I need your feedback please on SELinux fixes (or rather workarounds)
for the containerized undercloud feature, which is experimental in Pike.
[TL;DR] The problem I'm trying to solve is primarily allowing TripleO
users to follow the guide w/o telling them "please disable SELinux".
Especially, given the note "The undercloud is intended to work correctly
with SELinux enforcing, and cannot be installed to a system with SELinux
I understand that putting "chcon -Rt svirt_sandbox_file_t -l s0" (see
) on all of the host paths bind-mounted into containers is not
secure, and from the SELinux perspective allows everything to all
containers. That could be a first step for docker volumes working w/o
shutting down SELinux on *hosts* though.
I plan to use the same approach for the t-h-t docker/services host-prep
tasks as well. Why not use docker's :z :Z directly? IIUC, it doesn't
allow combining with other mount flags, like :ro:z won't work. I look
forward to better solutions and ideas!