From 06fc55b0a4d994550f05625f10d8f7f0b11863eb Mon Sep 17 00:00:00 2001 From: John Mulligan Date: Tue, 11 Mar 2025 14:51:23 -0400 Subject: [PATCH] qa/cephadm/smb: set virt_sandbox_use_netlink selinux bool on ctdb tests Try to use the virt_sandbox_use_netlink selinux boolean to avoid getting selinux AVC errors in smb tests using ctdb. Some tests run ctdb with public addresses and the scripts that ctdb uses to manage those IPs calls ss which uses netlink which can cause selinux denials. Attempt to work around that problem by using a selinux boolean documented in `container_selinux(8)`. Signed-off-by: John Mulligan --- .../cephadm/smb/tasks/deploy_smb_ctdb_node_gone_state.yaml | 3 +++ .../orch/cephadm/smb/tasks/deploy_smb_mgr_clustering_ips.yaml | 3 +++ .../orch/cephadm/smb/tasks/deploy_smb_mgr_ctdb_res_basic.yaml | 3 +++ .../orch/cephadm/smb/tasks/deploy_smb_mgr_ctdb_res_dom.yaml | 3 +++ .../orch/cephadm/smb/tasks/deploy_smb_mgr_ctdb_res_ips.yaml | 3 +++ 5 files changed, 15 insertions(+) diff --git a/qa/suites/orch/cephadm/smb/tasks/deploy_smb_ctdb_node_gone_state.yaml b/qa/suites/orch/cephadm/smb/tasks/deploy_smb_ctdb_node_gone_state.yaml index 0d862b2c5f993..e05869d93e3ae 100644 --- a/qa/suites/orch/cephadm/smb/tasks/deploy_smb_ctdb_node_gone_state.yaml +++ b/qa/suites/orch/cephadm/smb/tasks/deploy_smb_ctdb_node_gone_state.yaml @@ -24,6 +24,9 @@ overrides: tasks: - cephadm.configure_samba_client_container: role: host.d +- pexec: + all: + - setsebool -P virt_sandbox_use_netlink 1 || true - cephadm: - cephadm.shell: diff --git a/qa/suites/orch/cephadm/smb/tasks/deploy_smb_mgr_clustering_ips.yaml b/qa/suites/orch/cephadm/smb/tasks/deploy_smb_mgr_clustering_ips.yaml index 3bbf30ea42714..45ed41e8212af 100644 --- a/qa/suites/orch/cephadm/smb/tasks/deploy_smb_mgr_clustering_ips.yaml +++ b/qa/suites/orch/cephadm/smb/tasks/deploy_smb_mgr_clustering_ips.yaml @@ -26,6 +26,9 @@ tasks: role: host.d - vip: count: 1 +- pexec: + all: + - setsebool -P virt_sandbox_use_netlink 1 || true - cephadm: - cephadm.shell: diff --git a/qa/suites/orch/cephadm/smb/tasks/deploy_smb_mgr_ctdb_res_basic.yaml b/qa/suites/orch/cephadm/smb/tasks/deploy_smb_mgr_ctdb_res_basic.yaml index b9b0ec0d6f17e..aab74b1692be3 100644 --- a/qa/suites/orch/cephadm/smb/tasks/deploy_smb_mgr_ctdb_res_basic.yaml +++ b/qa/suites/orch/cephadm/smb/tasks/deploy_smb_mgr_ctdb_res_basic.yaml @@ -24,6 +24,9 @@ overrides: tasks: - cephadm.configure_samba_client_container: role: host.d +- pexec: + all: + - setsebool -P virt_sandbox_use_netlink 1 || true - cephadm: - cephadm.shell: diff --git a/qa/suites/orch/cephadm/smb/tasks/deploy_smb_mgr_ctdb_res_dom.yaml b/qa/suites/orch/cephadm/smb/tasks/deploy_smb_mgr_ctdb_res_dom.yaml index b74593058e2ba..20a10a7cbc04b 100644 --- a/qa/suites/orch/cephadm/smb/tasks/deploy_smb_mgr_ctdb_res_dom.yaml +++ b/qa/suites/orch/cephadm/smb/tasks/deploy_smb_mgr_ctdb_res_dom.yaml @@ -24,6 +24,9 @@ overrides: tasks: - cephadm.deploy_samba_ad_dc: role: host.d +- pexec: + all: + - setsebool -P virt_sandbox_use_netlink 1 || true - cephadm: - cephadm.shell: diff --git a/qa/suites/orch/cephadm/smb/tasks/deploy_smb_mgr_ctdb_res_ips.yaml b/qa/suites/orch/cephadm/smb/tasks/deploy_smb_mgr_ctdb_res_ips.yaml index 0aa55a53a3d60..4f3bcb0a7351e 100644 --- a/qa/suites/orch/cephadm/smb/tasks/deploy_smb_mgr_ctdb_res_ips.yaml +++ b/qa/suites/orch/cephadm/smb/tasks/deploy_smb_mgr_ctdb_res_ips.yaml @@ -26,6 +26,9 @@ tasks: role: host.d - vip: count: 2 +- pexec: + all: + - setsebool -P virt_sandbox_use_netlink 1 || true - cephadm: - cephadm.shell: -- 2.39.5