From ef60d16d9a1ff86ec2087e82f1d26a1b80af77c8 Mon Sep 17 00:00:00 2001 From: Sandeep Yadav Date: Wed, 6 Apr 2022 11:37:30 +0530 Subject: [PATCH] Add :z to volume mount to fix the selinux context. After merge of [1], In Downstream cockpit, triggering ruck_rover.py commands from inside telegraf_py3 container are failing with below error because of selinux issues. ~~~ [root@telegraf_py3 /]# ./usr/local/bin/ruck_rover.py --release osp16-2 --distro rhel-8 --component ui --influx . . OSError: Could not find a suitable TLS CA certificate bundle, invalid path: /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt [root@telegraf_py3 pki]# ls ls: cannot open directory '.': Permission denied ~~~ We are not hitting above issue if we set selinux to permissive mode(setenforce 0) on host. As per[2], adding z to mount will automatically set the correct selinux context on host directory, docker will do this automatically "chcon -Rt svirt_sandbox_file_t /etc/pki". [1] https://review.rdoproject.org/r/c/rdo-infra/ci-config/+/39335 [2] https://web.archive.org/web/20190728100417/https://www.projectatomic.io/blog/2015/06/using-volumes-with-docker-can-cause-problems-with-selinux/ Change-Id: Ib7a1dd246a7e23aa00b72e911beb87d3b096c137
---
 ci-scripts/infra-setup/roles/rrcockpit/files/docker-compose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ci-scripts/infra-setup/roles/rrcockpit/files/docker-compose.yml b/ci-scripts/infra-setup/roles/rrcockpit/files/docker-compose.yml
index 08b90eba9..a44f2d96d 100644
--- a/ci-scripts/infra-setup/roles/rrcockpit/files/docker-compose.yml
+++ b/ci-scripts/infra-setup/roles/rrcockpit/files/docker-compose.yml
@@ -84,7 +84,7 @@ services:
 - influxdb
 volumes:
 - telegraf-volume:/tmp/telegraf_py3
- - /etc/pki/:/etc/pki/
+ - /etc/pki/:/etc/pki/:z
 compare_rpms:
 build: compare_rpms
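Review bot: The `:z` on the `/etc/pki/` mount recursively relabels the host's whole `/etc/pki` tree with the shared container type, and the mount stays read-write. SELinux then no longer separates the host's certificates and private keys from container processes, and the relabel persists on the host until something like `restorecon -R /etc/pki` restores the default labels. The error quoted in the description only concerns the CA bundle under `/etc/pki/ca-trust/extracted`. If nothing else under `/etc/pki` is needed by this service (not visible here), narrow and lock the mount: `- /etc/pki/ca-trust/extracted:/etc/pki/ca-trust/extracted:ro,z`. If the full directory must stay, use at least `- /etc/pki/:/etc/pki/:ro,z` and add a comment above it such as `# :z relabels the host dir for containers; keep read-only`. The service block this mount belongs to (presumably telegraf_py3) starts outside the hunk.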