Description of problem:
-----------------------
The gluster bricks don't have the required SELinux labels on them post deployment.

Version-Release number of selected component (if applicable):
--------------------------------------------------------------
RHHI-V 1.8.3 ( RHV 4.4.3 )
As well as in RHHI-V 1.8.2 ( RHV 4.4.2 )
This was not checked with RHHI-V 1.8

How reproducible:
------------------
Always

Steps to Reproduce:
---------------------
1. Start the RHHI-V deployment from cockpit or CLI
2. After gluster deployment, check for SELinux labels set on the brick

Actual results:
----------------
Gluster brick mounts lack proper SELinux labels on them

Expected results:
-----------------
Gluster brick mounts should have the correct SELinux labels on them

--- Additional comment from SATHEESARAN on 2021-01-19 05:24:41 UTC ---

This is the ansible playbook that sets the SELinux labels:

<snip>
- name: Set Gluster specific SeLinux context on the bricks
  sefcontext:
    target: "{{ (item.path | realpath | regex_escape()) + '(/.*)?' }}"
    setype: glusterd_brick_t
    state: present
  with_items: "{{ gluster_infra_mount_devices }}"
  when: gluster_set_selinux_labels| default(false)| bool == true
</snip>

Console log while executing this task:
---------------------------------------
<snip>
TASK [gluster.infra/roles/backend_setup : Set Gluster specific SeLinux context on the bricks] ***
changed: [rhsqa-grafton10.lab.eng.blr.redhat.com] => (item={'path': '/gluster_bricks/engine', 'lvname': 'gluster_lv_engine', 'vgname': 'gluster_vg_sdb'})
changed: [rhsqa-grafton11.lab.eng.blr.redhat.com] => (item={'path': '/gluster_bricks/engine', 'lvname': 'gluster_lv_engine', 'vgname': 'gluster_vg_sdb'})
changed: [rhsqa-grafton12.lab.eng.blr.redhat.com] => (item={'path': '/gluster_bricks/engine', 'lvname': 'gluster_lv_engine', 'vgname': 'gluster_vg_sdb'})
changed: [rhsqa-grafton10.lab.eng.blr.redhat.com] => (item={'path': '/gluster_bricks/data', 'lvname': 'gluster_lv_data', 'vgname': 'gluster_vg_sdc'})
changed: [rhsqa-grafton11.lab.eng.blr.redhat.com] => (item={'path': '/gluster_bricks/data', 'lvname': 'gluster_lv_data', 'vgname': 'gluster_vg_sdc'})
changed: [rhsqa-grafton12.lab.eng.blr.redhat.com] => (item={'path': '/gluster_bricks/data', 'lvname': 'gluster_lv_data', 'vgname': 'gluster_vg_sdc'})
changed: [rhsqa-grafton11.lab.eng.blr.redhat.com] => (item={'path': '/gluster_bricks/vmstore', 'lvname': 'gluster_lv_vmstore', 'vgname': 'gluster_vg_sdc'})
changed: [rhsqa-grafton10.lab.eng.blr.redhat.com] => (item={'path': '/gluster_bricks/vmstore', 'lvname': 'gluster_lv_vmstore', 'vgname': 'gluster_vg_sdc'})
changed: [rhsqa-grafton12.lab.eng.blr.redhat.com] => (item={'path': '/gluster_bricks/vmstore', 'lvname': 'gluster_lv_vmstore', 'vgname': 'gluster_vg_sdc'})
changed: [rhsqa-grafton10.lab.eng.blr.redhat.com] => (item={'path': '/gluster_bricks/testvol', 'lvname': 'gluster_lv_testvol', 'vgname': 'gluster_vg_sdd'})
changed: [rhsqa-grafton11.lab.eng.blr.redhat.com] => (item={'path': '/gluster_bricks/testvol', 'lvname': 'gluster_lv_testvol', 'vgname': 'gluster_vg_sdd'})
changed: [rhsqa-grafton12.lab.eng.blr.redhat.com] => (item={'path': '/gluster_bricks/testvol', 'lvname': 'gluster_lv_testvol', 'vgname': 'gluster_vg_sdd'})
</snip>

Checking for SELinux labels on the mount:

[root@ ]# ls -lsahZd /gluster_bricks/testvol
0 drwxr-xr-x. 3 root root system_u:object_r:default_t:s0 21 Jan 12 07:48 /gluster_bricks/testvol

[root@ ]# semanage fcontext -E /gluster_bricks/testvol
fcontext -a -f a -t glusterd_brick_t -r 's0' '\/gluster_bricks\/data(/.*)?'
fcontext -a -f a -t glusterd_brick_t -r 's0' '\/gluster_bricks\/engine(/.*)?'
fcontext -a -f a -t glusterd_brick_t -r 's0' '\/gluster_bricks\/testvol(/.*)?'
fcontext -a -f a -t glusterd_brick_t -r 's0' '\/gluster_bricks\/vmstore(/.*)?'
The issue is due to the usage of regex_escape() in the playbook. When this is removed, I could observe that the bricks have the right set of SELinux labels on them.

Existing playbook code:
------------------------
<snip>
- name: Set Gluster specific SeLinux context on the bricks
  sefcontext:
    target: "{{ (item.path | realpath | regex_escape()) + '(/.*)?' }}"   <-- usage of regex_escape
    setype: glusterd_brick_t
    state: present
  with_items: "{{ gluster_infra_mount_devices }}"
  when: gluster_set_selinux_labels| default(false)| bool == true
</snip>

Proposed change
----------------
<snip>
- name: Set Gluster specific SeLinux context on the bricks
  sefcontext:
    target: "{{ (item.path | realpath) + '(/.*)?' }}"
    setype: glusterd_brick_t
    state: present
  with_items: "{{ gluster_infra_mount_devices }}"
  when: gluster_set_selinux_labels| default(false)| bool == true
</snip>

I have performed all the tests with this modified code and everything looks good.
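A post-deployment check for the symptom described in this report, added here as an example; it is not code from the bug report or from gluster-ansible-infra. It consumes the two outputs shown above (`semanage fcontext -E` and a per-directory SELinux context as printed by `stat -c '%C %n'`) so it can be exercised offline on constructed copies of those lines, and with `--live` it gathers the same data from the local host. The rule it applies to fcontext specs, "a spec must begin with a literal /", is a heuristic derived from this report (the escaped `\/gluster_bricks\/...` specs were present yet the mount stayed `default_t`), not a statement of how libselinux matches specs; the `/gluster_bricks` layout and the `glusterd_brick_t` type are taken from the report. The remediation it prints uses `semanage fcontext -d`, `semanage fcontext -a -t` and `restorecon -Rv`; the Ansible `sefcontext` module only records the rule, so existing directories still need `restorecon` afterwards.

```shell
#!/bin/sh
# Added example, not part of the bug report or of gluster-ansible-infra.
# Checks a host for the two symptoms seen in the report:
#   1. fcontext specs for the bricks that do not begin with a literal '/'
#      (the '\/gluster_bricks\/...' form regex_escape produced);
#   2. brick directories whose SELinux type is not glusterd_brick_t.
# Both checks read text, so they can be tested offline; `--live` runs them
# against semanage/stat on the local host (assumes bricks under /gluster_bricks).

EXPECTED_TYPE=glusterd_brick_t   # type the bricks should carry (from the report)
BRICK_ROOT=/gluster_bricks       # assumption: same layout as in the report

# Input: lines as printed by `semanage fcontext -E`, e.g.
#   fcontext -a -f a -t glusterd_brick_t -r 's0' '/gluster_bricks/data(/.*)?'
# Output: "BAD <spec>" for every spec that does not start with a literal '/'.
flag_bad_fcontext_specs() {
    # the spec is the last single-quoted field on the line
    sed -n "s/^fcontext .* '\(.*\)'\$/\1/p" | while IFS= read -r spec; do
        case "$spec" in
            /*) ;;                                  # anchored at a real slash
            *)  printf 'BAD %s\n' "$spec" ;;        # escaped or unanchored
        esac
    done
}

# Input: "<context> <path>" lines as printed by `stat -c '%C %n'`.
# Output: "WRONG <type> <path>" for every path whose type is not $EXPECTED_TYPE.
flag_unlabelled_bricks() {
    while read -r ctx path; do
        [ -n "$path" ] || continue
        setype=$(printf '%s' "$ctx" | cut -d: -f3)   # user:role:type:level
        [ "$setype" = "$EXPECTED_TYPE" ] || printf 'WRONG %s %s\n' "$setype" "$path"
    done
}

# Constructed sample input mirroring the report: the escaped spec and the
# default_t mount are the failing cases, the other lines are healthy.
sample_specs() {
cat <<'EOF'
fcontext -a -f a -t glusterd_brick_t -r 's0' '\/gluster_bricks\/data(/.*)?'
fcontext -a -f a -t glusterd_brick_t -r 's0' '/gluster_bricks/engine(/.*)?'
EOF
}

sample_labels() {
cat <<'EOF'
system_u:object_r:default_t:s0 /gluster_bricks/testvol
system_u:object_r:glusterd_brick_t:s0 /gluster_bricks/engine/engine
EOF
}

# Run both checks on this host (needs semanage, stat and SELinux enabled).
live_check() {
    bad=$(semanage fcontext -E | grep -F "${BRICK_ROOT#/}" | flag_bad_fcontext_specs)
    wrong=$(find "$BRICK_ROOT" -maxdepth 2 -type d -exec stat -c '%C %n' {} + \
            | flag_unlabelled_bricks)
    if [ -z "$bad$wrong" ]; then
        echo "OK: brick fcontext specs and labels look right"
        return 0
    fi
    printf '%s\n' "$bad" "$wrong" | grep .
    cat <<EOF
Remediation (as root): drop each BAD spec, re-add it unescaped, then relabel.
  semanage fcontext -d '<BAD spec>'
  semanage fcontext -a -t $EXPECTED_TYPE '$BRICK_ROOT/<brick>(/.*)?'
  restorecon -Rv $BRICK_ROOT
The sefcontext module only records the rule; restorecon applies it to existing files.
EOF
    return 1
}

case "${1-}" in
    --live) live_check ;;
    *)      sample_specs  | flag_bad_fcontext_specs
            sample_labels | flag_unlabelled_bricks ;;
esac
```

Run without arguments it reports the two constructed failures (`BAD \/gluster_bricks\/data(/.*)?` and `WRONG default_t /gluster_bricks/testvol`); run as root with `--live` on a deployed node it reports the real state and exits non-zero when something needs fixing.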
Upstream PR: https://github.com/gluster/gluster-ansible-infra/pull/118
Verified with gluster-ansible-infra-1.0.19.el8rhgs

Post gluster deployment, gluster bricks contain the right SELinux label - glusterd_brick_t

[root@ ~]# ls -lZd /gluster_bricks/engine/engine/
drwxr-xr-x. 3 vdsm kvm system_u:object_r:glusterd_brick_t:s0 24 Mar  1 13:05 /gluster_bricks/engine/engine/
Thanks sas, doc_text looks good.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (gluster-ansible bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:1182