Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Adding SELinux Documentation #900

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Adding SELinux Documentation #900

wants to merge 1 commit into from

Conversation

cniackz
Copy link
Contributor

@cniackz cniackz commented Apr 13, 2024
edited

Objective:

When resuming or suspending a drive in an OpenShift cluster, we may encounter a relabel issue. Various solutions exist for this problem, but here I am documenting the one we believe to be the best approach.

@cniackz cniackz self-assigned this Apr 13, 2024
@cniackz cniackz added the documentation Improvements or additions to documentation label Apr 13, 2024
@cniackz cniackz requested a review from ravindk89 April 13, 2024 18:58
@cniackz
Copy link
Contributor Author

cniackz commented Apr 13, 2024
edited

NET:[VulnCheck / Analysis (pull_request) ] fix is on #901

ravindk89
ravindk89 reviewed Apr 13, 2024
View reviewed changes
docs/volume-management.md
pools:
- containerSecurityContext:
seLinuxOptions:
type: spc_t
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a consequence to setting this at initial setup? E.g. should the operator simply do this in general?

balamurugana
balamurugana reviewed Apr 14, 2024
View reviewed changes
docs/volume-management.md
@@ -172,3 +172,18 @@ Suspended volumes can be resumed once they are fixed. Upon resuming, the corresp
```sh
> kubectl directpv resume volumes --nodes node-1 --drives dm-3
```

## SELinux in OpenShift:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This section should be in https://github.com/minio/directpv/blob/master/docs/openshift.md

docs/volume-management.md

## SELinux in OpenShift:

If you encounter the `relabel failed` error after executing the `suspend` or `resume` commands, you should set `spc_t` at the Tenant level Specification, as demonstrated below:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  1. Do we have version information of openshift like > v4.12?
  2. Pods using suspended drives/volumes fail due to kubelet try to do selinux relabeling because of lsetxattr syscall fails on read-only filesystem. This issue would occur on any pod consuming suspended volume not limiting to MinIO Tenant pods. We would need to cover this information as well.

@Praveenrajmani
Copy link
Collaborator

PTAL @cniackz

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@balamurugana balamurugana balamurugana left review comments

@ravindk89 ravindk89 ravindk89 left review comments

@Praveenrajmani Praveenrajmani Awaiting requested review from Praveenrajmani

@harshavardhana harshavardhana Awaiting requested review from harshavardhana

At least 2 approving reviews are required to merge this pull request.

Assignees

@cniackz cniackz

Labels
documentation Improvements or additions to documentation
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@cniackz @Praveenrajmani @balamurugana @ravindk89