[ClusterLabs] Possible intrusive change in bundles for 2.0.3

[Ken Gaillot]

Hi all,

It has been discovered that newer versions of selinux-policy prevent
bundles in pacemaker 2.0 from logging. I have a straightforward fix,
but it means that whenever a cluster is upgraded from pre-2.0.3 to
2.0.3 or later, all active bundles will restart once the last older
node leaves the cluster.

This is because the fix passes the "Z" mount flag to docker or podman,
which tells them to create a custom SELinux policy for the bundle's
container and log directory. This is the easiest and most restrictive
solution.

An alternative approach would be for pacemaker to start delivering its
own custom SELinux policy as a separate package. The policy would allow
all pacemaker-launched containers to access all of
/var/log/pacemaker/bundles, which is a bit broader access (not to
mention more of a pain to maintain over the longer term). This would
avoid the restart.

I'm leaning to the in-code solution, but I want to ask if anyone thinks
the bundle restarts on upgrade are a deal-breaker for a minor-minor
release, and would prefer the packaged policy solution.
-- 
Ken Gaillot <kgaillot at redhat.com>