Bug #49239
closedcephadm cannot deploy OSDs with selinux-policy-minimum
0%
Description
When the following conditions are true:
- A host has
selinux-policy-targeted, - We mount the host's
/sysinto a privileged container, - The container has
SELINUXTYPE=targetedin/etc/selinux/config, - The container does not have an
selinux-policy-targetedpackage installed (a result of https://github.com/ceph/ceph-container/pull/1798),
then SELinux-enabled applications like restorecon or DNF do not work inside the container.
Some ideas we considered:
A) Always install the selinux-policy-targeted package inside the container image.
B) Set SELINUXTYPE=minimum in /etc/selinux/config within the container.
C) Stop mounting the host's /sys into the container (like ceph-ansible + Nautilus does), probably not a good idea if Sage added it in https://github.com/ceph/ceph/commit/3ccab99d15e6498b949eca8f133fb3b947c7b629
D) Stop calling restorecon in the container (see https://github.com/ceph/ceph/pull/31421 for discussion about this feature), like Rook does
E) Mount the container's /sys/fs/selinux to an empty directory, similar to workaround elsewhere (https://github.com/containers/toolbox/pull/337 , https://github.com/cgwalters/coretoolbox/commit/3c74c64f8edd588852b59b39f8c0f616bfae624b)
Updated by Sebastian Wagner about 3 years ago
- Project changed from Ceph to Orchestrator
Updated by Ken Dreyer about 3 years ago
- Status changed from New to Pending Backport
Updated by Ken Dreyer about 3 years ago
Follow-on fix for systems that do not have /usr/share/empty (eg. SUSE): https://github.com/ceph/ceph/pull/39424
And another follow-on fix: https://github.com/ceph/ceph/pull/39490
All three PRs (39398, 39424, and 39490) and must be backported together.
Updated by Ken Dreyer about 3 years ago
JuanMi's backport at https://github.com/ceph/ceph/pull/39636
Updated by Sebastian Wagner about 3 years ago
- Status changed from Pending Backport to Resolved