Currently we build the overcloud image with selinux-permissive element
in CI. However, even in environments where selinux-permissive element is
not used, it should be ensured that SELinux is set to permissive mode on
nodes with Ceph OSD [1].
We have no nice way to manage SELinux status via Puppet at the moment,
so i'm resorting to execs, but with proper "onlyif" guards.
[1] https://bugzilla.redhat.com/show_bug.cgi?id=
1241422
Change-Id: I31bd685ad4800261fd317eef759bcfd285f2ba80
- vms
- images
-ceph_classes: []
\ No newline at end of file
+ceph_classes: []
+
+ceph_osd_selinux_permissive: true
include ::ntp
}
+if str2bool(hiera('ceph_osd_selinux_permissive', true)) {
+ exec { 'set selinux to permissive on boot':
+ command => "sed -ie 's/^SELINUX=.*/SELINUX=permissive/' /etc/selinux/config",
+ onlyif => "test -f /etc/selinux/config && ! grep '^SELINUX=permissive' /etc/selinux/config",
+ path => ["/usr/bin", "/usr/sbin"],
+ }
+
+ exec { 'set selinux to permissive':
+ command => "setenforce 0",
+ onlyif => "which setenforce && getenforce | grep -i 'enforcing'",
+ path => ["/usr/bin", "/usr/sbin"],
+ } -> Class['ceph::profile::osd']
+}
+
include ::ceph::profile::client
include ::ceph::profile::osd
}
if str2bool(hiera('enable_ceph_storage', 'false')) {
+ if str2bool(hiera('ceph_osd_selinux_permissive', true)) {
+ exec { 'set selinux to permissive on boot':
+ command => "sed -ie 's/^SELINUX=.*/SELINUX=permissive/' /etc/selinux/config",
+ onlyif => "test -f /etc/selinux/config && ! grep '^SELINUX=permissive' /etc/selinux/config",
+ path => ["/usr/bin", "/usr/sbin"],
+ }
+
+ exec { 'set selinux to permissive':
+ command => "setenforce 0",
+ onlyif => "which setenforce && getenforce | grep -i 'enforcing'",
+ path => ["/usr/bin", "/usr/sbin"],
+ } -> Class['ceph::profile::osd']
+ }
+
include ::ceph::profile::client
include ::ceph::profile::osd
}
}
if str2bool(hiera('enable_ceph_storage', 'false')) {
+ if str2bool(hiera('ceph_osd_selinux_permissive', true)) {
+ exec { 'set selinux to permissive on boot':
+ command => "sed -ie 's/^SELINUX=.*/SELINUX=permissive/' /etc/selinux/config",
+ onlyif => "test -f /etc/selinux/config && ! grep '^SELINUX=permissive' /etc/selinux/config",
+ path => ["/usr/bin", "/usr/sbin"],
+ }
+
+ exec { 'set selinux to permissive':
+ command => "setenforce 0",
+ onlyif => "which setenforce && getenforce | grep -i 'enforcing'",
+ path => ["/usr/bin", "/usr/sbin"],
+ } -> Class['ceph::profile::osd']
+ }
+
include ::ceph::profile::client
include ::ceph::profile::osd
}