Bug 1419697

Summary: atomic-openshift-excluder should exclude selinux packages that break
Product: OpenShift Container Platform
Reporter: Steven Walter <stwalter>
Component: Installer
Assignee: Scott Dodson <sdodson>
Status: CLOSED DUPLICATE
QA Contact: Johnny Liu <jialiu>
Severity: high
Priority: unspecified
Version: 3.4.0
CC: aos-bugs, dwalsh, erich, jokerman, mmccomas
Hardware: Unspecified
OS: Unspecified
Last Closed: 2017-02-07 18:41:38 UTC
Type: Bug

Description Steven Walter 2017-02-06 19:20:47 UTC
Description of problem:

With the changes to selinux (docker-selinux -> container-selinux), and other recent changes, some packages that are installed with a yum update still break the cluster.


The following packages seem to cause the issue:

selinux-policy-devel-3.13.1-102.el7_3.7.noarch
selinux-policy-targeted-3.13.1-102.el7_3.7.noarch
selinux-policy-3.13.1-102.el7_3.7.noarch

As soon as these were applied to the cluster, it went down because docker lost all of its SELinux labeling. By running:

yum reinstall -y container-selinux; systemctl restart docker; systemctl restart atomic-openshift-node

The labels were restored.

I have marked this bug for the Installer in order to exclude the packages that break using atomic-openshift-excluder as the selinux issues should be fixed in bugs:

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1413536
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1411316
[3] https://bugzilla.redhat.com/show_bug.cgi?id=1413535
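
A post-update check for the failure described above, as an added example that is not part of the original report or of any Red Hat tooling. It assumes the policy module shipped by container-selinux is named "container" and treats a selinux-policy install time later than container-selinux's as a hint to re-verify labels; function names and sample data are constructed.

```shell
#!/bin/sh
# Post-update check for the failure in this report (added example).
# Assumption: container-selinux ships a policy module named "container".

# module_loaded NAME: `semodule -l` output on stdin; true if NAME is listed.
# Matches on the first field, so "name" and "name version" lines both work.
module_loaded() {
    awk -v want="$1" '$1 == want { found = 1 } END { exit (found ? 0 : 1) }'
}

# policy_newer: "INSTALLTIME NAME" lines on stdin; true if any selinux-policy*
# package was installed after container-selinux.
policy_newer() {
    awk '$2 == "container-selinux" { c = $1 + 0; seen = 1 }
         $2 ~ /^selinux-policy/ && $1 + 0 > p { p = $1 + 0 }
         END { exit ((seen && p > c) ? 0 : 1) }'
}

# assess MODULES RPMS: prints module-missing, verify-labels or ok.
assess() {
    if ! printf '%s\n' "$1" | module_loaded container; then
        echo module-missing   # candidate for the reinstall/restart workaround
    elif printf '%s\n' "$2" | policy_newer; then
        echo verify-labels    # heuristic only: policy changed after the module
    else
        echo ok
    fi
}

# Constructed sample data (not taken from the report).
MODS_OK='abrt 1.4.1
container 2.9.0
zabbix 1.6.0'
MODS_BROKEN='abrt 1.4.1
zabbix 1.6.0'
RPMS_POLICY_LAST='1480000000 container-selinux
1486400000 selinux-policy
1486400000 selinux-policy-targeted'
RPMS_REINSTALLED='1486410000 container-selinux
1486400000 selinux-policy
1486400000 selinux-policy-targeted'

assess "$MODS_BROKEN" "$RPMS_POLICY_LAST"
assess "$MODS_OK" "$RPMS_POLICY_LAST"
assess "$MODS_OK" "$RPMS_REINSTALLED"
# Live use:
#   assess "$(semodule -l)" "$(rpm -q --qf '%{INSTALLTIME} %{NAME}\n' \
#       container-selinux selinux-policy selinux-policy-targeted)"
```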

Comment 5 Scott Dodson 2017-02-07 18:41:38 UTC
I'm closing this NOTABUG because it should always be safe to update to the latest selinux-policy and container-selinux, and there are bugs open to address problems there. If the docker team decides that we need to exclude selinux-policy and container-selinux from updates, we'll revisit this, but I think that's an exceptionally risky proposition.

Comment 8 Scott Dodson 2017-02-07 20:56:42 UTC

*** This bug has been marked as a duplicate of bug 1411316 ***

Comment 10 Red Hat Bugzilla 2023-09-14 03:53:14 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days