summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorOliver Walsh <owalsh@redhat.com>2017-09-05 19:19:17 +0100
committerOliver Walsh <owalsh@redhat.com>2017-09-11 15:21:49 -0600
commit185071236718ca1bfbb46a857cef1a8e0a5c14c0 (patch)
treeca11ef2aa7b3033fbfb88b0fc0082b81e15d8259
parente73c84ad5685df4cdca70d9ad255635de2cf63f7 (diff)
Enable selinux in containers
We cannot use the --selinux-enabled docker daemon option on CentOS/RHEL 7.3. It will fail if security_inode_copy_up is not found in the kernel symbols: https://github.com/projectatomic/docker/blob/docker-1.12.6/daemon/daemon_unix.go#L661 NB this has been reduced to a warning upstream: https://github.com/moby/moby/commit/885b29df096db1d6746ece4b3a298a1ffe85716d Instead this just bind mounts /sys/fs/selinux in containers-common.yaml. Everything appears to work at initial glance. Pingtest succeeds, and live-migration between baremetal and containerized computes works. Change-Id: I018221bf7ae9ab9ece193b55f1ce31eb1591046c Closes-bug: #1715171 (cherry picked from commit 520f889a31f1ea6ee2bad86d1dbb3c0435604d10)
-rw-r--r--docker/services/containers-common.yaml1
1 files changed, 1 insertions, 0 deletions
diff --git a/docker/services/containers-common.yaml b/docker/services/containers-common.yaml
index 2c894da5..9f982f8b 100644
--- a/docker/services/containers-common.yaml
+++ b/docker/services/containers-common.yaml
@@ -64,6 +64,7 @@ outputs:
# Syslog socket
- /dev/log:/dev/log
- /etc/ssh/ssh_known_hosts:/etc/ssh/ssh_known_hosts:ro
+ - /sys/fs/selinux:/sys/fs/selinux
- if:
- internal_tls_enabled
- - list_join: