From: Adam King <adking@redhat.com>
Date: Thu, 24 Mar 2022 13:59:10 +0000 (-0400)
Subject: cephadm: pass "--security-opt label=disable" to node-exporter container
X-Git-Tag: v16.2.8~20^2~9
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=a8ad07eb8a64b134689db1e3b088fbef24794512;p=ceph.git

cephadm: pass "--security-opt label=disable" to node-exporter container

in order to support setting '--path.procfs=/host/proc','--path.sysfs=/host/sys',
'--path.rootfs=/rootfs' for node-exporter we need to disable selinux separation
between the node-exporter container and the host to avoid selinux denials

Signed-off-by: Adam King <adking@redhat.com>
(cherry picked from commit 6d4591723ba89dada9814118e2c14e08d4e4179a)
---

diff --git a/src/cephadm/cephadm b/src/cephadm/cephadm
index 343347580911..37e91f2c40cd 100755
--- a/src/cephadm/cephadm
+++ b/src/cephadm/cephadm
@@ -2749,6 +2749,11 @@ def get_container(ctx: CephadmContext,
             # by ubuntu 18.04 kernel!)
         ]
         container_args.extend(monitoring_args)
+        if daemon_type == 'node-exporter':
+            # in order to support setting '--path.procfs=/host/proc','--path.sysfs=/host/sys',
+            # '--path.rootfs=/rootfs' for node-exporter we need to disable selinux separation
+            # between the node-exporter container and the host to avoid selinux denials
+            container_args.extend(['--security-opt', 'label=disable'])
     elif daemon_type == 'crash':
         ceph_args = ['-n', name]
     elif daemon_type in Ceph.daemons: