cephadm: pass "--security-opt label=disable" to node-exporter container

in order to support setting '--path.procfs=/host/proc','--path.sysfs=/host/sys',
'--path.rootfs=/rootfs' for node-exporter we need to disable selinux separation
between the node-exporter container and the host to avoid selinux denials

Signed-off-by: Adam King <adking@redhat.com>
(cherry picked from commit 6d4591723ba89dada9814118e2c14e08d4e4179a)

diff --git a/src/cephadm/cephadm b/src/cephadm/cephadm
index 3433475809118b072042b3b272c9bf7cd4498b63..37e91f2c40cdd34566ff885c0c517cae97b2df3e 100755 (executable)
--- a/src/cephadm/cephadm
+++ b/src/cephadm/cephadm
@@ -2749,6 +2749,11 @@ def get_container(ctx: CephadmContext,
             # by ubuntu 18.04 kernel!)
         ]
         container_args.extend(monitoring_args)
+        if daemon_type == 'node-exporter':
+            # in order to support setting '--path.procfs=/host/proc','--path.sysfs=/host/sys',
+            # '--path.rootfs=/rootfs' for node-exporter we need to disable selinux separation
+            # between the node-exporter container and the host to avoid selinux denials
+            container_args.extend(['--security-opt', 'label=disable'])
     elif daemon_type == 'crash':
         ceph_args = ['-n', name]
     elif daemon_type in Ceph.daemons: