Additional documentation for rsync distributors

re #2199 https://pulp.plan.io/issues/2199
pulp · Aug 31, 2016 · 58657ea · 58657ea
1 parent e8397ee
commit 58657ea
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 5 deletions.
diff --git a/docs/tech-reference/iso-rsync-distributor.rst b/docs/tech-reference/iso-rsync-distributor.rst
@@ -9,6 +9,13 @@ ssh to perform the file transfer.
 
 Configuration
 =============
+Pulp's SELinux policy includes a ``pulp_manage_rsync`` boolean. When enabled, the
+``pulp_manage_rsync`` boolean allows Pulp to use rsync and make ssh connections. The boolean is
+disabled by default. The ISO Rsync distributor will fail to publish with SELinux Enforcing unless
+the boolean is enabled. To enable it, you can do this::
+
+    $ sudo semanage boolean --modify --on pulp_manage_rsync
+
 Here is an example iso_rsync_distributor configuration::
 
     {
@@ -37,8 +44,13 @@ The ``distributor_config`` contains a ``remote`` section with the following sett
   The ssh user for remote server.
 
 ``ssh_identity_file``
-  Absolute path to the private key that will be used as the identity file for ssh. The key has to
-  be readable by user ``apache``.
+  Absolute path to the private key that will be used as identity file for ssh. The key must be
+  owned by user ``apache`` and must not be readable by other users. If the POSIX are too loose,
+  the SSH application will refuse to use the key. Additionally, if SELinux is Enforcing, Pulp
+  requires the key to be labeled with the ``httpd_sys_content_t`` SELinux context. This can be
+  applied to the file with::
+
+    $ sudo chcon -t httpd_sys_content_t  /path/to/ssh_identity_file
 
 ``host``
   The hostname of the remote server.

diff --git a/docs/tech-reference/rsync-distributor.rst b/docs/tech-reference/rsync-distributor.rst
@@ -9,6 +9,13 @@ ssh to perform the file transfer.
 
 Configuration
 =============
+Pulp's SELinux policy includes a ``pulp_manage_rsync`` boolean. When enabled, the
+``pulp_manage_rsync`` boolean allows Pulp to use rsync and make ssh connections. The boolean is
+disabled by default. The RPM Rsync distributor will fail to publish with SELinux Enforcing unless
+the boolean is enabled. To enable it, you can do this::
+
+    $ sudo semanage boolean --modify --on pulp_manage_rsync
+
 Here's an example of rpm_rsync_distributor configuration::
 
     {
@@ -37,9 +44,13 @@ The ``distributor_config`` contains a ``remote`` section made up of the followin
   ssh user for remote server
 
 ``ssh_identity_file``
-  Absolute path to the private key that will be used as the identity file for ssh. The key must be
-  owned by user ``apache`` and must not be readable by other users. (If key permissions are too lax,
-  the SSH application will refuse to use the key.)
+  Absolute path to the private key that will be used as identity file for ssh. The key must be
+  owned by user ``apache`` and must not be readable by other users. If the POSIX are too loose,
+  the SSH application will refuse to use the key. Additionally, if SELinux is Enforcing, Pulp
+  requires the key to be labeled with the ``httpd_sys_content_t`` SELinux context. This can be
+  applied to the file with::
+
+    $ sudo chcon -t httpd_sys_content_t  /path/to/ssh_identity_file
 
 ``host``
   The hostname of the remote server.