Re: [ceph-users] Cephfs fsal + nfs-ganesha + el7/centos7
Am 19.02.2018 um 17:22 schrieb Daniel Gryniewicz: > To my knowledge, no one has done any work on ganesha + ceph and selinux. > Fedora (and RHEL) includes config in it's selinux package for ganesha + > gluster, but I'm sure there's missing bits for ceph. Thanks! I was asking here since from the latest talks on Ceph, I would expect nfs-ganesha to become a major "supported feature" potentially starting even from mimic. For anybody who is following / curious, I had to extend my manual SELinux module to fix kerberos ticket cache issues. I'm now using the following successfully: module nfs_ganesha-fix-perms 1.0; require { type proc_net_t; type cyphesis_port_t; type krb5_host_rcache_t; type ganesha_t; class capability setuid; class capability setgid; class capability dac_override; class tcp_socket name_connect; class file { getattr open read write }; } #= ganesha_t == allow ganesha_t cyphesis_port_t:tcp_socket name_connect; allow ganesha_t proc_net_t:file { getattr open read }; allow ganesha_t self:capability dac_override; allow ganesha_t self:capability setuid; allow ganesha_t self:capability setgid; allow ganesha_t krb5_host_rcache_t:file write; Cheers, Oliver > > Daniel > > On 02/17/2018 03:15 PM, Oliver Freyermuth wrote: >> Hi together, >> >> many thanks for the RPMs provided at: >> http://download.ceph.com/nfs-ganesha/ >> They are very much appreciated! >> >> >> Since the statement was that they will also be maintained in the future, and >> NFS Ganesha seems an important project for the future of Ceph, >> let me do the first "packaging" bug report. >> >> It seems that the current packages do not play so well with SELinux. I'm >> currently using an SELinux module with the following allows, found by >> iterative use of audit2allow (full ".te" module added at the end of the >> mail): >> >> allow ganesha_t cyphesis_port_t:tcp_socket name_connect; >> allow ganesha_t proc_net_t:file { getattr open read }; >> allow ganesha_t self:capability dac_override; >> allow ganesha_t self:capability setuid; >> allow ganesha_t self:capability setgid; >> >> "cyphesis_port_t" is probably needed since its range (tcp: 6767, 6769, >> 6780-6799) overlaps with the default ports >> recommended for use by OSDs and nfs-ganesha uses libcephfs to talk to them, >> the other caps appear to be needed by nfs-ganesha itself. >> >> With these in place, it seems my setup is working well. Without the "setgid" >> cap, for example, nfs-ganesha just segfaults after the permission denied >> failure. >> Of course, it would be best if they were installed by the package >> (potentially, more restrictive allows are possible with some care). >> >> >> Please include me in replies, I am not subscribed to the list. >> >> Cheers and all the best, >> Oliver >> >> >> >> module nfs_ganesha-fix-perms 1.0; >> >> require { >> type proc_net_t; >> type cyphesis_port_t; >> type ganesha_t; >> class capability setuid; >> class capability setgid; >> class capability dac_override; >> class tcp_socket name_connect; >> class file { getattr open read }; >> } >> >> #= ganesha_t == >> allow ganesha_t cyphesis_port_t:tcp_socket name_connect; >> allow ganesha_t proc_net_t:file { getattr open read }; >> allow ganesha_t self:capability dac_override; >> allow ganesha_t self:capability setuid; >> allow ganesha_t self:capability setgid; >> >> >> >> >> ___ >> ceph-users mailing list >> ceph-users@lists.ceph.com >> http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com >> > > ___ > ceph-users mailing list > ceph-users@lists.ceph.com > http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com smime.p7s Description: S/MIME Cryptographic Signature ___ ceph-users mailing list ceph-users@lists.ceph.com http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
Re: [ceph-users] Cephfs fsal + nfs-ganesha + el7/centos7
To my knowledge, no one has done any work on ganesha + ceph and selinux. Fedora (and RHEL) includes config in it's selinux package for ganesha + gluster, but I'm sure there's missing bits for ceph. Daniel On 02/17/2018 03:15 PM, Oliver Freyermuth wrote: Hi together, many thanks for the RPMs provided at: http://download.ceph.com/nfs-ganesha/ They are very much appreciated! Since the statement was that they will also be maintained in the future, and NFS Ganesha seems an important project for the future of Ceph, let me do the first "packaging" bug report. It seems that the current packages do not play so well with SELinux. I'm currently using an SELinux module with the following allows, found by iterative use of audit2allow (full ".te" module added at the end of the mail): allow ganesha_t cyphesis_port_t:tcp_socket name_connect; allow ganesha_t proc_net_t:file { getattr open read }; allow ganesha_t self:capability dac_override; allow ganesha_t self:capability setuid; allow ganesha_t self:capability setgid; "cyphesis_port_t" is probably needed since its range (tcp: 6767, 6769, 6780-6799) overlaps with the default ports recommended for use by OSDs and nfs-ganesha uses libcephfs to talk to them, the other caps appear to be needed by nfs-ganesha itself. With these in place, it seems my setup is working well. Without the "setgid" cap, for example, nfs-ganesha just segfaults after the permission denied failure. Of course, it would be best if they were installed by the package (potentially, more restrictive allows are possible with some care). Please include me in replies, I am not subscribed to the list. Cheers and all the best, Oliver module nfs_ganesha-fix-perms 1.0; require { type proc_net_t; type cyphesis_port_t; type ganesha_t; class capability setuid; class capability setgid; class capability dac_override; class tcp_socket name_connect; class file { getattr open read }; } #= ganesha_t == allow ganesha_t cyphesis_port_t:tcp_socket name_connect; allow ganesha_t proc_net_t:file { getattr open read }; allow ganesha_t self:capability dac_override; allow ganesha_t self:capability setuid; allow ganesha_t self:capability setgid; ___ ceph-users mailing list ceph-users@lists.ceph.com http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com ___ ceph-users mailing list ceph-users@lists.ceph.com http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
Re: [ceph-users] Cephfs fsal + nfs-ganesha + el7/centos7
Hi together, many thanks for the RPMs provided at: http://download.ceph.com/nfs-ganesha/ They are very much appreciated! Since the statement was that they will also be maintained in the future, and NFS Ganesha seems an important project for the future of Ceph, let me do the first "packaging" bug report. It seems that the current packages do not play so well with SELinux. I'm currently using an SELinux module with the following allows, found by iterative use of audit2allow (full ".te" module added at the end of the mail): allow ganesha_t cyphesis_port_t:tcp_socket name_connect; allow ganesha_t proc_net_t:file { getattr open read }; allow ganesha_t self:capability dac_override; allow ganesha_t self:capability setuid; allow ganesha_t self:capability setgid; "cyphesis_port_t" is probably needed since its range (tcp: 6767, 6769, 6780-6799) overlaps with the default ports recommended for use by OSDs and nfs-ganesha uses libcephfs to talk to them, the other caps appear to be needed by nfs-ganesha itself. With these in place, it seems my setup is working well. Without the "setgid" cap, for example, nfs-ganesha just segfaults after the permission denied failure. Of course, it would be best if they were installed by the package (potentially, more restrictive allows are possible with some care). Please include me in replies, I am not subscribed to the list. Cheers and all the best, Oliver module nfs_ganesha-fix-perms 1.0; require { type proc_net_t; type cyphesis_port_t; type ganesha_t; class capability setuid; class capability setgid; class capability dac_override; class tcp_socket name_connect; class file { getattr open read }; } #= ganesha_t == allow ganesha_t cyphesis_port_t:tcp_socket name_connect; allow ganesha_t proc_net_t:file { getattr open read }; allow ganesha_t self:capability dac_override; allow ganesha_t self:capability setuid; allow ganesha_t self:capability setgid; smime.p7s Description: S/MIME Cryptographic Signature ___ ceph-users mailing list ceph-users@lists.ceph.com http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
Re: [ceph-users] Cephfs fsal + nfs-ganesha + el7/centos7
nfs-ganesha-2.5.2-.el7.x86_64.rpm ^ Is this correct? -Original Message- From: Marc Roos Sent: dinsdag 29 augustus 2017 11:40 To: amaredia; wooertim Cc: ceph-users Subject: Re: [ceph-users] Cephfs fsal + nfs-ganesha + el7/centos7 Ali, Very very nice! I was creating the rpm's based on a old rpm source spec. And it was a hastle to get them to build, and I am not sure if I even used to correct compile settings. -Original Message- From: Ali Maredia [mailto:amare...@redhat.com] Sent: maandag 28 augustus 2017 22:29 To: TYLin Cc: Marc Roos; ceph-us...@ceph.com Subject: Re: [ceph-users] Cephfs fsal + nfs-ganesha + el7/centos7 Marc, These rpms (and debs) are built with the latest ganesha 2.5 stable release and the latest luminous release on download.ceph.com: http://download.ceph.com/nfs-ganesha/ I just put them up late last week, and I will be maintaining them in the future. -Ali - Original Message - > From: "TYLin" > To: "Marc Roos" > Cc: ceph-us...@ceph.com > Sent: Sunday, August 20, 2017 11:58:05 PM > Subject: Re: [ceph-users] Cephfs fsal + nfs-ganesha + el7/centos7 > > You can get rpm from here > > https://download.gluster.org/pub/gluster/glusterfs/nfs-ganesha/old/2.3 > .0/CentOS/nfs-ganesha.repo > > You have to fix the path mismatch error in the repo file manually. > > > On Aug 20, 2017, at 5:38 AM, Marc Roos wrote: > > > > > > > > Where can you get the nfs-ganesha-ceph rpm? Is there a repository > > that has these? > > > > > > > > > > ___ > > ceph-users mailing list > > ceph-users@lists.ceph.com > > http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com > > ___ > ceph-users mailing list > ceph-users@lists.ceph.com > http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com > ___ ceph-users mailing list ceph-users@lists.ceph.com http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com ___ ceph-users mailing list ceph-users@lists.ceph.com http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
Re: [ceph-users] Cephfs fsal + nfs-ganesha + el7/centos7
Ali, Very very nice! I was creating the rpm's based on a old rpm source spec. And it was a hastle to get them to build, and I am not sure if I even used to correct compile settings. -Original Message- From: Ali Maredia [mailto:amare...@redhat.com] Sent: maandag 28 augustus 2017 22:29 To: TYLin Cc: Marc Roos; ceph-us...@ceph.com Subject: Re: [ceph-users] Cephfs fsal + nfs-ganesha + el7/centos7 Marc, These rpms (and debs) are built with the latest ganesha 2.5 stable release and the latest luminous release on download.ceph.com: http://download.ceph.com/nfs-ganesha/ I just put them up late last week, and I will be maintaining them in the future. -Ali - Original Message - > From: "TYLin" > To: "Marc Roos" > Cc: ceph-us...@ceph.com > Sent: Sunday, August 20, 2017 11:58:05 PM > Subject: Re: [ceph-users] Cephfs fsal + nfs-ganesha + el7/centos7 > > You can get rpm from here > > https://download.gluster.org/pub/gluster/glusterfs/nfs-ganesha/old/2.3 > .0/CentOS/nfs-ganesha.repo > > You have to fix the path mismatch error in the repo file manually. > > > On Aug 20, 2017, at 5:38 AM, Marc Roos wrote: > > > > > > > > Where can you get the nfs-ganesha-ceph rpm? Is there a repository > > that has these? > > > > > > > > > > ___ > > ceph-users mailing list > > ceph-users@lists.ceph.com > > http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com > > ___ > ceph-users mailing list > ceph-users@lists.ceph.com > http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com > ___ ceph-users mailing list ceph-users@lists.ceph.com http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
Re: [ceph-users] Cephfs fsal + nfs-ganesha + el7/centos7
Marc, These rpms (and debs) are built with the latest ganesha 2.5 stable release and the latest luminous release on download.ceph.com: http://download.ceph.com/nfs-ganesha/ I just put them up late last week, and I will be maintaining them in the future. -Ali - Original Message - > From: "TYLin" > To: "Marc Roos" > Cc: ceph-us...@ceph.com > Sent: Sunday, August 20, 2017 11:58:05 PM > Subject: Re: [ceph-users] Cephfs fsal + nfs-ganesha + el7/centos7 > > You can get rpm from here > > https://download.gluster.org/pub/gluster/glusterfs/nfs-ganesha/old/2.3.0/CentOS/nfs-ganesha.repo > > You have to fix the path mismatch error in the repo file manually. > > > On Aug 20, 2017, at 5:38 AM, Marc Roos wrote: > > > > > > > > Where can you get the nfs-ganesha-ceph rpm? Is there a repository that > > has these? > > > > > > > > > > ___ > > ceph-users mailing list > > ceph-users@lists.ceph.com > > http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com > > ___ > ceph-users mailing list > ceph-users@lists.ceph.com > http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com > ___ ceph-users mailing list ceph-users@lists.ceph.com http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
Re: [ceph-users] Cephfs fsal + nfs-ganesha + el7/centos7
You can get rpm from here https://download.gluster.org/pub/gluster/glusterfs/nfs-ganesha/old/2.3.0/CentOS/nfs-ganesha.repo You have to fix the path mismatch error in the repo file manually. > On Aug 20, 2017, at 5:38 AM, Marc Roos wrote: > > > > Where can you get the nfs-ganesha-ceph rpm? Is there a repository that > has these? > > > > > ___ > ceph-users mailing list > ceph-users@lists.ceph.com > http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com ___ ceph-users mailing list ceph-users@lists.ceph.com http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com