Bug 1917661

Summary: Gluster bricks lack proper SELinux labels post gluster deployment
Product: [Red Hat Storage] Red Hat Gluster Storage Reporter: SATHEESARAN <sasundar>
Component: gluster-ansibleAssignee: Gobinda Das <godas>
Status: CLOSED ERRATA QA Contact: SATHEESARAN <sasundar>
Severity: high Docs Contact:
Priority: medium    
Version: rhgs-3.5CC: godas, puebele, rcyriac, rhs-bugs, sabose, sasundar, shilpsha
Target Milestone: ---   
Target Release: RHGS 3.5.z Async Update   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Previously, gluster bricks lacked the required SELinux label as the SELinux labels were applied on the incorrect brick names. With this update, gluster-ansible task is fixed to apply the SELinux label on the correct names of brick directories.
 Story Points: ---
Clone Of: 1917659 Environment:
rhhiv
Last Closed: 2021-04-14 07:57:51 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1917659    

Description SATHEESARAN 2021-01-19 05:25:55 UTC 
Description of problem:
-------------------------
The gluster bricks doesn't have the required SELinux labels on them post deployment. 

Version-Release number of selected component (if applicable):
--------------------------------------------------------------
RHHI-V 1.8.3 ( RHV 4.4.3 )
As well as in RHHI-V 1.8.2 ( RHV 4.4.2 )
This was not checked with RHHI-V 1.8

How reproducible:
------------------
Always

Steps to Reproduce:
---------------------
1. Start the RHHI-V deployment from cockpit or CLI
2. After gluster deployment, check for SELinux labels set on the brick

Actual results:
----------------
Gluster brick mounts lack proper SELinux labels on them

Expected results:
-----------------
Gluster brick mounts should have the correct SELinux labels on them

--- Additional comment from SATHEESARAN on 2021-01-19 05:24:41 UTC ---

This is the ansible playbook that sets the SELinux labels:

<snip>
- name: Set Gluster specific SeLinux context on the bricks
  sefcontext:
     target: "{{ (item.path | realpath | regex_escape()) + '(/.*)?' }}"
     setype: glusterd_brick_t
     state: present
  with_items: "{{ gluster_infra_mount_devices }}"
  when: gluster_set_selinux_labels| default(false)| bool == true
</snip>

Console log while executing this task:
---------------------------------------
<snip>
TASK [gluster.infra/roles/backend_setup : Set Gluster specific SeLinux context on the bricks] ***
changed: [rhsqa-grafton10.lab.eng.blr.redhat.com] => (item={'path': '/gluster_bricks/engine', 'lvname': 'gluster_lv_engine', 'vgname': 'gluster_vg_sdb'})
changed: [rhsqa-grafton11.lab.eng.blr.redhat.com] => (item={'path': '/gluster_bricks/engine', 'lvname': 'gluster_lv_engine', 'vgname': 'gluster_vg_sdb'})
changed: [rhsqa-grafton12.lab.eng.blr.redhat.com] => (item={'path': '/gluster_bricks/engine', 'lvname': 'gluster_lv_engine', 'vgname': 'gluster_vg_sdb'})
changed: [rhsqa-grafton10.lab.eng.blr.redhat.com] => (item={'path': '/gluster_bricks/data', 'lvname': 'gluster_lv_data', 'vgname': 'gluster_vg_sdc'})
changed: [rhsqa-grafton11.lab.eng.blr.redhat.com] => (item={'path': '/gluster_bricks/data', 'lvname': 'gluster_lv_data', 'vgname': 'gluster_vg_sdc'})
changed: [rhsqa-grafton12.lab.eng.blr.redhat.com] => (item={'path': '/gluster_bricks/data', 'lvname': 'gluster_lv_data', 'vgname': 'gluster_vg_sdc'})
changed: [rhsqa-grafton11.lab.eng.blr.redhat.com] => (item={'path': '/gluster_bricks/vmstore', 'lvname': 'gluster_lv_vmstore', 'vgname': 'gluster_vg_sdc'})
changed: [rhsqa-grafton10.lab.eng.blr.redhat.com] => (item={'path': '/gluster_bricks/vmstore', 'lvname': 'gluster_lv_vmstore', 'vgname': 'gluster_vg_sdc'})
changed: [rhsqa-grafton12.lab.eng.blr.redhat.com] => (item={'path': '/gluster_bricks/vmstore', 'lvname': 'gluster_lv_vmstore', 'vgname': 'gluster_vg_sdc'})
changed: [rhsqa-grafton10.lab.eng.blr.redhat.com] => (item={'path': '/gluster_bricks/testvol', 'lvname': 'gluster_lv_testvol', 'vgname': 'gluster_vg_sdd'})
changed: [rhsqa-grafton11.lab.eng.blr.redhat.com] => (item={'path': '/gluster_bricks/testvol', 'lvname': 'gluster_lv_testvol', 'vgname': 'gluster_vg_sdd'})
changed: [rhsqa-grafton12.lab.eng.blr.redhat.com] => (item={'path': '/gluster_bricks/testvol', 'lvname': 'gluster_lv_testvol', 'vgname': 'gluster_vg_sdd'})
</snip>

Checking for SELinux labels on the mount:
[root@ ]# ls -lsahZd /gluster_bricks/testvol
0 drwxr-xr-x. 3 root root system_u:object_r:default_t:s0 21 Jan 12 07:48 /gluster_bricks/testvol

[root@ ]# semanage fcontext -E /gluster_bricks/testvol
fcontext -a -f a -t glusterd_brick_t -r 's0' '\/gluster_bricks\/data(/.*)?'
fcontext -a -f a -t glusterd_brick_t -r 's0' '\/gluster_bricks\/engine(/.*)?'
fcontext -a -f a -t glusterd_brick_t -r 's0' '\/gluster_bricks\/testvol(/.*)?'
fcontext -a -f a -t glusterd_brick_t -r 's0' '\/gluster_bricks\/vmstore(/.*)?'
Comment 2 SATHEESARAN 2021-02-25 11:37:59 UTC 
The issue is due to the usage of regex.escape() in the playbook.
When this is removed, I could observe that the bricks have the right set of selinux labels on them.


Existing playbook code:
------------------------
<snip>
- name: Set Gluster specific SeLinux context on the bricks
  sefcontext:
     target: "{{ (item.path | realpath | regex_escape()) + '(/.*)?' }}"   <-- usage of regex_escape
     setype: glusterd_brick_t
     state: present
  with_items: "{{ gluster_infra_mount_devices }}"
  when: gluster_set_selinux_labels| default(false)| bool == true
</snip>


Proposed change
----------------
<snip>
- name: Set Gluster specific SeLinux context on the bricks
  sefcontext:
     target: "{{ (item.path | realpath) + '(/.*)?' }}"
     setype: glusterd_brick_t
     state: present
  with_items: "{{ gluster_infra_mount_devices }}"
  when: gluster_set_selinux_labels| default(false)| bool == true
</snip>

I have performed all the tests with this modified code and everything looks good.
Comment 3 Gobinda Das 2021-03-01 05:24:30 UTC 
Upstream PR: https://github.com/gluster/gluster-ansible-infra/pull/118
Comment 7 SATHEESARAN 2021-03-01 13:18:03 UTC 
Verified with gluster-ansible-infra-1.0.19.el8rhgs

Post gluster deployment, gluster bricks contain the right SELinux label - glusterd_brick_t

[root@ ~]# ls -lZd /gluster_bricks/engine/engine/
drwxr-xr-x. 3 vdsm kvm system_u:object_r:glusterd_brick_t:s0 24 Mar  1 13:05 /gluster_bricks/engine/engine/
Comment 9 Gobinda Das 2021-03-04 06:39:11 UTC 
Thanks sas, doc_text looks good.
Comment 15 errata-xmlrpc 2021-04-14 07:57:51 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (gluster-ansible bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1182