Configuring a containerized cluster with SELinux

You can configure a containerized cluster with SELinux to enable it to run the Embedded Container Service (ECS).

  1. Ensure that the hosts you use for the containerized cluster meet all hardware and software requirements for use with CDP Private Cloud Data Services.
  2. Set SELinux to Permissive mode on all ECS hosts by updating the /etc/selinux/config file and rebooting. Run the following commands:
    sed -i 's/SELINUX=disabled/SELINUX=permissive/' /etc/selinux/config
    reboot
  3. Add the SELinux policies provided by RKE2 by installing the RPMs on all ECS hosts. Use the following commands:
    yum localinstall -y http://mirror.centos.org/centos/7/extras/x86_64/Packages/container-selinux-2.107-3.el7.noarch.rpm
    wget https://github.com/rancher/rke2-selinux/releases/download/v0.8.stable.2/rke2-selinux-0.8-2.el7.noarch.rpm
    yum install -y rke2-selinux-0.8-2.el7.noarch.rpm
  4. Uninstall the nscd service by running the following command on all ECS hosts:
    yum erase -y nscd
  5. Install a containerized cluster on all hosts. See Adding a CDP Private Cloud Data Services cluster.
  6. Switch SELinux to Enforcing mode by running the following command on all ECS hosts:
    setenforce 1
    You can confirm that SELinux is running in Enforcing mode by running the following command:
    getenforce
  7. Verify that the ECS cluster hosts are sending heartbeats to the Cloudera Manager server.
    1. Open the Cloudera Manager Admin Console.
    2. Click Hosts > All Hosts.
    3. Check the Last Heartbeat column for heartbeat status.
  8. Verify that your workloads are functioning as expected.
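
The `setenforce 1` command in step 6 changes only the running mode, while /etc/selinux/config still holds the value written in step 2, so a host returns to that value at its next reboot. The check below is an added example, not part of the original procedure or of any Cloudera or RKE2 tooling; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare the runtime SELinux mode with the boot-time setting.
# Function names and the sample file are constructed for illustration.

# Print the mode set by the last active SELINUX= line of a config file.
# Comment lines and SELINUXTYPE= do not match the pattern.
config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" |
        tail -n 1 | tr '[:upper:]' '[:lower:]'
}

# $1 = output of getenforce, $2 = path to the SELinux config file.
# Prints: ok | runtime-only | not-enforcing
selinux_state() {
    runtime=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    persistent=$(config_mode "$2")
    if [ "$runtime" != "enforcing" ]; then
        echo "not-enforcing"      # step 6 has not been applied
    elif [ "$persistent" != "enforcing" ]; then
        echo "runtime-only"       # enforcing now, config value applies after reboot
    else
        echo "ok"
    fi
}

# Constructed sample: /etc/selinux/config as step 2 leaves it.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# SELINUX= can take one of these three values:
#     enforcing, permissive, disabled
SELINUX=permissive
SELINUXTYPE=targeted
EOF

# Runtime value as getenforce reports it after `setenforce 1`.
echo "sample host: $(selinux_state Enforcing "$sample")"
rm -f "$sample"

# On a real host:
#   selinux_state "$(getenforce)" /etc/selinux/config
```

A result of `runtime-only` means the host enforces policy now but will boot in the mode recorded in the config file.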