Manage sebooleans in MachineConfig

[runcom]

As for Kargs,FIPS and osImageURL, we would need a way to set selinux booleans through an MC (and maybe later on with a dedicated controller+CRD).

Acceptance criteria:

• Verify the MachineConfig object as a field to sebooleans
• Verify the MCD knows how to apply and reconcile them
• Verify sebooleans are applied at early pivot as well

[miminar]

Also some applications like SAP Data Hub need to turn on booleans like virt_use_nfs to enable its own NFS server on top of k8s/OCP.

[runcom]

diff --git a/pkg/apis/machineconfiguration.openshift.io/v1/types.go b/pkg/apis/machineconfiguration.openshift.io/v1/types.go
index 1cc2482e..b7f2ae8b 100644
--- a/pkg/apis/machineconfiguration.openshift.io/v1/types.go
+++ b/pkg/apis/machineconfiguration.openshift.io/v1/types.go
@@ -231,6 +231,14 @@ type MachineConfigSpec struct {
        Config igntypes.Config `json:"config"`
 
        KernelArguments []string `json:"kernelArguments"`
+
+       Sebooleans []Sebool `json:"sebooleans"`
+}
+
+type Sebool struct {
+       Name       string
+       Persistent bool
+       State      bool
 }
 
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

The MCD will know how to set those (need to play with rhcos with these) using get|setsebool [-P]

[cgwalters]

Note this will also really require fixing ostreedev/ostree#1026

[runcom]

Note this will also really require fixing ostreedev/ostree#1026

oh nice

(need to play with rhcos with these)

:D

[ashcrow]

Also some applications like SAP Data Hub need to turn on booleans like virt_use_nfs to enable its own NFS server on top of k8s/OCP.

FWIW we turn this on today in RHCOS. Though I'm 👍 on having MCO be able to configure thins on the host.

[cgwalters]

Related to this, we should probably offer:

selinux: permissive|disabled (default enforcing)

And the MCD should watch for audit notifications of enforcement changes and reconcile (someone doing setenforce 0 would quickly get overruled).

[tylerauerbeck]

Has there been any movement on this?

[cgwalters]

If you want to do this today, the workaround is to ship a systemd unit that does ExecStart=/usr/sbin/setsebool and is Before=kubelet.service etc.

[cgwalters]

Also, if going the systemd route a recommendation is to not use -P so that dropping the unit from the MC will naturally revert the system. This will also avoid triggering ostreedev/ostree#1026

[openshift-bot]

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

[avisiedo]

+1 We were investigating how to enable some sebool by using a MachineConfig, and the way we found was using a MachineConfig with a systemd unit; this feature would make sebool management easier and more intuitive.

[JAORMX]

We did a demo on exposing SELinux policies to kubernetes via an operator. While that won't be worked on this release, it could start making sense to bring in this functionality to that operator. With the work that's going on about letting the MCO do certain updates without requiring reboots, I'm thinking it would then be possible to just base the operator on top of MCO.

[openshift-bot]

Stale issues rot after 30d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle rotten
/remove-lifecycle stale

[travier]

/lifecycle frozen