tripleo

The containerized undercloud is no longer setting selinux permissive on CentOS

Bug #1779005 reported by wes hayutin on 2018-06-27

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	tripleo	Fix Released	High	wes hayutin	tripleo rocky-3

Bug Description

In queens w/ a non-containerized undercloud the undercloud bm node is set to permissive on Centos

https://logs.rdoproject.org/openstack-periodic/periodic-tripleo-ci-centos-7-ovb-3ctlr_1comp-featureset001-queens/627dfff/undercloud/etc/selinux/

It appears that the images generated by rdo-infra are set to Enforcing and TripleO never updates it to permissive.
https://logs.rdoproject.org/74/494674/8/openstack-check/gate-tripleo-ci-centos-7-ovb-3ctlr_1comp-featureset001-master/Z9fa908fbbefd4d5fb4cc1434347a5b1a/undercloud/etc/selinux/

Upstream Infra must infact set to permissive to start with.
http://logs.openstack.org/45/560445/70/check/tripleo-ci-centos-7-scenario002-multinode-oooq-container/eb21736/logs/undercloud/etc/selinux/

More details to come if needed

Tags:

Revision history for this message

Alex Schultz (alex-schultz) wrote on 2018-06-28:

This is likely because we do not manage selinux in the containerized undercloud like we did in instack-undercloud

Changed in tripleo:
status:	New → Triaged
tags:	added: containers

Alex Schultz (alex-schultz) on 2018-06-28

Changed in tripleo:
assignee:	nobody → Alex Schultz (alex-schultz)

OpenStack Infra (hudson-openstack) on 2018-06-28

Changed in tripleo:
status:	Triaged → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-06-28: Fix proposed to python-tripleoclient (master)

Fix proposed to branch: master
Review: https://review.openstack.org/578855

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-06-28: Fix proposed to tripleo-quickstart-extras (master)

Fix proposed to branch: master
Review: https://review.openstack.org/578857

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-07-02: Fix merged to tripleo-heat-templates (master)

Reviewed: https://review.openstack.org/578842
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=db181732c63fb0b6b79adc94a8adeb644246f3f1
Submitter: Zuul
Branch: master

commit db181732c63fb0b6b79adc94a8adeb644246f3f1
Author: Alex Schultz <email address hidden>
Date: Thu Jun 28 09:08:45 2018 -0600

Add SELinux management to containerized undercloud

    In instack-undercloud we manage the selinux configuration during the
    deployment. This change exposes the configuration as a new tripleo
    service for selinux so we can configure it.

Change-Id: I2109bf62e307df92b6bdb57600c58dd61482f46d
Partial-Bug: #1779005

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-07-02: Fix merged to python-tripleoclient (master)

Reviewed: https://review.openstack.org/578855
Committed: https://git.openstack.org/cgit/openstack/python-tripleoclient/commit/?id=4aa679e9606d1f30a966eb3935b3a99973c5f59c
Submitter: Zuul
Branch: master

commit 4aa679e9606d1f30a966eb3935b3a99973c5f59c
Author: Alex Schultz <email address hidden>
Date: Thu Jun 28 09:44:15 2018 -0600

Add undercloud_enable_selinux

Expose selinux configuration via the undercloud.conf

    Change-Id: I6973fec9bcc55373f89e5c873ff6ae7050fff432
    Depends-On: I2109bf62e307df92b6bdb57600c58dd61482f46d
    Partial-Bug: #1779005

OpenStack Infra (hudson-openstack) on 2018-07-03

Changed in tripleo:
assignee:	Alex Schultz (alex-schultz) → wes hayutin (weshayutin)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-07-04: Change abandoned on tripleo-quickstart-extras (master)

Change abandoned by Emilien Macchi (<email address hidden>) on branch: master
Review: https://review.openstack.org/578857
Reason: The gate is suffering of timeouts, we need to clear it. Please do not restore or recheck this patch, I'll take care of it when gate is stable again.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-07-05: Fix merged to tripleo-quickstart-extras (master)

Reviewed: https://review.openstack.org/578857
Committed: https://git.openstack.org/cgit/openstack/tripleo-quickstart-extras/commit/?id=5ab1af1e6f31367811fddef527f81710a66e8518
Submitter: Zuul
Branch: master

commit 5ab1af1e6f31367811fddef527f81710a66e8518
Author: Alex Schultz <email address hidden>
Date: Thu Jun 28 09:45:30 2018 -0600

Configure SELinux in the undercloud

By default SELinux will be disabled on underclouds being installed on
CentOS and enabled on RHEL.

    Change-Id: I9dd91302e895dc12814022fbc703f68fd01327d2
    Depends-On: I6973fec9bcc55373f89e5c873ff6ae7050fff432
    Closes-Bug: #1779005

Changed in tripleo:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-09-14: Fix proposed to tripleo-quickstart-extras (master)

Fix proposed to branch: master
Review: https://review.openstack.org/602703

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-09-25: Change abandoned on tripleo-quickstart-extras (master)

Change abandoned by Juan Antonio Osorio Robles (<email address hidden>) on branch: master
Review: https://review.openstack.org/602703
Reason: Purging the gate to free up resources and address the timeout issues