
Re: [atomic-devel] SELinux labelling when running Pulp in containers

On 3 September 2015 at 22:08, Mark Lamourine <markllama redhat com> wrote:
>> * pulpapi - web service for main REST API
> You have both the pulp content web service and the admin API in one? That's what I've done so far, but I'd love to split them as they have completely different functions and different users.

I copied the overall structure from Michael Hrivnak's post on the Pulp
developer blog. The only part I tried to change was replacing the host
directories with a data container.

> I haven't gotten to crane yet.
> Nick, we should talk.  I have something similar, though less extensive, that I've been working on.  I haven't gotten the API and crane separated and I avoided using the data volume and volumes-from for a number of reasons.  Mine are running now in kubernetes with the goal of getting it into atomicapp.

Given the labeling challenges I've encountered with the volume mounts,
letting Kubernetes deal with labeling everything correctly sounds like
a good idea to me. I'll keep running with pure Docker and
non-enforcing SELinux for now, but will probably switch to Kubernetes
at some point.

>> >> The first 3 containers have no dependencies, the others all mount
>> >> volumes from pulp_data, and have network links to pulp_db and
>> >> pulp_qpid. All the containers also mount "/dev/log:Z" from the host.
> Interesting. Only the worker and content web server should need access to the content.  The workers put it in and the web server offers it out.  The rest communicate only through messaging or access to the database.

I think the "mount everything everywhere" structure may have just been
chosen for simplicity in the original shell script, and then I
inherited it from there.


Nick Coghlan   |   ncoghlan gmail com   |   Brisbane, Australia
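Added example, not part of this thread or of the Pulp project's own scripts: a small POSIX shell audit of the "mount everything everywhere" layout discussed above. It takes a constructed inventory of `docker run` options (the pulp_db, pulp_qpid, pulp_data and pulpapi names come from the thread; pulp_worker, pulp_content and pulp_celerybeat are hypothetical, standing in for the split layout Mark describes) and reports two things: containers that get `--volumes-from pulp_data` without being the worker or the content web server, and host paths that more than one container bind-mounts with the private `:Z` label, since `:Z` relabels the host path for one container's MCS label only and the last container started takes it away from the others (a path shared between containers, like `/dev/log`, wants the shared `:z` label or no relabel).

```shell
#!/bin/sh
# Added example (not from the thread): audit a constructed inventory of
# "docker run" volume options for the two least-privilege issues raised above.
# Container names other than pulp_db/pulp_qpid/pulp_data/pulpapi are hypothetical.

# Constructed inventory: one line per container, "<name> <docker run options>".
INVENTORY='pulp_db
pulp_qpid
pulp_data -v /var/lib/pulp
pulpapi --volumes-from pulp_data -v /dev/log:/dev/log:Z --link pulp_db --link pulp_qpid
pulp_worker --volumes-from pulp_data -v /dev/log:/dev/log:Z --link pulp_db --link pulp_qpid
pulp_content --volumes-from pulp_data -v /dev/log:/dev/log:Z --link pulp_db
pulp_celerybeat --volumes-from pulp_data -v /dev/log:/dev/log:Z --link pulp_db --link pulp_qpid'

# Containers that legitimately need the content volume: the workers put
# content in and the content web server serves it out (hypothetical names).
ALLOWED="pulp_worker pulp_content"

# Print, one per line, containers that mount pulp_data but are not on ALLOWED.
audit_content_access() {
    printf '%s\n' "$INVENTORY" | while read -r name opts; do
        case " $opts " in
            *" --volumes-from pulp_data "*)
                case " $ALLOWED " in
                    *" $name "*) ;;                 # expected consumer of the volume
                    *) printf '%s\n' "$name" ;;     # has content access it does not need
                esac
                ;;
        esac
    done
}

# Print host paths that more than one container bind-mounts with ":Z".
# A private label can only belong to one container at a time, so each new
# container that relabels the path locks the earlier ones out of it.
audit_private_label_conflicts() {
    printf '%s\n' "$INVENTORY" | while read -r name opts; do
        for tok in $opts; do
            case "$tok" in
                *:Z) printf '%s\n' "${tok%%:*}" ;;   # host half of "host:container:Z"
            esac
        done
    done | sort | uniq -d
}

# Stand-alone usage: both reports against the constructed inventory.
echo "containers with unneeded content access:"
audit_content_access
echo "host paths given a private :Z label by more than one container:"
audit_private_label_conflicts
```

Against the constructed inventory the first report lists pulpapi and pulp_celerybeat, and the second lists `/dev/log`. The inventory lines are plain `docker run` option strings, so the same two functions can be pointed at the output of a real start-up script once it is captured into INVENTORY.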
