Bug 1628431

Summary: [Doc] Add recovery steps of SELinux label in restore procedure.
Product: Red Hat OpenStack
Reporter: Keigo Noha <knoha>
Component: documentation
Assignee: RHOS Documentation Team <rhos-docs>
Status: CLOSED CURRENTRELEASE
QA Contact: RHOS Documentation Team <rhos-docs>
Severity: urgent
Priority: medium
Version: 13.0 (Queens)
CC: ccopello, dcadzow, dmacpher, rhos-docs, srevivo
Target Milestone: ---
Keywords: ZStream
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Last Closed: 2020-06-02 01:22:02 UTC
Type: Bug

Description Keigo Noha 2018-09-13 02:54:10 UTC
Description of problem:
Add recovery steps for SELinux labels to the restore procedure.
The current restore procedure lacks steps for applying SELinux labels to the rsynced directories and files.
This causes inconsistency between the original node and the recovered node.
This inconsistency may cause SELinux issues when the undercloud is changed in the future.

c.f. https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/13/html-single/back_up_and_restore_the_director_undercloud/#restore_the_undercloud

As far as I checked, the following directories are mapped to the usr_tmp_t label.

/var/lib/glance
/var/lib/docker
/var/lib/registry
/var/lib/registry/docker

These directories should be

/var/lib/glance: glance_var_lib_t
/var/lib/docker: container_var_lib_t
/var/lib/registry: var_lib_t
/var/lib/registry/docker: container_var_lib_t

Most of them will be restored with the restorecon command, but running restorecon on /var/lib/registry/docker might not work because a predefined SELinux policy doesn't exist for /var/lib/registry.
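
An added example, not part of the original report or the Red Hat documentation: a shell check that compares the SELinux type of each restored directory against the expected types listed in the description. The function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Expected SELinux types, copied from the list in the description above.
expected_type() {
    case "$1" in
        /var/lib/glance)          echo glance_var_lib_t ;;
        /var/lib/docker)          echo container_var_lib_t ;;
        /var/lib/registry)        echo var_lib_t ;;
        /var/lib/registry/docker) echo container_var_lib_t ;;
        *) return 1 ;;   # path not covered by the report
    esac
}

# A context is user:role:type:level; the type is the third field.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read "path context" lines on stdin; print one line per wrong label.
audit_labels() {
    while read -r path ctx; do
        want=$(expected_type "$path") || continue
        have=$(context_type "$ctx")
        [ "$have" = "$want" ] || echo "MISMATCH $path have=$have want=$want"
    done
}

# Constructed sample: the state the report describes after an rsync restore.
SAMPLE='/var/lib/glance unconfined_u:object_r:usr_tmp_t:s0
/var/lib/docker unconfined_u:object_r:usr_tmp_t:s0
/var/lib/registry unconfined_u:object_r:usr_tmp_t:s0
/var/lib/registry/docker unconfined_u:object_r:usr_tmp_t:s0'

printf '%s\n' "$SAMPLE" | audit_labels
# On a restored host, feed real contexts instead:
#   stat -c '%n %C' /var/lib/glance /var/lib/docker \
#       /var/lib/registry /var/lib/registry/docker | audit_labels
```

An empty result means every listed directory carries the expected type; any `MISMATCH` line names a path that still needs relabeling.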

Comment 1 Keigo Noha 2018-12-07 00:24:40 UTC
Additionally, the restorecon command needs to be run on /etc/puppet.

Comment 2 Keigo Noha 2019-01-16 01:08:18 UTC
Hi Documentation team,

Do you have any updates on this bugzilla?

Best Regards,
Keigo Noha

Comment 3 Keigo Noha 2019-01-30 00:48:53 UTC
Hi Documentation team,

Do you have any updates on this bugzilla?

Regards,
Keigo Noha

Comment 8 Dan Macpherson 2019-12-06 14:52:51 UTC
It looks like the doc has been updated to use tar extraction instead of rsync, so the SELinux context should be preserved. And even if it isn't, I don't think this has any effect on the standard operation of director (at least none that the Cloud Ops and Upgrades DFGs have noticed, as well as my own testing).

Comment 9 Chuck Copello 2020-01-27 20:35:35 UTC
Please confirm that the updated doc clears the request.