Story #282

Updated by bmbouter about 9 years ago

The "scaling guide":http://pulp.readthedocs.org/en/latest/user-guide/tuning.html#scaling needs improvement to describe in more detail how to configure Pulp into a cluster for the purposes of scaling both httpd and pulp workers. 


 Deliverables: 

 0. Set up and test a clustered Pulp installation to learn what a clustered deployment needs 
 1. Document the requirements for an NFS clustered Pulp installation. 
 2. Revert/rewrite https://github.com/pulp/pulp/pull/1097/files since we and QE will have tested it 
 3. Make sure the docs work with SELinux (see below) 
 4. Add a release note about this change. 


 SELinux and NFS issues: 

 This documentation needs to describe a fix for running with SELinux  

 For Pulp to operate correctly, it expects that /var/lib/pulp/* will have the httpd_sys_rw_content_t file context. If you host /var/lib/pulp/ or some subdirectory of it via NFS, those files will receive the nfs_t label instead. This causes Pulp to not work correctly if you want to scale the /var/lib/pulp filesystem with NFS and stay secure with SELinux in Enforcing. 


 To reproduce the issue: 

 0. Put SELinux in enforcing mode 
 1. Mount /var/lib/pulp via NFS 
 2. Try to sync or consume content 
 3. Observe the sync will fail and AVC denials will be present 

 SELinux will not allow Pulp to work due to incorrect file labels. 


 Deliverables: 

 1. Document about when/how users can configure NFS to work with Pulp's SELinux policy definition. This should be in a new section or subsection. 
 2. Add a release note about this change. 

 Recommended Solution: 

 The recommended way to fix this is to make NFS aware of the SELinux context to use when mounting /var/lib/pulp/ or a subdirectory of it, by passing the context option to mount. 

 <pre> 
 # mount -o context="system_u:object_r:httpd_sys_rw_content_t:s0" REMOTEHOST:/var/lib/pulp /var/lib/pulp 
 </pre> 
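The following is an added example, not code from this story or from the Pulp project. It packages the context= fix above as a helper that emits the matching /etc/fstab line, plus two checks a practitioner would run around it: one that reads stat -c '%C %n' output and lists paths whose type is not httpd_sys_rw_content_t, and one that pulls AVC denials against nfs_t out of audit log lines (the symptom from the reproduction steps above). The host name nfs01, the export path, and the sample stat and audit lines are constructed for illustration; the worker domain in the second sample line is illustrative, the filter keys only on the nfs_t target label.

```shell
#!/bin/sh
# Added example, not Pulp project code: helpers around the context= mount fix.
# Assumed: Pulp needs httpd_sys_rw_content_t on /var/lib/pulp (as the story
# says); host/export names and the sample data below are constructed.

PULP_TYPE='httpd_sys_rw_content_t'
PULP_CTX="system_u:object_r:${PULP_TYPE}:s0"

# /etc/fstab line that mounts an NFS export with a fixed SELinux context, so
# every file on the mount shows httpd_sys_rw_content_t instead of nfs_t.
#   $1 = "host:/export"   $2 = mount point (e.g. /var/lib/pulp)
pulp_nfs_fstab_line() {
    printf '%s %s nfs context="%s",_netdev 0 0\n' "$1" "$2" "$PULP_CTX"
}

# Check the labels actually present.  Feed it the output of
#   find /var/lib/pulp -exec stat -c '%C %n' {} +
# on stdin; it prints every path whose SELinux type is not httpd_sys_rw_content_t.
mislabeled_paths() {
    awk -v want="$PULP_TYPE" '
        { n = split($1, ctx, ":")
          if (n >= 3 && ctx[3] != want) { sub(/^[^ ]+ +/, ""); print } }'
}

# Pull the denials this mislabeling produces out of audit log lines on stdin:
# any AVC denial whose target object is labeled nfs_t, whichever source domain
# (httpd or a worker) tripped it.
nfs_t_denials() {
    awk '/avc: +denied/ && /tcontext=[^ ]*:nfs_t:/'
}

# Constructed sample data (not captured from a real system).
SAMPLE_STAT='system_u:object_r:httpd_sys_rw_content_t:s0 /var/lib/pulp/content
system_u:object_r:nfs_t:s0 /var/lib/pulp/content/units
system_u:object_r:nfs_t:s0 /var/lib/pulp/published/yum/https'

SAMPLE_AUDIT='type=AVC msg=audit(1421000000.123:456): avc:  denied  { write } for  pid=1234 comm="httpd" name="units" dev="0:42" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1421000000.456:457): avc:  denied  { create } for  pid=2222 comm="celery" name="tmp" dev="0:42" ino=777 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file permissive=0
type=AVC msg=audit(1421000001.000:458): avc:  denied  { write } for  pid=1234 comm="httpd" name="log" dev="dm-0" ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir permissive=0'

# Demo on the constructed data.
pulp_nfs_fstab_line nfs01:/export/pulp /var/lib/pulp
printf '%s\n' "$SAMPLE_STAT" | mislabeled_paths
printf '%s\n' "$SAMPLE_AUDIT" | nfs_t_denials
```

Two caveats when applying this on a real host. The context option labels the whole mount with one context, so mount only the Pulp tree (or the subdirectory you are scaling) that way, not a larger export that other services share. And because a context-mounted filesystem carries a fixed label, restorecon cannot relabel files on it; the mount option, not a later relabel, is what has to carry the httpd_sys_rw_content_t type. After mounting, ls -Zd /var/lib/pulp should show that type rather than nfs_t.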

 Other potential solutions: 

 One way to fix this would be "similar to what spacewalk did by using mountpoints":https://github.com/spacewalkproject/spacewalk/blob/master/spacewalk/setup/bin/spacewalk-make-mount-points by introducing a spacewalk_nfs_mountpoint label or something similar. 

 A third way to fix this would be to have our policy be nfs_t aware specifically for pulp content, but not other nfs_t directories. 

 Another way would be for the user to manually relabel with a restorecon statement that specifies the httpd_sys_rw_content_t label, but that would need to be tested to be sure that it won't interfere with nfs_t correct operation or that SELinux won't relabel it later. 

 Another way would be to use some sort of SELinux aliasing.
