ -30,6 +30,7 @@ numactl \
-d --log-driver journald --conmon-pidfile /%t/%n-pid --cidfile /%t/%n-cid \ -d --log-driver journald --conmon-pidfile /%t/%n-pid --cidfile /%t/%n-cid \
{% endif %} {% endif %}
--pids-limit={{ 0 if container_binary == 'podman' else -1 }} \ --pids-limit={{ 0 if container_binary == 'podman' else -1 }} \
--security-opt label=disable \
--rm \ --rm \
--net=host \ --net=host \
--privileged=true \ --privileged=true \
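Review bot: This unit already passes `--privileged=true` two lines below the added flag, and a privileged container in podman and docker already runs without SELinux separation, so `--security-opt label=disable` is redundant here and should either be dropped for the OSD or kept only with a comment saying it is intentional for uniformity. If it stays, something like `# label=disable is implied by --privileged; kept so all ceph units carry the same flag` above the `ExecStart=` line (outside this hunk) would stop a reviewer from reading it as an additional weakening. The OSD being privileged is the larger exposure and is pre-existing, so I am not asking for that to change in this commit.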


@ -26,7 +26,8 @@ ExecStart=/usr/bin/{{ container_binary }} run --rm --net=host \
--pids-limit={{ 0 if container_binary == 'podman' else -1 }} \ --pids-limit={{ 0 if container_binary == 'podman' else -1 }} \
--memory={{ ceph_rbd_mirror_docker_memory_limit }} \ --memory={{ ceph_rbd_mirror_docker_memory_limit }} \
--cpus={{ ceph_rbd_mirror_docker_cpu_limit }} \ --cpus={{ ceph_rbd_mirror_docker_cpu_limit }} \
-v /var/lib/ceph:/var/lib/ceph:z \ --security-opt label=disable \
-v /var/lib/ceph/bootstrap-rbd-mirror:/var/lib/ceph/bootstrap-rbd-mirror:Z \
-v /etc/ceph:/etc/ceph:z \ -v /etc/ceph:/etc/ceph:z \
-v /var/run/ceph:/var/run/ceph:z \ -v /var/run/ceph:/var/run/ceph:z \
-v /etc/localtime:/etc/localtime:ro \ -v /etc/localtime:/etc/localtime:ro \
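Review bot: The new `-v /var/lib/ceph/bootstrap-rbd-mirror:/var/lib/ceph/bootstrap-rbd-mirror:Z` asks for a private, per-container SELinux label, but the line above it turns labeling off, so `:Z` cannot take effect and the pair reads as if isolation exists where it does not; either drop the suffix (`...:/var/lib/ceph/bootstrap-rbd-mirror \`) or use the same `:z` spelling as the other units so the intent is consistent. Narrowing the mount from all of `/var/lib/ceph` to the bootstrap directory is a real least-privilege gain, but please confirm the rbd-mirror daemon reads nothing else under `/var/lib/ceph` (the other units in this commit still mount the whole tree), since that would surface only as a runtime permission error. The `ExecStart=` this belongs to begins above the hunk.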