How do I enable SELinux in an NSP cluster?
Purpose
Perform this procedure to enable SELinux on the member nodes of an NSP cluster.
Note: You must enable permissive mode on all NSP cluster nodes before you can enable enforcing mode on the nodes.
Note: You require root user privileges on each NSP cluster node.
Note: A leading # character in a command line represents the root user prompt, and is not to be included in a typed command.
Steps

1
Perform Step 3 to Step 11 on each node in the NSP cluster.

2
Go to Step 12.

Individual node configuration

3
Log in as the root user on the NSP cluster node.

4
Open a console window.

5
Enter the following:
# cd /opt/nsp/nsp-deployer/tools/selinux/tools/bin ↵

Check for required OS packages

6
Enter the following:
# ./selinuxenable.sh -c ↵
Any missing OS packages required by SELinux are listed.

7
If the message indicates that one or more required SELinux packages are not installed, enter the following:
# dnf -y install package_1 package_2 ... package_n ↵
where package_1 package_2 ... package_n are the names of the listed packages
The packages are installed.

Enable permissive mode

8
Enter the following:
# ./selinuxenable.sh -p ↵
The SELinux mode is set to permissive.

Apply SELinux labels

9
Enter the following:
# /opt/nsp/nsp-deployer/tools/selinux/installer/bin/nsp-selinux-config.bash ↵
The script loads the required AVC policy, k8s_nsp_domain.pp, and labels the files and directories named in the policy.

10
Enter the following to back up the system audit logs:
# cp /var/log/audit/audit.log* backup_location ↵
where backup_location is a secure location on a separate station

11
Enter the following to delete the system audit logs and thereby clear the SELinux AVC history:
# rm -f /var/log/audit/audit.log* ↵

Restart NSP cluster

12
Perform How do I stop an NSP cluster? to gracefully shut down the NSP cluster and preserve the cluster data.

13
Enter the following:
# systemctl reboot ↵
The node reboots. After the reboot, the SELinux labels take effect, as SELinux runs in targeted permissive mode in the nsp_domain_t domain.

14
After the reboot, enter the following to verify that the required processes are running in the nsp_domain_t domain:
# ps -aefZ | egrep 'kube-apiserver | kube-scheduler | kube-controller-manager | /usr/local/bin/etcd | /usr/local/bin/kube-proxy | /usr/local/bin/kubelet|/kube-state-metrics | /usr/bin/kube-controllers' | egrep -v 'grep' ↵
Process entries like the following are listed:
system_u:system_r:nsp_domain_t:s0 process_description

15
If any listed entry does not include nsp_domain_t, contact technical support for assistance.

16
Enter the following to verify that the policy file is loaded:
# semodule -l | grep k8s_nsp_domain ↵
The policy file is listed, as shown below:
k8s_nsp_domain

17
Start the NSP cluster; perform How do I start an NSP cluster?.

18
Close the open console windows.

End of steps
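The following POSIX shell script is an added example for the checks in Step 14 and Step 16; it is not part of the NSP tools or of this procedure. It parses `ps -aefZ` output and reports every required process whose context is not in nsp_domain_t, and confirms that k8s_nsp_domain appears in `semodule -l` output; the sample output is constructed, and the process pattern is assumed to be the Step 14 egrep list with the spaces around each `|` removed.

```shell
#!/bin/sh
# Added verification helper for steps 14 and 16; not part of the NSP tools.

# Same process list as the step 14 egrep, with the spaces around '|'
# removed so each alternative matches the command name exactly (assumed).
REQUIRED='kube-apiserver|kube-scheduler|kube-controller-manager|/usr/local/bin/etcd|/usr/local/bin/kube-proxy|/usr/local/bin/kubelet|/kube-state-metrics|/usr/bin/kube-controllers'

# check_nsp_domain reads `ps -aefZ` lines on stdin, prints every required
# process whose SELinux context is not in the nsp_domain_t domain, and
# returns 0 only when all required processes are confined.
check_nsp_domain() {
    bad=0
    while IFS= read -r line; do
        # Keep only the required processes and drop the grep that found them.
        printf '%s\n' "$line" | grep -Eq "$REQUIRED" || continue
        printf '%s\n' "$line" | grep -q 'grep' && continue
        # With -Z the context is the first whitespace-delimited field.
        ctx=${line%% *}
        case "$ctx" in
            *:nsp_domain_t:*) ;;
            *) printf 'NOT CONFINED: %s\n' "$line"; bad=1 ;;
        esac
    done
    return "$bad"
}

# policy_loaded reads `semodule -l` output on stdin (step 16) and succeeds
# only if the k8s_nsp_domain policy module is listed.
policy_loaded() {
    grep -q '^k8s_nsp_domain'
}

# Constructed sample output (not captured from a real node): etcd here is
# still unconfined_service_t, which step 15 says to report to support.
SAMPLE_PS='system_u:system_r:nsp_domain_t:s0 root 1201 1 0 10:02 ? 00:00:12 /usr/local/bin/kubelet --config=/var/lib/kubelet/config.yaml
system_u:system_r:nsp_domain_t:s0 root 1305 1 0 10:02 ? 00:00:40 kube-apiserver --secure-port=6443
system_u:system_r:unconfined_service_t:s0 root 1410 1 1 10:02 ? 00:00:05 /usr/local/bin/etcd --data-dir=/var/lib/etcd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 2000 1900 0 10:05 pts/0 00:00:00 grep -E kube-apiserver
system_u:system_r:init_t:s0 root 1 0 0 10:01 ? 00:00:03 /usr/lib/systemd/systemd'

SAMPLE_SEMODULE='abrt
k8s_nsp_domain
kubernetes'

# On a live node replace the samples with:  ps -aefZ | check_nsp_domain
# and:  semodule -l | policy_loaded
printf '%s\n' "$SAMPLE_PS" | check_nsp_domain || echo 'some required processes are not in nsp_domain_t'
printf '%s\n' "$SAMPLE_SEMODULE" | policy_loaded && echo 'k8s_nsp_domain policy is loaded'
```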