Openshift-ansible: virt_sandbox_use_nfs boolean not reconized, breaks install

Created on 13 Aug 2016  路  11Comments  路  Source: openshift/openshift-ansible

The problem is the same of "virt_sandbox_use_nfs boolean may not be available, breaks install #2161"

Working on Fedora 24 for all nodes
The install breaks in file
openshift-ansible/playbooks/byo/openshift-cluster/roles/openshift_node/tasks/storage_plugins/nfs.yml

Seems that setting virt_sandbox_use_nfs give some error.

What can I do to complete Install?

I also added a debug line and all seems correct. The lines 20-34 now are:

- name: Check for existence of virt_sandbox_use_nfs seboolean
  command: getsebool virt_sandbox_use_nfs
  register: virt_sandbox_use_nfs_output
  when: ansible_selinux and ansible_selinux.status == "enabled"
  failed_when: false
  changed_when: false

- debug: var=virt_sandbox_use_nfs_output

- name: Set seboolean to allow nfs storage plugin access from containers(sandbox)
  seboolean:
    name: virt_sandbox_use_nfs
    state: yes
    persistent: yes
  when: ansible_selinux and ansible_selinux.status == "enabled" and virt_sandbox_use_nfs_output.rc == 0

Output is:

TASK [openshift_node : Check for existence of virt_sandbox_use_nfs seboolean] **
ok: [OsO5.oso.net]
ok: [OsO3.oso.net]
ok: [OsO4.oso.net]

TASK [openshift_node : debug] **************************************************
ok: [OsO3.oso.net] => {
    "virt_sandbox_use_nfs_output": {
        "changed": false, 
        "cmd": [
            "getsebool", 
            "virt_sandbox_use_nfs"
        ], 
        "delta": "0:00:00.002776", 
        "end": "2016-08-13 07:52:24.033134", 
        "failed": false, 
        "failed_when_result": false, 
        "rc": 0, 
        "start": "2016-08-13 07:52:24.030358", 
        "stderr": "", 
        "stdout": "virt_use_nfs --> on", 
        "stdout_lines": [
            "virt_use_nfs --> on"
        ], 
        "warnings": []
    }
}
ok: [OsO4.oso.net] => {
    "virt_sandbox_use_nfs_output": {
        "changed": false, 
        "cmd": [
            "getsebool", 
            "virt_sandbox_use_nfs"
        ], 
        "delta": "0:00:00.008955", 
        "end": "2016-08-13 07:52:24.052029", 
        "failed": false, 
        "failed_when_result": false, 
        "rc": 0, 
        "start": "2016-08-13 07:52:24.043074", 
        "stderr": "", 
        "stdout": "virt_use_nfs --> on", 
        "stdout_lines": [
            "virt_use_nfs --> on"
        ], 
        "warnings": []
    }
}
ok: [OsO5.oso.net] => {
    "virt_sandbox_use_nfs_output": {
        "changed": false, 
        "cmd": [
            "getsebool", 
            "virt_sandbox_use_nfs"
        ], 
        "delta": "0:00:00.009240", 
        "end": "2016-08-13 07:52:23.952766", 
        "failed": false, 
        "failed_when_result": false, 
        "rc": 0, 
        "start": "2016-08-13 07:52:23.943526", 
        "stderr": "", 
        "stdout": "virt_use_nfs --> on", 
        "stdout_lines": [
            "virt_use_nfs --> on"
        ], 
        "warnings": []
    }
}

TASK [openshift_node : Set seboolean to allow nfs storage plugin access from containers(sandbox)] ***
fatal: [OsO4.oso.net]: FAILED! => {"changed": false, "failed": true, "msg": "SELinux boolean virt_sandbox_use_nfs does not exist."}
fatal: [OsO3.oso.net]: FAILED! => {"changed": false, "failed": true, "msg": "SELinux boolean virt_sandbox_use_nfs does not exist."}
fatal: [OsO5.oso.net]: FAILED! => {"changed": false, "failed": true, "msg": "SELinux boolean virt_sandbox_use_nfs does not exist."}
kinbug prioritP2
Source
picture MirtoBusico

Most helpful comment

So, I stumbled on this too, and sent a patch to ansible to fix the problem: https://github.com/ansible/ansible-modules-core/pull/4570

picture mscherer on 26 Aug 2016
👍2

All 11 comments

Closed for error

I forgot to say that the two boolean are defined and on

Output:

[root@oso2 storage_plugins]# getsebool virt_use_nfs;getsebool virt_sandbox_use_nfs
virt_use_nfs --> on
virt_use_nfs --> on
MirtoBusico picture MirtoBusico on 13 Aug 2016

We'll need to account for this difference when checking for these booleans.

[root@fedora ~]# getsebool virt_sandbox_use_nfs
virt_use_nfs --> off

[root@rhel ~]# getsebool virt_sandbox_use_nfs
virt_sandbox_use_nfs --> on
abutcher picture abutcher on 15 Aug 2016

@abutcher for 3.2+, I don't think virt_sandbox_use_nfs is even needed.

detiber picture detiber on 15 Aug 2016

@detiber Are you cool with removing it then? Works for me.

abutcher picture abutcher on 15 Aug 2016

@abutcher We might need to ensure a version of the selinux policy >= a certain version just to be safe.

detiber picture detiber on 15 Aug 2016

I encountered the same problem:

TASK [openshift_node : Set seboolean to allow nfs storage plugin access from containers(sandbox)] ***
fatal: [osc-master.dev]: FAILED! => {"changed": false, "failed": true, "msg": "SELinux boolean virt_sandbox_use_nfs does not exist."}
fatal: [osc-node2.dev]: FAILED! => {"changed": false, "failed": true, "msg": "SELinux boolean virt_sandbox_use_nfs does not exist."}
fatal: [osc-node3.dev]: FAILED! => {"changed": false, "failed": true, "msg": "SELinux boolean virt_sandbox_use_nfs does not exist."}
fatal: [osc-node4.dev]: FAILED! => {"changed": false, "failed": true, "msg": "SELinux boolean virt_sandbox_use_nfs does not exist."}

Removal of the appropriate part of the openshift-ansible/playbooks/byo/openshift-cluster/roles/openshift_node/tasks/storage_plugins/nfs.yml playbook:

diff --git a/roles/openshift_node/tasks/storage_plugins/nfs.yml b/roles/openshift_node/tasks/storage_plugins/nfs.yml
index e384c1b..4d22c56 100644
--- a/roles/openshift_node/tasks/storage_plugins/nfs.yml
+++ b/roles/openshift_node/tasks/storage_plugins/nfs.yml
@@ -23,10 +23,3 @@
   when: ansible_selinux and ansible_selinux.status == "enabled"
   failed_when: false
   changed_when: false
-
-- name: Set seboolean to allow nfs storage plugin access from containers(sandbox)
-  seboolean:
-    name: virt_sandbox_use_nfs
-    state: yes
-    persistent: yes
-  when: ansible_selinux and ansible_selinux.status == "enabled" and virt_sandbox_use_nfs_output.rc == 0

worked for me.

pospispa picture pospispa on 19 Aug 2016

So, I stumbled on this too, and sent a patch to ansible to fix the problem: https://github.com/ansible/ansible-modules-core/pull/4570

mscherer picture mscherer on 26 Aug 2016
👍2

@sdodson can you verify that the seboolean module fix has landed in Ansible 2.2 rc1?

detiber picture detiber on 4 Oct 2016

It's in, close this or wait until that version ships in Centos and Fedora?

sdodson picture sdodson on 5 Oct 2016

Also, the old booleans should exist in Fedora and RHEL7. We could avoid using the check entirely if we switched back to using those.

sdodson picture sdodson on 5 Oct 2016

This should no longer be an issue now that Ansible 2.2.0.0 has shipped. Please update to ansible 2.2.0.0, if it's not available for your distro we have a copr repo with 2.2.0.0 https://copr.fedorainfracloud.org/coprs/abutcher/ansible/

sdodson picture sdodson on 7 Nov 2016
Was this page helpful?
0 / 5 - 0 ratings

Related issues

michaelcourcy picture michaelcourcy  路  5Comments
DavidTinoco picture DavidTinoco  路  6Comments
IronicBadger picture IronicBadger  路  7Comments
dharmit picture dharmit  路  6Comments
dharmit picture dharmit  路  4Comments