Fix selinux label issues

Add --security-opt label=disable to all containers
accessing /var/lib/ceph. podman selinux relabeling behavious changed
since version podman-3:4.2.0-1 which prevent some containers to access
files in these subdirectories.

Signed-off-by: Teoman ONAY <tonay@ibm.com>
(cherry picked from commit d25fa6757c93af556c71c3e148835f591bf5b7be)

diff --git a/roles/ceph-crash/templates/ceph-crash.service.j2 b/roles/ceph-crash/templates/ceph-crash.service.j2
index 1a7b0f012f204034f70412c4ac201096fac01dcc..1424eda83673d4ffe45f5a64d794e54afdd9b570 100644 (file)
--- a/roles/ceph-crash/templates/ceph-crash.service.j2
+++ b/roles/ceph-crash/templates/ceph-crash.service.j2
@@ -19,6 +19,7 @@ ExecStart=/usr/bin/{{ container_binary }} run --rm --name ceph-crash-%i \
 -d --log-driver journald --conmon-pidfile /%t/%n-pid --cidfile /%t/%n-cid \
 {% endif %}
 --pids-limit={{ 0 if container_binary == 'podman' else -1 }} \
+--security-opt label=disable \
 --net=host \
 {% if cluster != 'ceph' %}
 -e CEPH_ARGS="--cluster {{ cluster }}" \

diff --git a/roles/ceph-mds/templates/ceph-mds.service.j2 b/roles/ceph-mds/templates/ceph-mds.service.j2
index fc34cc48c3fb19958eb771a0bdace46b0f59aa72..183dbf87e394fcd734626f882c133878c3b737ab 100644 (file)
--- a/roles/ceph-mds/templates/ceph-mds.service.j2
+++ b/roles/ceph-mds/templates/ceph-mds.service.j2
@@ -25,6 +25,7 @@ ExecStart=/usr/bin/{{ container_binary }} run --rm --net=host \
   -d --log-driver journald --conmon-pidfile /%t/%n-pid --cidfile /%t/%n-cid \
 {% endif %}
   --pids-limit={{ 0 if container_binary == 'podman' else -1 }} \
+  --security-opt label=disable \
   --memory={{ ceph_mds_docker_memory_limit }} \
   --cpus={{ cpu_limit }} \
   -v /var/lib/ceph/mds:/var/lib/ceph/mds:z \

diff --git a/roles/ceph-mgr/templates/ceph-mgr.service.j2 b/roles/ceph-mgr/templates/ceph-mgr.service.j2
index 3ba9a11d6198626c465f1ad9cda74b4f18216042..aee87a6abbed753cdff5ae3cf4a96efac704ac7e 100644 (file)
--- a/roles/ceph-mgr/templates/ceph-mgr.service.j2
+++ b/roles/ceph-mgr/templates/ceph-mgr.service.j2
@@ -24,6 +24,7 @@ ExecStart=/usr/bin/{{ container_binary }} run --rm --net=host \
   -d --log-driver journald --conmon-pidfile /%t/%n-pid --cidfile /%t/%n-cid \
 {% endif %}
   --pids-limit={{ 0 if container_binary == 'podman' else -1 }} \
+  --security-opt label=disable \
   --memory={{ ceph_mgr_docker_memory_limit }} \
   --cpus={{ ceph_mgr_docker_cpu_limit }} \
   -v /var/lib/ceph/mgr:/var/lib/ceph/mgr:z,rshared \

diff --git a/roles/ceph-osd/templates/ceph-osd.service.j2 b/roles/ceph-osd/templates/ceph-osd.service.j2
index e862669c56689cfb89a18f7e7ea1af754be2a5f3..c16fbf3de77c0c251b2156310192e46bee551f14 100644 (file)
--- a/roles/ceph-osd/templates/ceph-osd.service.j2
+++ b/roles/ceph-osd/templates/ceph-osd.service.j2
@@ -30,6 +30,7 @@ numactl \
   -d --log-driver journald --conmon-pidfile /%t/%n-pid --cidfile /%t/%n-cid \
 {% endif %}
   --pids-limit={{ 0 if container_binary == 'podman' else -1 }} \
+  --security-opt label=disable \
   --rm \
   --net=host \
   --privileged=true \

diff --git a/roles/ceph-rbd-mirror/templates/ceph-rbd-mirror.service.j2 b/roles/ceph-rbd-mirror/templates/ceph-rbd-mirror.service.j2
index 9a40cb4ac6f334e2f8d147b6cb1a648c49178378..79e4bf438c82720cf7942bddf6a95ff92792ef89 100644 (file)
--- a/roles/ceph-rbd-mirror/templates/ceph-rbd-mirror.service.j2
+++ b/roles/ceph-rbd-mirror/templates/ceph-rbd-mirror.service.j2
@@ -26,6 +26,7 @@ ExecStart=/usr/bin/{{ container_binary }} run --rm --net=host \
   --pids-limit={{ 0 if container_binary == 'podman' else -1 }} \
   --memory={{ ceph_rbd_mirror_docker_memory_limit }} \
   --cpus={{ ceph_rbd_mirror_docker_cpu_limit }} \
+  --security-opt label=disable \
   -v /var/lib/ceph/bootstrap-rbd-mirror:/var/lib/ceph/bootstrap-rbd-mirror:Z \
   -v /etc/ceph:/etc/ceph:z \
   -v /var/run/ceph:/var/run/ceph:z \