From e832c9e30802b905611a39beabdfdcc46cfa9bdc Mon Sep 17 00:00:00 2001
From: Teoman ONAY
Date: Tue, 14 Mar 2023 12:26:56 +0100
Subject: [PATCH] Fix selinux label issues

Add --security-opt label=disable to all containers accessing /var/lib/ceph. podman selinux relabeling behavious changed since version podman-3:4.2.0-1 which prevent some containers to access files in these subdirectories.

Signed-off-by: Teoman ONAY
---
 roles/ceph-crash/templates/ceph-crash.service.j2 | 1 +
 roles/ceph-mds/templates/ceph-mds.service.j2 | 1 +
 roles/ceph-mgr/templates/ceph-mgr.service.j2 | 1 +
 roles/ceph-nfs/templates/ceph-nfs.service.j2 | 4 ----
 roles/ceph-osd/templates/ceph-osd.service.j2 | 1 +
 roles/ceph-rbd-mirror/templates/ceph-rbd-mirror.service.j2 | 3 ++-
 6 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/roles/ceph-crash/templates/ceph-crash.service.j2 b/roles/ceph-crash/templates/ceph-crash.service.j2
index 578675d1d..8b54a722c 100644
--- a/roles/ceph-crash/templates/ceph-crash.service.j2
+++ b/roles/ceph-crash/templates/ceph-crash.service.j2
@@ -19,6 +19,7 @@ ExecStart=/usr/bin/{{ container_binary }} run --rm --name ceph-crash-%i \
 -d --log-driver journald --conmon-pidfile /%t/%n-pid --cidfile /%t/%n-cid \
 {% endif %}
 --pids-limit={{ 0 if container_binary == 'podman' else -1 }} \
+--security-opt label=disable \
 --net=host \
 -v /var/lib/ceph:/var/lib/ceph:z \
 -v /etc/localtime:/etc/localtime:ro \
diff --git a/roles/ceph-mds/templates/ceph-mds.service.j2 b/roles/ceph-mds/templates/ceph-mds.service.j2
index 59338e8fa..0924b0d2f 100644
--- a/roles/ceph-mds/templates/ceph-mds.service.j2
+++ b/roles/ceph-mds/templates/ceph-mds.service.j2
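Review bot: The added `--security-opt label=disable` removes SELinux label separation for the whole ceph-crash container process, not just for the `/var/lib/ceph` bind mount, so the daemon now runs without the MCS confinement that the `:z` relabel on the volume line two lines below was providing; the same line is added in the ceph-mds, ceph-mgr, ceph-osd and ceph-rbd-mirror hunks, and every one of these containers already runs with `--net=host` (ceph-osd additionally with `--privileged=true`), so the change collapses the remaining isolation between the daemon and the host. The commit message names a relabeling change for subdirectories of `/var/lib/ceph` since podman-3:4.2.0-1 as the motivation, which suggests the narrower fix is to bind-mount only the subdirectory each daemon needs with `:z`/`:Z` and keep labels on, as the ceph-nfs and ceph-rbd-mirror hunks already do for `bootstrap-rgw` and `bootstrap-rbd-mirror`. If label=disable is kept, the `:z` suffix on the `/var/lib/ceph` mount in the same ExecStart is at best redundant and should carry a template comment explaining why both are present, e.g. `{# label separation is disabled above for podman >= 4.2 relabeling behaviour; :z kept for docker hosts - confirm #}`. The ExecStart continuation extends beyond the hunk on both sides.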
@@ -25,6 +25,7 @@ ExecStart=/usr/bin/{{ container_binary }} run --rm --net=host \
 -d --log-driver journald --conmon-pidfile /%t/%n-pid --cidfile /%t/%n-cid \
 {% endif %}
 --pids-limit={{ 0 if container_binary == 'podman' else -1 }} \
+ --security-opt label=disable \
 --memory={{ ceph_mds_docker_memory_limit }} \
 --cpus={{ cpu_limit }} \
 -v /var/lib/ceph:/var/lib/ceph:z \
diff --git a/roles/ceph-mgr/templates/ceph-mgr.service.j2 b/roles/ceph-mgr/templates/ceph-mgr.service.j2
index 338fbe793..16472334c 100644
--- a/roles/ceph-mgr/templates/ceph-mgr.service.j2
+++ b/roles/ceph-mgr/templates/ceph-mgr.service.j2
@@ -24,6 +24,7 @@ ExecStart=/usr/bin/{{ container_binary }} run --rm --net=host \
 -d --log-driver journald --conmon-pidfile /%t/%n-pid --cidfile /%t/%n-cid \
 {% endif %}
 --pids-limit={{ 0 if container_binary == 'podman' else -1 }} \
+ --security-opt label=disable \
 --memory={{ ceph_mgr_docker_memory_limit }} \
 --cpus={{ ceph_mgr_docker_cpu_limit }} \
 -v /var/lib/ceph:/var/lib/ceph:z,rshared \
diff --git a/roles/ceph-nfs/templates/ceph-nfs.service.j2 b/roles/ceph-nfs/templates/ceph-nfs.service.j2
index 82c0c1c8a..452b39e13 100644
--- a/roles/ceph-nfs/templates/ceph-nfs.service.j2
+++ b/roles/ceph-nfs/templates/ceph-nfs.service.j2
@@ -23,12 +23,8 @@ ExecStart=/usr/bin/{{ container_binary }} run --rm --net=host \
 -d --log-driver journald --conmon-pidfile /%t/%n-pid --cidfile /%t/%n-cid \
 {% endif %}
 --pids-limit={{ 0 if container_binary == 'podman' else -1 }} \
-<<<<<<< HEAD
- -v /var/lib/ceph:/var/lib/ceph:z \
-=======
 --security-opt label=disable \
 -v /var/lib/ceph/bootstrap-rgw/:/var/lib/ceph/bootstrap-rgw:z \
->>>>>>> c1b541f69 (Fixes selinux relabeling issue for nfs container)
 -v /etc/ceph:/etc/ceph:z \
 -v /var/lib/nfs/ganesha:/var/lib/nfs/ganesha:z \
 -v /etc/ganesha:/etc/ganesha:z \
diff --git a/roles/ceph-osd/templates/ceph-osd.service.j2 b/roles/ceph-osd/templates/ceph-osd.service.j2
index c0bb78fd2..3f8ab6d98 100644
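Review bot: The four removed lines in the ceph-nfs hunk are merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> c1b541f69 …`), so the parent commit shipped a ceph-nfs unit template that rendered those markers into ExecStart, and this hunk resolves the conflict by keeping the c1b541f69 side: the broad `-v /var/lib/ceph:/var/lib/ceph:z` mount is dropped and only `/var/lib/ceph/bootstrap-rgw/` remains. That narrowing is the right direction for least privilege, but it is a behaviour change the commit message does not mention, and since `--security-opt label=disable` is already a context line here, any other path under `/var/lib/ceph` the ganesha container previously read will now fail at runtime rather than be caught by review; confirm nothing else is needed and say so in the message. Minor consistency point: the host side `/var/lib/ceph/bootstrap-rgw/` carries a trailing slash while the container side and the rbd-mirror hunk do not; `-v /var/lib/ceph/bootstrap-rgw:/var/lib/ceph/bootstrap-rgw:z \` keeps the templates uniform. The ExecStart continuation extends beyond the hunk on both sides.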
--- a/roles/ceph-osd/templates/ceph-osd.service.j2
+++ b/roles/ceph-osd/templates/ceph-osd.service.j2
@@ -30,6 +30,7 @@ numactl \
 -d --log-driver journald --conmon-pidfile /%t/%n-pid --cidfile /%t/%n-cid \
 {% endif %}
 --pids-limit={{ 0 if container_binary == 'podman' else -1 }} \
+ --security-opt label=disable \
 --rm \
 --net=host \
 --privileged=true \
diff --git a/roles/ceph-rbd-mirror/templates/ceph-rbd-mirror.service.j2 b/roles/ceph-rbd-mirror/templates/ceph-rbd-mirror.service.j2
index 22e6b49ec..79e4bf438 100644
--- a/roles/ceph-rbd-mirror/templates/ceph-rbd-mirror.service.j2
+++ b/roles/ceph-rbd-mirror/templates/ceph-rbd-mirror.service.j2
@@ -26,7 +26,8 @@ ExecStart=/usr/bin/{{ container_binary }} run --rm --net=host \
 --pids-limit={{ 0 if container_binary == 'podman' else -1 }} \
 --memory={{ ceph_rbd_mirror_docker_memory_limit }} \
 --cpus={{ ceph_rbd_mirror_docker_cpu_limit }} \
- -v /var/lib/ceph:/var/lib/ceph:z \
+ --security-opt label=disable \
+ -v /var/lib/ceph/bootstrap-rbd-mirror:/var/lib/ceph/bootstrap-rbd-mirror:Z \
 -v /etc/ceph:/etc/ceph:z \
 -v /var/run/ceph:/var/run/ceph:z \
 -v /etc/localtime:/etc/localtime:ro \
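Review bot: The new `bootstrap-rbd-mirror` mount in the ceph-rbd-mirror hunk uses `:Z` (private, unshared label) while every other mount in this patch uses `:z`, and the line directly above it disables label separation for the same container; whether podman still applies the `:Z` relabel when label separation is disabled depends on the podman version, so as written the two options either conflict or one is dead, and a reader cannot tell which is intended. Pick one mechanism and record the choice in the template, e.g. `{# bootstrap-rbd-mirror is used only by this container, so a private :Z label is sufficient without label=disable - confirm #}`; if `:Z` is kept, note that it relabels the host directory with a private category that other confined processes on the host may not be able to read. This hunk also replaces the whole-tree `/var/lib/ceph` mount with the single bootstrap directory, a scope narrowing the commit message does not call out; confirm rbd-mirror reads nothing else under `/var/lib/ceph` before merging. The ExecStart continuation extends beyond the hunk on both sides.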