Description of problem:
I installed docker 1.12.3-3 the way I wanted it configured. This included configuring overlayfs as the graphdriver which requires setting --selinux-enabled=false. This disables selinux in containers, but that is OK for me. When I install OpenShift 3.4, it overwrites my setting for --selinux-enabled. After the install, containers will no longer start until the flag is restored (or if selinux is disabled entirely). The install should maintain existing docker settings. I suppose if they are known to break OpenShift they could be changed, but that's not the case here.
Version-Release number of selected component (if applicable):
3.4.0.22
How reproducible:
Always
Steps to Reproduce:
1. Install docker 1.12.3-3 outside of OpenShift and configure it for overlay. Here's a good guide: http://www.projectatomic.io/blog/2015/06/notes-on-fedora-centos-and-docker-storage-drivers/
2. Verify --selinux-enabled=false
3. Install OpenShift 3.4.0.22 using the byo/config.yml playbook
Actual results:
sysconfig/docker contains --selinux-enabled and no containers will start after the install.
Expected results:
config value is maintained
Mike, marking this upcoming release. If this is a regression let's remove that flag and we can treat it as a blocker; if it's not a regression we'll get to it after the release.
Related discussion (docs BZ): https://bugzilla.redhat.com/show_bug.cgi?id=1290487#c8
This is not a regression. 3.3 installer behaves the same way. The discussion Alex links is a good one, but I think the more general issue here is having the installer respect the existing docker config if there is nothing about it that breaks OpenShift. UpcomingRelease sounds fine.
Related: https://github.com/ansible/ansible/issues/18692
https://github.com/openshift/openshift-ansible/pull/3044
@Russell, going through the above PR, it seems to introduce a new ansible option - openshift_docker_selinux_enabled, which means the user should set "openshift_docker_selinux_enabled=false" in the inventory host file to run the install with the docker overlay setting, am I right?
(In reply to Johnny Liu from comment #6) Johnny, if the user wants to disable the use of selinux within the containers, they would set "openshift_docker_selinux_enabled=false". This will cause docker to not run selinux within the container regardless of the status of selinux on the host.
Mike, could you comment on where we are headed with this and if it meets your original request?
This handles the specific example of enabling/disabling selinux for the containers. My more general concern in this bug was not breaking existing good Docker configurations by overwriting the configuration during OpenShift install. Is OpenShift always "in control" of the Docker configuration? i.e. existing user configuration outside of what OpenShift performs is not supported?
I can live with a restriction, but we should probably document it.
Merged. https://github.com/openshift/openshift-ansible/pull/3044
Verified this bug with openshift-ansible-3.5.3-1.git.0.80c2436.el7.noarch, and PASS.
Set openshift_docker_selinux_enabled=false in inventory host file, trigger installation, after it is completed, checking:
    # cat /etc/sysconfig/docker|grep OPTION
    OPTIONS=' --log-driver=json-file --log-opt max-size=50m'
No "--selinux-enabled" options in docker config file.
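Added example, not part of the original bug report or of openshift-ansible: a shell check that reports how --selinux-enabled is set in a docker sysconfig file, so the value can be compared before and after an install. The function name docker_selinux_state and the sample file contents are constructed for illustration; only the literal spellings true and false are recognised as values.

```shell
#!/bin/sh
# Added example: report how --selinux-enabled is set in a docker sysconfig file.
# Prints enabled | disabled | absent; exits 2 if the file cannot be read.
# docker_selinux_state is a hypothetical helper name, not an OpenShift or docker tool.

docker_selinux_state() (
    set -f                                   # no globbing while splitting OPTIONS
    [ -r "$1" ] || { echo "cannot read $1" >&2; exit 2; }
    # Last uncommented OPTIONS= assignment wins, as it would when the file is sourced.
    line=$(grep -E '^[[:space:]]*OPTIONS=' "$1" | tail -n 1)
    # Drop the quotes around the value so it can be split into flags.
    opts=$(printf '%s' "${line#*=}" | tr -d "'\"")
    state=absent
    for tok in $opts; do
        case $tok in
            --selinux-enabled|--selinux-enabled=true) state=enabled ;;
            --selinux-enabled=false)                  state=disabled ;;
        esac
    done
    printf '%s\n' "$state"
)

# Constructed sample files (not taken from a real host).
demo_dir=$(mktemp -d)
printf "%s\n" "OPTIONS=' --selinux-enabled --log-driver=json-file --log-opt max-size=50m'" \
    > "$demo_dir/flag_rewritten"
printf "%s\n" "OPTIONS=' --log-driver=json-file --log-opt max-size=50m'" \
    > "$demo_dir/flag_removed"
printf "%s\n" "#OPTIONS='--selinux-enabled'" \
    "OPTIONS='--selinux-enabled=false --storage-driver=overlay'" \
    > "$demo_dir/overlay_host"

for f in flag_rewritten flag_removed overlay_host; do
    printf '%s: %s\n' "$f" "$(docker_selinux_state "$demo_dir/$f")"
done
rm -rf "$demo_dir"
```

Running it against /etc/sysconfig/docker before and after the playbook shows whether the installer changed the flag.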
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:0903