Re: [openstack-dev] [openstack-ansible] dropping selinux support
This title seems very scary. It was to be read as "... for source installs" : ) To be honest, I feel very sad about the lack of involvement in CentOS in OSA over the years. We didn't get many contributors over time for it. This has always been a labour of love, and the honeymoon seems over for many. So... Please help us if you want to keep your sourced based installs + CentOS + selinux. Else, you can still use packages! :D Thanks mnaser for starting this hard topic and community decision process. JP (evrardjp) __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [openstack-ansible] dropping selinux support
Hi Paul: On Thu, Jun 28, 2018 at 5:03 PM, Paul Belanger wrote: > On Thu, Jun 28, 2018 at 12:56:22PM -0400, Mohammed Naser wrote: >> Hi everyone: >> >> This email is to ask if there is anyone out there opposed to removing >> SELinux bits from OpenStack ansible, it's blocking some of the gates >> and the maintainers for them are no longer working on the project >> unfortunately. >> >> I'd like to propose removing any SELinux stuff from OSA based on the >> following: >> >> 1) We don't gate on it, we don't test it, we don't support it. If >> you're running OSA with SELinux enforcing, please let us know how :-) >> 2) It extends beyond the scope of the deployment project and there are >> no active maintainers with the resources to deal with them >> 3) With the work currently in place to let OpenStack Ansible install >> distro packages, we can rely on upstream `openstack-selinux` package >> to deliver deployments that run with SELinux on. >> >> Is there anyone opposed to removing it? If so, please let us know. :-) >> > While I don't use OSA, I would be surprised to learn that selinux wouldn't be > supported. I also understand it requires time and care to maintain. Have you > tried reaching out to people in #RDO, IIRC all those packages should support > selinux. Indeed, the support from RDO for SELinux works very well. In this case however, OpenStack ansible deploys from source and therefore places binaries in different places than the default expected locations for the upstream `openstack-selinux`. As we work towards adding 'distro' support (which to clarify, it means install from RPMs or DEBs rather than from source), we'll be able to pull in that package and automagically get SELinux support that's supported by an upstream that tracks it. > As for gating, maybe default to selinux passive for it to report errors, but > not > fail. And if anybody is interested in support it, they can do so and enable > enforcing again when everything is fixed. That's reasonable. However, right now we have bugs around the distribution of SELinux modules and how they are compiled inside the the containers, which means that we're not having problems with the rules as much as uploading the rules and getting them compiled inside the server. I hope I cleared up a bit more of our side of things, I'm actually looking forward for us being able to support upstream distro packages. > - Paul > > __ > OpenStack Development Mailing List (not for usage questions) > Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev -- Mohammed Naser — vexxhost - D. 514-316-8872 D. 800-910-1726 ext. 200 E. mna...@vexxhost.com W. http://vexxhost.com __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [openstack-ansible] dropping selinux support
On Thu, Jun 28, 2018 at 12:56:22PM -0400, Mohammed Naser wrote: > Hi everyone: > > This email is to ask if there is anyone out there opposed to removing > SELinux bits from OpenStack ansible, it's blocking some of the gates > and the maintainers for them are no longer working on the project > unfortunately. > > I'd like to propose removing any SELinux stuff from OSA based on the > following: > > 1) We don't gate on it, we don't test it, we don't support it. If > you're running OSA with SELinux enforcing, please let us know how :-) > 2) It extends beyond the scope of the deployment project and there are > no active maintainers with the resources to deal with them > 3) With the work currently in place to let OpenStack Ansible install > distro packages, we can rely on upstream `openstack-selinux` package > to deliver deployments that run with SELinux on. > > Is there anyone opposed to removing it? If so, please let us know. :-) > While I don't use OSA, I would be surprised to learn that selinux wouldn't be supported. I also understand it requires time and care to maintain. Have you tried reaching out to people in #RDO, IIRC all those packages should support selinux. As for gating, maybe default to selinux passive for it to report errors, but not fail. And if anybody is interested in support it, they can do so and enable enforcing again when everything is fixed. - Paul __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [openstack-ansible] dropping selinux support
Also, this is the change that drops it, so feel free to vote with your opinion there too: https://review.openstack.org/578887 Drop SELinux support from os_swift On Thu, Jun 28, 2018 at 12:56 PM, Mohammed Naser wrote: > Hi everyone: > > This email is to ask if there is anyone out there opposed to removing > SELinux bits from OpenStack ansible, it's blocking some of the gates > and the maintainers for them are no longer working on the project > unfortunately. > > I'd like to propose removing any SELinux stuff from OSA based on the > following: > > 1) We don't gate on it, we don't test it, we don't support it. If > you're running OSA with SELinux enforcing, please let us know how :-) > 2) It extends beyond the scope of the deployment project and there are > no active maintainers with the resources to deal with them > 3) With the work currently in place to let OpenStack Ansible install > distro packages, we can rely on upstream `openstack-selinux` package > to deliver deployments that run with SELinux on. > > Is there anyone opposed to removing it? If so, please let us know. :-) > > Thanks! > Mohammed > > -- > Mohammed Naser — vexxhost > - > D. 514-316-8872 > D. 800-910-1726 ext. 200 > E. mna...@vexxhost.com > W. http://vexxhost.com -- Mohammed Naser — vexxhost - D. 514-316-8872 D. 800-910-1726 ext. 200 E. mna...@vexxhost.com W. http://vexxhost.com __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
[openstack-dev] [openstack-ansible] dropping selinux support
Hi everyone: This email is to ask if there is anyone out there opposed to removing SELinux bits from OpenStack ansible, it's blocking some of the gates and the maintainers for them are no longer working on the project unfortunately. I'd like to propose removing any SELinux stuff from OSA based on the following: 1) We don't gate on it, we don't test it, we don't support it. If you're running OSA with SELinux enforcing, please let us know how :-) 2) It extends beyond the scope of the deployment project and there are no active maintainers with the resources to deal with them 3) With the work currently in place to let OpenStack Ansible install distro packages, we can rely on upstream `openstack-selinux` package to deliver deployments that run with SELinux on. Is there anyone opposed to removing it? If so, please let us know. :-) Thanks! Mohammed -- Mohammed Naser — vexxhost - D. 514-316-8872 D. 800-910-1726 ext. 200 E. mna...@vexxhost.com W. http://vexxhost.com __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
