Uploaded image for project: 'OpenShift Container Platform (OCP) Strategy'
  1. OpenShift Container Platform (OCP) Strategy
  2. OCPSTRAT-120

Implement RWOP SELinux context mounts (TechPreview)

    XMLWordPrintable

Details

    • False
    • Hide

      None

      Show
      None
    • False
    • 100
    • 100% 100%
    • 0
    • 0

    Description

      Epic Goal*

      Provide a long term solution to SELinux context labeling in OCP.

       
      Why is this important? (mandatory)

      As of today when selinux is enabled, the PV's files are relabeled when attaching the PV to the pod, this can cause timeout when the PVs contains lot of files as well as overloading the storage backend.

      https://access.redhat.com/solutions/6221251 provides few workarounds until the proper fix is implemented. Unfortunately these workaround are not perfect and we need a long term seamless optimised solution.

      This feature tracks the long term solution where the PV FS will be mounted with the right selinux context thus avoiding to relabel every file.

       
      Scenarios (mandatory) 

      Provide details for user scenarios including actions to be performed, platform specifications, and user personas.  

      1. Apply new context when there is none
      2. Change context of all files/folders when changing context
      3. RWO & RWX PVs
        1. ReadWriteOncePod PVs first
        2. RWX PV in a second phase

      As we are relying on mount context there should not be any relabeling (chcon) because all files / folders will inherit the context from the mount context

      More on design & scenarios in the KEP  and related epic STOR-1173

      Dependencies (internal and external) (mandatory)

      None for the core feature

      However the driver will have to set SELinuxMountSupported to true in the CSIDriverSpec to enable this feature. 

      Contributing Teams(and contacts) (mandatory) 

      Our expectation is that teams would modify the list below to fit the epic. Some epics may not need all the default groups but what is included here should accurately reflect who will be involved in delivering the epic.

      • Development - STOR
      • Documentation - STOR
      • QE - STOR
      • PX - 
      • Others -

      Done - Checklist (mandatory)

      The following points apply to all epics and are what the OpenShift team believes are the minimum set of criteria that epics should meet for us to consider them potentially shippable. We request that epic owners modify this list to reflect the work to be completed in order to produce something that is potentially shippable.

      • CI Testing -  Basic e2e automationTests are merged and completing successfully
      • Documentation - Content development is complete.
      • QE - Test scenarios are written and executed successfully.
      • Technical Enablement - Slides are complete (if requested by PLM)
      • Engineering Stories Merged
      • All associated work items with the Epic are closed
      • Epic status should be “Release Pending” 

      Attachments

        Issue Links

          is depended on by

          Feature Request - Feature requests from customers and/or users RFE-3327 Implement Selinux context mounts

          • Critical - To be worked on immediately following BLOCKER issues.
          • Accepted

          Feature - Capability or a well-defined set of functionality that delivers business value. Features can include additions or changes to existing functionality. Features can easily span multiple teams, and potentially multiple releases. OCPSTRAT-1147 Implement RWOP SELinux context mounts (Full Support)

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • In Progress
          is related to

          Feature - Capability or a well-defined set of functionality that delivers business value. Features can include additions or changes to existing functionality. Features can easily span multiple teams, and potentially multiple releases. OCPSTRAT-612 Automate workaround for SELinux relabeling issue for large volumes

          • Critical - To be worked on immediately following BLOCKER issues.
          • Closed
          links to

          Web Link KCS 6221251: When using Persistent Volumes with high file counts in OpenShift, why do pods fail to start or take an excessive amount of time to achieve "Ready" state?

          Activity

            People

              rh-gs-gcharot Gregory Charot
              rh-gs-gcharot Gregory Charot
              Chao Yang Chao Yang
              Lisa Pettyjohn Lisa Pettyjohn
              Jan Safranek Jan Safranek
              Gregory Charot Gregory Charot
              Eric Rich Eric Rich
              Votes:
              2 Vote for this issue
              Watchers:
              11 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: