Description of problem: The ansible playbook fails during the Ceph NFS installation in the following task : TASK [ceph-nfs : run semanage permissive -a ganesha_t] Version-Release number of selected component (if applicable): ceph-ansible-3.1.2-1.el7cp.noarch ansible-2.4.6.0-1.el7ae.noarch How reproducible: Steps to Reproduce: 1. Install Ceph NFS with ansible 2. Run the ansible-playbook Actual results: Ansible Playbook fails during Ceph NFS installation Expected results: Ansible Playbook should succeed and Ceph NFS should be installed. Additional info: TASK [ceph-nfs : run semanage permissive -a ganesha_t] ******************************************************************************************************** Thursday 06 September 2018 13:37:08 +0000 (0:00:05.039) 0:08:29.869 **** fatal: [magna060]: FAILED! => {"changed": false, "cmd": ["semanage", "permissive", "-a", "ganesha_t"], "delta": "0:00:00.229039", "end": "2018-09-06 13:37:07.733426", "failed": true, "msg": "non-zero return code", "rc": 1, "start": "2018-09-06 13:37:07.504387", "stderr": "ValueError: ganesha_t is not a domain type", "stderr_lines": ["ValueError: ganesha_t is not a domain type"], "stdout": "", "stdout_lines": []} PLAY RECAP **************************************************************************************************************************************************** magna060 : ok=217 changed=12 unreachable=0 failed=1 INSTALLER STATUS ********************************************************************************************************************************************** Install Ceph OSD : Complete (0:02:41) Install Ceph RGW : Complete (0:02:18) Install Ceph NFS : In Progress (0:03:23) This phase can be restarted by running: roles/ceph-nfs/tasks/main.yml
How reproducible: 2 out of 4 test setup encountered this issue
This is not a bug. [ubuntu@magna060 ~]$ yum info selinux-policy Loaded plugins: fastestmirror, langpacks, priorities, product-id, search-disabled-repos, subscription-manager Installed Packages Name : selinux-policy Arch : noarch Version : 3.13.1 Release : 222.el7 Size : 6.3 k Repo : installed From repo : rhel-7-server-htb-rpms Summary : SELinux policy configuration URL : http://oss.tresys.com/repos/refpolicy/ License : GPLv2+ Description : SELinux Reference Policy - modular. : Based off of reference policy: Checked out revision 2.20091117 The currently installed selinux-policy package is a beta from RHEL 7.6. We will need to correct it but this invalidates the test against the currently supported platform RHEL-7.5 We checked the package and have observed changes to the ganesha domain. I will file a BZ to address that with selinux-policy for reference the correct package to test with is selinux-policy-3.13.1-192.el7
We need to update our ansible scripts to support the policy changes made in RHEL 7.6. As of RHEL 7.6, the ganesha_t is no longer a domain type and so running the command that sets the domain as permissive fails there. The nfs.ganesha daemon will run unconfined in RHEL 7.6 instead -- this should be pretty much the same as making its domain permissive. We should be safe simply ignoring this failure in the ansible scripts (i.e. adding failed_when: false).
this fix will be in the next upstream stable-3.1 release (v3.1.5)
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:3530