Add docs to explain why we disabling selinux

Change-Id: Iadbd4a0d77aee692abd9ab4f81ba67ead8949b1e
This commit is contained in:
SamYaple 2016-02-17 00:55:51 +00:00
parent 457ce3301e
commit 89cb146ac1
2 changed files with 49 additions and 0 deletions

View File

@ -39,6 +39,7 @@ Kolla Overview
image-building image-building
advanced-configuration advanced-configuration
operating-kolla operating-kolla
selinux
Kolla Services Kolla Services

48
doc/selinux.rst Normal file
View File

@ -0,0 +1,48 @@
SELinux in Kolla
================
Overview
--------
The state of SELinux in Kolla is a work in progress. The short answer is you
must disable it until selinux polices are written for the Docker containers.
The Long Answer
---------------
To understand why Kolla needs to set certain selinux policies for services that
you wouldn't expect to need them (rabbitmq, mariadb, glance, etc.) we must take
a step back and talk about Docker.
Docker has not had the concept of persistent containerized data until recently.
This means when a container is run the data it creates is destroyed when the
container goes away, which is obviously no good in the case of upgrades.
It was suggested data containers could solve this issue by only holding data if
they were never recreated, leading to a scary state where you could lose access
to your data if the wrong command was executed. The real answer to this problem
came in Docker 1.9 with the introduction of named volumes. You could now
address volumes directly by name removing the need for so called "data
containers" all together.
Another solution to the persistent data issue is to use a host bind mount which
involves making, for sake of example, host directory /var/lib/mysql available
inside the container at /var/lib/mysql. This absolutely solves the problem of
persistent data, but it introduces another security issue, permissions. With
this host bind mount solution the data in /var/lib/mysql will be owned by the
mysql user in the container. Unfortunately, that mysql user in the container
could have any UID/GID and thats who will own the data outside the container
introducing a potential security risk. Additionally, this method dirties the
host and requires host permissions to the directories to bind mount.
The solution Kolla chose is named volumes.
Why does this matter in the case of selinux? Kolla does not run the process it
is launching as root in most cases. So glance-api is run as the glance user,
and mariadb is run as the mysql user, and so on. When mounting a named volume
in the location that the persistent data will be stored it will be owned by the
root user and group. The mysql user has no permissions to write to this folder
now. What Kolla does is allow a select few commands to be run with sudo as the
mysql user. This allows the mysql user to chown a specific, explicit directory
and store its data in a named volume without the security risk and other
downsides of host bind mounts. The downside to this is selinux blocks those
sudo commands and it will do so until we make explicit policies to allow those
operations.