Bug 1827532 - 'overcloud deploy' overrides the selinux policy/state set on the undercloud
Summary: 'overcloud deploy' overrides the selinux policy/state set on the undercloud
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo-heat-templates
Version: 16.0 (Train)
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: beta
Target Release: 16.1 (Train on RHEL 8.2)
Assignee: Alex Schultz
QA Contact: David Rosenfeld
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-04-24 06:30 UTC by Luca Miccini
Modified: 2020-07-29 07:52 UTC (History)

Fixed In Version: openstack-tripleo-heat-templates-11.3.2-0.20200512073440.5450ec4.el8ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-07-29 07:52:07 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
OpenStack gerrit 724195 0 None MERGED Split out selinux management 2020-07-22 23:27:15 UTC
Red Hat Product Errata RHBA-2020:3148 0 None None None 2020-07-29 07:52:31 UTC

Description Luca Miccini 2020-04-24 06:30:53 UTC
Description:

'overcloud deploy' overrides any change made to the selinux configuration on the undercloud and reverts it to whatever is in the overcloud templates.


Version:

openstack-tripleo-heat-templates-11.3.2-0.20200405044623.ec9970c.el8ost.noarch


Reproducer:

1. deploy undercloud with undercloud_enable_selinux = false in the [DEFAULT] section of undercloud.conf
2. verify selinux is in permissive mode
3. deploy/redeploy the overcloud
4. verify selinux is back to enforcing



# journalctl (undercloud)

Apr 24 02:04:02 undercloud-0.redhat.local python3[6260]: ansible-selinux Invoked with policy=targeted state=enforcing configfile=/etc/selinux/config

# /var/lib/mistral/overcloud/ansible.log

2020-04-24 02:04:01,812 p=23979 u=mistral |  PLAY [Manage SELinux and generate /etc/hosts] **********************************
2020-04-24 02:04:01,872 p=23979 u=mistral |  TASK [Set selinux state] *******************************************************
2020-04-24 02:04:01,872 p=23979 u=mistral |  Friday 24 April 2020  02:04:01 -0400 (0:00:00.450)       0:00:16.516 **********
2020-04-24 02:04:02,909 p=23979 u=mistral |  ok: [controller-2] => {"changed": false, "configfile": "/etc/selinux/config", "msg": "", "policy": "targeted", "reboot_required": false, "state": "enforcing"}
2020-04-24 02:04:02,910 p=23979 u=mistral |  ok: [controller-0] => {"changed": false, "configfile": "/etc/selinux/config", "msg": "", "policy": "targeted", "reboot_required": false, "state": "enforcing"}
2020-04-24 02:04:02,910 p=23979 u=mistral |  ok: [compute-0] => {"changed": false, "configfile": "/etc/selinux/config", "msg": "", "policy": "targeted", "reboot_required": false, "state": "enforcing"}
2020-04-24 02:04:02,912 p=23979 u=mistral |  ok: [compute-1] => {"changed": false, "configfile": "/etc/selinux/config", "msg": "", "policy": "targeted", "reboot_required": false, "state": "enforcing"}
2020-04-24 02:04:02,963 p=23979 u=mistral |  changed: [undercloud] => {"changed": true, "configfile": "/etc/selinux/config", "msg": "SELinux state changed from 'permissive' to 'enforcing', Config SELinux state changed from 'permissive' to 'enforcing'", "policy": "targeted", "reboot_required": false, "state": "enforcing"}
2020-04-24 02:04:03,016 p=23979 u=mistral |  ok: [controller-1] => {"changed": false, "configfile": "/etc/selinux/config", "msg": "", "policy": "targeted", "reboot_required": false, "state": "enforcing"}


This seems to happen because we target 'hosts: all' with this task: 

common/deploy-steps.j2

            SELINUX_MODE: {get_param: SELinuxMode}

            - hosts: all
              name: Manage SELinux and generate /etc/hosts
              gather_facts: "{% raw %}{{ gather_facts | default(false) }}{% endraw %}"
              any_errors_fatal: yes
              tasks:
                - name: Set selinux state
                  selinux:
                    policy: targeted
                    state: SELINUX_MODE


imho:

1. we shouldn't touch the undercloud during an overcloud deploy (so hosts: DEPLOY_TARGET_HOST)
2. otherwise we should collect SELINUX_MODE on the undercloud so as to turn this into a no-op
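
Added here as an example that is not part of the bug report or of openstack-tripleo-heat-templates: a small audit over the ansible.log format shown above that reports which hosts the 'Set selinux state' task actually changed, so an operator can detect this kind of drift on the undercloud after an overcloud deploy. The log lines below are constructed in the shape of the excerpt above; the hostnames and timestamps are illustrative.

```python
import json
import re

# Constructed sample in the shape of the /var/lib/mistral/overcloud/ansible.log
# excerpt from the report; hostnames and timestamps are illustrative, not a real run.
SAMPLE_LOG = """\
2020-04-24 02:04:01,812 p=23979 u=mistral |  PLAY [Manage SELinux and generate /etc/hosts] ****
2020-04-24 02:04:01,872 p=23979 u=mistral |  TASK [Set selinux state] ****
2020-04-24 02:04:02,909 p=23979 u=mistral |  ok: [controller-2] => {"changed": false, "configfile": "/etc/selinux/config", "msg": "", "policy": "targeted", "reboot_required": false, "state": "enforcing"}
2020-04-24 02:04:02,963 p=23979 u=mistral |  changed: [undercloud] => {"changed": true, "configfile": "/etc/selinux/config", "msg": "SELinux state changed from 'permissive' to 'enforcing', Config SELinux state changed from 'permissive' to 'enforcing'", "policy": "targeted", "reboot_required": false, "state": "enforcing"}
2020-04-24 02:04:03,016 p=23979 u=mistral |  ok: [controller-1] => {"changed": false, "configfile": "/etc/selinux/config", "msg": "", "policy": "targeted", "reboot_required": false, "state": "enforcing"}
2020-04-24 02:04:05,000 p=23979 u=mistral |  TASK [Some unrelated task] ****
2020-04-24 02:04:05,100 p=23979 u=mistral |  changed: [undercloud] => {"changed": true, "msg": "unrelated"}
"""

TASK_RE = re.compile(r"\|\s+TASK \[(?P<task>[^\]]+)\]")
RESULT_RE = re.compile(r"\|\s+(?P<status>ok|changed|failed): \[(?P<host>[^\]]+)\] => (?P<body>\{.*\})\s*$")
TRANSITION_RE = re.compile(r"SELinux state changed from '(?P<frm>\w+)' to '(?P<to>\w+)'")


def selinux_changes(log_text, task_name="Set selinux state"):
    """Return one record per host whose SELinux state the named task really changed."""
    current_task = None
    changes = []
    for line in log_text.splitlines():
        m = TASK_RE.search(line)
        if m:                      # a TASK header switches the task we attribute results to
            current_task = m.group("task")
            continue
        if current_task != task_name:
            continue               # results of other tasks are ignored
        m = RESULT_RE.search(line)
        if not m:
            continue
        result = json.loads(m.group("body"))   # the per-host result is logged as JSON
        if not result.get("changed"):
            continue               # "changed": false means the host was already in that state
        t = TRANSITION_RE.search(result.get("msg", ""))
        changes.append({"host": m.group("host"), "state": result.get("state"),
                        "from": t.group("frm") if t else None,
                        "to": t.group("to") if t else None})
    return changes


def audit_protected_hosts(log_text, protected_hosts):
    """Hosts that an overcloud deploy should never touch (e.g. the undercloud) but did."""
    return sorted({c["host"] for c in selinux_changes(log_text) if c["host"] in protected_hosts})
```

Running audit_protected_hosts over a real ansible.log with {"undercloud"} after a deploy gives an empty list when the undercloud's SELinux state was left alone.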

Comment 6 Jad Haj Yahya 2020-07-23 07:45:48 UTC
1. deploy undercloud with undercloud_enable_selinux = false in the [DEFAULT] section of undercloud.conf
2. verify selinux is in permissive mode
3. deploy/redeploy the overcloud
4. verify selinux is still in permissive mode

Comment 8 errata-xmlrpc 2020-07-29 07:52:07 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:3148

