This page shows you how to secure your containers by enabling SELinux. SELinux is supported for RHEL and CentOS. If your host machines are running RHEL or CentOS and you want to enable SELinux, you must enable SELinux on all of your host machines before installing or upgrading Google Distributed Cloud.
Check if SELinux is enabled
SELinux is enabled on RHEL and CentOS by default. To verify, run:
$ getenforce
The command returns either Enforcing, Permissive, or Disabled. If the
command returns Enforcing, then you can proceed with upgrading or creating
your clusters.
Enable SELinux
If the getenforce command returns Permissive, you can switch to Enforcing
mode using the setenforce command. Toggling between Permissive and
Enforcing mode using setenforce doesn't require a system reboot. However, if
you want the changes to be persistent across reboots, you must update the
/etc/selinux/config file.
To switch to Enforcing mode, run:
$ sudo setenforce 1 # temporary
$ sudo sed -i 's/SELINUX=permissive/SELINUX=enforcing/g' /etc/selinux/config # persistent - after reboot
If SELinux is Disabled, we recommend that you first enable it in
Permissive mode and reboot the system to verify that the system boots
successfully. If there are no SELinux errors, then you can safely switch SELinux
to Enforcing mode.
Optional: Enable SELinux in Permissive mode:
$ sudo sed -i 's/SELINUX=disabled/SELINUX=permissive/g' /etc/selinux/config
$ sudo reboot
If the system reboots successfully with no SELinux errors, then you can enable Enforcing mode:
$ sudo sed -i 's/^SELINUX=\(disabled\|permissive\)/SELINUX=enforcing/' /etc/selinux/config # matches whether or not the optional step was done
$ sudo reboot
Once SELinux is enabled in Enforcing mode, you can proceed with upgrading or
installing Google Distributed Cloud.
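The following preflight check is an added example, not part of the original page or of Google Distributed Cloud. It compares the runtime mode reported by getenforce with the persistent setting in /etc/selinux/config, so that a host switched only with setenforce 1 is caught before it reverts at the next reboot. The function names, return codes and the --check argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: per-host SELinux preflight. Function names, return codes
# and the --check argument are hypothetical, chosen for this illustration.

# Print the persistent mode from an SELinux config file, lowercased.
# Comment lines and SELINUXTYPE= are ignored; the last SELINUX= line wins.
configured_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" 2>/dev/null |
        tail -n 1 | tr '[:upper:]' '[:lower:]'
}

# selinux_preflight RUNTIME_MODE CONFIG_FILE
# Returns 0 only if the host is Enforcing now and stays so after a reboot.
selinux_preflight() {
    runtime=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    persistent=$(configured_mode "$2")
    case "$runtime/$persistent" in
        enforcing/enforcing)
            echo "OK: enforcing now and after reboot"
            return 0 ;;
        enforcing/*)
            echo "FAIL: enforcing now, but config says '${persistent:-unset}'; not persistent"
            return 1 ;;
        permissive/enforcing)
            echo "FAIL: permissive now, config is enforcing; run setenforce 1 or reboot"
            return 2 ;;
        disabled/*)
            echo "FAIL: disabled at runtime; update the config and reboot"
            return 3 ;;
        *)
            echo "FAIL: runtime='$runtime' config='${persistent:-unset}'"
            return 4 ;;
    esac
}

# Run against the real host only when asked to, so the functions can also
# be sourced and exercised against a sample config file.
if [ "${1:-}" = "--check" ]; then
    selinux_preflight "$(getenforce)" /etc/selinux/config
fi
```

Run the script with --check on each host machine and proceed only when every host returns 0.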