Creating an SELinux policy module on Red Hat OpenShift worker nodes

If you are using NFS storage and your worker nodes are running Security-Enhanced Linux (SELinux) in enforcing mode, you must create an SELinux policy module on any nodes where Db2U pods will run. The module grants confined containers (the container_t domain) the ability to create and use named pipes (FIFOs) on NFS-backed files (the nfs_t type), which the Db2U pods require and the default targeted policy denies.

Who needs to complete this task?
A cluster administrator must complete this task.
When do you need to complete this task?
If the following statements apply to your environment, you must create an SELinux policy module on your Red Hat OpenShift Container Platform worker nodes:
  • You plan to use NFS storage
  • Your worker nodes are running SELinux in enforcing mode
  • You plan to install one or more of the following services:
    • Db2®
    • Db2 Big SQL
    • Db2 Warehouse
    • OpenPages® (with an internal database)
    • Watson™ Knowledge Catalog
    • Watson Query

If any of these statements does not apply to your environment, you can skip this task.

About this task

If you are planning to install services that support dedicated worker nodes, you have the following options:
  • If you want to set up dedicated worker nodes, create the policy module only on the nodes where you plan to run the services.
  • If you don't want to set up dedicated worker nodes, you must create the policy module on all worker nodes in the cluster.
If you are planning to install services that do not support dedicated worker nodes, you have the following options:
  • Create the policy module on all worker nodes in the cluster.
  • Disable enforcing mode. (If you choose this option, you do not need to create the policy module. Be aware that switching a node to permissive mode removes SELinux confinement for every container on that node, not only the Db2U pods, so the policy module is the preferred option.)
  • Choose a different type of storage for the services. (If you choose this option, you do not need to create the policy module, but you do need to ensure that you set up an additional type of persistent storage for your cluster.)

The following table identifies which services support dedicated nodes:

Service Supports dedicated nodes Does not support dedicated nodes
Db2  
Db2 Big SQL  
Db2 Warehouse  
OpenPages *  
Watson Knowledge Catalog *  
Watson Query  

* The service supports dedicated nodes for Db2U.

Procedure

To create the SELinux policy module:

  1. Complete the following steps on one of the worker nodes in the cluster.

    If you are planning to use dedicated worker nodes, complete this task on one of the nodes that you have chosen as a dedicated node.

    1. Create a type enforcement (TE) file named db2u-nfs.te with the following content:
      module db2u-nfs 1.0;
      require {
        type nfs_t;
        type container_t;
        class fifo_file { create open read unlink write ioctl getattr setattr };
      }
      allow container_t nfs_t:fifo_file { create open read unlink write ioctl getattr setattr };
      The require block declares the types, class, and permissions that the rule references; every permission used in the allow rule must also appear in the require block, or the module does not compile. The allow rule grants the container_t domain (the domain of every confined container on the node, not only the Db2U pods) FIFO operations on files that are labeled nfs_t, and nothing else.
    2. Transform the db2u-nfs.te file to a module (MOD) file named db2u-nfs.mod. The -M flag builds the module for the MCS-enabled targeted policy and -m produces a loadable (non-base) module:
      checkmodule -M -m -o db2u-nfs.mod db2u-nfs.te
    3. Compile the db2u-nfs.mod file into a policy package (PP) file named db2u-nfs.pp:
      semodule_package -o db2u-nfs.pp -m db2u-nfs.mod
    4. Install the policy package on the node:
      semodule -i db2u-nfs.pp
  2. Transfer the policy package file (only db2u-nfs.pp is needed; the .te and .mod files do not have to be copied) to each remaining node where you need the SELinux policy module. Then, on each of those nodes, run the same command to install the policy package:
    semodule -i db2u-nfs.pp
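The procedure above as one script, added here as an example; it is not IBM's tooling and does not appear in the original page. It generalizes the steps: it writes the TE file, compiles the module on the node you name as the build node, pulls the resulting .pp back to your workstation, and then installs it on every node matching a label selector (all workers, or the label you put on your dedicated nodes), with a post-install check via semodule -l. Before compiling it also checks that the allow rule uses only permissions declared in the require block, the mismatch that makes checkmodule fail. Assumptions that are the example's own, not the page's: nodes are reached with oc debug node/<name> and chroot /host from a Linux workstation that has cluster-admin oc access and GNU base64 (the -w0 flag); checkmodule, semodule_package and semodule are present on the build node; the script name db2u-nfs-policy.sh, the node_sh/build_on_node/install_on_nodes helpers, and the PPBEGIN/PPEND markers are invented for this example.

```bash
#!/usr/bin/env bash
# Example only (not IBM's own tooling): build the db2u-nfs SELinux module on one
# OpenShift worker node and install it on the others, driven from a workstation.
# Assumes: `oc debug node/<name>` + `chroot /host` for node access, GNU base64 -w0
# on the workstation, checkmodule/semodule_package/semodule on the build node.
set -eu

MODULE=db2u-nfs

# Write the type-enforcement source from the procedure to the path in $1.
write_te_file() {
  cat > "$1" <<'EOF'
module db2u-nfs 1.0;

require {
    type nfs_t;
    type container_t;
    class fifo_file { create open read unlink write ioctl getattr setattr };
}

# container_t is the domain of every confined container on the node, so this
# rule is node-wide rather than Db2U-specific; it is limited to FIFOs on nfs_t.
allow container_t nfs_t:fifo_file { create open read unlink write ioctl getattr setattr };
EOF
}

# Pre-compile check: every permission in the fifo_file allow rule must also be
# declared in the require block, otherwise checkmodule rejects the module.
te_rules_consistent() {
  local te=$1 required allowed p
  required=$(sed -n 's/.*class fifo_file[[:space:]]*{\([^}]*\)}.*/\1/p' "$te")
  allowed=$(sed -n 's/^[[:space:]]*allow[^:]*:fifo_file[[:space:]]*{\([^}]*\)}.*/\1/p' "$te")
  [ -n "$required" ] && [ -n "$allowed" ] || return 1
  for p in $allowed; do                      # word-split on purpose
    case " $required " in *" $p "*) ;; *) return 1 ;; esac
  done
}

# Run a shell command as root on a node through a debug pod (host root at /host).
node_sh() {
  local node=$1 cmd=$2
  oc debug "node/$node" -- chroot /host /bin/sh -c "$cmd"
}

# Compile the .te on the build node (the page says: one of the dedicated nodes)
# and bring the .pp back. The binary travels base64-encoded between markers so
# oc's own status lines cannot corrupt it.
build_on_node() {
  local node=$1 te=$2 pp=$3 payload
  payload=$(base64 -w0 "$te")
  node_sh "$node" "echo '$payload' | base64 -d > /tmp/$MODULE.te &&
    cd /tmp && checkmodule -M -m -o $MODULE.mod $MODULE.te &&
    semodule_package -o $MODULE.pp -m $MODULE.mod &&
    echo PPBEGIN && base64 -w0 $MODULE.pp && echo && echo PPEND" \
    | sed -n '/^PPBEGIN$/,/^PPEND$/p' | sed '1d;$d' | base64 -d > "$pp"
  [ -s "$pp" ]                               # fail loudly if nothing came back
}

# Install the package on each node and confirm the module is loaded.
install_on_nodes() {
  local pp=$1 payload node
  shift
  payload=$(base64 -w0 "$pp")                # a .pp this small fits in one argument
  for node in "$@"; do
    node_sh "$node" "echo '$payload' | base64 -d > /tmp/$MODULE.pp &&
      semodule -i /tmp/$MODULE.pp && semodule -l | grep -q '^$MODULE' &&
      echo '$MODULE loaded on $node'"
  done
}

# Node names matching a label selector, e.g. node-role.kubernetes.io/worker=
# for all workers, or the label that marks your dedicated nodes.
worker_nodes() {
  oc get nodes -l "$1" -o jsonpath='{.items[*].metadata.name}'
}

main() {
  case "${1:-}" in
    build)   # build <build-node>
      write_te_file "$MODULE.te"
      te_rules_consistent "$MODULE.te" || { echo "require/allow mismatch in $MODULE.te" >&2; return 1; }
      build_on_node "$2" "$MODULE.te" "$MODULE.pp" ;;
    install) # install <label-selector>
      install_on_nodes "$MODULE.pp" $(worker_nodes "$2") ;;  # unquoted: one name per argument
    *) echo "usage: $0 build <node> | install <label-selector>" >&2 ;;
  esac
}
[ $# -eq 0 ] || main "$@"
```

Run it as ./db2u-nfs-policy.sh build <node> against the node you chose for compiling, then ./db2u-nfs-policy.sh install node-role.kubernetes.io/worker= (or your dedicated-node label) to load the package everywhere it is needed. The install step reports a node only after semodule -l shows the module, so a node that silently kept the default policy is visible as a missing line rather than a later AVC denial in the Db2U pods.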