Bug 1241422 - SElinux is set as Enforcing in the Ceph OSD nodes
Status: CLOSED ERRATA
Product: Red Hat OpenStack
Classification: Red Hat
Component: rhosp-director
Director
x86_64 Linux
high Severity high
: ga
: Director
Assigned To: Jiri Stransky
Yogev Rabl
Reported: 2015-07-09 04:20 EDT by Yogev Rabl
Modified: 2015-08-05 09:58 EDT
Fixed In Version: openstack-tripleo-heat-templates-0.8.6-37.el7ost
Doc Type: Bug Fix
Doc Text:
SELinux was set to enforcing mode on Ceph OSD nodes. However, according to official Ceph documentation, SELinux should be set to permissive mode on Ceph OSD nodes. This fix sets SELinux to permissive on Ceph OSD nodes.
Last Closed: 2015-08-05 09:58:59 EDT
Type: Bug


External Trackers
Tracker ID Priority Status Summary Last Updated
OpenStack gerrit 201259 None None None Never
Red Hat Product Errata RHEA-2015:1549 normal SHIPPED_LIVE Red Hat Enterprise Linux OpenStack Platform director Release 2015-08-05 13:49:10 EDT

Description Yogev Rabl 2015-07-09 04:20:41 EDT
Description of problem:
Red Hat's official Ceph 1.2.3 and 1.3 installation documentation guides us to set SELinux to permissive mode.

The implications are not known and actions of the storage might be blocked by SELinux.

Version-Release number of selected component (if applicable):
openstack-tripleo-image-elements-0.9.6-5.el7ost.noarch
openstack-heat-templates-0-0.6.20150605git.el7ost.noarch
openstack-tripleo-heat-templates-0.8.6-23.el7ost.noarch
openstack-tripleo-0.0.7-0.1.1664e566.el7ost.noarch
openstack-tripleo-puppet-elements-0.0.1-3.el7ost.noarch


How reproducible:
100%

Steps to Reproduce:
1. Install Ceph OSD and monitors with OSP Director
2. Check SELinux mode
# getenforce


Actual results:
SELinux is in Enforcing mode

Expected results:
SELinux should be in permissive mode

Additional info:
Comment 3 chris alfonso 2015-07-13 09:07:45 EDT
Jiri, Please update this with the latest status.
Comment 4 Mike Burns 2015-07-13 09:08:31 EDT
This only impacts OSD nodes, not monitor nodes.
Comment 5 Jiri Stransky 2015-07-13 13:22:20 EDT
WIP patch submitted but needs proper testing to be considered working (not moving to ON_DEV yet). https://review.openstack.org/201259
Comment 6 Jiri Stransky 2015-07-14 06:58:11 EDT
Submitted a backport and tested deployment with a Ceph node:

[root@overcloud-cephstorage-0 ~]# cat /etc/selinux/config | grep '^SELINUX='
SELINUX=permissive
[root@overcloud-cephstorage-0 ~]# getenforce 
Permissive
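
Added example, not part of the bug report or of the TripleO templates: Comment 6 verifies both the persistent setting in /etc/selinux/config and the runtime mode from getenforce, and this sketch turns that double check into a reusable test that flags a node where the two disagree. The function names, the "first uncommented SELINUX= line" parsing rule and the sample file are assumptions of this example.

```shell
#!/bin/sh
# Added example: compare the persistent SELinux mode with the runtime mode.
# Function names and the sample config below are constructed for illustration.

# Print the persistent mode (lowercased) from an SELinux config file.
# Assumption: the first uncommented SELINUX= line is the effective one.
selinux_config_mode() {
    sed -n 's/^SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" \
        | head -n 1 | tr 'A-Z' 'a-z'
}

# selinux_check EXPECTED CONFIG_FILE RUNTIME_MODE
# Prints one of:
#   ok          config and runtime agree and match EXPECTED
#   drift       config and runtime disagree (the state changes on reboot)
#   unexpected  both agree, but not on EXPECTED
selinux_check() {
    expected=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    configured=$(selinux_config_mode "$2")
    runtime=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    if [ "$configured" != "$runtime" ]; then
        echo "drift"
    elif [ "$configured" != "$expected" ]; then
        echo "unexpected"
    else
        echo "ok"
    fi
}

# Constructed sample of /etc/selinux/config in the state Comment 6 reports.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values: enforcing, permissive, disabled
SELINUX=permissive
SELINUXTYPE=targeted
EOF

# The runtime value is passed in as a string so the example runs offline.
selinux_check permissive "$sample" Permissive
selinux_check permissive "$sample" Enforcing
```

On a deployed node the same check would be called as `selinux_check permissive /etc/selinux/config "$(getenforce)"`.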
Comment 8 Omri Hochman 2015-07-22 10:45:00 EDT
Verified with openstack-tripleo-heat-templates-0.8.6-44.el7ost.noarch : 

[stack@rhos-compute-node-18 ~]$ nova list
+--------------------------------------+-------------------------+--------+------------+-------------+-----------------------+
| ID                                   | Name                    | Status | Task State | Power State | Networks              |
+--------------------------------------+-------------------------+--------+------------+-------------+-----------------------+
| 02a0e351-0b6d-4f3c-b589-926d4a9b3eea | overcloud-cephstorage-0 | ACTIVE | -          | Running     | ctlplane=192.168.0.19 |
| 18cf391e-7afb-4b55-a5dc-06b75cfb4876 | overcloud-compute-0     | ACTIVE | -          | Running     | ctlplane=192.168.0.20 |
| a847401a-a030-4266-aca2-e8d1cf2889b6 | overcloud-controller-0  | ACTIVE | -          | Running     | ctlplane=192.168.0.21 |
| 08f04db2-4eeb-4dac-a2ba-4a120c9d2140 | overcloud-controller-1  | ACTIVE | -          | Running     | ctlplane=192.168.0.22 |
| c52d985e-7e06-4952-a572-fee4349fd922 | overcloud-controller-2  | ACTIVE | -          | Running     | ctlplane=192.168.0.23 |
+--------------------------------------+-------------------------+--------+------------+-------------+-----------------------+
[stack@rhos-compute-node-18 ~]$ ssh heat-admin@192.168.0.19
Last login: Tue Jul 21 08:32:54 2015 from 192.168.0.1
[heat-admin@overcloud-cephstorage-0 ~]$ 
[heat-admin@overcloud-cephstorage-0 ~]$ 
[heat-admin@overcloud-cephstorage-0 ~]$ 
[heat-admin@overcloud-cephstorage-0 ~]$ getenforce
Permissive
Comment 10 errata-xmlrpc 2015-08-05 09:58:59 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2015:1549
