From 2036e2ea39fad84f2a4fb0163adb11ff1aee0149 Mon Sep 17 00:00:00 2001 From: Ryan Beisner Date: Wed, 28 Mar 2018 13:24:20 -0500 Subject: [PATCH] Update readme for apparmor Change-Id: I4afe123e8543441a9fee805dea1426ddd19a9416 --- README.md | 15 +++++++++++++++ config.yaml | 3 ++- 2 files changed, 17 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 7b599a7d..b0271061 100644 --- a/README.md +++ b/README.md @@ -64,6 +64,21 @@ Please refer to the [Ceph Network Reference](http://docs.ceph.com/docs/master/ra **NOTE**: Existing deployments using ceph-*-network configuration options will continue to function; these options are preferred over any network space binding provided if set. +AppArmor Profiles +================= + +AppArmor is not enforced for Ceph by default. An AppArmor profile can be generated by the charm. However, great care must be taken. + +Changing the value of the ```aa-profile-mode``` option is disruptive to a running Ceph cluster as all ceph-osd processes must be restarted as part of changing the AppArmor profile enforcement mode. + +The generated AppArmor profile currently has a narrow supported use case, and it should always be verified in pre-production against the specific configurations and topologies intended for production. + +The AppArmor profile(s) which are generated by the charm should NOT yet be used in the following scenarios: + - When there are separate journal devices. + - On any version of Ceph prior to Luminous. + - On any version of Ubuntu other than 16.04. + - With Bluestore enabled. + Contact Information =================== diff --git a/config.yaml b/config.yaml index 70ec475c..f236a70d 100644 --- a/config.yaml +++ b/config.yaml 
@@ -299,4 +299,5 @@ options: . NOTE: changing the value of this option is disruptive to a running Ceph cluster as all ceph-osd processes must be restarted as part of changing - the apparmor profile enforcement mode. + the apparmor profile enforcement mode. Always test in pre-production + before enabling AppArmor on a live cluster.
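Review bot: In the README.md hunk, the new "AppArmor Profiles" section tells operators that changing `aa-profile-mode` is disruptive but never says which values the option accepts or which of them matches the "not enforced by default" state, so a reader cannot tell from the README alone which change triggers the ceph-osd restarts. Suggest naming the values or pointing to the option's description in config.yaml. The list of scenarios where the profile "should NOT yet be used" (separate journal devices, Ceph prior to Luminous, Ubuntu other than 16.04, Bluestore) is documentation only; the patch touches nothing but README.md and config.yaml, so it is worth stating in the text that the operator must check these conditions before changing the option. Minor style point: the option name is wrapped in triple backticks inline, where single backticks are the usual Markdown form for inline code.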
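Review bot: In the config.yaml hunk, the sentence added to the option description ("Always test in pre-production before enabling AppArmor on a live cluster.") omits the unsupported scenarios that the README hunk lists, so an operator who reads only the option description sees the restart warning but not the cases where the generated profile should not be used. Suggest adding a short pointer here, for example a sentence referring to the "AppArmor Profiles" section of the README, so both places carry the same caveat. The description also switches between "apparmor" and "AppArmor" within the same note; picking one spelling would keep it consistent with the README.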