Description of problem:
Red Hat's official Ceph 1.2.3 and 1.3 installation documentation guides us to set SELinux to permissive mode. The implications are not known and actions of the storage might be blocked by SELinux.

Version-Release number of selected component (if applicable):
openstack-tripleo-image-elements-0.9.6-5.el7ost.noarch
openstack-heat-templates-0-0.6.20150605git.el7ost.noarch
openstack-tripleo-heat-templates-0.8.6-23.el7ost.noarch
openstack-tripleo-0.0.7-0.1.1664e566.el7ost.noarch
openstack-tripleo-puppet-elements-0.0.1-3.el7ost.noarch

How reproducible:
100%

Steps to Reproduce:
1. Install Ceph OSD and monitors with OSP Director
2. Check SELinux mode
# getenforce

Actual results:
SELinux is in Enforcing mode

Expected results:
SELinux should be in permissive mode

Additional info:
Jiri, Please update this with the latest status.
This only impacts OSD nodes, not monitor nodes.
WIP patch submitted but needs proper testing to be considered working (not moving to ON_DEV yet). https://review.openstack.org/201259
Submitted a backport and tested deployment with a Ceph node:

[root@overcloud-cephstorage-0 ~]# cat /etc/selinux/config | grep '^SELINUX='
SELINUX=permissive
[root@overcloud-cephstorage-0 ~]# getenforce
Permissive
Verified with openstack-tripleo-heat-templates-0.8.6-44.el7ost.noarch:

[stack@rhos-compute-node-18 ~]$ nova list
+--------------------------------------+-------------------------+--------+------------+-------------+-----------------------+
| ID                                   | Name                    | Status | Task State | Power State | Networks              |
+--------------------------------------+-------------------------+--------+------------+-------------+-----------------------+
| 02a0e351-0b6d-4f3c-b589-926d4a9b3eea | overcloud-cephstorage-0 | ACTIVE | -          | Running     | ctlplane=192.168.0.19 |
| 18cf391e-7afb-4b55-a5dc-06b75cfb4876 | overcloud-compute-0     | ACTIVE | -          | Running     | ctlplane=192.168.0.20 |
| a847401a-a030-4266-aca2-e8d1cf2889b6 | overcloud-controller-0  | ACTIVE | -          | Running     | ctlplane=192.168.0.21 |
| 08f04db2-4eeb-4dac-a2ba-4a120c9d2140 | overcloud-controller-1  | ACTIVE | -          | Running     | ctlplane=192.168.0.22 |
| c52d985e-7e06-4952-a572-fee4349fd922 | overcloud-controller-2  | ACTIVE | -          | Running     | ctlplane=192.168.0.23 |
+--------------------------------------+-------------------------+--------+------------+-------------+-----------------------+
[stack@rhos-compute-node-18 ~]$ ssh heat-admin.0.19
Last login: Tue Jul 21 08:32:54 2015 from 192.168.0.1
[heat-admin@overcloud-cephstorage-0 ~]$
[heat-admin@overcloud-cephstorage-0 ~]$
[heat-admin@overcloud-cephstorage-0 ~]$
[heat-admin@overcloud-cephstorage-0 ~]$ getenforce
Permissive
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2015:1549
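
The verification comments above check two separate things: the persistent setting in /etc/selinux/config and the runtime mode reported by getenforce. As an added example (not part of this bug report or of the submitted patch), the script below compares both against an expected mode and reports when they disagree. The function names and the sample config are constructed for illustration, and treating conflicting SELINUX= lines as "ambiguous" is a choice of this example.

```shell
#!/bin/sh
# Added example: compare persistent and runtime SELinux mode on a node.

# Print the mode from the uncommented SELINUX= line(s) of a config file,
# lowercased. Prints "missing" if there is none, "ambiguous" if lines disagree.
# SELINUXTYPE= lines and "#" comment lines are not matched.
config_mode() {
    modes=$(sed -n 's/^SELINUX=[[:space:]]*\([A-Za-z]*\).*$/\1/p' "$1" \
            | tr '[:upper:]' '[:lower:]' | sort -u)
    case $(printf '%s\n' "$modes" | grep -c .) in
        0) echo missing ;;
        1) echo "$modes" ;;
        *) echo ambiguous ;;
    esac
}

# usage: check_mode EXPECTED CONFIG_FILE RUNTIME_MODE
# RUNTIME_MODE is the output of getenforce. Returns 0 only when the config
# file and the runtime mode both match EXPECTED (case-insensitive).
check_mode() {
    expected=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    persistent=$(config_mode "$2")
    runtime=$(printf '%s' "$3" | tr '[:upper:]' '[:lower:]')
    if [ "$persistent" = "$expected" ] && [ "$runtime" = "$expected" ]; then
        echo "ok: $expected in config and at runtime"
        return 0
    fi
    echo "mismatch: expected=$expected config=$persistent runtime=$runtime"
    return 1
}

# Constructed sample input, laid out like /etc/selinux/config.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# SELINUX= can take one of: enforcing, permissive, disabled
SELINUX=permissive
SELINUXTYPE=targeted
EOF

check_mode permissive "$sample" Permissive           # config and runtime agree
check_mode permissive "$sample" Enforcing || true    # runtime differs from config

# On a deployed node:
#   check_mode permissive /etc/selinux/config "$(getenforce)"
```

A mismatch between the two values means the node's mode will change at the next reboot or was changed by hand with setenforce, which is why both are checked.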