openstack/octavia
Code Issues Proposed changes

Fix TCP HMs on UDP pools with SELinux

Browse Source 
SELinux denied some specific TCP ports when using TCP-based HMs in UDP
pools (keepalived).
Enable a SELinux boolean keepalived_connect_any which allows keepalived
to connect to any port.

Closes-Bug: #2023751
Change-Id: Ie611ba9fde7b399989d847dd0c61dd3a158652bc
(cherry picked from commit 294bd406f3)
(cherry picked from commit c0ceebebbf)
This commit is contained in:
Gregory Thiemonge 2023-06-14 04:32:08 -04:00
parent 5a225adf58
commit 4d52ce9c5c
2 changed files with 10 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
elements/amphora-selinux/post-install.d/50-selinux-policies
View File

@ -17,3 +17,6 @@ enable_selinux_bool () {
enable_selinux_bool os_haproxy_enable_nsfs enable_selinux_bool os_haproxy_enable_nsfs
enable_selinux_bool os_haproxy_ping enable_selinux_bool os_haproxy_ping
enable_selinux_bool cluster_use_execmem enable_selinux_bool cluster_use_execmem
# Allows keepalived to connect to any ports (required by TCP-based HMs on UDP
# pools)
enable_selinux_bool keepalived_connect_any

7
releasenotes/notes/fix-selinux-tcp-hm-on-udp-pools-89c3b8db89e359ba.yaml Normal file
View File

@ -0,0 +1,7 @@
---
fixes:
- |
Fixed an SELinux issues with TCP-based health-monitor on UDP pools, some
specific monitoring ports were denied by SELinux. The Amphora image now
enables the ``keepalived_connect_any`` SELinux boolean that allows
connections to any ports.