Bug 1419697 - atomic-openshift-excluder should exclude selinux packages that break [NEEDINFO]
Keywords:
Status: CLOSED DUPLICATE of bug 1411316
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 3.4.0
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ---
: ---
Assignee: Scott Dodson
QA Contact: Johnny Liu
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-02-06 19:20 UTC by Steven Walter
Modified: 2017-02-07 20:57 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-02-07 18:41:38 UTC
Target Upstream Version:
sdodson: needinfo? (dwalsh)


Description Steven Walter 2017-02-06 19:20:47 UTC
Description of problem:

With the changes to selinux (docker-selinux -> container-selinux), and other recent changes, some packages that are installed with a yum update still break the cluster.


The following packages seem to cause the issue:

selinux-policy-devel-3.13.1-102.el7_3.7.noarch
selinux-policy-targeted-3.13.1-102.el7_3.7.noarch
selinux-policy-3.13.1-102.el7_3.7.noarch

As soon as these were applied to the cluster, it went down because docker lost all of its SELinux labeling. By running:

yum reinstall -y container-selinux; systemctl restart docker; systemctl restart atomic-openshift-node

The labels were restored.

I have marked this bug for the Installer in order to exclude the packages that break using atomic-openshift-excluder as the selinux issues should be fixed in bugs:

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1413536
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1411316
[3] https://bugzilla.redhat.com/show_bug.cgi?id=1413535

Comment 5 Scott Dodson 2017-02-07 18:41:38 UTC
I'm closing this NOTABUG because it should always be safe to update to the latest selinux-policy and container-selinux, and there are bugs open to address problems there. If the docker team decides that we need to exclude selinux-policy and container-selinux from updates, we'll revisit this, but I think that's an exceptionally risky proposition.

Comment 8 Scott Dodson 2017-02-07 20:56:42 UTC

*** This bug has been marked as a duplicate of bug 1411316 ***

