Description of problem:
Starting with 1.3.2, ceph-selinux is shipped in tools. If it's available, ceph-deploy should also install the rpm instead of the user installing it manually; in all our docs we use ceph-deploy to install, and the user doesn't know about individual package names.

Version-Release number of selected component (if applicable): 1.3.2

How reproducible: n/a

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
It should be installed by default, but it should also not be in informing mode by default; the customers will need to switch to SELinux enforcing explicitly in 1.3.2.
Boris, I'm wondering if we should make ceph-mon and ceph-osd Require: ceph-selinux. Thoughts?
I believe the original agreement was to let users explicitly install the ceph-selinux package. I don't think we want to have it installed "by default" in 1.3.x. It would make updates on high-storage machines take a very, very long time, which can be expected between major releases but can generate a lot of fuss between minor releases.

Also, artificially disabling Ceph SELinux policy after installation sounds weird to me and would require several additional changes, not just adding new requires -- the SELinux modules get disabled by 'semanage module --disable <module>'. Otherwise, the denials are always reported (if SELinux is not turned off in kernel altogether). The denials might not be enforced if SELinux is in permissive mode. They will still be reported, though.

All in all, I believe the best solution for the minor release is to keep ceph-selinux a separate package not installed by default and let the users decide whether they want to use it (with all the consequences -- long installation times, etc).
ceph-deploy is already able to install individual packages on remote nodes. In the case of ceph-selinux this would look like:

    ceph-deploy pkg --install ceph-selinux {nodes}

So if we want to make it optional, this ticket should be closed since it is already optional via ceph-deploy.
Oh right, I forgot about the perf hit when selinux tries to label everything on the OSDs. I agree with Alfredo's and Boris's recommendations in Comment 4 and Comment 5. It would be less surprising to users if we switched ceph-selinux to be mandatory in the RHCS 2.0 release.
I am fine if this has to be installed separately. In that case we will have to document the optional CLI command that Alfredo mentioned in our install guide and some additional notes about ceph-selinux. I will let Federico comment as well and I am fine to move this to doc bz.
Vasu, I am setting the target release as 1.3.2 for this defect and making this a doc defect. Please feel free to change if required.
It looks good to me. The upgrade section might not be relevant to this bug for now, but probably users going from 1.3.1 to 1.3.2 can still refer to the SELinux section if they want SELinux to be enforced.
Bara, the content looks good to me. The original bug can be verified. But while verifying I found one new issue:

http://10.34.3.139:8080/view/Ceph/job/doc-Red_Hat_Ceph_Storage-Installation_Guide_RHEL%20%28html-single%29/lastSuccessfulBuild/artifact/index.html#execute-pre-installation

This is pointing correctly, and opening the page 'Execute the Pre-Installation Procedure'. But there is a hyperlink in the paragraph "Create a Ceph Deploy User" that is not pointing correctly. After clicking, it's pointing to "Installation Guide for RHEL (x86_64)". Rather, it should point to "Create a Ceph Deploy User". Please ping me if you couldn't understand what I meant.
Marking it as Verified