Bug 2021894

Summary: [RFE][OSP18] Eliminate selinux rule conflicts for containers
Product: Red Hat OpenStack Reporter: Jesse Pretorius <jpretori>
Component: RFEsAssignee: Cédric Jeanneret <cjeanner>
Status: CLOSED MIGRATED QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: 18.0 (Zed)CC: bdobreli, cjeanner, grosenbe, jpichon, markmc, pweeks, ramishra
Target Milestone: ---Keywords: FutureFeature, Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2024-01-04 18:11:53 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jesse Pretorius 2021-11-10 12:03:19 UTC 
In OSP we bind-mount host paths into containers. This was done, in part, to ease the transition from non-containerized to containerised services in the OSP10 to OSP13 upgrade.

These bind-mounts have selinux context conflicts between the host and container and therefore require a number of things to be in place:

1. We need to use the :z flag on the bind-mount.
2. We have to have deployment tasks to correct the bind-mounts selinux context that need to run whenever a system autorelabel is done.
3. The pacemaker bundles need to ensure that they have the :z flag.

The trouble with this is that we have a constant conflict between the system and the container context. For example, we cannot set /var/lib/haproxy to container_file_t because a system/core policy already sets it to haproxy_var_lib_t.

We need to figure out a way to resolve these conflicts so that we eliminate the race-condition that occurs during upgrades (which involve a relabel when doing the leapp) and may occur by mistake when a deployer relabels a folder.

Continuing to maintain our current implementation is causing upgrade failures, bugs, a growing number of knowledgebase articles and confusion. It is a growing technical debt which we can eliminate by moving our container usage to something more standard.
Comment 1 Cédric Jeanneret 2021-11-10 12:27:40 UTC 
We can also point to regressions introduced by other SELinux related packages, making our work even harder, such as this one:
https://github.com/redhat-openstack/openstack-selinux/pull/82
Namely, container-selinux takes ownership of the /var/log/containers, and applies a conflicting label (container_log_t) while we were using container_file_t on that location since OSP-15 or so.

There will more likely be other conflicts in the future due to the nested "sefcontext" in tripleo-ansible[1] and tripleo-heat-templates[2] for the very same reason: another core/system policy is introduced upon SELinux package update, breaking our custom rules.


[1] https://opendev.org/openstack/tripleo-ansible/commit/608fdfae85be5e1d6d20d49c62583e48ce5a0bc5
[2] https://opendev.org/openstack/tripleo-heat-templates/commit/d77fe55516ce93a8984108daccbb75b72095503f