Description:
'overcloud deploy' overrides any change made to the selinux configuration on the undercloud and reverts it to whatever is in the overcloud templates.

Version:
openstack-tripleo-heat-templates-11.3.2-0.20200405044623.ec9970c.el8ost.noarch

Reproducer:
1. deploy undercloud with undercloud_enable_selinux = false in the [DEFAULT] section of undercloud.conf
2. verify selinux is in permissive mode
3. deploy/redeploy the overcloud
4. verify selinux is back to enforcing

# journalctl (undercloud)
Apr 24 02:04:02 undercloud-0.redhat.local python3[6260]: ansible-selinux Invoked with policy=targeted state=enforcing configfile=/etc/selinux/config

# /var/lib/mistral/overcloud/ansible.log
2020-04-24 02:04:01,812 p=23979 u=mistral | PLAY [Manage SELinux and generate /etc/hosts] **********************************
2020-04-24 02:04:01,872 p=23979 u=mistral | TASK [Set selinux state] *******************************************************
2020-04-24 02:04:01,872 p=23979 u=mistral | Friday 24 April 2020 02:04:01 -0400 (0:00:00.450) 0:00:16.516 **********
2020-04-24 02:04:02,909 p=23979 u=mistral | ok: [controller-2] => {"changed": false, "configfile": "/etc/selinux/config", "msg": "", "policy": "targeted", "reboot_required": false, "state": "enforcing"}
2020-04-24 02:04:02,910 p=23979 u=mistral | ok: [controller-0] => {"changed": false, "configfile": "/etc/selinux/config", "msg": "", "policy": "targeted", "reboot_required": false, "state": "enforcing"}
2020-04-24 02:04:02,910 p=23979 u=mistral | ok: [compute-0] => {"changed": false, "configfile": "/etc/selinux/config", "msg": "", "policy": "targeted", "reboot_required": false, "state": "enforcing"}
2020-04-24 02:04:02,912 p=23979 u=mistral | ok: [compute-1] => {"changed": false, "configfile": "/etc/selinux/config", "msg": "", "policy": "targeted", "reboot_required": false, "state": "enforcing"}
2020-04-24 02:04:02,963 p=23979 u=mistral | changed: [undercloud] => {"changed": true, "configfile": "/etc/selinux/config", "msg": "SELinux state changed from 'permissive' to 'enforcing', Config SELinux state changed from 'permissive' to 'enforcing'", "policy": "targeted", "reboot_required": false, "state": "enforcing"}
2020-04-24 02:04:03,016 p=23979 u=mistral | ok: [controller-1] => {"changed": false, "configfile": "/etc/selinux/config", "msg": "", "policy": "targeted", "reboot_required": false, "state": "enforcing"}

This seems to happen because we target 'hosts: all' with this task:

common/deploy-steps.j2

    SELINUX_MODE: {get_param: SELinuxMode}

    - hosts: all
      name: Manage SELinux and generate /etc/hosts
      gather_facts: "{% raw %}{{ gather_facts | default(false) }}{% endraw %}"
      any_errors_fatal: yes
      tasks:
        - name: Set selinux state
          selinux:
            policy: targeted
            state: SELINUX_MODE

imho:
1. we shouldn't touch the undercloud during an overcloud deploy (so hosts: DEPLOY_TARGET_HOST)
2. otherwise we should collect SELINUX_MODE on the undercloud so as to turn this into a noop
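Added example, not part of the original report and not TripleO code: a small parser for the ansible.log format shown above that reports every host whose SELinux state the "Set selinux state" task actually changed, and flags any such host outside the set the deploy is meant to manage. The function names and the `managed_hosts` parameter are assumptions made for this illustration; the sample lines are copied from the excerpt in this report.

```python
import json
import re

# Lines copied from the /var/lib/mistral/overcloud/ansible.log excerpt in this report.
SAMPLE_LOG = """\
2020-04-24 02:04:01,872 p=23979 u=mistral | TASK [Set selinux state] *******************************************************
2020-04-24 02:04:01,872 p=23979 u=mistral | Friday 24 April 2020 02:04:01 -0400 (0:00:00.450) 0:00:16.516 **********
2020-04-24 02:04:02,909 p=23979 u=mistral | ok: [controller-2] => {"changed": false, "configfile": "/etc/selinux/config", "msg": "", "policy": "targeted", "reboot_required": false, "state": "enforcing"}
2020-04-24 02:04:02,963 p=23979 u=mistral | changed: [undercloud] => {"changed": true, "configfile": "/etc/selinux/config", "msg": "SELinux state changed from 'permissive' to 'enforcing', Config SELinux state changed from 'permissive' to 'enforcing'", "policy": "targeted", "reboot_required": false, "state": "enforcing"}
2020-04-24 02:04:03,016 p=23979 u=mistral | ok: [controller-1] => {"changed": false, "configfile": "/etc/selinux/config", "msg": "", "policy": "targeted", "reboot_required": false, "state": "enforcing"}
"""

TASK_RE = re.compile(r"\| TASK \[(?P<task>.+?)\] \*+\s*$")
RESULT_RE = re.compile(r"\| (?:ok|changed): \[(?P<host>[^\]]+)\] => (?P<body>\{.*\})\s*$")
CHANGE_RE = re.compile(r"SELinux state changed from '(\w+)' to '(\w+)'")

def selinux_changes(log_text, task_name="Set selinux state"):
    """Return [(host, old_state, new_state)] for hosts the named task changed."""
    findings, in_task = [], False
    for line in log_text.splitlines():
        task = TASK_RE.search(line)
        if task:  # a new TASK header starts or ends the section we care about
            in_task = task.group("task") == task_name
            continue
        res = RESULT_RE.search(line)
        if not (in_task and res):
            continue
        try:
            result = json.loads(res.group("body"))
        except json.JSONDecodeError:
            continue  # truncated result line: skip rather than guess
        if not result.get("changed"):
            continue
        t = CHANGE_RE.search(result.get("msg", ""))
        old, new = t.groups() if t else ("unknown", result.get("state", "unknown"))
        findings.append((res.group("host"), old, new))
    return findings

def unexpected_changes(log_text, managed_hosts):
    """Changes on hosts outside managed_hosts (hypothetical allow-list of overcloud nodes)."""
    return [f for f in selinux_changes(log_text) if f[0] not in managed_hosts]

if __name__ == "__main__":
    overcloud = {"controller-0", "controller-1", "controller-2", "compute-0", "compute-1"}
    for host, old, new in unexpected_changes(SAMPLE_LOG, overcloud):
        print(f"{host}: SELinux {old} -> {new} outside the managed host set")
```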
1. deploy undercloud with undercloud_enable_selinux = false in the [DEFAULT] section of undercloud.conf
2. verify selinux is in permissive mode
3. deploy/redeploy the overcloud
4. verify selinux is still in permissive mode
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:3148