Fixes #10443 - added nova/glance/neutron rules #45
Conversation
|
Administrative note, please don't reference a closed + shipped ticket - create a new one and describe the issue. |
Not so sure about this one. The original patch did not actually fix the Later, |
|
The Redmine issue has shipped, please file a new issue for it. |
lzap
force-pushed
the
improv-openstack-7346
branch
from
dc89e99
to
9e68f1f
Compare
|
This patch introduces new foreman_allowed_port_t type for all Fixed issue reference. |
lzap
changed the title
| } | ||
|
|
||
| is_redhat_6() { | ||
| uname -r | grep -o el6 &>/dev/null |
There was a problem hiding this comment.
Are you aware of better way identifying RHEL version?
There was a problem hiding this comment.
test x$(rpm -q --whatprovides redhat-release --qf '%{version}') = x6 would be more standard I believe
|
Have you checked this builds on F19? |
lzap
force-pushed
the
improv-openstack-7346
branch
from
9e68f1f
to
0d20487
Compare
|
Not checked the build, checking. Amended the rhel6 test function. |
|
Ok it looks like I tested against newer versions of RHEL6, in koji it fails. The same for F19. I am going to change the strategy. Instead of quering for RHEL6 version in the enable script, I will query per port. If a port is not assigned (e.g. neutron) I will assign to |
|
In the policy, I'd do something like: for all ports. |
lzap
force-pushed
the
improv-openstack-7346
branch
from
0d20487
to
ea34214
Compare
|
Pushed the idea, untested. What you think? |
|
Not really sure where you're going with this - so there's now a boolean, but the port might also be in foreman_allowed_port_t? So to disable it you have to edit the port list and disable the boolean, as doing only one might just cause it to be allowed through the second.. |
|
Ok I get your point - boolean must work on all platform. For this reason, I will introduce Now, the solution with the We have a problem here - we build on RHEL 6.3 but some OpenStack bits were added in later versions (6.6). For this reason, I think I need to do a fallback solution - everything that is not defined in 6.3 we will re-assign into our own port type. |
lzap
force-pushed
the
improv-openstack-7346
branch
2 times, most recently
from
178ca72
to
e3967ce
Compare
|
Something like this (untested, does not yet build). |
|
FYI The code is just an idea, still building and finding what is defined and what not. |
lzap
force-pushed
the
improv-openstack-7346
branch
from
e3967ce
to
8586e4a
Compare
|
Ok I have amended and simplified everything. It turns out we only need two ports to let Foreman to work properly: 5000 and 8774 (http://docs.openstack.org/kilo/config-reference/content/firewalls-default-ports.html). Therefore I simplified everything and doublechecked what is defined in RHEL 6.3+ and in RHEL 7.0+. This is the result. I am going to test builds from Koji tomorrow. |
lzap
force-pushed
the
improv-openstack-7346
branch
from
8586e4a
to
f518d27
Compare
|
Ok this is ready for review. Works fine: http://koji.katello.org/koji/taskinfo?taskID=300056 |
|
@lzap ping ? |
lzap
force-pushed
the
improv-openstack-7346
branch
from
f518d27
to
dd9f8c8
Compare
|
Ok I have renamed the port type name to |
lzap
force-pushed
the
improv-openstack-7346
branch
2 times, most recently
from
aa04598
to
e52c71b
Compare
| assign_or_change_existing() { | ||
| if ! /usr/sbin/semanage port -E | grep -qEe "${1}.*-p (tcp|udp) ${2}"; then | ||
| if /usr/sbin/semanage port -E | grep -qEe "-p (tcp|udp) $2"; then | ||
| echo "port -m -t $1 -p tcp $2" |
There was a problem hiding this comment.
Is this ever needed? I don't see how it'd be called - might be worth losing it if we can, since semanage isn't particularly fast and we can save a few seconds of installation time.
There was a problem hiding this comment.
Resurrecting this one after some time, sorry for the delay. What you mean by that? Semanage is indeed slow as hell, but what can we do about it? We need to assign or change existing port, otherwise the policy won't be effective.
There was a problem hiding this comment.
I think I was asking, why have this code to run semanage and reassign ports? The two existing ports, elasticsearch and docker are both added every time around line 40, which works fine. It looks like there's no need to check if the port exists already.
There was a problem hiding this comment.
So the reasoning behind this is I expect this port to be introduced in SELinux core policy for RHEL6. Then this will cause a problem as you can't add an existing port number or range - you need explicitly to provide -m flag. This was coded as improvement for the future, I could perhaps extend this to the other two types. You have right point this makes things slower - typical semanage port call is about 1-2 seconds. I can perhaps store the list of ports once in a temp file and then grep it multiple times.
On the other hand, we are getting rid both of docker and elasticsearch quite soon. I can perhaps just file a ticket to make this faster. Or I can completely drop this helper and we can solve this as we hit it (if we hit it).
There was a problem hiding this comment.
To be fair, I need to say that the function is not ideal, it has problems with port ranges - wont work for overlapping ranges.
There was a problem hiding this comment.
So the reasoning behind this is I expect this port to be introduced in SELinux core policy for RHEL6. Then this will cause a problem as you can't add an existing port number or range - you need explicitly to provide -m flag
If the port's added to the base policy then I don't think this will work, because semanage -E is only going to list ports that customisable (i.e. the ones we add, not base policy ones). It's always going to be empty, and always go to the port -a case.
I do vaguely remember there being the possibility of a conflict with base policy, but I can't reproduce it on EL7 at the moment - it seems to let me redefine a port in base policy. Possibly the reverse isn't true, that if there's a port and base policy adds the same, it fails - but I don't have evidence for it.
Or I can completely drop this helper and we can solve this as we hit it (if we hit it).
I'd suggest this for now.
lzap
force-pushed
the
improv-openstack-7346
branch
from
e52c71b
to
0848bac
Compare
|
I have rebased this patch, please elaborate on that comment I don't understand what your concerns are. |
lzap
force-pushed
the
improv-openstack-7346
branch
from
0848bac
to
aabc8a4
Compare
|
Removed the helper, now it should be fast. |
| @@ -25,6 +29,10 @@ do | |||
| /usr/sbin/semanage port -E | grep -q docker_port_t || \ | |||
| echo "port -a -t docker_port_t -p tcp 2375-2376" >> $TMP | |||
|
|
|||
| if is_redhat_6; then | |||
| echo "port -a -t foreman_osapi_compute_port_t -p tcp 8774" >> $TMP | |||
There was a problem hiding this comment.
The same semanage port -E check is needed here to skip the step if it's already defined (on EL6), else running this script multiple times will result in errors:
# /usr/sbin/foreman-selinux-enable /usr/sbin/semanage: Port tcp/8774 already defined # echo $? 1
The code I wanted removed was only the modification stuff.
There was a problem hiding this comment.
Ok added, note I am not adding TMP_PORTS improvement in this patch, I will rebase the other one and add it here once we merge this one.
This patch introduces new type for missing OpenStack port Compute (Nova). Also introduces helper function in the enable script which is now the most sane way of adding ports - if a port number is already defined, it uses `-m` option to redefine it.
lzap
force-pushed
the
improv-openstack-7346
branch
from
aabc8a4
to
d0076b8
Compare
Ok I've missed several other ports. The discussion is in the linked BZ.
There is one snag - the commented macro is missing in RHEL6 and we need to,
once again, define our own port. It will likely cause issues because I expect
this one to be introduced in RHEL6. I need to find a way how to deal with this
first. Then let's get back to this.