Merge "Enable CAP_AUDIT_WRITE for some containers/steps" into stable/wallaby

2023-07-04 13:47:03 +00:00 · 2023-07-04 13:47:03 +00:00 · b4ec2d4ac9
commit b4ec2d4ac9
parent 355e5769ef 5b2a64df0b
15 changed files with 30 additions and 0 deletions
--- a/deployment/aodh/aodh-api-container-puppet.yaml
+++ b/deployment/aodh/aodh-api-container-puppet.yaml
@ -286,6 +286,8 @@ outputs:
        step_3:
          aodh_db_sync:
            image: *aodh_api_image
+            cap_add:
+              - AUDIT_WRITE
            net: host
            privileged: false
            detach: false
--- a/deployment/barbican/barbican-api-container-puppet.yaml
+++ b/deployment/barbican/barbican-api-container-puppet.yaml
@ -701,6 +701,8 @@ outputs:
            - barbican_api_db_sync:
                start_order: 3
                image: *barbican_api_image
+                cap_add:
+                  - AUDIT_WRITE
                net: host
                detach: false
                user: root
--- a/deployment/cinder/cinder-api-container-puppet.yaml
+++ b/deployment/cinder/cinder-api-container-puppet.yaml
@ -321,6 +321,8 @@ outputs:
        step_3:
          cinder_api_db_sync:
            image: *cinder_api_image
+            cap_add:
+              - AUDIT_WRITE
            net: host
            privileged: false
            detach: false
--- a/deployment/designate/designate-central-container-puppet.yaml
+++ b/deployment/designate/designate-central-container-puppet.yaml
@ -273,6 +273,8 @@ outputs:
        step_3:
          designate_db_sync:
            image: *designate_central_image
+            cap_add:
+              - AUDIT_WRITE
            net: host
            privileged: false
            detach: false
--- a/deployment/glance/glance-api-container-puppet.yaml
+++ b/deployment/glance/glance-api-container-puppet.yaml
@ -768,6 +768,8 @@ outputs:
        step_3:
          glance_api_db_sync:
            image: &glance_api_image {get_attr: [RoleParametersValue, value, ContainerGlanceApiImage]}
+            cap_add:
+              - AUDIT_WRITE
            net: host
            privileged: false
            detach: false
--- a/deployment/gnocchi/gnocchi-api-container-puppet.yaml
+++ b/deployment/gnocchi/gnocchi-api-container-puppet.yaml
@ -362,6 +362,8 @@ outputs:
          gnocchi_db_sync:
            start_order: 0
            image: *gnocchi_api_image
+            cap_add:
+              - AUDIT_WRITE
            net: host
            detach: false
            privileged: false
--- a/deployment/heat/heat-engine-container-puppet.yaml
+++ b/deployment/heat/heat-engine-container-puppet.yaml
@ -260,6 +260,8 @@ outputs:
        step_3:
          heat_engine_db_sync:
            image: &heat_engine_image {get_attr: [RoleParametersValue, value, ContainerHeatEngineImage]}
+            cap_add:
+              - AUDIT_WRITE
            net: host
            privileged: false
            detach: false
--- a/deployment/ironic/ironic-api-container-puppet.yaml
+++ b/deployment/ironic/ironic-api-container-puppet.yaml
@ -261,6 +261,8 @@ outputs:
          ironic_db_sync:
            start_order: 1
            image: *ironic_api_image
+            cap_add:
+              - AUDIT_WRITE
            net: host
            privileged: false
            detach: false
--- a/deployment/ironic/ironic-inspector-container-puppet.yaml
+++ b/deployment/ironic/ironic-inspector-container-puppet.yaml
@ -459,6 +459,8 @@ outputs:
          ironic_inspector_db_sync:
            start_order: 2
            image: *ironic_inspector_image
+            cap_add:
+              - AUDIT_WRITE
            net: host
            user: root
            privileged: false
--- a/deployment/manila/manila-api-container-puppet.yaml
+++ b/deployment/manila/manila-api-container-puppet.yaml
@ -310,6 +310,8 @@ outputs:
          manila_api_db_sync:
            user: root
            image: *manila_api_image
+            cap_add:
+              - AUDIT_WRITE
            net: host
            detach: false
            volumes:
--- a/deployment/neutron/neutron-api-container-puppet.yaml
+++ b/deployment/neutron/neutron-api-container-puppet.yaml
@ -521,6 +521,8 @@ outputs:
        step_3:
          neutron_db_sync:
            image: &neutron_api_image {get_attr: [RoleParametersValue, value, ContainerNeutronApiImage]}
+            cap_add:
+              - AUDIT_WRITE
            net: host
            privileged: false
            detach: false
--- a/deployment/nova/nova-api-container-puppet.yaml
+++ b/deployment/nova/nova-api-container-puppet.yaml
@ -558,6 +558,8 @@ outputs:
          nova_api_db_sync:
            start_order: 0 # Runs before nova-conductor dbsync
            image: &nova_api_image {get_attr: [RoleParametersValue, value, ContainerNovaApiImage]}
+            cap_add:
+              - AUDIT_WRITE
            net: host
            detach: false
            user: root
--- a/deployment/nova/nova-conductor-container-puppet.yaml
+++ b/deployment/nova/nova-conductor-container-puppet.yaml
@ -193,6 +193,8 @@ outputs:
        step_3:
          nova_db_sync:
            image: &nova_conductor_image {get_attr: [RoleParametersValue, value, ContainerNovaConductorImage]}
+            cap_add:
+              - AUDIT_WRITE
            start_order: 3 # Runs after nova-api tasks if installed on this host
            net: host
            detach: false
--- a/deployment/octavia/octavia-api-container-puppet.yaml
+++ b/deployment/octavia/octavia-api-container-puppet.yaml
@ -385,6 +385,8 @@ outputs:
          octavia_db_sync:
            start_order: 0
            image: *octavia_api_image
+            cap_add:
+              - AUDIT_WRITE
            net: host
            privileged: false
            detach: false
--- a/deployment/placement/placement-api-container-puppet.yaml
+++ b/deployment/placement/placement-api-container-puppet.yaml
@ -302,6 +302,8 @@ outputs:
          placement_api_db_sync:
            start_order: 1
            image: &placement_api_image {get_attr: [RoleParametersValue, value, ContainerPlacementImage]}
+            cap_add:
+              - AUDIT_WRITE
            net: host
            detach: false
            user: root