diff --git a/etc/kayobe/environments/ci-aio/globals.yml b/etc/kayobe/environments/ci-aio/globals.yml
index edd2b87df..f65cba9f1 100644
--- a/etc/kayobe/environments/ci-aio/globals.yml
+++ b/etc/kayobe/environments/ci-aio/globals.yml
@@ -55,11 +55,6 @@ os_release: >-
 {{ (lookup('pipe', '. /etc/os-release && echo $VERSION_CODENAME') | trim) if os_distribution == 'ubuntu' else
 (lookup('pipe', '. /etc/os-release && echo $VERSION_ID') | trim | split('.') | first) if os_distribution == 'rocky' }}
 
-###############################################################################
-
-# Avoid a reboot.
-selinux_state: disabled
-
 ###############################################################################
 # Dummy variable to allow Ansible to accept this file.
 workaround_ansible_issue_8743: yes
diff --git a/etc/kayobe/environments/ci-aio/inventory/group_vars/controllers/selinux b/etc/kayobe/environments/ci-aio/inventory/group_vars/controllers/selinux
deleted file mode 100644
index 97bfb5bb0..000000000
--- a/etc/kayobe/environments/ci-aio/inventory/group_vars/controllers/selinux
+++ /dev/null
@@ -1,4 +0,0 @@
----
-# Configure SELinux to be disabled in all cases. This is a short term fix, we
-# want RL9 hosts to be be permissive but our host images need to be rebuilt.
-selinux_state: "disabled"
diff --git a/etc/kayobe/environments/ci-builder/globals.yml b/etc/kayobe/environments/ci-builder/globals.yml
index 7efb44f44..9852cbd4d 100644
--- a/etc/kayobe/environments/ci-builder/globals.yml
+++ b/etc/kayobe/environments/ci-builder/globals.yml
@@ -7,9 +7,3 @@
 # OS distribution name. Valid options are "rocky", "ubuntu". Default is
 # "rocky".
 os_distribution: "{{ lookup('pipe', '. /etc/os-release && echo $ID') | trim }}"
-
-###############################################################################
-# SELinux.
-
-# Avoid a reboot.
-selinux_state: disabled
diff --git a/etc/kayobe/environments/ci-multinode/globals.yml b/etc/kayobe/environments/ci-multinode/globals.yml
index 3cf02f052..9fe415ecd 100644
--- a/etc/kayobe/environments/ci-multinode/globals.yml
+++ b/etc/kayobe/environments/ci-multinode/globals.yml
@@ -60,11 +60,6 @@ os_release: >-
 stackhpc_write_barbican_role_id_to_file: true
 stackhpc_barbican_role_id_file_path: "/tmp/barbican-role-id"
 
-###############################################################################
-
-# Avoid a reboot.
-selinux_state: disabled
-
 ###############################################################################
 # Dummy variable to allow Ansible to accept this file.
 workaround_ansible_issue_8743: yes
diff --git a/etc/kayobe/pulp-host-image-versions.yml b/etc/kayobe/pulp-host-image-versions.yml
index 3b8aceb84..ec8126430 100644
--- a/etc/kayobe/pulp-host-image-versions.yml
+++ b/etc/kayobe/pulp-host-image-versions.yml
@@ -1,5 +1,6 @@
 ---
 # Overcloud host image versioning tags
 # These images must be in SMS, since they are used by our AIO CI runners
+# TODO: Rebuild with SELinux enabled
 stackhpc_rocky_9_overcloud_host_image_version: "2023.1-20240126T093158"
 stackhpc_ubuntu_jammy_overcloud_host_image_version: "2023.1-20240325T130221"
diff --git a/etc/kayobe/stackhpc-overcloud-dib.yml b/etc/kayobe/stackhpc-overcloud-dib.yml
index 69ba5c81e..845cf7e9c 100644
--- a/etc/kayobe/stackhpc-overcloud-dib.yml
+++ b/etc/kayobe/stackhpc-overcloud-dib.yml
@@ -23,7 +23,7 @@ stackhpc_overcloud_dib_name: "deployment_image"
 stackhpc_overcloud_dib_elements:
 - "{{ os_distribution }}-{% if os_distribution == 'rocky' %}container-stackhpc{% else %}minimal{% endif %}"
 - "cloud-init-datasources"
- - "{% if os_distribution == 'rocky' %}disable-selinux{% endif %}"
+ - "{% if os_distribution == 'rocky' %}selinux-permissive{% endif %}"
 - "enable-serial-console"
 - "{% if kayobe_environment == 'ci-builder' %}etc-hosts{% endif %}"
 - "vm"
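Review bot: The added `# TODO: Rebuild with SELinux enabled` in etc/kayobe/pulp-host-image-versions.yml leaves both pinned image tags unchanged, so the Rocky tag presumably still points at an image built with the `disable-selinux` element. The ci-aio, ci-builder and ci-multinode hunks of this commit remove the `selinux_state: disabled` overrides whose comments said they were there to avoid a reboot, so hosts booted from the old image may now need an SELinux state change and a reboot until the rebuild lands; it is worth confirming that CI tolerates that. The TODO also says "enabled" while the image element is `selinux-permissive`; I would write `# TODO: Rebuild the Rocky image with the selinux-permissive element and bump the tag below` and point it at a tracking issue.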
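Review bot: The new `selinux-permissive` entry in `stackhpc_overcloud_dib_elements` (etc/kayobe/stackhpc-overcloud-dib.yml) carries no comment on what the mode means for the image: in permissive mode SELinux logs policy denials but does not block them, so the image gains audit visibility without confinement. I would add a comment above the element such as `# Permissive: SELinux denials are logged, not enforced; keep in sync with selinux_state.` so that a later change to the host-side setting is made in both places. The link to `selinux_state` is inferred from the release note rather than visible in this hunk, and the element list may continue past the hunk's last line.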
diff --git a/releasenotes/notes/selinux-host-image-ff0fed2583cae7b0.yaml b/releasenotes/notes/selinux-host-image-ff0fed2583cae7b0.yaml
new file mode 100644
index 000000000..b545668f4
--- /dev/null
+++ b/releasenotes/notes/selinux-host-image-ff0fed2583cae7b0.yaml
@@ -0,0 +1,5 @@
+---
+upgrade:
+ - |
+ Enables SELinux in permissive mode in the overcloud host image. This
+ matches the default configuration for SELinux in StackHPC Kayobe Configuration.