Document selinux considerations

2016-08-24 09:18:08 -07:00 · 2016-08-24 09:18:08 -07:00 · 62be2cb8d9
parent 1952986a34
commit 62be2cb8d9
2 changed files with 54 additions and 4 deletions
--- a/examples/mysql-wordpress-pd/README.md
+++ b/examples/mysql-wordpress-pd/README.md
@ -61,6 +61,8 @@ Put your desired mysql password in a file called `password.txt` with
 no trailing newline. The first `tr` command will remove the newline if
 your editor added one.

+**Note:** if your cluster enforces **_selinux_** and you will be using [Host Path](#host-path) for storage, then please follow this [extra step](#selinux).
+
 ```shell
 tr --delete '\n' <password.txt >.strippedpassword.txt && mv .strippedpassword.txt password.txt
 kubectl create -f https://raw.githubusercontent.com/kubernetes/kubernetes/master/examples/mysql-wordpress-pd/local-volumes.yaml
@ -79,6 +81,7 @@ kubectl create -f https://raw.githubusercontent.com/kubernetes/kubernetes/master
  - [Cluster Requirements](#cluster-requirements)
  - [Decide where you will store your data](#decide-where-you-will-store-your-data)
    - [Host Path](#host-path)
+        - [SELinux](#selinux)
    - [GCE Persistent Disk](#gce-persistent-disk)
  - [Create the MySQL Password Secret](#create-the-mysql-password-secret)
  - [Deploy MySQL](#deploy-mysql)
@ -129,7 +132,25 @@ will not be moved between nodes if the pod is recreated on a new
 node. If the pod is deleted and recreated on a new node, data will be
 lost.

-Create the persistent volume objects in Kubernetes using
+##### SELinux
+
+On systems supporting selinux it is preferred to leave it enabled/enforcing.
+However, docker containers mount the host path with the "_svirt_sandbox_file_t_"
+label type, which is incompatible with the default label type for /tmp ("_tmp_t_"),
+resulting in a permissions error when the mysql container attempts to `chown`
+_/var/lib/mysql_.
+Therefore, on selinx systems using host path, you should pre-create the host path
+directory (/tmp/data/) and change it's selinux label type to "_svirt_sandbox_file_t_",
+as follows:
+
+```shell
+## on every node:
+mkdir -p /tmp/data
+chmod a+rwt /tmp/data  # match /tmp permissions
+chcon -Rt svirt_sandbox_file_t /tmp/data
+```
+
+Continuing with host path, create the persistent volume objects in Kubernetes using
 [local-volumes.yaml](local-volumes.yaml):

 ```shell
@ -137,6 +158,7 @@ export KUBE_REPO=https://raw.githubusercontent.com/kubernetes/kubernetes/master
 kubectl create -f $KUBE_REPO/examples/mysql-wordpress-pd/local-volumes.yaml
 ```

+
 ### GCE Persistent Disk

 This storage option is applicable if you are running on
@ -166,7 +188,8 @@ kubectl create -f $KUBE_REPO/examples/mysql-wordpress-pd/gce-volumes.yaml
 ## Create the MySQL Password Secret

 Use a [Secret](http://kubernetes.io/docs/user-guide/secrets/) object
-to store the MySQL password. First create a temporary file called
+to store the MySQL password. First create a file (in the same directory
+as the wordpress sample files) called
 `password.txt` and save your password in it. Make sure to not have a
 trailing newline at the end of the password. The first `tr` command
 will remove the newline if your editor added one. Then, create the
@ -245,6 +268,33 @@ Also in [mysql-deployment.yaml](mysql-deployment.yaml) we created a
 service to allow other pods to reach this mysql instance. The name is
 `wordpress-mysql` which resolves to the pod IP.

+Up to this point one Deployment, one Pod, one PVC, one Service, one Endpoint,
+two PVs, and one Secret have been created, shown below:
+
+```shell
+kubectl get deployment,pod,svc,endpoints,pvc -l app=wordpress -o wide && \
+  kubectl get secret mysql-pass && \
+  kubectl get pv
+```
+
+```shell
+NAME                     DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE
+deploy/wordpress-mysql   1         1         1            1           3m
+NAME                                  READY     STATUS    RESTARTS   AGE       IP           NODE
+po/wordpress-mysql-3040864217-40soc   1/1       Running   0          3m        172.17.0.2   127.0.0.1
+NAME                  CLUSTER-IP   EXTERNAL-IP   PORT(S)    AGE       SELECTOR
+svc/wordpress-mysql   None         <none>        3306/TCP   3m        app=wordpress,tier=mysql
+NAME                 ENDPOINTS         AGE
+ep/wordpress-mysql   172.17.0.2:3306   3m
+NAME                 STATUS    VOLUME       CAPACITY   ACCESSMODES   AGE
+pvc/mysql-pv-claim   Bound     local-pv-2   20Gi       RWO           3m
+NAME         TYPE      DATA      AGE
+mysql-pass   Opaque    1         3m
+NAME         CAPACITY   ACCESSMODES   STATUS      CLAIM                    REASON    AGE
+local-pv-1   20Gi       RWO           Available                                      3m
+local-pv-2   20Gi       RWO           Bound       default/mysql-pv-claim             3m
+```
+
 ## Deploy WordPress

 Next deploy WordPress using
--- a/examples/mysql-wordpress-pd/local-volumes.yaml
+++ b/examples/mysql-wordpress-pd/local-volumes.yaml
@ -10,7 +10,7 @@ spec:
  accessModes:
    - ReadWriteOnce
  hostPath:
-    path: /tmp/pv-1
+    path: /tmp/data/pv-1
 ---
 apiVersion: v1
 kind: PersistentVolume
@ -24,4 +24,4 @@ spec:
  accessModes:
    - ReadWriteOnce
  hostPath:
-    path: /tmp/pv-2
+    path: /tmp/data/pv-2