Bug 1295949 - [RH Ceph 1.3.2] ceph-selinux should be installed during ceph-deploy install
Product: Red Hat Ceph Storage
Classification: Red Hat
Component: Documentation
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: 1.3.2
Assigned To: Bara Ancincova
Keywords: Documentation, ZStream
Depends On:
Blocks: 1299303
Reported: 2016-01-05 16:26 EST by Vasu Kulkarni
Modified: 2016-03-01 03:22 EST (History)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
.Support for SELinux has been added

With this release, the SELinux policy for Red Hat Ceph Storage has been added. SELinux provides another security layer by enforcing a Mandatory Access Control (MAC) mechanism over all processes. To learn more about SELinux, see the https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/index.html[SELinux User's and Administrator's Guide] for Red Hat Enterprise Linux 7.

SELinux support for Ceph is not enabled by default. To use it, install the `ceph-selinux` package. For detailed information about this process, see the https://access.redhat.com/documentation/en/red-hat-ceph-storage/version-1.3/red-hat-ceph-storage-13-installation-guide-for-rhel-x86-64/#install-selinux[SELinux] section in the Red Hat Ceph Storage https://access.redhat.com/documentation/en/red-hat-ceph-storage/1.3/installation-guide-for-rhel-x86-64/installation-guide-for-rhel-x86-64[Installation Guide for Red Hat Enterprise Linux].

NOTE: All Ceph daemons will be down while the `ceph-selinux` package is being installed, so the cluster node will not be able to serve any data during that time. This downtime is necessary to update the SELinux metadata (labels) of the files on the underlying file system and to make the Ceph daemons run with the correct context. The operation may take several minutes depending on the size and speed of the underlying storage.
Story Points: ---
Clone Of:
Last Closed: 2016-03-01 03:22:49 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Vasu Kulkarni 2016-01-05 16:26:54 EST
Description of problem:

Starting with 1.3.2, ceph-selinux is shipped in tools. If it is available, ceph-deploy should also install the RPM instead of the user installing it manually; in all our docs we use ceph-deploy to install, and the user doesn't know the individual package names.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:

Actual results:

Expected results:

Additional info:
Comment 2 Federico Lucifredi 2016-01-06 20:53:04 EST
It should be installed by default, but it should also not be in informing mode by default; the customers will need to switch to SELinux enforcing explicitly in 1.3.2.
Comment 3 Ken Dreyer (Red Hat) 2016-01-07 12:12:55 EST
Boris, I'm wondering if we should make ceph-mon and ceph-osd Require: ceph-selinux. Thoughts?
Comment 4 Boris Ranto 2016-01-08 03:40:08 EST
I believe the original agreement was to let users explicitly install the ceph-selinux package. I don't think we want to have it installed "by default" in 1.3.x. It would make updates on high-storage machines take a very, very long time, which can be expected between major releases but can generate a lot of fuss between minor releases.

Also, artificially disabling the Ceph SELinux policy after installation sounds weird to me and would require several additional changes, not just adding new requires -- the SELinux modules get disabled by 'semanage module --disable <module>'. Otherwise, the denials are always reported (if SELinux is not turned off in the kernel altogether). The denials might not be enforced if SELinux is in permissive mode; they will still be reported, though.

All in all, I believe the best solution for the minor release is to keep ceph-selinux a separate package not installed by default and let the users decide whether they want to use it (with all the consequences -- long installation times, etc.).
Comment 5 Alfredo Deza 2016-01-08 08:50:48 EST
ceph-deploy is already able to install individual packages on remote nodes. In the case of ceph-selinux this would look like:

    ceph-deploy pkg --install ceph-selinux {nodes}

So if we want to make it optional, this ticket should be closed since it is already optional via ceph-deploy.
Comment 6 Ken Dreyer (Red Hat) 2016-01-08 13:09:55 EST
Oh right, I forgot about the perf hit when SELinux tries to label everything on the OSDs.

I agree with Alfredo's and Boris's recommendations in Comment 4 and Comment 5. It would be less surprising to users if we switched ceph-selinux to be mandatory in the RHCS 2.0 release.
Comment 7 Vasu Kulkarni 2016-01-08 16:47:25 EST
I am fine if this has to be installed separately. In that case we will have to document the optional CLI command that Alfredo mentioned in our install guide, plus some additional notes about ceph-selinux.

I will let Federico comment as well, and I am fine to move this to a doc BZ.
Comment 8 Harish NV Rao 2016-01-13 07:23:44 EST
Vasu, I am setting target release as 1.3.2 for this defect and making this as doc defect. Please feel free to change if required.
Comment 12 Vasu Kulkarni 2016-01-19 12:51:15 EST
It looks good to me. The upgrade section might not be relevant to this bug for now, but users going from 1.3.1 to 1.3.2 can probably still refer to the SELinux section if they want SELinux to be enforced.
Comment 14 Tanay Ganguly 2016-02-03 03:56:20 EST
The content looks good to me.
The original bug can be verified.

But while verifying I found one new issue:

This is pointing correctly, and opens the page 'Execute the Pre-Installation Procedure'. But there is a hyperlink in the paragraph "Create a Ceph Deploy User" that is not pointing correctly.

After clicking, it points to "Installation Guide for RHEL (x86_64)".
Rather, it should point to "Create a Ceph Deploy User".

Please ping me if you couldn't understand what I meant.
Comment 16 Tanay Ganguly 2016-02-03 05:50:24 EST
Marking it as Verified