Ensure SELinux is permissive on Ceph OSDs

Currently we build the overcloud image with selinux-permissive element
in CI. However, even in environments where selinux-permissive element is
not used, it should be ensured that SELinux is set to permissive mode on
nodes with Ceph OSD [1].

We have no nice way to manage SELinux status via Puppet at the moment,
so i'm resorting to execs, but with proper "onlyif" guards.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1241422

Change-Id: I31bd685ad4800261fd317eef759bcfd285f2ba80

diff --git a/puppet/hieradata/ceph.yaml b/puppet/hieradata/ceph.yaml
index 6eb0e67..18a4862 100644 (file)
--- a/puppet/hieradata/ceph.yaml
+++ b/puppet/hieradata/ceph.yaml
@@ -12,4 +12,6 @@ ceph_pools:
   - vms
   - images
 
-ceph_classes: []
\ No newline at end of file
+ceph_classes: []
+
+ceph_osd_selinux_permissive: true

diff --git a/puppet/manifests/overcloud_cephstorage.pp b/puppet/manifests/overcloud_cephstorage.pp
index 21fd5f9..38b6a54 100644 (file)
--- a/puppet/manifests/overcloud_cephstorage.pp
+++ b/puppet/manifests/overcloud_cephstorage.pp
@@ -30,6 +30,20 @@ if count(hiera('ntp::servers')) > 0 {
   include ::ntp
 }
 
+if str2bool(hiera('ceph_osd_selinux_permissive', true)) {
+  exec { 'set selinux to permissive on boot':
+    command => "sed -ie 's/^SELINUX=.*/SELINUX=permissive/' /etc/selinux/config",
+    onlyif  => "test -f /etc/selinux/config && ! grep '^SELINUX=permissive' /etc/selinux/config",
+    path    => ["/usr/bin", "/usr/sbin"],
+  }
+
+  exec { 'set selinux to permissive':
+    command => "setenforce 0",
+    onlyif  => "which setenforce && getenforce | grep -i 'enforcing'",
+    path    => ["/usr/bin", "/usr/sbin"],
+  } -> Class['ceph::profile::osd']
+}
+
 include ::ceph::profile::client
 include ::ceph::profile::osd
 

diff --git a/puppet/manifests/overcloud_controller.pp b/puppet/manifests/overcloud_controller.pp
index 777ebad..1408fea 100644 (file)
--- a/puppet/manifests/overcloud_controller.pp
+++ b/puppet/manifests/overcloud_controller.pp
@@ -193,6 +193,20 @@ if hiera('step') >= 2 {
   }
 
   if str2bool(hiera('enable_ceph_storage', 'false')) {
+    if str2bool(hiera('ceph_osd_selinux_permissive', true)) {
+      exec { 'set selinux to permissive on boot':
+        command => "sed -ie 's/^SELINUX=.*/SELINUX=permissive/' /etc/selinux/config",
+        onlyif  => "test -f /etc/selinux/config && ! grep '^SELINUX=permissive' /etc/selinux/config",
+        path    => ["/usr/bin", "/usr/sbin"],
+      }
+
+      exec { 'set selinux to permissive':
+        command => "setenforce 0",
+        onlyif  => "which setenforce && getenforce | grep -i 'enforcing'",
+        path    => ["/usr/bin", "/usr/sbin"],
+      } -> Class['ceph::profile::osd']
+    }
+
     include ::ceph::profile::client
     include ::ceph::profile::osd
   }

diff --git a/puppet/manifests/overcloud_controller_pacemaker.pp b/puppet/manifests/overcloud_controller_pacemaker.pp
index 3c5a015..9bad721 100644 (file)
--- a/puppet/manifests/overcloud_controller_pacemaker.pp
+++ b/puppet/manifests/overcloud_controller_pacemaker.pp
@@ -494,6 +494,20 @@ MYSQL_HOST=localhost\n",
   }
 
   if str2bool(hiera('enable_ceph_storage', 'false')) {
+    if str2bool(hiera('ceph_osd_selinux_permissive', true)) {
+      exec { 'set selinux to permissive on boot':
+        command => "sed -ie 's/^SELINUX=.*/SELINUX=permissive/' /etc/selinux/config",
+        onlyif  => "test -f /etc/selinux/config && ! grep '^SELINUX=permissive' /etc/selinux/config",
+        path    => ["/usr/bin", "/usr/sbin"],
+      }
+
+      exec { 'set selinux to permissive':
+        command => "setenforce 0",
+        onlyif  => "which setenforce && getenforce | grep -i 'enforcing'",
+        path    => ["/usr/bin", "/usr/sbin"],
+      } -> Class['ceph::profile::osd']
+    }
+
     include ::ceph::profile::client
     include ::ceph::profile::osd
   }