On Fri, 2019-06-07 at 16:19 +0000, Hayden,Robert wrote:
> Thanks
> Robert
>
> Robert Hayden | Sr. Technology Architect | Cerner Corporation |
>
> > -----Original Message-----
> > From: Users <users-boun...@clusterlabs.org> On Behalf Of Ken Gaillot
> > Sent: Thursday, June 6, 2019 5:35 PM
> > To: Cluster Labs - All topics related to open-source clustering welcomed <users@clusterlabs.org>
> > Subject: [ClusterLabs] Possible intrusive change in bundles for 2.0.3
> >
> > Hi all,
> >
> > It has been discovered that newer versions of selinux-policy prevent bundles
> > in pacemaker 2.0 from logging. I have a straightforward fix, but it means that
> > whenever a cluster is upgraded from pre-2.0.3 to 2.0.3 or later, all active
> > bundles will restart once the last older node leaves the cluster.
>
> Is this cluster restart only when crossing the 2.0.3 release? Or for
> each minor after the 2.0.3?

It would only be for crossing 2.0.3. Only bundle resources are affected, not all
resources in the cluster.

> Rolling upgrades are ideal and much easier to justify getting maintenance
> windows scheduled.
>
> > This is because the fix passes the "Z" mount flag to docker or podman, which
> > tells them to create a custom SELinux policy for the bundle's container and
> > log directory. This is the easiest and most restrictive solution.
> >
> > An alternative approach would be for pacemaker to start delivering its own
> > custom SELinux policy as a separate package. The policy would allow all
> > pacemaker-launched containers to access all of
> > /var/log/pacemaker/bundles, which is a bit broader access (not to mention
> > more of a pain to maintain over the longer term). This would avoid the
> > restart.
> >
> > I'm leaning to the in-code solution, but I want to ask if anyone thinks the
> > bundle restarts on upgrade are a deal-breaker for a minor-minor release, and
> > would prefer the packaged policy solution.
>
> I am not 100% sure of the configuration you are referring to with
> bundles.

It's a relatively new type of pacemaker resource for running containers along
with the IP addresses/ports and exported directories they need. No other
resources would be affected.

> Overall, I would prefer the SELinux policy to be a separate package,
> or incorporated into the main SELinux policies as a Boolean. Seems to
> me to be a better long term solution, albeit painful.

-- 
Ken Gaillot <kgail...@redhat.com>

_______________________________________________
Manage your subscription:
https://lists.clusterlabs.org/mailman/listinfo/users

ClusterLabs home: https://www.clusterlabs.org/
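The thread turns on whether each bind mount handed to docker/podman carries the "Z" (private label) or "z" (shared label) relabel option; without one, a container confined by SELinux is typically denied access to the host directory. The script below is an added example, not pacemaker code or anything from this thread: it audits a `podman run`/`docker run` command line for bind mounts and reports their relabel mode. The command lines, the container name and the authkey mount are constructed for illustration and are not pacemaker's actual launch arguments.

```python
"""Audit a docker/podman `run` command line for bind mounts lacking an
SELinux relabel option (added example; command lines below are constructed)."""
import shlex
from typing import Dict, List

# Mount options docker/podman accept after the container path:
#   z -> shared label (every container using the option may access the path)
#   Z -> private label unique to this container (the fix discussed in the thread)
RELABEL = {"z": "shared", "Z": "private"}


def audit_bind_mounts(cmdline: str) -> List[Dict[str, str]]:
    """Return one record per -v/--volume bind mount with its relabel mode."""
    argv = shlex.split(cmdline)
    results = []
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("-v", "--volume") and i + 1 < len(argv):
            spec, i = argv[i + 1], i + 2
        elif arg.startswith("--volume="):
            spec, i = arg.split("=", 1)[1], i + 1
        else:
            i += 1
            continue
        parts = spec.split(":")
        if len(parts) < 2 or not parts[0].startswith("/"):
            continue  # named or anonymous volume, not a host bind mount
        opts = parts[2].split(",") if len(parts) > 2 else []
        flags = [o for o in opts if o in RELABEL]
        results.append({"host": parts[0], "container": parts[1],
                        "relabel": RELABEL[flags[-1]] if flags else "none"})
    return results


def unlabelled_mounts(cmdline: str) -> List[str]:
    """Host paths a confined container would likely be denied under SELinux."""
    return [m["host"] for m in audit_bind_mounts(cmdline) if m["relabel"] == "none"]


# Constructed launch resembling the pre-fix situation: the bundle's log
# directory is mounted with no relabel option, so logging is denied.
SAMPLE_BEFORE = ("podman run -d --name pcmk-bundle-0 "
                 "-v /var/log/pacemaker/bundles/pcmk-bundle-0:/var/log "
                 "-v /etc/pacemaker/authkey:/etc/pacemaker/authkey:ro example/app")
# Same launch with the "Z" option on the log directory, as the fix does.
SAMPLE_AFTER = SAMPLE_BEFORE.replace(":/var/log ", ":/var/log:rw,Z ")

if __name__ == "__main__":
    for name, cmd in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(name, unlabelled_mounts(cmd))
```

Run it against the `docker`/`podman` invocation visible in `ps` output on a node to see which mounts would still be denied after the upgrade.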