Bug 1628431 - [Doc] Add recovery steps of SELinux label in restore procedure.
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: documentation
Version: 13.0 (Queens)
Hardware: Unspecified
OS: Unspecified
medium
urgent
Target Milestone: ---
: ---
Assignee: RHOS Documentation Team
QA Contact: RHOS Documentation Team
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2018-09-13 02:54 UTC by Keigo Noha
Modified: 2023-10-06 17:55 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-06-02 01:22:02 UTC
Target Upstream Version:
Embargoed:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Bugzilla | 1637773 | 0 | medium | CLOSED | A SELinux definition to /var/lib/registry is missing | 2023-10-06 17:56:45 UTC
Red Hat Knowledge Base (Solution) | 3667261 | 0 | None | None | None | 2018-10-26 01:06:32 UTC

Internal Links: 1637773

Description Keigo Noha 2018-09-13 02:54:10 UTC
Description of problem:
Add recovery steps for SELinux labels to the restore procedure.
The current restore procedure lacks steps for SELinux labeling of the rsynced directories and files.
This causes an inconsistency between the original node and the recovered node.
This inconsistency may cause SELinux issues with future changes to the undercloud.

cf. https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/13/html-single/back_up_and_restore_the_director_undercloud/#restore_the_undercloud

As far as I checked, the following directories are mapped to the usr_tmp_t label.

/var/lib/glance
/var/lib/docker
/var/lib/registry
/var/lib/registry/docker

These directories should be

/var/lib/glance: glance_var_lib_t
/var/lib/docker: container_var_lib_t
/var/lib/registry: var_lib_t
/var/lib/registry/docker: container_var_lib_t

Most of them will be restored with the restorecon command, but restorecon on /var/lib/registry/docker might not work because a predefined SELinux policy doesn't exist for /var/lib/registry.
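
The label comparison described in the report above can be scripted. This is an added example, not part of the original report or of the Red Hat documentation. The function names and the sample input are constructed for illustration; the expected types are the ones listed in the description.

```shell
#!/bin/sh
# Input format: "<context> <path>" per line, as printed by GNU stat:
#   stat -c '%C %n' /var/lib/glance /var/lib/docker /var/lib/registry ...

# Expected SELinux type per path, as listed in the bug description.
expected_type() {
    case "$1" in
        /var/lib/glance)          echo glance_var_lib_t ;;
        /var/lib/docker)          echo container_var_lib_t ;;
        /var/lib/registry)        echo var_lib_t ;;
        /var/lib/registry/docker) echo container_var_lib_t ;;
        *)                        return 1 ;;
    esac
}

# The type is the third colon-separated field of user:role:type:level.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Reads "<context> <path>" lines on stdin, prints one line per mismatch and
# returns non-zero if any listed path carries an unexpected type.
check_labels() {
    rc=0
    while read -r ctx path; do
        want=$(expected_type "$path") || continue   # path not in the list
        have=$(context_type "$ctx")
        if [ "$have" != "$want" ]; then
            printf 'MISMATCH %s have=%s want=%s\n' "$path" "$have" "$want"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample of a restored node: three paths carry the label the
# reporter observed, one is already correct.
sample_restored() {
    cat <<'EOF'
unconfined_u:object_r:usr_tmp_t:s0 /var/lib/glance
system_u:object_r:container_var_lib_t:s0 /var/lib/docker
unconfined_u:object_r:usr_tmp_t:s0 /var/lib/registry
unconfined_u:object_r:usr_tmp_t:s0 /var/lib/registry/docker
EOF
}

sample_restored | check_labels || echo "relabel needed"
```

On a restored node, pipe the `stat -c '%C %n'` output for the four directories into `check_labels` instead of the sample.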

Comment 1 Keigo Noha 2018-12-07 00:24:40 UTC
Additionally, the restorecon command needs to be run on /etc/puppet.

Comment 2 Keigo Noha 2019-01-16 01:08:18 UTC
Hi Documentation team,

Do you have any updates on this bugzilla?

Best Regards,
Keigo Noha

Comment 3 Keigo Noha 2019-01-30 00:48:53 UTC
Hi Documentation team,

Do you have any updates on this bugzilla?

Regards,
Keigo Noha

Comment 8 Dan Macpherson 2019-12-06 14:52:51 UTC
It looks like the doc has been updated to use tar extraction instead of rsync, so the SELinux context should be preserved. And even if it isn't, I don't think this has any effect on the standard operation of director (at least none that the Cloud Ops and Upgrades DFGs have noticed, as well as my own testing).

Comment 9 Chuck Copello 2020-01-27 20:35:35 UTC
Please confirm that the updated doc clears the request.

