W E K A
4.3
4.3
  • WEKA v4.3 documentation
    • Documentation revision history
  • WEKA System Overview
    • WEKA Data Platform introduction
      • WEKA system functionality features
      • Converged WEKA system deployment
      • Optimize redundancy in WEKA deployments
    • SSD capacity management
    • Filesystems, object stores, and filesystem groups
    • WEKA networking
    • Data lifecycle management
    • WEKA client and mount modes
    • WEKA containers architecture overview
    • Glossary
  • Planning and Installation
    • Prerequisites and compatibility
    • WEKA cluster installation on bare metal servers
      • Plan the WEKA system hardware requirements
      • Obtain the WEKA installation packages
      • Install the WEKA cluster using the WMS with WSA
      • Install the WEKA cluster using the WSA
      • Manually install OS and WEKA on servers
      • Manually prepare the system for WEKA configuration
        • Broadcom adapter setup for WEKA system
        • Enable the SR-IOV
      • Configure the WEKA cluster using the WEKA Configurator
      • Manually configure the WEKA cluster using the resource generator
      • Perform post-configuration procedures
      • Add clients to an on-premises WEKA cluster
    • WEKA Cloud Deployment Manager Web (CDM Web) User Guide
    • WEKA Cloud Deployment Manager Local (CDM Local) User Guide
    • WEKA installation on AWS
      • WEKA installation on AWS using Terraform
        • Terraform-AWS-WEKA module description
        • Deployment on AWS using Terraform
        • Required services and supported regions
        • Supported EC2 instance types using Terraform
        • WEKA cluster auto-scaling in AWS
        • Detailed deployment tutorial: WEKA on AWS using Terraform
      • WEKA installation on AWS using the Cloud Formation
        • Self-service portal
        • CloudFormation template generator
        • Deployment types
        • AWS Outposts deployment
        • Supported EC2 instance types using Cloud Formation
        • Add clients to a WEKA cluster on AWS
        • Auto scaling group
        • Troubleshooting
      • Install SMB on AWS
    • WEKA installation on Azure
    • WEKA installation on GCP
      • WEKA project description
      • GCP-WEKA deployment Terraform package description
      • Deployment on GCP using Terraform
      • Required services and supported regions
      • Supported machine types and storage
      • Auto-scale instances in GCP
      • Add clients to a WEKA cluster on GCP
      • Troubleshooting
      • Detailed deployment tutorial: WEKA on GCP using Terraform
      • Google Kubernetes Engine and WEKA over POSIX deployment
  • Getting Started with WEKA
    • Manage the system using the WEKA GUI
    • Manage the system using the WEKA CLI
      • WEKA CLI hierarchy
      • CLI reference guide
    • Run first IOs with WEKA filesystem
    • Getting started with WEKA REST API
    • WEKA REST API and equivalent CLI commands
  • Performance
    • WEKA performance tests
      • Test environment details
  • WEKA Filesystems & Object Stores
    • Manage object stores
      • Manage object stores using the GUI
      • Manage object stores using the CLI
    • Manage filesystem groups
      • Manage filesystem groups using the GUI
      • Manage filesystem groups using the CLI
    • Manage filesystems
      • Manage filesystems using the GUI
      • Manage filesystems using the CLI
    • Attach or detach object store buckets
      • Attach or detach object store bucket using the GUI
      • Attach or detach object store buckets using the CLI
    • Advanced data lifecycle management
      • Advanced time-based policies for data storage location
      • Data management in tiered filesystems
      • Transition between tiered and SSD-only filesystems
      • Manual fetch and release of data
    • Mount filesystems
      • Mount filesystems from Single Client to Multiple Clusters (SCMC)
    • Snapshots
      • Manage snapshots using the GUI
      • Manage snapshots using the CLI
    • Snap-To-Object
      • Manage Snap-To-Object using the GUI
      • Manage Snap-To-Object using the CLI
    • Quota management
      • Manage quotas using the GUI
      • Manage quotas using the CLI
  • Additional Protocols
    • Additional protocol containers
    • Manage the NFS protocol
      • Supported NFS client mount parameters
      • Manage NFS networking using the GUI
      • Manage NFS networking using the CLI
    • Manage the S3 protocol
      • S3 cluster management
        • Manage the S3 service using the GUI
        • Manage the S3 service using the CLI
      • S3 buckets management
        • Manage S3 buckets using the GUI
        • Manage S3 buckets using the CLI
      • S3 users and authentication
        • Manage S3 users and authentication using the CLI
        • Manage S3 service accounts using the CLI
      • S3 rules information lifecycle management (ILM)
        • Manage S3 lifecycle rules using the GUI
        • Manage S3 lifecycle rules using the CLI
      • Audit S3 APIs
        • Configure audit webhook using the GUI
        • Configure audit webhook using the CLI
        • Example: How to use Splunk to audit S3
      • S3 supported APIs and limitations
      • S3 examples using boto3
      • Access S3 using AWS CLI
    • Manage the SMB protocol
      • Manage SMB using the GUI
      • Manage SMB using the CLI
  • Operation Guide
    • Alerts
      • Manage alerts using the GUI
      • Manage alerts using the CLI
      • List of alerts and corrective actions
    • Events
      • Manage events using the GUI
      • Manage events using the CLI
      • List of events
    • Statistics
      • Manage statistics using the GUI
      • Manage statistics using the CLI
      • List of statistics
    • Insights
    • System congestion
    • Security management
      • Obtain authentication tokens
      • KMS management
        • Manage KMS using the GUI
        • Manage KMS using the CLI
      • TLS certificate management
        • Manage the TLS certificate using the GUI
        • Manage the TLS certificate using the CLI
      • CA certificate management
        • Manage the CA certificate using the GUI
        • Manage the CA certificate using the CLI
      • Account lockout threshold policy management
        • Manage the account lockout threshold policy using GUI
        • Manage the account lockout threshold policy using CLI
      • Manage the login banner
        • Manage the login banner using the GUI
        • Manage the login banner using the CLI
      • Manage Cross-Origin Resource Sharing
    • User management
      • Manage users using the GUI
      • Manage users using the CLI
    • Organizations management
      • Manage organizations using the GUI
      • Manage organizations using the CLI
      • Mount authentication for organization filesystems
    • Expand and shrink cluster resources
      • Add a backend server
      • Expand specific resources of a container
      • Shrink a cluster
    • Background tasks
      • Set up a Data Services container for background tasks
      • Manage background tasks using the GUI
      • Manage background tasks using the CLI
    • Upgrade WEKA versions
  • Licensing
    • License overview
    • Classic license
  • Monitor the WEKA Cluster
    • Deploy monitoring tools using the WEKA Management Station (WMS)
    • WEKA Home - The WEKA support cloud
      • Local WEKA Home overview
      • Deploy Local WEKA Home v3.0 or higher
      • Deploy Local WEKA Home v2.x
      • Explore cluster insights and statistics
      • Manage alerts and integrations
      • Enforce security and compliance
      • Optimize support and data management
    • Set up the WEKAmon external monitoring
    • Set up the SnapTool external snapshots manager
  • Support
    • Get support for your WEKA system
    • Diagnostics management
      • Traces management
        • Manage traces using the GUI
        • Manage traces using the CLI
      • Protocols debug level management
        • Manage protocols debug level using the GUI
        • Manage protocols debug level using the CLI
      • Diagnostics data management
  • Best Practice Guides
    • WEKA and Slurm integration
      • Avoid conflicting CPU allocations
    • Storage expansion best practice
  • WEKApod
    • WEKApod Data Platform Appliance overview
    • WEKApod servers overview
    • Rack installation
    • WEKApod initial system setup and configuration
    • WEKApod support process
  • Appendices
    • WEKA CSI Plugin
      • Deployment
      • Storage class configurations
      • Tailor your storage class configuration with mount options
      • Dynamic and static provisioning
      • Launch an application using WEKA as the POD's storage
      • Add SELinux support
      • NFS transport failback
      • Upgrade legacy persistent volumes for capacity enforcement
      • Troubleshooting
    • Convert cluster to multi-container backend
    • Create a client image
    • Update WMS and WSA
    • BIOS tool
Powered by GitBook
On this page
  • Install a custom SELinux policy
  • Install and configure the WEKA CSI Plugin
  • Test the WEKA CSI plugin operation
  1. Appendices
  2. WEKA CSI Plugin

Add SELinux support

PreviousLaunch an application using WEKA as the POD's storageNextNFS transport failback

Last updated 8 months ago

Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for supporting access control security policies, including mandatory access controls (MAC).

To add SELinux support, perform the following procedures:

  1. .

  2. .

  3. .

Install a custom SELinux policy

  1. Distribute the SELinux policy package to all Kubernetes nodes using one of the following options:

    • Clone WEKA CSI Plugin Github repository:

      git clone https://github.com/weka/csi-wekafs.git

    • Copy the content of the selinux directory directly to Kubernetes nodes

  2. Apply the policy package directly:

    $ semodule -i csi-wekafs.pp

    Verify that the policy is applied correctly:

    $ getsebool -a | grep wekafs
container_use_wekafs --> off

    If the output matches mentioned above, skip to step 4. Otherwise, proceed to step 3 to build the policy from the sources.

  3. In certain circumstances, the pre-compiled policy installation could fail. For example, in a different Kernel version or Linux distribution. In this case, build the policy and install it from the source using the following steps:

    $ checkmodule -M -m -o csi-wekafs.mod csi-wekafs.te
$ semodule_package -o csi-wekafs.pp -m csi-wekafs.mod
$ make -f /usr/share/selinux/devel/Makefile csi-wekafs.pp
$ semodule -i csi-wekafs.pp

    For this purpose, the policycoreutils-devel package (or its alternative in case of Linux distribution different from the Red Hat family) is required.

    Verify that the policy is applied correctly:

    $ getsebool -a | grep wekafs
container_use_wekafs --> off

  4. The policy provides a boolean setting that allows on-demand enablement of relevant permissions. To enable WekaFS CSI volumes access from pods, run the command:

    $ setsebool container_use_wekafs=on

    To disable access, perform the command:

    $ setsebool container_use_wekafs=off

    The configuration changes are applied immediately.

Install and configure the WEKA CSI Plugin

  1. To label volumes correctly, install the WEKA CSI Plugin in an SELinux-compatible mode. To do that, set the selinuxSupport value to "enforced" or "mixed” by editing the file values.yaml or passing the parameter directly in the helm installation command.

Example:

$ helm install --upgrade csi-wekafsplugin csi-wekafs/csi-wekafsplugin --namespace csi-wekafsplugin --create-namespace --set selinuxSupport=enforced

Follow these considerations:

  • WEKA CSI Plugin supports both the enforced and mixed modes of selinuxSupport. The installation depends on the following mode settings:

    • When selinuxSupport is enforced, only SELinux-enabled CSI plugin node components are installed.

    • When selinuxSupport is mixed, both non-SELinux and SELinux-enabled components are installed.

    • When selinuxSupport is off, only non-SELinux CSI plugin node components are installed.

  • The SELinux status cannot be known from within the CSI plugin pod. Therefore, a way of distinguishing between SELinux-enabled and non-SELinux nodes is required. WEKA CSI Plugin relies on the node affinity mechanism by matching the value of a certain node label in a mutually exclusive way. Only when the label exists and is set to true, an SELinux-enabled node component will start on that node. Otherwise, the non-SELinux node component will start.

    To ensure that the plugin starts in compatibility mode, set the following label on each SELinux-enabled Kubernetes node:

  • If a node label is modified after installing the WEKA CSI Plugin node component on that node, terminate the csi-wekafs-node-XXXX component on the affected node. As a result, a replacement pod is automatically scheduled on the node but with the correct SELinux configuration.

csi.weka.io/selinux_enabled="true"

  • If another label stating SELinux support is already maintained on nodes, you can modify the expected label name in the selinuxNodeLabel parameter by editing the file values.yaml or by setting it directly during the WEKA CSI Plugin installation.

    Example:

$ helm install --upgrade csi-wekafsplugin csi-wekafs/csi-wekafsplugin --namespace csi-wekafsplugin --create-namespace --set selinuxSupport=mixed --set selinuxNodeLabel="selinux_enabled"

  • If a node lab

Test the WEKA CSI plugin operation

  4. Monitor the pod logs using the following command (expect no printing in the log files):

    $ kubectl logs -f -lapp=csi-daemonset-app-on-dir-api

    If the command returns a repeating message like the following one, it is most likely that the node on which the relevant pod is running is misconfigured:

    /bin/sh: can't create /data/csi-wekafs-test-api-gldmk.txt: Permission denied

  5. Obtain the node name from the pod:

    $ kubectl get pod csi-wekafs-test-api-gldmk -o wide
NAME                        READY   STATUS    RESTARTS   AGE   IP            NODE         NOMINATED NODE   READINESS GATES
csi-wekafs-test-api-gldmk   1/1     Running   0          98m   10.244.15.2   don-kube-8   <none>           <none>

  6. Connect to the relevant node and check if the WEKA CSI SELinux policy is installed and enabled:

    $ getsebool -a | grep wekafs
container_use_wekafs --> on

    • If the result matches the example, proceed to the next step.

    • If the policy is off, enable it and check the pod output again by running:

      $ setsebool container_use_wekafs=on

  7. Check if the node is labeled with the plugin is operating in SELinux-compatible mode by running the following command:

    $ kubectl describe node don-kube-8 | grep csi.weka.io/selinux_enabled
             csi.weka.io/selinux_enabled=true

    • If the label was missing and added by you during troubleshooting, the CSI node server component must be restarted on the node. Perform the following command to terminate the relevant pod, and another instance will start automatically:

$ POD=$(kubectl get pod -n csi-wekafs -lcomponent=csi-wekafs-node -o wide | grep -w don-kube-8 | cut -d" " -f1)
$ kubectl delete pod -n csi-wekafs $POD
$ POD=$(kubectl get pod -n csi-wekafs -lcomponent=csi-wekafs-node -o wide | grep -w don-kube-8 | cut -d" " -f1)
$ kubectl logs -n csi-wekafs -c wekafs $POD > log.txt

Make sure you have configured a valid CSI API . Create a valid WEKA CSI Plugin .

Provision a .

Provision a to enable access to all pods on all nodes.

If there is no result, the policy is not installed. Perform the procedure.

If the output is empty, Perform the procedure.

Collect CSI node server logs from the matching Kubernetes nodes and contact the .

secret
storageClass
PersistentVolumeClaim
DaemonSet
Install a custom SELinux policy
Install and configure the WEKA CSI Plugin
Test the WEKA CSI Plugin operation
Install a custom SELinux policy
Install and configure the Weka CSI Plugin
Customer Success Team