3. Modify System Security

SELinux

  1. If you plan to use SELinux on the Open OnDemand host you must install the ondemand-selinux package.

    sudo yum install ondemand-selinux
    

    Note

    OnDemand runs under the ood_pun_t context.

The OnDemand SELinux package makes several changes to allow OnDemand to run with SELinux enabled.

  • Set contexts of several filesystem paths specific to OnDemand.

  • Enable SELinux booleans.

  • Apply a custom policy to allow actions to performed by ood_pun_t context.

The custom SELinux booleans provided by the OnDemand SELinux policy:

  • ondemand_manage_user_home_dir (default=off): Necessary if user home directories are local disk and not NFS. This is useful when OnDemand is hosted on the system also acting as the NFS server for home directories.

  • ondemand_manage_vmblock (default=off): So far this has only proven necessary when running OnDemand inside of Vagrant when the home directory is a Virtualbox mount.

  • ondemand_use_nfs (default=on): Allow OnDemand to manage NFS home directories, which is necessary if home directories are accessible via NFS on the OnDemand web node.

  • ondemand_use_shell_app (default=off): DEPRECATED, see ondemand_use_ssh Adds necessary rules to allow the OnDemand Shell app to function.

  • ondemand_use_ssh (default=on): Allow OnDemand to use SSH for Shell app and Linux Host Adapter.

  • ondemand_use_sssd (default=on): Allows OnDemand to access SSSD

  • ondemand_use_slurm (default=off): Allows OnDemand to interact with SLURM and MUNGE.

  • ondemand_use_torque (default=off): Allows OnDemand to interact with Torque.

  • ondemand_use_kubernetes (default=off): Allow OnDemand to interact with Kubernetes.

  • ondemand_use_ldap (default=off): Allows OnDemand to interact with remote LDAP servers. This does not affect Apache LDAP authentication. This is only necessary if the PUN is interacting with LDAP ports.

  • ondemand_use_kerberos (default=off): Allow OnDemand to interact with Kerberos.

The following SELinux booleans are enabled by the ondemand-selinux package:

  • httpd_setrlimit

  • httpd_mod_auth_pam

  • httpd_run_stickshift

  • httpd_can_network_connect

  • daemons_use_tty

  • use_nfs_home_dirs (can be disabled if the OnDemand web node is not using NFS for home directories)

The following example disabled the OnDemand SSH SELinux boolean.

sudo setsebool -P ondemand_use_ssh=off

If you experience denials when running SELinux with Open OnDemand please provide denial details by generating a ood.te file and posting that to Discourse. It would also help to post the audit.log lines that correspond to the OnDemand specific denials.

cat /var/log/audit/audit.log | audit2allow -M ood

Firewall

  1. Open ports 80 (http) and 443 (https) in the firewall, typically done with firewalld or iptables.

    Firewalld example:
    $ sudo firewall-cmd --zone=public --add-port=80/tcp --permanent
    $ sudo firewall-cmd --zone=public --add-port=443/tcp --permanent
    $ sudo firewall-cmd --reload
    
Iptables example:
$ sudo iptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT
$ sudo iptables -I INPUT -p tcp -m tcp --dport 443 -j ACCEPT
$ sudo iptables-save > /etc/sysconfig/iptables

Note

If using Dex authentication the port used by Dex must also be opened. See Dex Firewall for details.