Bug 1392742

Summary: OpenShift installer always sets --selinux-enabled in sysconfig/docker. Can break working overlay installs.
Product: OpenShift Container Platform Reporter: Mike Fiedler <mifiedle>
Component: InstallerAssignee: Russell Teague <rteague>
Status: CLOSED ERRATA QA Contact: Johnny Liu <jialiu>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 3.4.0CC: adellape, aos-bugs, jlee, jokerman, mifiedle, mmccomas, rteague, tdawson, vlaad
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Enhancement
Doc Text:
Feature: Add new option 'openshift_docker_selinux_enabled' Reason: Allow user to override default installation docker options setting of '--selinux-enabled'. Result: Placing 'openshift_docker_selinux_enabled=false' in user inventory file will remove --selinux-enabled docker option.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2017-04-12 18:48:14 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Mike Fiedler 2016-11-08 06:13:20 UTC 
Description of problem:

I installed docker 1.12.3-3 the way I wanted it configured.   This included configuring overlayfs as the graphdriver which requires setting --selinux-enabled=false.   This disables selinux in containers, but that is OK for me.

When I install OpenShift 3.4, it overwrites my setting for --selinux-enabled.   After the install, containers will no longer start until the flag is restored (or if selinux is disabled entirely).

The install should maintain existing docker settings.  I suppose if they are known to break OpenShift they could be changed, but that's not the case here.


Version-Release number of selected component (if applicable): 3.4.0.22


How reproducible: Always


Steps to Reproduce:
1. Install docker 1.12.3-3 outside of OpenShift and configure it for overlay.  ere's a good guide:  http://www.projectatomic.io/blog/2015/06/notes-on-fedora-centos-and-docker-storage-drivers/
2. Verify --selinux-enabled=false
3. Install OpenShift 3.4.0.22 using the byo/config.yml playbook


Actual results:

sysconfig/docker contains --selinux-enabled and no containers will start after the install.

Expected results:

config value is maintained
Comment 1 Scott Dodson 2016-11-08 16:09:08 UTC 
Mike, marking this upcoming release. If this is a regression lets remove that flag and we can treat it as a blocker, if it's not a regression we'll get to it after the release.
Comment 2 Alex Dellapenta 2016-11-08 16:29:55 UTC 
Related discussion (docs BZ):

https://bugzilla.redhat.com/show_bug.cgi?id=1290487#c8
Comment 3 Mike Fiedler 2016-11-09 02:00:52 UTC 
This is not a regression.   3.3 installer behaves the same way.   

The discussion Alex links is a good one, but I think the more general issue here is having the installer respect the existing docker config if there is nothing about it that breaks OpenShift.   UpcomingRelease sounds fine.
Comment 4 Russell Teague 2016-12-12 20:21:37 UTC 
Related: https://github.com/ansible/ansible/issues/18692
Comment 5 Russell Teague 2017-01-05 14:50:54 UTC 
https://github.com/openshift/openshift-ansible/pull/3044
Comment 6 Johnny Liu 2017-01-06 11:29:56 UTC 
@Russell, go through the above PR, seem like introduce a new ansible option - openshift_docker_selinux_enabled, that means user should set "openshift_docker_selinux_enabled=false" in inventory host file to run install with docker overlay setting, am I right?
Comment 7 Russell Teague 2017-01-09 18:28:16 UTC 
(In reply to Johnny Liu from comment #6)
Johnny, if the user wants to disable the use of selinux within the containers, they would set "openshift_docker_selinux_enabled=false".  This will cause docker to not run selinux within the container regardless of the status of selinux on the host.
Comment 8 Russell Teague 2017-01-09 18:31:11 UTC 
Mike, could you comment on where we are headed with this and if it meets your original request?
Comment 9 Mike Fiedler 2017-01-09 18:33:34 UTC 
This handles the specific example of enabling/disabling selinux for the containers.  My more general concern in this bug was not breaking existing good Docker configurations by overwriting the configuration during OpenShift install.

Is OpenShift always "in control" of the Docker configuration?  i.e. existing user configuration outside of what OpenShift performs is not supported?
Comment 10 Mike Fiedler 2017-01-09 18:34:28 UTC 
I can live with a restriction, but we should probably document it.
Comment 11 Russell Teague 2017-01-24 18:26:13 UTC 
Merged. https://github.com/openshift/openshift-ansible/pull/3044
Comment 12 Johnny Liu 2017-02-03 07:39:35 UTC 
Verified this bug with openshift-ansible-3.5.3-1.git.0.80c2436.el7.noarch, and PASS.

Set openshift_docker_selinux_enabled=false in inventory host file, trigger installation, after it is completed, checking:

# cat /etc/sysconfig/docker|grep OPTION
OPTIONS=' --log-driver=json-file --log-opt max-size=50m'

No "--selinux-enabled" options in docker config file.
Comment 15 errata-xmlrpc 2017-04-12 18:48:14 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:0903