
[openstack-dev] [tripleo] undercloud containers with SELinux Enforcing

0 votes

Hello folks.
I need your feedback please on SELinux fixes [0] (or rather workarounds)
for containerized undercloud feature, which is experimental in Pike.

[TL;DR] The problem I'm trying to solve is primarily allowing TripleO
users to follow the guide [1] w/o telling them "please disable SELinux".

Especially, given the note "The undercloud is intended to work correctly
with SELinux enforcing, and cannot be installed to a system with SELinux
disabled".

I understand that putting "chcon -Rt svirt_sandbox_file_t -l s0" (see
[2]) on all of the host paths bind-mounted into containers is not
secure, and from the SELinux perspective allows everything to all
containers. That could be a first step for docker volumes working w/o
shutting down SELinux on *hosts* though.

I plan to use the same approach for the t-h-t docker/services host-prep
tasks as well. Why not use docker's :z :Z directly? IIUC, it doesn't
allow combining with other mount flags, like :ro:z won't work. I look
forward to better solutions and ideas!

[0] https://review.openstack.org/#/q/topic:bug/1682179
[1]
https://docs.openstack.org/tripleo-docs/latest/install/containers_deployment/undercloud.html
[2]
https://www.projectatomic.io/blog/2015/06/using-volumes-with-docker-can-cause-problems-with-selinux/

--
Best regards,
Bogdan Dobrelya,
Irc #bogdando


OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
asked Nov 6, 2017 in openstack-dev by bdobreli_at_redhat.c (2,260 points)

2 Responses

0 votes

Hi.
I've made some progress with containerized undercloud deployment guide
and SELinux enforcing ( the bug [0] and the topic [1] ).

Although I'm now completely stuck [2] with fixing t-h-t's
docker/services to nail the SELinux thing fully, including the
containerized overclouds part. The main issue is to make some of the
host-path volumes bind-mounted, like /run:/run and /dev:/dev,
SELinux-friendly. Any help is appreciated!

[0] https://bugs.launchpad.net/tripleo/+bug/1682179
[1] https://review.openstack.org/#/q/topic:bug/1682179
[2] https://review.openstack.org/#/c/517383/

--
Best regards,
Bogdan Dobrelya,
Irc #bogdando

responded Nov 6, 2017 by bdobreli_at_redhat.c (2,260 points)
0 votes

So the rule of thumb I propose is "if a container bind-mounts /run
(/var/run), make it privileged to not mess with SELinux enforcing". I've
yet to find better alternatives to allow containers to access the host
sockets.

Additionally, the patch allows developers of t-h-t docker/services to
not guess and repeat :z flags for the generic
/var/lib/, /etc/puppet/,
/usr/share/openstack-puppet/modules and /var/log/containers/ paths
for services, as the wanted context for those will be configured at the
deploy-steps tasks [0] and in the docker-puppet.py tool [1]. That
follows DRY best.

I hope that works.

[0] https://review.openstack.org/#/c/513669/11/common/deploy-steps.j2
[1] https://review.openstack.org/#/c/513669/12/docker/docker-puppet.py@277

responded Nov 6, 2017 by bdobreli_at_redhat.c (2,260 points)
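The two SELinux questions in this thread, whether a read-only mount can also be relabelled (first post) and which bind mounts cannot be fixed by relabelling at all (second response), can be checked before `docker run` rather than by reading AVC denials afterwards. The following is an added example, not code from the thread, from TripleO or from docker: a small audit that parses `-v host:ctr[:opts]` specs and `ls -Zd` output and reports which host paths will be denied under Enforcing. Two points it encodes that the thread leaves implicit: docker mount options are one comma-separated field, so read-only plus relabel is written `ro,z` (or `ro,Z`), and a `--privileged` container runs unconfined, so label checks stop applying to it. The function names, the `HOST_API_PREFIXES` list and the sample label lines are assumptions made for this example; the rule that `/run` and `/dev` mounts go privileged is the second response's rule of thumb, not policy.

```python
"""Added example, not code from the thread, TripleO or docker: audit the
SELinux side of docker bind mounts before running a container on an
Enforcing host.  Labels and volume specs are constructed inline so the
check runs offline; on a real host the label lines come from
`ls -Zd <path>` and the specs from the docker run command line."""

from dataclasses import dataclass

# File types a container process may use through a bind mount under the
# docker SELinux policy. svirt_sandbox_file_t is the name used in the thread;
# container_file_t is its later alias in container-selinux.
CONTAINER_FILE_TYPES = {"svirt_sandbox_file_t", "container_file_t"}

# Host paths the thread singles out: they carry host sockets and devices, and
# the second response's rule of thumb is to run such containers privileged.
# (Assumed list for this example; /var/run is usually a symlink to /run.)
HOST_API_PREFIXES = ("/run", "/var/run", "/dev")

RELABEL_OPTS = {"z", "Z"}  # z: shared label (s0), Z: private MCS label


@dataclass(frozen=True)
class VolumeSpec:
    host: str
    ctr: str
    opts: frozenset


def parse_volume(spec):
    """Parse a docker -v argument 'host:ctr[:opt,opt]'.

    Mount options are one comma-separated field, so read-only plus a
    relabel is written 'ro,z' or 'ro,Z', not as a fourth ':' field.
    """
    parts = spec.split(":")
    if len(parts) not in (2, 3) or not parts[0].startswith("/"):
        raise ValueError(f"bad bind-mount spec: {spec!r}")
    opts = frozenset(o for o in (parts[2].split(",") if len(parts) == 3 else []) if o)
    if RELABEL_OPTS <= opts:
        raise ValueError(f"{spec!r}: z and Z are mutually exclusive")
    return VolumeSpec(parts[0], parts[1], opts)


def volume_arg(host, ctr, read_only=False, relabel=None):
    """Build a -v argument; relabel is None, 'z' or 'Z'."""
    if relabel is not None and relabel not in RELABEL_OPTS:
        raise ValueError(f"relabel must be z or Z, got {relabel!r}")
    opts = [o for o in ("ro" if read_only else None, relabel) if o]
    return ":".join([host, ctr] + ([",".join(opts)] if opts else []))


def parse_ls_z(text):
    """Map path -> SELinux type from `ls -Zd` lines 'user:role:type:level path'."""
    labels = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        context, path = line.split(None, 1)
        fields = context.split(":")
        if len(fields) < 3:
            raise ValueError(f"unparsable context line: {line!r}")
        labels[path.strip()] = fields[2]
    return labels


def _under(path, prefix):
    return path == prefix or path.startswith(prefix + "/")


def audit(specs, labels, privileged=False):
    """Return {host_path: finding} for bind mounts that will hit SELinux
    denials or need a deliberate decision; mounts that are fine get no entry."""
    if privileged:  # the container process runs unconfined (spc_t)
        return {"*": "privileged: container is unconfined, label checks do not apply"}
    findings = {}
    for spec in map(parse_volume, specs):
        host = spec.host.rstrip("/") or "/"
        if any(_under(host, p) for p in HOST_API_PREFIXES):
            findings[host] = ("exposes host sockets/devices; relabelling is not an "
                              "option: run privileged (thread's rule of thumb) or narrow the mount")
        elif spec.opts & RELABEL_OPTS:
            continue  # docker relabels the host path at run time
        elif host not in labels:
            findings[host] = "no label known: run `ls -Zd` on the host path first"
        elif labels[host] not in CONTAINER_FILE_TYPES:
            findings[host] = (f"type {labels[host]} is not container-accessible: "
                              "relabel it or add ':z'/':Z' to the mount")
    return findings


# Constructed sample input (not captured from a real undercloud host).
SAMPLE_LS_Z = """
system_u:object_r:var_run_t:s0 /run
system_u:object_r:device_t:s0 /dev
system_u:object_r:svirt_sandbox_file_t:s0 /var/lib/config-data
system_u:object_r:var_log_t:s0 /var/log/containers
system_u:object_r:usr_t:s0 /usr/share/openstack-puppet/modules
"""

SAMPLE_SPECS = [
    "/run:/run",
    "/var/lib/config-data:/var/lib/config-data:ro",
    volume_arg("/var/log/containers", "/var/log/containers", read_only=True, relabel="z"),
    "/usr/share/openstack-puppet/modules:/usr/share/openstack-puppet/modules:ro",
]


def run_sample(privileged=False):
    return audit(SAMPLE_SPECS, parse_ls_z(SAMPLE_LS_Z), privileged=privileged)


if __name__ == "__main__":
    for path, why in run_sample().items():
        print(f"{path}: {why}")
```

On the sample input the audit flags `/run` (host sockets, no label fixes it) and `/usr/share/openstack-puppet/modules` (`usr_t`, so it needs `:z`/`:Z` or a relabel), while `/var/lib/config-data` passes because it already carries `svirt_sandbox_file_t` and `/var/log/containers` passes because docker relabels it via `ro,z`. Pre-labelling with `chcon -Rt svirt_sandbox_file_t` makes a path readable by every container on the host, which is the trade-off the first post points out; `:Z` keeps a private MCS category per container and is the safer default where a path is not shared.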
...