From b3277ed2ca4df1fb1bf23565a9104d6b047e1ac1 Mon Sep 17 00:00:00 2001 From: Oliver Walsh Date: Sat, 28 Oct 2017 00:06:46 +0100 Subject: Only mount selinux sysfs in nova_libvirt container https://review.openstack.org/500952 initially just did this. Then we assumed every container should have the selinux sysfs. This causes issues with the sshd container used for live-migration. The advice from the selinux experts is that it should not be enabled within containers, so reverting back to the original fix that enables it only in the nova-libvirt container. Closes-bug: 1729405 Change-Id: I80bf38d7d64ab99510574af5c57423fde9b84eca (cherry picked from commit 7c8127cf96a281dd5cee96e1a68bc0508b9ba4e7) --- docker/services/containers-common.yaml | 1 - docker/services/nova-libvirt.yaml | 1 + 2 files changed, 1 insertion(+), 1 deletion(-) (limited to 'docker/services') diff --git a/docker/services/containers-common.yaml b/docker/services/containers-common.yaml index 9f982f8b..2c894da5 100644 --- a/docker/services/containers-common.yaml +++ b/docker/services/containers-common.yaml @@ -64,7 +64,6 @@ outputs: # Syslog socket - /dev/log:/dev/log - /etc/ssh/ssh_known_hosts:/etc/ssh/ssh_known_hosts:ro - - /sys/fs/selinux:/sys/fs/selinux - if: - internal_tls_enabled - - list_join: diff --git a/docker/services/nova-libvirt.yaml b/docker/services/nova-libvirt.yaml index df168945..e585cb6c 100644 --- a/docker/services/nova-libvirt.yaml +++ b/docker/services/nova-libvirt.yaml @@ -206,6 +206,7 @@ outputs: - /var/log/libvirt/qemu:/var/log/libvirt/qemu:ro - /var/log/containers/nova:/var/log/nova - /var/lib/vhost_sockets:/var/lib/vhost_sockets + - /sys/fs/selinux:/sys/fs/selinux - if: - use_tls_for_live_migration -- cgit 1.2.3-korg
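Review bot: The added `- /sys/fs/selinux:/sys/fs/selinux` entry in nova-libvirt.yaml carries no comment saying why this one container gets the host's SELinux filesystem, and the commit message shows that this gap is how an earlier change came to copy the mount into every container. I would put a comment directly above it, for example `# selinuxfs is for libvirt only; do not move this to containers-common (bug 1729405)`. The entry also has no `:ro` suffix, unlike the qemu log mount a few lines above it, so the container sees the host selinuxfs writable; if libvirt needs that (presumably for SELinux labelling of guests, to be confirmed), the comment should say so, otherwise `:ro` would be the narrower grant. The volumes list this entry belongs to starts and ends outside the hunk.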