Bug 1295949
| Summary: | [RH Ceph 1.3.2] ceph-selinux should be installed during ceph-deploy install | ||
|---|---|---|---|
| Product: | [Red Hat Storage] Red Hat Ceph Storage | Reporter: | Vasu Kulkarni <vakulkar> |
| Component: | Documentation | Assignee: | Bara Ancincova <bancinco> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | ceph-qe-bugs <ceph-qe-bugs> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 1.3.2 | CC: | adeza, asriram, bancinco, branto, ceph-eng-bugs, flucifre, hnallurv, jowilkin, kdreyer, ngoswami, tganguly, vakulkar |
| Target Milestone: | rc | Keywords: | Documentation, ZStream |
| Target Release: | 1.3.2 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: |
.Support for SELinux has been added
With this release, the SELinux policy for Red Hat Ceph Storage has been added. SELinux provides another security layer by enforcing Mandatory Access Control (MAC) mechanism over all processes. To learn more about SELinux, see the https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/index.html[SELinux User's and Administrator's Guide] for Red Hat Enterprise Linux 7.
SELinux support for Ceph is not enabled by default. To use it, install the `ceph-selinux` package. For detailed information about this process, see the https://access.redhat.com/documentation/en/red-hat-ceph-storage/version-1.3/red-hat-ceph-storage-13-installation-guide-for-rhel-x86-64/#install-selinux[SELinux] section in the Red Hat Ceph Storage https://access.redhat.com/documentation/en/red-hat-ceph-storage/1.3/installation-guide-for-rhel-x86-64/installation-guide-for-rhel-x86-64[Installation Guide for Red Hat Enterprise Linux].
NOTE: All Ceph daemons will be down for the time the `ceph-selinux` package is being installed. Therefore, your cluster node will not be able to serve any data at this point. This operation is necessary in order to update the metadata of the files located on the underlying file system and to make Ceph daemons run with the correct context. This operation may take several minutes depending on the size and speed of the underlying storage.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2016-03-01 08:22:49 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1299303 | ||
|
Description
Vasu Kulkarni
2016-01-05 21:26:54 UTC
It should be installed by default, but it should also not be in informing mode by default, the customers will need to switch to SElinux enforcing explicitly in 1.3.2. Boris, I'm wondering if we should make ceph-mon and ceph-osd Require: ceph-selinux. Thoughts? I believe the original agreement was to let users explicitly install the ceph-selinux package. I don't think we want to have it installed "by default" in 1.3.x. It would make updates on high-storage machines take a very very long time which can be expected between major releases but can generate a lot of fuss between minor releases Also, artificially disabling Ceph SELinux policy after installation sounds weird to me and would require several additional changes, not just adding new requires -- the SELinux modules get disabled by 'semanage module --disable <module>'. Otherwise, the denials are always reported (if SELinux is not turned off in kernel altogether), The denials might not be enforced if SELinux is in permissive mode. They will still be reported, though. All in all, I believe the best solution for the minor release is to keep ceph-selinux a separate package not installed by default and let the users decide whether they want to use it (with all the consequences -- long installation times, etc). ceph-deploy is already able to install individual packages on remote nodes. In the case of ceph-selinux this would look like:
ceph-deploy pkg --install ceph-selinux {nodes}
So if we want to make it optional, this ticket should be closed since it is already optional via ceph-deploy.
Oh right, I forgot about the perf hit when selinux tries to label everything on the OSDs. I agree with Alfredo's and Boris's recommendations in Comment 4 and Comment 5. It would be less surprising to users if we switched ceph-selinux to be mandatory in the RHCS 2.0 release. I am fine if this has to be installed separately, In that case we will have to document the optional cli command that Alfredo mentioned in our install guide and some additional notes about ceph-selinux. I will let federico comment as well and I am fine to move this to doc bz. Vasu, I am setting target release as 1.3.2 for this defect and making this as doc defect. Please feel free to change if required. It looks good to me, the upgrade section might not be relevant to this bug for now, but probably users going from 1.3.1 to 1.3.2 can still refer SELinux section if they want selinux to be enforced. Bara, The content looks good to me. The Original Bug can be Verified. But while verifying i found one new issue: http://10.34.3.139:8080/view/Ceph/job/doc-Red_Hat_Ceph_Storage-Installation_Guide_RHEL%20%28html-single%29/lastSuccessfulBuild/artifact/index.html#execute-pre-installation This is pointing correctly, and opening the page 'Execute the Pre-Installation Procedure'. But there is an hyperlink in the Paragraph "Create a Ceph Deploy User", This is not pointing correctly. After clicking its pointing to "Installation Guide for RHEL (x86_64)" Rather it should point to "Create a Ceph Deploy User" Please ping me if you couldn't understand what i meant. Marking it as Verified |