Configuring a containerized cluster with SELinux

This section provides the steps required to run the Cloudera Embedded Container Service with SELinux enabled. If you are not planning to enable SELinux, you do not need to follow these instructions.

Ensure that the hosts you use for the containerized cluster meet all hardware and software requirements for use with Cloudera Data Services on premises.
Ensure SELinux is disabled on your ECS hosts. You can use the getenforce command to check its status.

Ensure system compatibility: Verify your system meets all hardware and software requirements.
Enable SELinux in Permissive mode by updating the /etc/selinux/config file on all ECS hosts by running the following commands:
```
sed -i 's/SELINUX=disabled/SELINUX=permissive/' /etc/selinux/config
reboot
```
These commands update the SELinux configuration to permissive mode.
note
Setting the mode to permissive initially allows you to install the Rancher-provided rke2-selinux RPM and continue with ECS installation without any issues. The reason for enabling SELinux in permissive mode initially is to avoid a restart when switching from SELinux disabled mode to SELinux enabled mode. When switching from permissive to enforcing mode (That is, SELinux is enabled in both cases), a reboot of the host is not required.

Install the SELinux policies provided by RKE2 by installing the RPMs on all ECS hosts. Use the following commands:

yum localinstall -y 
http://mirror.centos.org/centos/7/extras/x86_64/Packages/container-selinux-2.107-3.el7.noarch.rpm
wget https://github.com/rancher/rke2-selinux/releases/download/
v0.8.stable.2/rke2-selinux-0.8-2.el7.noarch.rpm
yum install -y rke2-selinux-0.8-2.el7.noarch.rpm

These commands install the necessary SELinux policies to support ECS.

Uninstall the nscd service by running the following command on all ECS hosts :
```
yum erase -y nscd
```
note
Uninstalling the ncsd service is required to prevent issues with Cloudera Manager Agent heartbeats (on ECS hosts) sent to Cloudera Manager Server.
Install a containerized cluster on all hosts. See Adding a Cloudera on Premises Data Services cluster.
Enable SELinux in Enforced mode by running the following commands on all ECS hosts:
```
setenforce 1
```
You can confirm that SELinux is running in Enforced mode by running the following command:
```
getenforce
```
This command switches SELinux from permissive to enforcing mode without a reboot.
Check the SELinux status with getenforce.
Verify that the ECS cluster hosts are sending heartbeats to the Cloudera Manager server.
1. Open the Cloudera Manager Admin Console.
2. Click Hosts > All Hosts.
3. Check the Last Heartbeat column for heartbeat status.
Verify that your workloads are functioning as expected.