Bug 1148998 - Contribute SELinux policy for Celery workers and celerybeat upstream
Summary: Contribute SELinux policy for Celery workers and celerybeat upstream
Alias: None
Product: Pulp
Classification: Retired
Component: z_other
Version: Master
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: ---
Assignee: pulp-bugs
QA Contact: pulp-qe-list
Depends On:
TreeView+ depends on / blocked
Reported: 2014-10-02 21:15 UTC by Brian Bouterse
Modified: 2015-02-28 22:38 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2015-02-28 22:38:05 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Pulp Redmine 563 0 None None None Never

Description Brian Bouterse 2014-10-02 21:15:01 UTC
The SELinux policy is 100% downstream, and it should be contributed back upstream. Some portion of this policy is is specific to Pulp tasks, and some portion of the policy are specific to celery startup behavior on systemd and upstart.

The upstream celery contribution should create containers celery_worker_t and celery_celerybeat_t. Our downstream policy should extend these with the Pulp specific extensions.

We also should define a separate context for celery versus celerybeat.

Comment 1 Brian Bouterse 2014-10-16 19:47:10 UTC
Two things that should be done along with this work:

1. Have the downstream derivative contexts named pulp_worker_t and pulp_celerybeat_t and reserve the celery_worker_t and celery_beat_t reserved for upstream. It would be wrong for pulp to claim the celery context in the SELinux namespace

2. Move all pulp-celery statements into pulp-server, and delete pulp-server. It's ok for one policy to install multiple contexts. It will install faster, and require less automation maintenance.

Comment 2 Brian Bouterse 2015-02-28 22:38:05 UTC
Moved to https://pulp.plan.io/issues/563

Note You need to log in before you can comment on or make changes to this bug.