On Fri, 2019-06-07 at 10:15 +0100, lejeczek wrote:
> On 06/06/2019 23:34, Ken Gaillot wrote:
> > Hi all,
> >
> > It has been discovered that newer versions of selinux-policy prevent
> > bundles in pacemaker 2.0 from logging. I have a straightforward fix,
> > but it means that whenever a cluster is upgraded from pre-2.0.3 to
> > 2.0.3 or later, all active bundles will restart once the last older
> > node leaves the cluster.
> >
> > This is because the fix passes the "Z" mount flag to docker or podman,
> > which tells them to create a custom SELinux policy for the bundle's
> > container and log directory. This is the easiest and most restrictive
> > solution.
> >
> > An alternative approach would be for pacemaker to start delivering its
> > own custom SELinux policy as a separate package. The policy would allow
> > all pacemaker-launched containers to access all of
> > /var/log/pacemaker/bundles, which is a bit broader access (not to
> > mention more of a pain to maintain over the longer term). This would
> > avoid the restart.
> >
> > I'm leaning to the in-code solution, but I want to ask if anyone thinks
> > the bundle restarts on upgrade are a deal-breaker for a minor-minor
> > release, and would prefer the packaged policy solution.
>
> I personally could live with such a case of restart on my small
> deployment.
>
> (what does the "bundle" constitute?)

Bundles are a special type of pacemaker resource for running containers.
If you don't use them, you'll be unaffected. :)

> But there is more in terms of SELinux which should be investigated and
> fixed when it comes to pacemaker. Yesterday I had to prep a custom
> selinux module because SE policies stop pacemaker from starting/managing
> virt domain with storage off a gluster volume and xml config in
> /var/lib/pacemaker.
>
> thanks, L.

Yes, unfortunately SELinux is very service-specific, so each resource
must be evaluated individually when SELinux is enabled. Also pacemaker
runs in the cluster_t context, so it's subject to those policies as far
as file creation etc.
--
Ken Gaillot <kgail...@redhat.com>

_______________________________________________
Manage your subscription:
https://lists.clusterlabs.org/mailman/listinfo/users

ClusterLabs home: https://www.clusterlabs.org/
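Added example, not part of the thread or of pacemaker: a small POSIX sh helper for checking, after the upgrade, that a bundle's log directory carries the private per-container label the ":Z" volume option produces, and that its MCS categories match the container's process label. The directory context would come from `ls -dZ` and the process context from `podman inspect --format '{{.ProcessLabel}}'` (or `ps -eZ`); the type names container_file_t/svirt_sandbox_file_t and all sample contexts below are assumptions/constructed.

```shell
# Extract the MCS level (everything after the type, e.g. "s0:c12,c34")
# from a full context such as "system_u:object_r:container_file_t:s0:c12,c34".
mcs_level() {
    printf '%s\n' "$1" | cut -d: -f4-
}

# Extract the type field (third component) of a context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Classify a volume's file label the way docker/podman set it:
#   private - container type with MCS categories (what ":Z" produces)
#   shared  - container type with no categories  (what ":z" produces)
#   other   - anything else, e.g. a default var_log_t directory that a
#             confined container cannot write to (the symptom in the thread)
# Type names are assumed; check them against your policy with seinfo/ls -Z.
label_kind() {
    _type=$(ctx_type "$1")
    _lvl=$(mcs_level "$1")
    case "$_type" in
        container_file_t|svirt_sandbox_file_t)
            case "$_lvl" in
                *c*) echo private ;;
                *)   echo shared ;;
            esac ;;
        *) echo other ;;
    esac
}

# Return 0 only if the volume label is private AND its categories equal
# the container process's categories, i.e. the ":Z" relabel took effect
# for this specific bundle container rather than for "any container".
z_label_ok() {
    [ "$(label_kind "$1")" = private ] || return 1
    [ "$(mcs_level "$1")" = "$(mcs_level "$2")" ]
}

# Constructed sample: a relabelled bundle log dir and its container process.
z_label_ok 'system_u:object_r:container_file_t:s0:c12,c34' \
           'system_u:system_r:container_t:s0:c12,c34' && echo "Z label OK"
```

A "shared" result means the directory was labelled with ":z" style access that any container on the host can use, which is closer to the broader packaged-policy approach discussed above.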