yoga host image selinux #790
Conversation
markgoddard
commented
Nov 15, 2023
- RL9: Set SELinux to permissive mode in the standard overcloud host image
- RL9: Use Pulp repo snapshots when building overcloud host image
From the Zed release, Kayobe changes its default SELinux mode from disabled to permissive. Changing SELinux from disabled to permissive mode requires a reboot, so it's best to include the correct mode in the image. This change is proposed to the Yoga branch because that is the point of the RL9 migration, when it is most convenient to make this change. Doing so requires a backport of the Kayobe patch supporting SELinux modes, and for Kayobe config to set selinux_mode to permissive (we would not change the default config in a backport).
Retries have been added to the stackhpc.pulp collection to improve reliability. Adding the same here.
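The description's point is that a host whose running SELinux state differs from the mode in /etc/selinux/config needs a reboot to converge, which is why the mode is baked into the image. The script below, an added example and not code from this PR or from stackhpc-kayobe-config, makes that check explicit: it reads the configured mode from a config file, the running mode from sestatus output ("SELinux status" and "Current mode"), and reports whether the host is already converged, can be switched live with setenforce, or needs a reboot. The function names, the sample config files and the sestatus text are constructed for the example.

```shell
#!/bin/sh
# Added example: not code from this PR or from stackhpc-kayobe-config.
# Works out whether a host needs a reboot to reach the SELinux mode in its
# /etc/selinux/config, from the fields sestatus prints. Function names, the
# sample config files and the sestatus text are constructed for this example.

# Print the SELINUX= value (lowercased) from an /etc/selinux/config style
# file, or "unset" when no such line exists. Comments and surrounding
# whitespace are ignored; the last assignment in the file wins.
selinux_config_mode() {
    mode=$(sed -n 's/^[[:space:]]*SELINUX[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*$/\1/p' "$1" | tail -n 1)
    if [ -z "$mode" ]; then
        echo unset
    else
        printf '%s\n' "$mode" | tr 'A-Z' 'a-z'
    fi
}

# Print one field of sestatus output read from stdin, e.g.
#   sestatus | sestatus_field 'Current mode'
sestatus_field() {
    sed -n "s/^$1:[[:space:]]*\(.*\)$/\1/p" | head -n 1
}

# Given the configured mode and the running mode, print what it takes to
# converge on the configured one:
#   ok          already in the configured mode
#   setenforce  enforcing <-> permissive, switchable at runtime
#   reboot      any transition involving disabled (the policy is loaded at boot)
#   unknown     the config file does not set a mode
selinux_transition() {
    configured=$1
    running=$2
    if [ "$configured" = unset ]; then
        echo unknown
    elif [ "$configured" = "$running" ]; then
        echo ok
    else
        case "$configured:$running" in
            enforcing:permissive|permissive:enforcing) echo setenforce ;;
            *) echo reboot ;;
        esac
    fi
}

# Combine both: sestatus text on stdin, config file as the argument. When
# SELinux is disabled sestatus prints no "Current mode" line, so that case is
# taken from "SELinux status" instead.
host_selinux_action() {
    status=$(cat)
    if [ "$(printf '%s\n' "$status" | sestatus_field 'SELinux status')" = disabled ]; then
        running=disabled
    else
        running=$(printf '%s\n' "$status" | sestatus_field 'Current mode')
    fi
    selinux_transition "$(selinux_config_mode "$1")" "$running"
}

# Constructed sample inputs (not captured from a real host).
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
printf '# This file controls the state of SELinux on the system.\nSELINUX=permissive\nSELINUXTYPE=targeted\n' > "$workdir/permissive.conf"
printf 'SELINUX=disabled\nSELINUXTYPE=targeted\n' > "$workdir/disabled.conf"
printf 'SELINUXTYPE=targeted\n' > "$workdir/nomode.conf"

# A host built with SELinux permissive, in the shape sestatus prints.
SAMPLE_SESTATUS_ENABLED='SELinux status:                 enabled
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive'

# A host built with the disable-selinux element, then given SELINUX=permissive
# in its config without a reboot.
SAMPLE_SESTATUS_DISABLED='SELinux status:                 disabled'

printf '%s\n' "$SAMPLE_SESTATUS_ENABLED" | host_selinux_action "$workdir/permissive.conf"    # ok
printf '%s\n' "$SAMPLE_SESTATUS_DISABLED" | host_selinux_action "$workdir/permissive.conf"   # reboot
```

On a real host the same check is `sestatus | host_selinux_action /etc/selinux/config`; a result of `reboot` on a freshly deployed host is exactly the case the image-side element is meant to avoid.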
# DIB_YUM_MINIMAL_BOOTSTRAP_REPOS: /path/to/dir/containing/dib-mirror-*.repo | ||
# On Rocky Linux 9, use the host's repo files. | ||
# These will have been configured to point to Test Pulp repo snapshots during the 'host configure' step. | ||
# FIXME: This assumes we are building on RL9, which may not be the case. |
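Review bot: the FIXME on the last line names the assumption but not its consequence; say what a non-RL9 builder actually gets (diskimage-builder's default upstream repos rather than the Pulp snapshots) so a reader knows such an image is not reproducible against a snapshot. The commented example above it also shows a directory containing only `dib-mirror-*.repo` files, whereas the new text says "use the host's repo files", i.e. every repo on the builder, including any not written by 'host configure'; a dedicated directory holding only the snapshot .repo files would keep unrelated builder repos out of the image.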
On yoga we use the CS8 builder runners: https://github.com/stackhpc/stackhpc-kayobe-config/blob/stackhpc/yoga/.github/workflows/overcloud-host-image-build.yml#L42
We do switch to RL9 for Zed though: https://github.com/stackhpc/stackhpc-kayobe-config/blob/stackhpc/zed/.github/workflows/overcloud-host-image-build.yml#L30
Right - we could make it work for CS8 too, but thought I'd focus on the future :)
# On Rocky Linux 9, use the host's repo files. | ||
# These will have been configured to point to Test Pulp repo snapshots during the 'host configure' step. | ||
# FIXME: This assumes we are building on RL9, which may not be the case. | ||
DIB_YUM_MINIMAL_BOOTSTRAP_REPOS: "{% if os_distribution == 'rocky' and os_release == '9' %}/etc/yum.repos.d/{% endif %}" |
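Review bot: the Jinja expression on the last line renders to an empty string on anything other than Rocky 9, so the variable is still exported, just empty, rather than left unset; check that diskimage-builder treats an empty DIB_YUM_MINIMAL_BOOTSTRAP_REPOS the same as an absent one, or put the conditional around the whole key instead of its value. As the later comment in this thread says, the variable is honoured by the yum-minimal element while the container-stackhpc element used for Rocky in the elements list depends on yum, so as written the setting has no effect on the very Rocky 9 path it is gated on.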
Unfortunately this didn't work:
cat /etc/rocky-release
Rocky Linux release 9.3 (Blue Onyx)
Because DIB_YUM_MINIMAL_BOOTSTRAP_REPOS works for yum-minimal element, but rocky-container depends on yum element - working on it.
@@ -23,7 +23,7 @@ stackhpc_overcloud_dib_name: "deployment_image" | |||
stackhpc_overcloud_dib_elements: | |||
- "{{ os_distribution }}-{% if os_distribution == 'rocky' %}container-stackhpc{% else %}minimal{% endif %}" | |||
- "cloud-init-datasources" | |||
- "{% if os_distribution in ['centos', 'rocky'] %}disable-selinux{% endif %}" | |||
- "{% if os_distribution == 'rocky' and os_release == '9' %}selinux-permissive{% elif os_distribution in ['centos', 'rocky'] %}disable-selinux{% endif %}" |
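Review bot: the condition `os_distribution == 'rocky' and os_release == '9'` on the last line is the same one used to gate DIB_YUM_MINIMAL_BOOTSTRAP_REPOS; factor it into one variable (a boolean for "this is an RL9 image") so the two cannot drift. The string equality is also brittle: if os_release is ever a point release such as '9.3' (the builder's own release string in this thread), the test fails and the image silently falls back to disable-selinux, so compare the major version instead. Finally, CentOS and Rocky 8 images keep disable-selinux, so the reboot-on-first-configure problem the description describes still applies to them; if that is intended, say so in a comment beside the element.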
This part did work:
sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: permissive
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33
Should we try to finish merging this?
It would be a good change to have. Currently we can't use the ARC runner cluster for host image build jobs, so we'd need to either get that working or spin up a separate runner VM.
@Alex-Welsh is going to look at getting image builds working on ARC.
ARC builds are now working! However by "working" I just mean that something builds. There are various issues still present e.g. the Rocky 8 image just builds as Rocky 9 at the moment.
@@ -19,6 +19,9 @@ | |||
name: "{{ repository_name }}_{{ promotion_tag }}" | |||
base_path: "{{ base_path }}/{{ promotion_tag }}" | |||
register: distribution_details | |||
until: distribution_details is success |
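Review bot: `until: distribution_details is success` on the last line has no `retries` or `delay`, so Ansible's defaults of 3 retries at 5-second intervals apply; make them explicit (for example `retries: 5` and `delay: 10`) and consider exposing them as variables so they match the retries the description says were added to stackhpc.pulp. Note that a task that still fails after the retries are exhausted fails the play as before, so this only smooths over transient Pulp errors; a permanent error is simply retried a few times first.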
Pulled out this stuff into #1031
@markgoddard Let's close this one?