Enable SELinux in permissive mode in overcloud host images

markgoddard · markgoddard · commit 9647b559ed3d · 2024-08-08T12:03:46.000+01:00
This matches our current defaults.
diff --git a/etc/kayobe/environments/ci-aio/globals.yml b/etc/kayobe/environments/ci-aio/globals.yml
@@ -55,11 +55,6 @@ os_release: >-
           {{ (lookup('pipe', '. /etc/os-release && echo $VERSION_CODENAME') | trim) if os_distribution == 'ubuntu' else
              (lookup('pipe', '. /etc/os-release && echo $VERSION_ID') | trim | split('.') | first) if os_distribution == 'rocky' }}
 
-###############################################################################
-
-# Avoid a reboot.
-selinux_state: disabled
-
 ###############################################################################
 # Dummy variable to allow Ansible to accept this file.
 workaround_ansible_issue_8743: yes
diff --git a/etc/kayobe/environments/ci-aio/inventory/group_vars/controllers/selinux b/etc/kayobe/environments/ci-aio/inventory/group_vars/controllers/selinux
diff --git a/etc/kayobe/environments/ci-builder/globals.yml b/etc/kayobe/environments/ci-builder/globals.yml
@@ -7,9 +7,3 @@
 # OS distribution name. Valid options are "rocky", "ubuntu". Default is
 # "rocky".
 os_distribution: "{{ lookup('pipe', '. /etc/os-release && echo $ID') | trim }}"
-
-###############################################################################
-# SELinux.
-
-# Avoid a reboot.
-selinux_state: disabled
diff --git a/etc/kayobe/environments/ci-multinode/globals.yml b/etc/kayobe/environments/ci-multinode/globals.yml
@@ -60,11 +60,6 @@ os_release: >-
 stackhpc_write_barbican_role_id_to_file: true
 stackhpc_barbican_role_id_file_path: "/tmp/barbican-role-id"
 
-###############################################################################
-
-# Avoid a reboot.
-selinux_state: disabled
-
 ###############################################################################
 # Dummy variable to allow Ansible to accept this file.
 workaround_ansible_issue_8743: yes
diff --git a/etc/kayobe/pulp-host-image-versions.yml b/etc/kayobe/pulp-host-image-versions.yml
@@ -1,5 +1,6 @@
 ---
 # Overcloud host image versioning tags
 # These images must be in SMS, since they are used by our AIO CI runners
+# TODO: Rebuild with SELinux enabled
 stackhpc_rocky_9_overcloud_host_image_version: "2023.1-20240126T093158"
 stackhpc_ubuntu_jammy_overcloud_host_image_version: "2023.1-20240325T130221"
diff --git a/etc/kayobe/stackhpc-overcloud-dib.yml b/etc/kayobe/stackhpc-overcloud-dib.yml
@@ -23,7 +23,7 @@ stackhpc_overcloud_dib_name: "deployment_image"
 stackhpc_overcloud_dib_elements:
   - "{{ os_distribution }}-{% if os_distribution == 'rocky' %}container-stackhpc{% else %}minimal{% endif %}"
   - "cloud-init-datasources"
-  - "{% if os_distribution == 'rocky' %}disable-selinux{% endif %}"
+  - "{% if os_distribution == 'rocky' %}selinux-permissive{% endif %}"
   - "enable-serial-console"
   - "{% if kayobe_environment == 'ci-builder' %}etc-hosts{% endif %}"
   - "vm"
diff --git a/releasenotes/notes/selinux-host-image-ff0fed2583cae7b0.yaml b/releasenotes/notes/selinux-host-image-ff0fed2583cae7b0.yaml
@@ -0,0 +1,5 @@
+---
+upgrade:
+  - |
+    Enables SELinux in permissive mode in the overcloud host image. This
+    matches the default configuration for SELinux in StackHPC Kayobe Configuration.
