kolla

enable selinux

Registered by Michal Rostecki

Currently, kolla disables selinux, mostly because of bind mounts to directories like /dev, /sys/fs/cgroup etc.

Docker now supports "Z" and "z" flags for applying svirt_sandbox_file_t. Details here:
http://www.projectatomic.io/blog/2015/06/using-volumes-with-docker-can-cause-problems-with-selinux/

Hopefully, that will allow to run kolla containers with selinux enabled.

Blueprint information

Status:
Complete
Approver:
Steven Dake
Priority:
High
Drafter:
Michal Rostecki
Direction:
Approved
Assignee:
Ryan Hallisey
Definition:
Approved
Series goal:
Accepted for newton
Implementation:
Implemented
Milestone target:
milestone icon newton-3
Started by
Steven Dake
Completed by
Steven Dake

Related branches

Sprints

Whiteboard

Michael,

Can you please fill out the Work Items so we can target this for Newton? Thanks! --sdake

Ryan,

Can you take this on? Your a selinux expert and I expect the time investment wouldn't be significant. --sdake

moving to newton-3 expected to be released on 2016-09-02. Please try to finish it before that otherwise it will be moved to Octata. - coolsvap

from my POV, this is implemented - gate runs with selinux enabled. If incorrect please change implementation state.

(?)

Work Items

Nearby

This blueprint contains Public information 
Everyone can see this information.
Edit subscription

Subscribers

No subscribers.