Workarounds to skip SELinux relabelling in OpenShift Data Foundation / OpenShift Container Storage

Solution Verified - Updated -

Issue

  • OpenShift namespaces are, by default, configured with distinct Multi-Category Security (MCS) SELinux levels. A simple way to review this security context is to inspect the namespace YAML:

     oc get project mds-test -o yaml | grep scc.mcs
         openshift.io/sa.scc.mcs: s0:c25,c20
               f:openshift.io/sa.scc.mcs: {}
  • This SELinux context is inherited by every pod running inside the namespace. As a consequence, all files inside the PVs bound to these pods need to be relabeled accordingly, so that the SELinux context on the files matches the security context of the pods.

  • When the number of files in these PVs grows large (possibly into the millions), the pods get stuck in the ContainerCreating phase, because the relabelling process is quite lengthy. This is fully covered in the OCP article When using Persistent Volumes with high file counts in OpenShift, why do pods fail to start or take an excessive amount of time to achieve "Ready" state?. That article lists two available workarounds, which must be applied as the first steps to solve this problem.

  • However, there may be occasions when, due to a bug in OCP or because of security restrictions, the workarounds listed in that document cannot be used.
  • Is there any alternate workaround that might be applicable from the ODF side?
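To see whether files on a PV already carry the MCS level of the namespace that will mount them (and therefore whether a lengthy relabel is to be expected), the following shell check is added here as an example; it is not part of the article. It parses the `openshift.io/sa.scc.mcs` annotation from constructed project YAML and compares it with a file context of the form printed by `stat -c %C`, treating the category list as a set so that `s0:c25,c20` and `s0:c20,c25` compare equal.

```shell
#!/usr/bin/env bash
# Added example, not from the knowledgebase article.

# Constructed sample of `oc get project mds-test -o yaml` output.
SAMPLE_PROJECT_YAML='apiVersion: project.openshift.io/v1
kind: Project
metadata:
  annotations:
    openshift.io/sa.scc.mcs: s0:c25,c20
  name: mds-test'

# Print the MCS level (e.g. "s0:c25,c20") found in project YAML read from stdin.
ns_mcs_level() {
  sed -n 's/^ *openshift\.io\/sa\.scc\.mcs: *//p' | head -n 1
}

# Canonicalise an MCS level: sensitivity, then categories sorted numerically,
# so that category order does not produce a false mismatch.
canon_level() {
  local level="$1" sens cats
  sens="${level%%:*}"
  cats="${level#*:}"
  if [ "$cats" = "$level" ]; then   # no categories, e.g. plain "s0"
    printf '%s\n' "$sens"
    return 0
  fi
  cats=$(printf '%s\n' "$cats" | tr ',' '\n' | sort -t c -k2,2n | paste -sd, -)
  printf '%s:%s\n' "$sens" "$cats"
}

# Return the MCS level of a full file context such as
# "system_u:object_r:container_file_t:s0:c20,c25" (everything after the type).
file_mcs_level() {
  printf '%s\n' "$1" | cut -d: -f4-
}

# Succeed (exit 0) when the file context carries the namespace's MCS level.
file_matches_ns() {
  [ "$(canon_level "$(file_mcs_level "$1")")" = "$(canon_level "$2")" ]
}

# Usage against the constructed sample; on a cluster, pipe real
# `oc get project NS -o yaml` output and use `stat -c %C <file on the PV>`.
ns_level=$(printf '%s\n' "$SAMPLE_PROJECT_YAML" | ns_mcs_level)
if file_matches_ns "system_u:object_r:container_file_t:s0:c20,c25" "$ns_level"; then
  echo "file already carries $ns_level: no relabel needed"
else
  echo "file MCS level differs from $ns_level: relabel will be required"
fi
```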

Environment

  • Red Hat OpenShift Data Foundation (RHODF)
    • >=4.9
  • Red Hat OpenShift Container Storage (RHOCS)
    • 4.7, 4.8
