[ClusterLabs] Possible intrusive change in bundles for 2.0.3

Hayden,Robert RHAYDEN at CERNER.COM
Fri Jun 7 12:19:51 EDT 2019


Thanks
Robert

Robert Hayden | Sr. Technology Architect | Cerner Corporation |

> -----Original Message-----
> From: Users <users-bounces at clusterlabs.org> On Behalf Of Ken Gaillot
> Sent: Thursday, June 6, 2019 5:35 PM
> To: Cluster Labs - All topics related to open-source clustering welcomed
> <users at clusterlabs.org>
> Subject: [ClusterLabs] Possible intrusive change in bundles for 2.0.3
>
> Hi all,
>
> It has been discovered that newer versions of selinux-policy prevent bundles
> in pacemaker 2.0 from logging. I have a straightforward fix, but it means that
> whenever a cluster is upgraded from pre-2.0.3 to
> 2.0.3 or later, all active bundles will restart once the last older node leaves
> the cluster.

Is this cluster restart only when crossing the 2.0.3 release?  Or for each minor after the 2.0.3?
Rolling upgrades are ideal and much easier to justify getting maintenance windows
scheduled.

>
> This is because the fix passes the "Z" mount flag to docker or podman, which
> tells them to create a custom SELinux policy for the bundle's container and
> log directory. This is the easiest and most restrictive solution.
>
> An alternative approach would be for pacemaker to start delivering its own
> custom SELinux policy as a separate package. The policy would allow all
> pacemaker-launched containers to access all of
> /var/log/pacemaker/bundles, which is a bit broader access (not to mention
> more of a pain to maintain over the longer term). This would avoid the
> restart.
>
> I'm leaning to the in-code solution, but I want to ask if anyone thinks the
> bundle restarts on upgrade are a deal-breaker for a minor-minor release, and
> would prefer the packaged policy solution.

I am not 100% sure of the configuration you are referring to with bundles.
Overall, I would prefer the SELinux policy to be a separate package, or incorporated into the
main SELinux policies as a Boolean.  Seems to me to be a better long term solution,
albeit painful.

> --
> Ken Gaillot <kgaillot at redhat.com>
>
> _______________________________________________
> Manage your subscription:
> https://lists.clusterlabs.org/mailman/listinfo/users
>
> ClusterLabs home: https://www.clusterlabs.org/
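The "Z" volume option Ken describes works by relabeling the bind-mounted host directory as container_file_t with the same pair of MCS categories the container process was started with (for example s0:c123,c456), so only that container can reach it; the lowercase "z" option relabels it as container_file_t:s0 with no categories, which every container on the host can reach. The script below is an added example, not code from pacemaker, docker or podman: it parses SELinux contexts of the form `ps -eZ` and `ls -dZ DIR` print, applies the MCS dominance rule, and reports for a bundle's log directory whether its container can write there and whether the directory is private to it. The labels in SAMPLES are constructed, the var_log_t sample is an assumed default label for an unrelabeled directory under /var/log, and the type check is reduced to the single container_t / container_file_t rule (the real policy is broader); nothing on the running host is inspected.

```python
"""Classify a bundle's bind-mounted log directory by SELinux label.

Added example, not pacemaker/docker/podman code.  Inputs are context
strings as printed by `ps -eZ` (process) and `ls -dZ DIR` (directory).
Assumes a single sensitivity (containers run at s0); MLS ranges such as
s0-s0 are not handled.
"""
from dataclasses import dataclass
from typing import FrozenSet


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type: str
    sensitivity: str
    categories: FrozenSet[str]

    @classmethod
    def parse(cls, label: str) -> "Context":
        """Parse 'user:role:type:s0' or 'user:role:type:s0:c1,c5.c9'."""
        fields = label.strip().split(":")
        if len(fields) not in (4, 5):
            raise ValueError(f"unexpected context: {label!r}")
        cats = set()
        if len(fields) == 5:
            for item in fields[4].split(","):
                if "." in item:  # category range, e.g. c0.c3
                    lo, hi = (int(x[1:]) for x in item.split("."))
                    cats.update(f"c{i}" for i in range(lo, hi + 1))
                else:
                    cats.add(item)
        return cls(fields[0], fields[1], fields[2], fields[3], frozenset(cats))


def mcs_dominates(process: Context, target: Context) -> bool:
    """MCS dominance: the process must carry every category the object
    carries.  A directory with no categories is reachable by every
    container; one labeled c123,c456 only by a container run with
    (at least) those two."""
    return (process.sensitivity == target.sensitivity
            and target.categories <= process.categories)


def type_allows(process: Context, target: Context) -> bool:
    """Type enforcement reduced to the one rule that matters here:
    container_t may access container_file_t.  Other pairs are treated
    as denied (simplification; the real policy is larger)."""
    return process.type == "container_t" and target.type == "container_file_t"


def classify_log_dir(process_label: str, dir_label: str) -> str:
    """'private' (':Z' relabel, only this container's categories),
    'shared' (reachable by this container but not exclusive to it),
    or 'denied'."""
    proc = Context.parse(process_label)
    d = Context.parse(dir_label)
    if not (type_allows(proc, d) and mcs_dominates(proc, d)):
        return "denied"
    return "private" if d.categories == proc.categories else "shared"


# Constructed sample labels (shape of `ps -eZ` / `ls -dZ` output).
BUNDLE_CONTAINER = "system_u:system_r:container_t:s0:c123,c456"
OTHER_CONTAINER = "system_u:system_r:container_t:s0:c7,c8"
SAMPLES = {
    "no relabel (assumed default var_log_t)": "system_u:object_r:var_log_t:s0",
    "mount with :z (shared)": "system_u:object_r:container_file_t:s0",
    "mount with :Z (private)": "system_u:object_r:container_file_t:s0:c123,c456",
}


def report() -> dict:
    """Verdict per sample directory for the bundle's own container and for
    an unrelated container on the same host."""
    return {name: (classify_log_dir(BUNDLE_CONTAINER, label),
                   classify_log_dir(OTHER_CONTAINER, label))
            for name, label in SAMPLES.items()}


if __name__ == "__main__":
    for name, (own, other) in report().items():
        print(f"{name:42s} own={own:8s} other={other}")
```

The last row is the point of the "most restrictive" remark in the quoted message: the ":Z" directory is writable by the bundle's own container and denied to any other container, whereas a packaged policy granting all pacemaker-launched containers access to /var/log/pacemaker/bundles behaves like the ":z" row for every bundle.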



