Update main docs
actions-user committed Sep 27, 2024
1 parent 41f8c21 commit 3434de3
Showing 3 changed files with 35 additions and 39 deletions.
37 changes: 18 additions & 19 deletions static/docs/main/_sources/contents/security.rst.txt
Expand Up @@ -28,25 +28,24 @@ SELinux
The Warewulf server itself was developed with SELinux enabled in
"targeted" and "enforcing" mode and with the firewall active.

Additionally, the provisioning process fully supports SELinux by
default. In previous versions you had to enable a switch to support
SELinux, but in Warewulf v4 and above, it is always enabled, but you
do have to make some configuration changes.

#. The first thing to do is to change the provision "Root" option. By
default this is ``initramfs`` which means, take whatever file
system the kernel hands us. By default this is a ``ramfs`` type
file system (however this may not always be the case) and this
format does not support extended file attributes which are required
for SELinux. Instead you must configure Warewulf to use ``tmpfs``
for the provisioning file system. That change is made like: ``$
sudo wwctl profile set --root tmpfs default``.

#. That is all you have to do to ensure that Warewulf will
support SELinux. Once that is done, you just need to enable SELinux
in ``/etc/sysconfig/selinux`` and install the appropriate profiles
into the container. `An example`_ of such a container is in the
warewulf-node-images repository.
The provisioning process also fully supports booting SELinux-enabled
containers, though nodes must be configured to use tmpfs for init. ("ramfs"
(often used by default) does not support extended file attributes.)

.. code-block:: bash
wwctl profile set default --root tmpfs
.. note::

Versions of Warewulf prior to v4.5.8 also required a kernel argument
"rootfstype=ramfs" in order for wwinit to copy the node image to tmpfs; but
this is no longer required.

Once that is done, you just need to enable SELinux in
``/etc/sysconfig/selinux`` and install the appropriate profiles into the
container. `An example`_ of such a container is available in the
warewulf-node-images repository.

.. _An example: https://github.com/warewulf/warewulf-node-images/tree/main/examples/rockylinux-9-selinux
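
Review bot: The new note about versions prior to v4.5.8 reads as contradicting the paragraph above it. That paragraph says "ramfs" does not support extended file attributes and that nodes must use tmpfs, while the note says the kernel argument "rootfstype=ramfs" was needed for wwinit to copy the node image to tmpfs. One sentence explaining why the argument names ramfs would keep readers on older versions from dropping it or changing it to tmpfs. Two smaller points in the same hunk: "configured to use tmpfs for init" is vaguer than the removed text, which named the "Root" option and its ``initramfs`` default, and the last paragraph does not say whether ``/etc/sysconfig/selinux`` is the file inside the container or on the server. A closing verification step, such as running getenforce on a booted node, would let an administrator confirm the node came up in the intended mode.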

35 changes: 16 additions & 19 deletions static/docs/main/contents/security.html
Expand Up @@ -140,25 +140,22 @@ <h1>Security<a class="headerlink" href="#security" title="Link to this heading">
<h2>SELinux<a class="headerlink" href="#selinux" title="Link to this heading"></a></h2>
<p>The Warewulf server itself was developed with SELinux enabled in
“targeted” and “enforcing” mode and with the firewall active.</p>
<p>Additionally, the provisioning process fully supports SELinux by
default. In previous versions you had to enable a switch to support
SELinux, but in Warewulf v4 and above, it is always enabled, but you
do have to make some configuration changes.</p>
<ol class="arabic simple">
<li><p>The first thing to do is to change the provision “Root” option. By
default this is <code class="docutils literal notranslate"><span class="pre">initramfs</span></code> which means, take whatever file
system the kernel hands us. By default this is a <code class="docutils literal notranslate"><span class="pre">ramfs</span></code> type
file system (however this may not always be the case) and this
format does not support extended file attributes which are required
for SELinux. Instead you must configure Warewulf to use <code class="docutils literal notranslate"><span class="pre">tmpfs</span></code>
for the provisioning file system. That change is made like: <code class="docutils literal notranslate"><span class="pre">$</span>
<span class="pre">sudo</span> <span class="pre">wwctl</span> <span class="pre">profile</span> <span class="pre">set</span> <span class="pre">--root</span> <span class="pre">tmpfs</span> <span class="pre">default</span></code>.</p></li>
<li><p>That is all you have to do to ensure that Warewulf will
support SELinux. Once that is done, you just need to enable SELinux
in <code class="docutils literal notranslate"><span class="pre">/etc/sysconfig/selinux</span></code> and install the appropriate profiles
into the container. <a class="reference external" href="https://github.com/warewulf/warewulf-node-images/tree/main/examples/rockylinux-9-selinux">An example</a> of such a container is in the
warewulf-node-images repository.</p></li>
</ol>
<p>The provisioning process also fully supports booting SELinux-enabled
containers, though nodes must be configured to use tmpfs for init. (“ramfs”
(often used by default) does not support extended file attributes.)</p>
<div class="highlight-bash notranslate"><div class="highlight"><pre><span></span>wwctl<span class="w"> </span>profile<span class="w"> </span><span class="nb">set</span><span class="w"> </span>default<span class="w"> </span>--root<span class="w"> </span>tmpfs
</pre></div>
</div>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>Versions of Warewulf prior to v4.5.8 also required a kernel argument
“rootfstype=ramfs” in order for wwinit to copy the node image to tmpfs; but
this is no longer required.</p>
</div>
<p>Once that is done, you just need to enable SELinux in
<code class="docutils literal notranslate"><span class="pre">/etc/sysconfig/selinux</span></code> and install the appropriate profiles into the
container. <a class="reference external" href="https://github.com/warewulf/warewulf-node-images/tree/main/examples/rockylinux-9-selinux">An example</a> of such a container is available in the
warewulf-node-images repository.</p>
</section>
<section id="provisioning-security">
<h2>Provisioning Security<a class="headerlink" href="#provisioning-security" title="Link to this heading"></a></h2>
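
Review bot: In the rendered note, the kernel argument appears as “rootfstype=ramfs” in typographic quotes, and “ramfs” and tmpfs in the paragraph above are plain text, where the removed list rendered initramfs, ramfs and tmpfs as code literals. A value that gets copied into a kernel command line should render as a literal, so mark these with double backticks in security.rst and regenerate this file. The bash lexer also highlights "set" in the wwctl command as a shell builtin (span class "nb"), which is cosmetic but misleading for a wwctl subcommand. Since this HTML is build output committed next to its _sources copy, any fix belongs in the rst source rather than here.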
2 changes: 1 addition & 1 deletion static/docs/main/searchindex.js

Large diffs are not rendered by default.
