This bug has been migrated to another issue tracking site. It has been closed here and may no longer be being monitored.

If you would like to get updates for this issue, or to participate in it, you may do so at Red Hat Issue Tracker.
Bug 2021894 - [RFE][OSP18] Eliminate selinux rule conflicts for containers
Summary: [RFE][OSP18] Eliminate selinux rule conflicts for containers
Keywords:
Status: CLOSED MIGRATED
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: RFEs
Version: 18.0 (Zed)
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: ---
Assignee: Cédric Jeanneret
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-11-10 12:03 UTC by Jesse Pretorius
Modified: 2024-01-04 18:12 UTC
CC: 7 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2024-01-04 18:11:53 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1997351 1 urgent CLOSED [13->16.1] Instance are inaccessible after bootstrap controller upgrade 2024-12-20 20:49:18 UTC
Red Hat Bugzilla 2020210 1 urgent CLOSED [FFWD 13 ->16.2] Controller upgrade fails due to inactive rabbitmq (PermissionError: [Errno 13] Permission denied: '/var... 2022-08-08 12:02:54 UTC
Red Hat Bugzilla 2021525 1 medium CLOSED [16.1] openstack overcloud upgrade run times out / HAProxy container fails to start 2022-08-02 13:07:13 UTC
Red Hat Issue Tracker OSP-10742 0 None None None 2024-01-04 18:11:53 UTC
Red Hat Issue Tracker OSP-31042 0 None None None 2024-01-04 18:12:13 UTC
Red Hat Issue Tracker UPG-4765 0 None None None 2021-11-10 12:07:35 UTC
Red Hat Knowledge Base (Solution) 6305361 0 None None None 2021-11-10 12:27:40 UTC
Red Hat Knowledge Base (Solution) 6497141 0 None None None 2021-11-10 12:05:24 UTC

Description Jesse Pretorius 2021-11-10 12:03:19 UTC
In OSP we bind-mount host paths into containers. This was done, in part, to ease the transition from non-containerized to containerized services in the OSP10 to OSP13 upgrade.

These bind-mounts have SELinux context conflicts between the host and container and therefore require a number of things to be in place:

1. We need to use the :z flag on the bind-mount.
2. We have to have deployment tasks to correct the bind-mounts' SELinux context that need to run whenever a system autorelabel is done.
3. The pacemaker bundles need to ensure that they have the :z flag.

The trouble with this is that we have a constant conflict between the system and the container context. For example, we cannot set /var/lib/haproxy to container_file_t because a system/core policy already sets it to haproxy_var_lib_t.

We need to figure out a way to resolve these conflicts so that we eliminate the race condition that occurs during upgrades (which involve a relabel when doing the leapp) and may occur by mistake when a deployer relabels a folder.

Continuing to maintain our current implementation is causing upgrade failures, bugs, a growing number of knowledge base articles and confusion. It is a growing technical debt which we can eliminate by moving our container usage to something more standard.

Comment 1 Cédric Jeanneret 2021-11-10 12:27:40 UTC
We can also point to regressions introduced by other SELinux related packages, making our work even harder, such as this one:
https://github.com/redhat-openstack/openstack-selinux/pull/82
Namely, container-selinux takes ownership of /var/log/containers and applies a conflicting label (container_log_t), while we were using container_file_t on that location since OSP-15 or so.

There will most likely be other conflicts in the future due to the nested "sefcontext" in tripleo-ansible[1] and tripleo-heat-templates[2] for the very same reason: another core/system policy is introduced upon SELinux package update, breaking our custom rules.


[1] https://opendev.org/openstack/tripleo-ansible/commit/608fdfae85be5e1d6d20d49c62583e48ce5a0bc5
[2] https://opendev.org/openstack/tripleo-heat-templates/commit/d77fe55516ce93a8984108daccbb75b72095503f
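The conflict described in the report and in comment 1 (a :z bind-mount relabelled to container_file_t, while the policy's own file_contexts rule for that path says haproxy_var_lib_t or container_log_t, so the next relabel reverts it) can be checked for before an upgrade. The following is an added example, not code from the bug report or from TripleO: it resolves each :z mount's policy-default type the way libselinux does (the last matching file_contexts entry wins) against a constructed file_contexts excerpt and constructed podman-style volume specs.

```python
"""Flag ':z' bind-mounts whose SELinux policy default label is not container_file_t,
so a relabel (restorecon, autorelabel, leapp) would revert them. Added example, not
code from the bug report or TripleO; the inputs below are constructed samples."""
import re

CONTAINER_TYPE = "container_file_t"  # the type a :z / :Z mount option applies

# Constructed file_contexts-style lines: "<regex> [file-type] <context>".
SAMPLE_FILE_CONTEXTS = """
/var/lib(/.*)?              system_u:object_r:var_lib_t:s0
/var/lib/haproxy(/.*)?      system_u:object_r:haproxy_var_lib_t:s0
/var/log/containers(/.*)?   system_u:object_r:container_log_t:s0
/var/lib/config-data(/.*)?  system_u:object_r:container_file_t:s0
"""
# Constructed volume specs in podman/docker -v syntax (host:container[:opts]).
SAMPLE_VOLUMES = [
    "/var/lib/haproxy:/var/lib/haproxy:z",
    "/var/log/containers/haproxy:/var/log/haproxy:z",
    "/var/lib/config-data/puppet-generated/haproxy:/var/lib/kolla/config_files/src:ro,z",
    "/etc/localtime:/etc/localtime:ro",
]

def parse_file_contexts(text):
    """Return (anchored regex, SELinux type) pairs in file order."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#") or fields[-1] == "<<none>>":
            continue
        # fields[1] may be a file-type filter such as "-d"; the context is always last
        entries.append((re.compile("^" + fields[0] + "$"), fields[-1].split(":")[2]))
    return entries

def policy_default_type(path, entries):
    """Type restorecon would set: the last matching entry wins, as in libselinux."""
    winner = None
    for regex, selinux_type in entries:
        if regex.match(path):
            winner = selinux_type
    return winner

def find_conflicts(volumes, file_contexts_text):
    """(host_path, policy_default) for :z mounts that a relabel would break."""
    entries = parse_file_contexts(file_contexts_text)
    conflicts = []
    for spec in volumes:
        fields = spec.split(":")
        opts = fields[2].split(",") if len(fields) > 2 else []
        if not {"z", "Z"} & set(opts):
            continue  # no relabel requested, so nothing for a relabel to revert
        default = policy_default_type(fields[0], entries)
        if default != CONTAINER_TYPE:
            conflicts.append((fields[0], default))
    return conflicts
```

On a real host the file_contexts text would be taken from `semanage fcontext -l` (or the compiled file_contexts under /etc/selinux) and the volume list from the container definitions; a path whose default is anything other than container_file_t is one of the bind-mounts this RFE wants to eliminate.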

