Openshift-ansible: `openshift_node` role fails to complete if SELinux is disabled

Created on 11 Jul 2018 · 14Comments · Source: openshift/openshift-ansible

Description

If OpenShift Origin is deployed with SELinux disabled on bare-metal machines, openshift_node will fail during setting up a sebool value.
It's easy to fix by skipping all SELinux tasks when it's disabled. For instance:

- name: Setting sebool container_manage_cgroup
  seboolean:
    name: container_manage_cgroup
    state: yes
    persistent: yes
  # add the following lines to skip the task if we do not need it
  when:
  - ansible_selinux
  - ansible_selinux.status == 'enabled'

I can create a pull request to address that in other places as well.

Version

ansible 2.6.0
  config file = None
  configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.5 (default, Apr 11 2018, 07:36:10) [GCC 4.8.5 20150623 (Red Hat 4.8.5-28)]

Git version:

openshift-ansible-3.9.32-1-65-gf1255dbd5

Steps To Reproduce

Disable SELinux
Run the deploy_cluster.yml playbook:

$ ansible-playbook --diff -vv -i ${INVENTORY} openshift-ansible/playbooks/deploy_cluster.yml

Expected Results

Since we've disabled SELinux, all tasks regarding SELinux should be skipped:

TASK [openshift_node : Setting sebool container_manage_cgroup] *****************
task path: /root/openshift-ansible/roles/openshift_node/tasks/main.yml:59
skipping: [kube-node01] => {"changed": false, "skip_reason": "Conditional result was False"}
skipping: [kube-node02] => {"changed": false, "skip_reason": "Conditional result was False"}
skipping: [kube-node03] => {"changed": false, "skip_reason": "Conditional result was False"}
skipping: [kube-node04] => {"changed": false, "skip_reason": "Conditional result was False"}
skipping: [kube-master01] => {"changed": false, "skip_reason": "Conditional result was False"}

Observed Results

Since SELinux is disabled, sebool fails to complete:

TASK [openshift_node : Setting sebool container_manage_cgroup] *****************
task path: /root/openshift-ansible/roles/openshift_node/tasks/main.yml:59
fatal: [kube-node02]: FAILED! => {"changed": false, "msg": "SELinux is disabled on this host."}
fatal: [kube-node03]: FAILED! => {"changed": false, "msg": "SELinux is disabled on this host."}
fatal: [kube-node04]: FAILED! => {"changed": false, "msg": "SELinux is disabled on this host."}
fatal: [kube-node01]: FAILED! => {"changed": false, "msg": "SELinux is disabled on this host."}
fatal: [kube-master01]: FAILED! => {"changed": false, "msg": "SELinux is disabled on this host."}

Additional Information

OS version: RHEL CentOS 7.4

Source

FakeEmperor

Most helpful comment

Same issue on 3.11 with SELinux boolean container_manage_cgroup does not exist..

leseb on 5 Dec 2018

👍4

All 14 comments

I am seeing this issue as well. I should also mention that when I ran the playbook a couple months ago against the then last commit of release-3.9, I didn't see any such problems

geoand on 24 Jul 2018

Same issue here on release-3.10 branch

jhaohai on 15 Aug 2018

https://stopdisablingselinux.com/

Consider using permissive mode instead

vrutkovs on 15 Aug 2018

Fair enough. But can we at least have an Ansible variable openshift_ansible_allow_disabled_selinux, which will allow running OpenShift even when SELinux is disabled?

This way a warning can be shown at the end of the playbook run but still successfully deploy and don't fail midway during installation/upgrade. For instance: Variable 'openshift_ansible_allow_disabled_selinux' is set to true and allows OpenShift installation even when SELinux is disabled. Consider enabling SELinux in permissive mode and setting 'openshift_ansible_allow_disabled_selinux' to false.

Previous example would be changed to:

- name: Setting sebool container_manage_cgroup
  seboolean:
    name: container_manage_cgroup
    state: yes
    persistent: yes
  when:
  # either always run this when 'openshift_ansible_allow_disabled_selinux'  is disabled
  # or run when ansible_selinux is enabled
  - not openshift_ansible_allow_disabled_selinux | bool or 
     (ansible_selinux and ansible_selinux.status == 'enabled')

I can make a pull request with necessary changes if this looks good

FakeEmperor on 21 Aug 2018

@vrutkovs: this should be opened cause or here is bug or somewhere else.

Bug is here, and this should be allowed to run.
Bug is at the beginning of playbook, cause I can see in /opt/openshift-ansible/playbooks/byo/openshift-cluster/roles/openshift_node/tasks/main.yml:

- fail:
    msg: "SELinux is disabled, This deployment type requires that SELinux is enabled."
  when:
    - (not ansible_selinux or ansible_selinux.status != 'enabled')
    - openshift_deployment_type == 'openshift-enterprise'
    - not openshift_use_crio | bool

This checks only for Enterprise. Since this reported issue tells about broken installation later - it should be:
a) allowed to run later too
b) mentioned part of playbook should be changed and block doing anything (eg: running /opt/openshift-ansible/playbooks/prerequisites.yml imports that init/main.yml)

morsik on 12 Sep 2018

seeing same issue. on 3.10 okd install with crio

debianmaster on 22 Sep 2018

Same issue on 3.11 with SELinux boolean container_manage_cgroup does not exist..

leseb on 5 Dec 2018

👍4

seeing the issue "SELinux boolean container_manage_cgroup does not exist." in openshift-ansible-3.9.62-1. Any fix available?

dipindas on 28 Dec 2018

is there any walk around this problem. kimsufi and ovh servers disabled selinux and users cannot change status.

edit: I found a way to change selinux status from kimsufi's installation panel. There is a "select distribution's kernel" option on installation wizard.