Bug 1241422 - SElinux is set as Enforcing in the Ceph OSD nodes
Summary: SElinux is set as Enforcing in the Ceph OSD nodes
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: rhosp-director
Version: Director
Hardware: x86_64
OS: Linux
Priority: high
Severity: high
Target Milestone: ga
Target Release: Director
Assignee: Jiri Stransky
QA Contact: Yogev Rabl
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-07-09 08:20 UTC by Yogev Rabl
Modified: 2015-08-05 13:58 UTC

Fixed In Version: openstack-tripleo-heat-templates-0.8.6-37.el7ost
Doc Type: Bug Fix
Doc Text:
SELinux was set to enforcing mode on Ceph OSD nodes. However, according to official Ceph documentation, SELinux should be set to permissive mode on Ceph OSD nodes. This fix sets SELinux to permissive on Ceph OSD nodes.
Clone Of:
Environment:
Last Closed: 2015-08-05 13:58:59 UTC
Target Upstream Version:


Links
System | ID | Priority | Status | Summary | Last Updated
OpenStack gerrit | 201259 | None | None | None | Never
Red Hat Product Errata | RHEA-2015:1549 | normal | SHIPPED_LIVE | Red Hat Enterprise Linux OpenStack Platform director Release | 2015-08-05 17:49:10 UTC

Description Yogev Rabl 2015-07-09 08:20:41 UTC
Description of problem:
Red Hat's official Ceph 1.2.3 and 1.3 installation documentation guides us to set SELinux to permissive mode.

The implications are not known and actions of the storage might be blocked by SELinux.

Version-Release number of selected component (if applicable):
openstack-tripleo-image-elements-0.9.6-5.el7ost.noarch
openstack-heat-templates-0-0.6.20150605git.el7ost.noarch
openstack-tripleo-heat-templates-0.8.6-23.el7ost.noarch
openstack-tripleo-0.0.7-0.1.1664e566.el7ost.noarch
openstack-tripleo-puppet-elements-0.0.1-3.el7ost.noarch


How reproducible:
100%

Steps to Reproduce:
1. Install Ceph OSD and monitors with OSP Director
2. Check SELinux mode
# getenforce


Actual results:
SELinux is in Enforcing mode

Expected results:
SELinux should be in permissive mode

Additional info:

Comment 3 chris alfonso 2015-07-13 13:07:45 UTC
Jiri, Please update this with the latest status.

Comment 4 Mike Burns 2015-07-13 13:08:31 UTC
This only impacts OSD nodes, not monitor nodes.

Comment 5 Jiri Stransky 2015-07-13 17:22:20 UTC
WIP patch submitted but needs proper testing to be considered working (not moving to ON_DEV yet). https://review.openstack.org/201259

Comment 6 Jiri Stransky 2015-07-14 10:58:11 UTC
Submitted a backport and tested deployment with a Ceph node:

[root@overcloud-cephstorage-0 ~]# cat /etc/selinux/config | grep '^SELINUX='
SELINUX=permissive
[root@overcloud-cephstorage-0 ~]# getenforce 
Permissive
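
The two checks in comment 6 cover different things: getenforce reports the running mode, while /etc/selinux/config decides the mode after the next reboot. The shell sketch below is an added example (not from the bug report or the TripleO templates) that flags a mismatch between the two; the function names and the sample config contents are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the bug report. Function names are hypothetical.

# Print the persistent mode from an SELinux config file, lower-cased.
# Uses the first line starting with "SELINUX=" (same anchor as the grep in
# comment 6; taking the first match is an assumption of this example).
selinux_config_mode() {
    sed -n 's/^SELINUX=[[:space:]]*\([[:alpha:]]*\).*/\1/p' "$1" \
        | head -n 1 | tr '[:upper:]' '[:lower:]'
}

# $1 = runtime mode as printed by getenforce, $2 = path to the config file.
# Prints consistent:<mode>, drift:<runtime>-><persistent>, or unknown-config.
selinux_audit() {
    runtime=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    persistent=$(selinux_config_mode "$2")
    if [ -z "$persistent" ]; then
        echo "unknown-config"
    elif [ "$runtime" = "$persistent" ]; then
        echo "consistent:$runtime"
    else
        echo "drift:$runtime->$persistent"
    fi
}

# Constructed sample configs so the example runs offline.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
printf '%s\n' '# SELINUX= can take one of these three values:' \
    'SELINUX=permissive' 'SELINUXTYPE=targeted' > "$SAMPLE_DIR/fixed.conf"
printf '%s\n' 'SELINUX=enforcing' 'SELINUXTYPE=targeted' > "$SAMPLE_DIR/stale.conf"
printf '%s\n' 'SELINUXTYPE=targeted' > "$SAMPLE_DIR/empty.conf"

selinux_audit Permissive "$SAMPLE_DIR/fixed.conf"  # state shown in comment 6
selinux_audit Permissive "$SAMPLE_DIR/stale.conf"  # runtime-only change
selinux_audit Enforcing  "$SAMPLE_DIR/empty.conf"  # no SELINUX= line

# On a real node: selinux_audit "$(getenforce)" /etc/selinux/config
```

A drift result means the running mode will not survive a reboot, which is why the verification in comment 6 reads the config file as well as getenforce.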

Comment 8 Omri Hochman 2015-07-22 14:45:00 UTC
Verified with openstack-tripleo-heat-templates-0.8.6-44.el7ost.noarch : 

[stack@rhos-compute-node-18 ~]$ nova list
+--------------------------------------+-------------------------+--------+------------+-------------+-----------------------+
| ID                                   | Name                    | Status | Task State | Power State | Networks              |
+--------------------------------------+-------------------------+--------+------------+-------------+-----------------------+
| 02a0e351-0b6d-4f3c-b589-926d4a9b3eea | overcloud-cephstorage-0 | ACTIVE | -          | Running     | ctlplane=192.168.0.19 |
| 18cf391e-7afb-4b55-a5dc-06b75cfb4876 | overcloud-compute-0     | ACTIVE | -          | Running     | ctlplane=192.168.0.20 |
| a847401a-a030-4266-aca2-e8d1cf2889b6 | overcloud-controller-0  | ACTIVE | -          | Running     | ctlplane=192.168.0.21 |
| 08f04db2-4eeb-4dac-a2ba-4a120c9d2140 | overcloud-controller-1  | ACTIVE | -          | Running     | ctlplane=192.168.0.22 |
| c52d985e-7e06-4952-a572-fee4349fd922 | overcloud-controller-2  | ACTIVE | -          | Running     | ctlplane=192.168.0.23 |
+--------------------------------------+-------------------------+--------+------------+-------------+-----------------------+
[stack@rhos-compute-node-18 ~]$ ssh heat-admin@192.168.0.19
Last login: Tue Jul 21 08:32:54 2015 from 192.168.0.1
[heat-admin@overcloud-cephstorage-0 ~]$ 
[heat-admin@overcloud-cephstorage-0 ~]$ 
[heat-admin@overcloud-cephstorage-0 ~]$ 
[heat-admin@overcloud-cephstorage-0 ~]$ getenforce
Permissive

Comment 10 errata-xmlrpc 2015-08-05 13:58:59 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2015:1549

