Thank you so much Jiffin for the quick response!

-Janak
________________________________
From: Jiffin Thottan <jthot...@redhat.com>
Sent: Thursday, June 20, 2019 11:58:52 PM
To: Desai, Janak
Cc: Gluster Devel; nfs-ganesha-devel
Subject: Re: Quick question about the latest glusterfs and client side selinux 
support

Hi Janak,

Currently, it is supported in glusterfs (from 2.8 onwards) and cephfs (already 
there in 2.7) for nfs-ganesha.

--
Jiffin

----- Original Message -----
From: "Janak Desai" <janak.de...@gtri.gatech.edu>
To: "Jiffin Tony Thottan" <jthot...@redhat.com>
Sent: Thursday, June 20, 2019 9:29:09 PM
Subject: Re: Quick question about the latest glusterfs and client side selinux 
support

Hi Jiffin,



I came across your presentation “NFS-Ganesha Weather Report” that you gave at 
FOSDEM’19 in early Feb this year. In that you mentioned that ongoing 
developments in v2.8 include “labelled NFS” support. I see that v2.8 is now 
out. Do you know if labelled NFS support made it in? If it did, is it only 
supported in the CEPHFS FSAL, or do any other FSALs also include support for it? I 
took a cursory look at the release documents and didn’t see Labelled NFS in it, 
so thought I would bug you directly.



Thanks.



-Janak





From: Jiffin Tony Thottan <jthot...@redhat.com>
Date: Tuesday, August 28, 2018 at 12:50 AM
To: Janak Desai <janak.de...@gtri.gatech.edu>, "nde...@redhat.com" 
<nde...@redhat.com>, "mselv...@redhat.com" <mselv...@redhat.com>
Cc: "p...@paul-moore.com" <p...@paul-moore.com>
Subject: Re: Quick question about the latest glusterfs and client side selinux 
support



Hi Janak,

Thanks for the interest. A basic selinux xlator is present in the gluster server 
stack. It stores the selinux context at the backend as an xattr. When we developed 
that xlator, at that point there was no client to test the functionality. Don't 
know whether the required change in fuse got merged or not. As you mentioned, 
here first we need to figure out whether the issue is related to the server. You 
can collect the packet trace using tcpdump from the client while setting/getting 
the selinux context and send it with the mail.

Regards,

Jiffin



On Tuesday 28 August 2018 04:14 AM, Desai, Janak wrote:

Hi Niels, Manikandan, Jiffin,



I work for Georgia Tech Research Institute’s CIPHER Lab and am investigating 
suitability of glusterfs for a couple of large upcoming projects. My ‘google 
research’ is yielding confusing and inconclusive results, so I thought I would 
try and reach out to some of the core developers to get some clarity.



We use SELinux extensively in our software solution. I am trying to find out 
if, with the latest version 4.1 of glusterfs running on the latest version of 
rhel, I should be able to associate and enforce selinux contexts from glusterfs 
clients. I see in the 3.11 release notes that the selinux feature was 
implemented but then I also see references to kernel work that is not done yet. 
I also could not find any documentation/examples on how to add/integrate this 
selinux translator to set up and enforce selinux labels from the client side. In 
my simple test setup, which I mounted using the “selinux” option (which gluster 
does seem to recognize), I am getting the “operation not supported” error. I 
guess either I am not pulling in the selinux translator or I am running up 
against other missing functionality in the kernel. I would really appreciate it if 
you could clear this up for me. If I am not configuring my mount correctly, I 
would appreciate it if you could point me to a document or an example. Our other 
option is the lustre filesystem since it does have a working client side 
association and enforcement of selinux contexts. However, lustre appears to be 
a lot more difficult to set up and maintain and I would rather use glusterfs. We need a 
distributed (or parallel) filesystem that can work with Hadoop. If glusterfs 
doesn’t pan out then I will look at labelled nfs 4.2 that is now available in 
rhel7. However, my google research shows much more Hadoop affinity for 
glusterfs than nfs v4.



I am also copying Paul Moore, with whom I collaborated a few years ago as part 
of the team that took Linux through its common criteria evaluation, and who I 
haven’t bugged lately ☺, to see if he can shed some light on any missing kernel 
dependencies. I am currently testing with rhel7.5, but would be willing to try 
an upstream kernel if I have to, to get this proof of concept going. I know the 
underlying problem in the kernel is supporting extended attrs on FUSE file 
systems, but was wondering (and hoping) that at least setup/enforcement of 
selinux contexts from client side for glusterfs is possible.



Thanks.



-Janak
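
The “operation not supported” error described in the oldest message can be narrowed down by reading and re-writing the `security.selinux` xattr on a file under the mount and looking at the errno. The Python below is an added example, not part of the thread or of Gluster's code; `probe_selinux_label` and `classify` are hypothetical names, and the xattr calls are injectable so the logic can be checked without a mount.

```python
import errno
import os
import sys

SELINUX_XATTR = "security.selinux"  # xattr in which SELinux keeps a file's label


def classify(op, err):
    """Map the errno of a failed get/set to what it says about the mount."""
    if err.errno in (errno.ENOTSUP, errno.EOPNOTSUPP):
        return f"{op}: operation not supported ({SELINUX_XATTR} is refused on this mount)"
    if err.errno == errno.ENODATA:
        return f"{op}: xattr call works, but no label is stored on this file"
    if err.errno in (errno.EPERM, errno.EACCES):
        return f"{op}: denied by permissions or policy, not a missing feature"
    return f"{op}: unexpected error: {os.strerror(err.errno)}"


def probe_selinux_label(path, getxattr=None, setxattr=None):
    """Read the label on `path`, then write the same bytes back.

    Returns (label or None, verdict). os.getxattr/os.setxattr are Linux-only,
    so they are looked up at call time unless replacements are passed in.
    """
    getxattr = getxattr or os.getxattr
    setxattr = setxattr or os.setxattr
    try:
        raw = getxattr(path, SELINUX_XATTR)
    except OSError as e:
        return None, classify("get", e)
    label = raw.rstrip(b"\x00").decode("ascii", "replace")
    try:
        # Writing back the identical value exercises the set path
        # without changing the file's label.
        setxattr(path, SELINUX_XATTR, raw)
    except OSError as e:
        return label, classify("set", e)
    return label, "get and set both succeeded"


if __name__ == "__main__":
    # Usage: python3 probe.py /mnt/glustervol/somefile (path is an assumption)
    for p in sys.argv[1:]:
        print(p, *probe_selinux_label(p), sep=" | ")
```

Running it on a file under the client mount and on the same file on a brick separates a client-side refusal from a label that was never stored at the backend.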




_______________________________________________

Gluster-devel mailing list
Gluster-devel@gluster.org
https://lists.gluster.org/mailman/listinfo/gluster-devel
