Turn off SELinux separation for containers MON and RGW

Initially MONs and RGW binded /etc/pki/ca-trust/extracted using the :z flag
(introduced to solve an OSP TripleO issue on RHEL - #3638) but using
this flag prevents local services (like sssd) running on the host from accessing
the certificates/files in that folder.

Signed-off-by: Teoman ONAY <tonay@redhat.com>
pull/7114/head
Teoman ONAY 2022-03-07 10:31:14 +01:00 committed by Guillaume Abrioux
parent 266b6e739c
commit 7e8ce2567e
3 changed files with 25 additions and 15 deletions

View File

@ -34,3 +34,11 @@
mode: 0644 mode: 0644
state: present state: present
create: yes create: yes
- name: restore certificates selinux context
when:
- ansible_facts['os_family'] == 'RedHat'
- inventory_hostname in groups.get(mon_group_name, [])
or inventory_hostname in groups.get(rgw_group_name, [])
command: /usr/sbin/restorecon -RF /etc/pki/ca-trust/extracted
changed_when: false

View File

@ -27,13 +27,14 @@ ExecStart=/usr/bin/{{ container_binary }} run --rm --name ceph-mon-%i \
--pids-limit={{ 0 if container_binary == 'podman' else -1 }} \ --pids-limit={{ 0 if container_binary == 'podman' else -1 }} \
--memory={{ ceph_mon_docker_memory_limit }} \ --memory={{ ceph_mon_docker_memory_limit }} \
--cpus={{ ceph_mon_docker_cpu_limit }} \ --cpus={{ ceph_mon_docker_cpu_limit }} \
-v /var/lib/ceph:/var/lib/ceph:z,rshared \ --security-opt label=disable \
-v /etc/ceph:/etc/ceph:z \ -v /var/lib/ceph:/var/lib/ceph:rshared \
-v /var/run/ceph:/var/run/ceph:z \ -v /etc/ceph:/etc/ceph \
-v /etc/localtime:/etc/localtime:ro \ -v /var/run/ceph:/var/run/ceph \
-v /var/log/ceph:/var/log/ceph:z \ -v /etc/localtime:/etc/localtime \
{% if ansible_facts['distribution'] == 'RedHat' -%} -v /var/log/ceph:/var/log/ceph \
-v /etc/pki/ca-trust/extracted:/etc/pki/ca-trust/extracted:z \ {% if ansible_facts['os_family'] == 'RedHat' -%}
-v /etc/pki/ca-trust/extracted:/etc/pki/ca-trust/extracted \
{% endif -%} {% endif -%}
{% if mon_docker_privileged | bool -%} {% if mon_docker_privileged | bool -%}
--privileged \ --privileged \

View File

@ -27,22 +27,23 @@ ExecStart=/usr/bin/{{ container_binary }} run --rm --net=host \
--pids-limit={{ 0 if container_binary == 'podman' else -1 }} \ --pids-limit={{ 0 if container_binary == 'podman' else -1 }} \
--memory={{ ceph_rgw_docker_memory_limit }} \ --memory={{ ceph_rgw_docker_memory_limit }} \
--cpus={{ cpu_limit }} \ --cpus={{ cpu_limit }} \
--security-opt label=disable \
{% if ceph_rgw_docker_cpuset_cpus is defined -%} {% if ceph_rgw_docker_cpuset_cpus is defined -%}
--cpuset-cpus="{{ ceph_rgw_docker_cpuset_cpus }}" \ --cpuset-cpus="{{ ceph_rgw_docker_cpuset_cpus }}" \
{% endif -%} {% endif -%}
{% if ceph_rgw_docker_cpuset_mems is defined -%} {% if ceph_rgw_docker_cpuset_mems is defined -%}
--cpuset-mems="{{ ceph_rgw_docker_cpuset_mems }}" \ --cpuset-mems="{{ ceph_rgw_docker_cpuset_mems }}" \
{% endif -%} {% endif -%}
-v /var/lib/ceph:/var/lib/ceph:z \ -v /var/lib/ceph:/var/lib/ceph \
-v /etc/ceph:/etc/ceph:z \ -v /etc/ceph:/etc/ceph \
-v /var/run/ceph:/var/run/ceph:z \ -v /var/run/ceph:/var/run/ceph \
-v /etc/localtime:/etc/localtime:ro \ -v /etc/localtime:/etc/localtime \
-v /var/log/ceph:/var/log/ceph:z \ -v /var/log/ceph:/var/log/ceph \
{% if ansible_facts['distribution'] == 'RedHat' -%} {% if ansible_facts['os_family'] == 'RedHat' -%}
-v /etc/pki/ca-trust/extracted:/etc/pki/ca-trust/extracted:z \ -v /etc/pki/ca-trust/extracted:/etc/pki/ca-trust/extracted \
{% endif -%} {% endif -%}
{% if radosgw_frontend_ssl_certificate -%} {% if radosgw_frontend_ssl_certificate -%}
-v {{ radosgw_frontend_ssl_certificate }}:{{ radosgw_frontend_ssl_certificate }}:ro \ -v {{ radosgw_frontend_ssl_certificate }}:{{ radosgw_frontend_ssl_certificate }} \
{% endif -%} {% endif -%}
-e CEPH_DAEMON=RGW \ -e CEPH_DAEMON=RGW \
-e CLUSTER={{ cluster }} \ -e CLUSTER={{ cluster }} \