IMHO, I would just disable selinux. In my use case the clusters I boot with elasticluster are "temporary cloud clusters" so security is not a priority for me. I prefer to keep it simple.
Disabling selinux is just a single ansible task (http://docs.ansible.com/ansible/selinux_module.html), while configuring selinux properly would take much more effort, and it's easy to miss some use case where selinux can give trouble. I think it's better to invest the time to get other features working.

My two cents :)

Regards,
Pablo.

2017-01-09 16:57 GMT+01:00 Riccardo Murri <[email protected]>:

> Hello,
>
> first of all: happy new year! ;-)
>
> A bug report was submitted today [1], stating that, on CentOS 7 VMs, the
> temporary enabling and disabling of SELinux that ElastiCluster does
> (e.g., when enabling iptables firewall rules) renders `journald`
> non-functional -- and possibly creates other problems too.
>
> A workaround [2] posted on ServerFault is also reported to cause trouble
> in the same issue report.
>
> I do not know enough of SELinux myself to be able to take an informed
> decision here. As far as I can see there are these options:
>
> 1. Just disable SELinux altogether (`setenforce 0`) at the start of
>    ElastiCluster playbooks. This makes life simpler for anyone (well,
>    makes *my* life simpler at least) but may be not what experienced
>    CentOS/RHEL admins expect? Also, is somebody relying on SELinux in
>    production clusters built with ElastiCluster?
>
> 2. Try to use a workaround like `restorecon -r /` (assuming one exists
>    that works reliably). I have no idea what this workaround can be,
>    though.
>
> 3. Try to do things correctly "the SELinux way". Last time I checked Red
>    Hat's docs this involved rebooting the VM, which is not something we
>    can do in the middle of an Ansible playbook. But maybe I read wrong?
>
> Any opinions?
>
> [1]: https://github.com/gc3-uzh-ch/elasticluster/issues/370
> [2]: http://serverfault.com/questions/764687/systemd-journald-fails-to-start-on-centos-7
>
> Ciao,
> R
>
> --
> Riccardo Murri, Schwerzenbacherstrasse 2, CH-8606 Nänikon, Switzerland
>
> --
> You received this message because you are subscribed to the Google Groups
> "elasticluster" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
