Ensure SELinux is permissive on Ceph OSDs

Currently we build the overcloud image with selinux-permissive element in CI. However, even in environments where selinux-permissive element is not used, it should be ensured that SELinux is set to permissive mode on nodes with Ceph OSD [1]. We have no nice way to manage SELinux status via Puppet at the moment, so i'm resorting to execs, but with proper "onlyif" guards. [1] https://bugzilla.redhat.com/show_bug.cgi?id=1241422 Change-Id: I31bd685ad4800261fd317eef759bcfd285f2ba80
2015-07-13 19:11:54 +02:00 · 2015-07-13 19:11:54 +02:00 · 9ab0050e6e
parent 0405a6b248
commit 9ab0050e6e
4 changed files with 45 additions and 1 deletions
--- a/puppet/hieradata/ceph.yaml
+++ b/puppet/hieradata/ceph.yaml
@ -12,4 +12,6 @@ ceph_pools:
  - vms
  - images

-ceph_classes: []
+ceph_classes: []
+
+ceph_osd_selinux_permissive: true
--- a/puppet/manifests/overcloud_cephstorage.pp
+++ b/puppet/manifests/overcloud_cephstorage.pp
@ -30,6 +30,20 @@ if count(hiera('ntp::servers')) > 0 {
  include ::ntp
 }

+if str2bool(hiera('ceph_osd_selinux_permissive', true)) {
+  exec { 'set selinux to permissive on boot':
+    command => "sed -ie 's/^SELINUX=.*/SELINUX=permissive/' /etc/selinux/config",
+    onlyif  => "test -f /etc/selinux/config && ! grep '^SELINUX=permissive' /etc/selinux/config",
+    path    => ["/usr/bin", "/usr/sbin"],
+  }
+
+  exec { 'set selinux to permissive':
+    command => "setenforce 0",
+    onlyif  => "which setenforce && getenforce | grep -i 'enforcing'",
+    path    => ["/usr/bin", "/usr/sbin"],
+  } -> Class['ceph::profile::osd']
+}
+
 include ::ceph::profile::client
 include ::ceph::profile::osd

--- a/puppet/manifests/overcloud_controller.pp
+++ b/puppet/manifests/overcloud_controller.pp
@ -193,6 +193,20 @@ if hiera('step') >= 2 {
  }

  if str2bool(hiera('enable_ceph_storage', 'false')) {
+    if str2bool(hiera('ceph_osd_selinux_permissive', true)) {
+      exec { 'set selinux to permissive on boot':
+        command => "sed -ie 's/^SELINUX=.*/SELINUX=permissive/' /etc/selinux/config",
+        onlyif  => "test -f /etc/selinux/config && ! grep '^SELINUX=permissive' /etc/selinux/config",
+        path    => ["/usr/bin", "/usr/sbin"],
+      }
+
+      exec { 'set selinux to permissive':
+        command => "setenforce 0",
+        onlyif  => "which setenforce && getenforce | grep -i 'enforcing'",
+        path    => ["/usr/bin", "/usr/sbin"],
+      } -> Class['ceph::profile::osd']
+    }
+
    include ::ceph::profile::client
    include ::ceph::profile::osd
  }
--- a/puppet/manifests/overcloud_controller_pacemaker.pp
+++ b/puppet/manifests/overcloud_controller_pacemaker.pp
@ -494,6 +494,20 @@ MYSQL_HOST=localhost\n",
  }

  if str2bool(hiera('enable_ceph_storage', 'false')) {
+    if str2bool(hiera('ceph_osd_selinux_permissive', true)) {
+      exec { 'set selinux to permissive on boot':
+        command => "sed -ie 's/^SELINUX=.*/SELINUX=permissive/' /etc/selinux/config",
+        onlyif  => "test -f /etc/selinux/config && ! grep '^SELINUX=permissive' /etc/selinux/config",
+        path    => ["/usr/bin", "/usr/sbin"],
+      }
+
+      exec { 'set selinux to permissive':
+        command => "setenforce 0",
+        onlyif  => "which setenforce && getenforce | grep -i 'enforcing'",
+        path    => ["/usr/bin", "/usr/sbin"],
+      } -> Class['ceph::profile::osd']
+    }
+
    include ::ceph::profile::client
    include ::ceph::profile::osd
  }