[ClusterLabs] Possible intrusive change in bundles for 2.0.3

Ken Gaillot kgaillot at redhat.com
Fri Jun 7 12:54:48 EDT 2019


On Fri, 2019-06-07 at 16:19 +0000, Hayden,Robert wrote:
> Thanks
> Robert
> 
> Robert Hayden | Sr. Technology Architect | Cerner Corporation |
> 
> > -----Original Message-----
> > From: Users <users-bounces at clusterlabs.org> On Behalf Of Ken Gaillot
> > Sent: Thursday, June 6, 2019 5:35 PM
> > To: Cluster Labs - All topics related to open-source clustering welcomed
> > <users at clusterlabs.org>
> > Subject: [ClusterLabs] Possible intrusive change in bundles for 2.0.3
> > 
> > Hi all,
> > 
> > It has been discovered that newer versions of selinux-policy prevent
> > bundles in pacemaker 2.0 from logging. I have a straightforward fix, but
> > it means that whenever a cluster is upgraded from pre-2.0.3 to 2.0.3 or
> > later, all active bundles will restart once the last older node leaves
> > the cluster.
> 
> Is this cluster restart only when crossing the 2.0.3 release?  Or for
> each minor after the 2.0.3?

It would only be for crossing 2.0.3. Only bundle resources are
affected, not all resources in the cluster.

> Rolling upgrades are ideal and much easier to justify getting
> maintenance windows scheduled.
> 
> > 
> > This is because the fix passes the "Z" mount flag to docker or podman,
> > which tells them to create a custom SELinux policy for the bundle's
> > container and log directory. This is the easiest and most restrictive
> > solution.
> > 
> > An alternative approach would be for pacemaker to start delivering its
> > own custom SELinux policy as a separate package. The policy would allow
> > all pacemaker-launched containers to access all of
> > /var/log/pacemaker/bundles, which is a bit broader access (not to
> > mention more of a pain to maintain over the longer term). This would
> > avoid the restart.
> > 
> > I'm leaning to the in-code solution, but I want to ask if anyone thinks
> > the bundle restarts on upgrade are a deal-breaker for a minor-minor
> > release, and would prefer the packaged policy solution.
> 
> I am not 100% sure of the configuration you are referring to with
> bundles.

It's a relatively new type of pacemaker resource for running containers
along with the IP addresses/ports and exported directories they need.
No other resources would be affected.

> Overall, I would prefer the SELinux policy to be a separate package, or
> incorporated into the main SELinux policies as a Boolean. Seems to me to
> be a better long term solution, albeit painful.
-- 
Ken Gaillot <kgaillot at redhat.com>
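As an added illustration of the in-code fix discussed above (example code, not pacemaker's own), this builds the docker/podman `-v` arguments for one bundle replica with and without the `Z` relabel option; the mapping tuple format, the helper names and the `/var/log` mount target for the bundle log directory are assumptions made for the example. Because the launch command changes, a running container started with the old arguments no longer matches, which is the restart the thread describes.

```python
"""Added example: how the ':Z' option changes a bundle's volume specs.
Assumed (not from the thread): mappings are (source_dir, target_dir, options)
tuples; the per-replica log directory is mounted at /var/log in the container."""


def parse_volume_spec(spec):
    """Split 'src:dst[:opts]' into (src, dst, [opts...])."""
    parts = spec.split(":")
    if len(parts) not in (2, 3):
        raise ValueError(f"bad volume spec: {spec!r}")
    opts = parts[2].split(",") if len(parts) == 3 and parts[2] else []
    return parts[0], parts[1], opts


def relabel_mode(spec):
    """'Z' = private per-container label, 'z' = shared label, None = untouched."""
    _, _, opts = parse_volume_spec(spec)
    if "Z" in opts:
        return "Z"
    if "z" in opts:
        return "z"
    return None


def with_private_label(spec):
    """Append ':Z' unless the spec already asks for SELinux relabeling."""
    src, dst, opts = parse_volume_spec(spec)
    if "Z" in opts or "z" in opts:
        return spec
    return f"{src}:{dst}:{','.join(opts + ['Z'])}"


def bundle_volume_args(bundle, replica, mappings, private_label=True):
    """Build the '-v' arguments for one replica, log directory included.
    private_label=False reproduces the pre-fix command line."""
    log_dir = f"/var/log/pacemaker/bundles/{bundle}-{replica}"  # assumed layout
    specs = [f"{log_dir}:/var/log"]
    specs += [f"{src}:{dst}" + (f":{opts}" if opts else "") for src, dst, opts in mappings]
    if private_label:
        specs = [with_private_label(s) for s in specs]
    args = []
    for spec in specs:
        args += ["-v", spec]
    return args


if __name__ == "__main__":
    # Constructed sample mappings for an imaginary bundle named "app".
    mappings = [("/srv/app/data", "/data", "rw"), ("/etc/app", "/etc/app", "ro")]
    print("before:", " ".join(bundle_volume_args("app", 0, mappings, private_label=False)))
    print("after: ", " ".join(bundle_volume_args("app", 0, mappings)))
```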