Hi all,

It has been discovered that newer versions of selinux-policy prevent bundles in pacemaker 2.0 from logging. I have a straightforward fix, but it means that whenever a cluster is upgraded from pre-2.0.3 to 2.0.3 or later, all active bundles will restart once the last older node leaves the cluster.

This is because the fix passes the "Z" mount flag to docker or podman, which tells them to create a custom SELinux policy for the bundle's container and log directory. This is the easiest and most restrictive solution.

An alternative approach would be for pacemaker to start delivering its own custom SELinux policy as a separate package. The policy would allow all pacemaker-launched containers to access all of /var/log/pacemaker/bundles, which is a bit broader access (not to mention more of a pain to maintain over the longer term). This would avoid the restart.

I'm leaning to the in-code solution, but I want to ask if anyone thinks the bundle restarts on upgrade are a deal-breaker for a minor-minor release, and would prefer the packaged policy solution.

--
Ken Gaillot <kgail...@redhat.com>