Workaround to skip SELinux relabelling issues in Openshift Data Foundation / Openshift Container Storage

Solution Verified - Updated -

Issue

  • When the number of files in these PVs grows largely (thousands/millions of objects, depending on each case and size), the pods get stuck in ContainerCreating or init status.

  • OpenShift namespaces are by default, configured to have different Multi-Category Security (MCS) SELinux settings. A simple way to review this security context is by inspecting a namespace yaml:

     oc get project mds-test -o yaml | grep scc.mcs
    openshift.io/sa.scc.mcs: s0:c25,c20
          f:openshift.io/sa.scc.mcs: {}

  • This SELinux context is inherited by all the pods running inside these namespaces. Because of this feature, all the files inside PVs bound to these pods need to be relabeled accordingly to ensure the SELinux context matches the security specs in the pods.

Environment

  • Red Hat OpenShift Container Platform (RHOCP)
    • 4
  • Red Hat OpenShift Container Storage (RHOCS)
    • 4
  • Red Hat OpenShift Data Foundation (RHODF)
    • 4

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.

Current Customers and Partners

Log in for full access

Log In

New to Red Hat?

Learn more about Red Hat subscriptions

Using a Red Hat product through a public cloud?

How to access this content