aboutsummaryrefslogtreecommitdiffstats
path: root/puppet
diff options
context:
space:
mode:
authorJiri Stransky <jistr@redhat.com>2015-07-13 19:11:54 +0200
committerJiri Stransky <jistr@redhat.com>2015-07-13 19:11:54 +0200
commit9ab0050e6ec6ace2deb7712d7fde7a12bc466b75 (patch)
tree9c8323fece58f04eecc8f77fee5213c54c387251 /puppet
parent0405a6b248a8328edc1ca050be7e33f436b29c77 (diff)
Ensure SELinux is permissive on Ceph OSDs
Currently we build the overcloud image with selinux-permissive element in CI. However, even in environments where selinux-permissive element is not used, it should be ensured that SELinux is set to permissive mode on nodes with Ceph OSD [1]. We have no nice way to manage SELinux status via Puppet at the moment, so i'm resorting to execs, but with proper "onlyif" guards. [1] https://bugzilla.redhat.com/show_bug.cgi?id=1241422 Change-Id: I31bd685ad4800261fd317eef759bcfd285f2ba80
Diffstat (limited to 'puppet')
-rw-r--r--puppet/hieradata/ceph.yaml4
-rw-r--r--puppet/manifests/overcloud_cephstorage.pp14
-rw-r--r--puppet/manifests/overcloud_controller.pp14
-rw-r--r--puppet/manifests/overcloud_controller_pacemaker.pp14
4 files changed, 45 insertions, 1 deletions
diff --git a/puppet/hieradata/ceph.yaml b/puppet/hieradata/ceph.yaml
index 6eb0e671..18a48622 100644
--- a/puppet/hieradata/ceph.yaml
+++ b/puppet/hieradata/ceph.yaml
@@ -12,4 +12,6 @@ ceph_pools:
- vms
- images
-ceph_classes: [] \ No newline at end of file
+ceph_classes: []
+
+ceph_osd_selinux_permissive: true
diff --git a/puppet/manifests/overcloud_cephstorage.pp b/puppet/manifests/overcloud_cephstorage.pp
index 21fd5f98..38b6a546 100644
--- a/puppet/manifests/overcloud_cephstorage.pp
+++ b/puppet/manifests/overcloud_cephstorage.pp
@@ -30,6 +30,20 @@ if count(hiera('ntp::servers')) > 0 {
include ::ntp
}
+if str2bool(hiera('ceph_osd_selinux_permissive', true)) {
+ exec { 'set selinux to permissive on boot':
+ command => "sed -ie 's/^SELINUX=.*/SELINUX=permissive/' /etc/selinux/config",
+ onlyif => "test -f /etc/selinux/config && ! grep '^SELINUX=permissive' /etc/selinux/config",
+ path => ["/usr/bin", "/usr/sbin"],
+ }
+
+ exec { 'set selinux to permissive':
+ command => "setenforce 0",
+ onlyif => "which setenforce && getenforce | grep -i 'enforcing'",
+ path => ["/usr/bin", "/usr/sbin"],
+ } -> Class['ceph::profile::osd']
+}
+
include ::ceph::profile::client
include ::ceph::profile::osd
diff --git a/puppet/manifests/overcloud_controller.pp b/puppet/manifests/overcloud_controller.pp
index 777ebad6..1408feaf 100644
--- a/puppet/manifests/overcloud_controller.pp
+++ b/puppet/manifests/overcloud_controller.pp
@@ -193,6 +193,20 @@ if hiera('step') >= 2 {
}
if str2bool(hiera('enable_ceph_storage', 'false')) {
+ if str2bool(hiera('ceph_osd_selinux_permissive', true)) {
+ exec { 'set selinux to permissive on boot':
+ command => "sed -ie 's/^SELINUX=.*/SELINUX=permissive/' /etc/selinux/config",
+ onlyif => "test -f /etc/selinux/config && ! grep '^SELINUX=permissive' /etc/selinux/config",
+ path => ["/usr/bin", "/usr/sbin"],
+ }
+
+ exec { 'set selinux to permissive':
+ command => "setenforce 0",
+ onlyif => "which setenforce && getenforce | grep -i 'enforcing'",
+ path => ["/usr/bin", "/usr/sbin"],
+ } -> Class['ceph::profile::osd']
+ }
+
include ::ceph::profile::client
include ::ceph::profile::osd
}
diff --git a/puppet/manifests/overcloud_controller_pacemaker.pp b/puppet/manifests/overcloud_controller_pacemaker.pp
index 3c5a0151..9bad7211 100644
--- a/puppet/manifests/overcloud_controller_pacemaker.pp
+++ b/puppet/manifests/overcloud_controller_pacemaker.pp
@@ -494,6 +494,20 @@ MYSQL_HOST=localhost\n",
}
if str2bool(hiera('enable_ceph_storage', 'false')) {
+ if str2bool(hiera('ceph_osd_selinux_permissive', true)) {
+ exec { 'set selinux to permissive on boot':
+ command => "sed -ie 's/^SELINUX=.*/SELINUX=permissive/' /etc/selinux/config",
+ onlyif => "test -f /etc/selinux/config && ! grep '^SELINUX=permissive' /etc/selinux/config",
+ path => ["/usr/bin", "/usr/sbin"],
+ }
+
+ exec { 'set selinux to permissive':
+ command => "setenforce 0",
+ onlyif => "which setenforce && getenforce | grep -i 'enforcing'",
+ path => ["/usr/bin", "/usr/sbin"],
+ } -> Class['ceph::profile::osd']
+ }
+
include ::ceph::profile::client
include ::ceph::profile::osd
}