Operations grimoire/RHEL

From Nasqueron Agora

📕📁📜 Old technical information :: content warning

⌛ This Nasqueron Operations Grimoire page hasn't been updated for a long time.

☣ As our infrastructure evolves quickly, there is a good chance this information is outdated or now inaccurate. Be careful and consider update it.

➡️ To assert the information is still up-to-date or not, you can check the history of the relevant role in our Operations repository.

Docker engines servers uses CentOS Stream (e.g. Dwellers) or Rocky (e.g. docker-002).

SELinux

States targeting RHEL machines need to apply the relevant SELinux context to each directory and file.

For example, to apply the context httpd_log_t to /var/log/www:

   {% set has_selinux = salt['grains.get']('selinux:enabled', False) %}
   
   /var/log/www:
     file.directory:
       - user: {{ options["www_user"] }}
       - group: web
       - dir_mode: 711
   
  {% if has_selinux %}
   selinux_context_nginx_logs:
     selinux.fcontext_policy_present:
       - name: /var/log/www
       - sel_type: httpd_log_t
   
   selinux_context_nginx_logs_applied:
     selinux.fcontext_policy_applied:
       - name: /var/log/www
   {% endif %}

You'll find examples in rOPS: roles/paas-docker/containers/ files.

For booleans (sebool) or custom policies, you'll find examples in rOPS: roles/paas-docker/nginx/selinux.sls