From 9e7f22a071c0f7aecd98baeb73a1f90e290ef039 Mon Sep 17 00:00:00 2001
From: kalebskeithley
Date: Tue, 9 Mar 2021 16:10:35 -0500
Subject: [PATCH] rgw-loadbalancer: Update haproxy.cfg.j2

haproxy gets an AVC when configured to connect to port 8081
This commit adds a snippet regarding haproxy in a selinux environment

Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1923890
Signed-off-by: Kaleb S KEITHLEY
---
 roles/ceph-rgw-loadbalancer/templates/haproxy.cfg.j2 | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/roles/ceph-rgw-loadbalancer/templates/haproxy.cfg.j2 b/roles/ceph-rgw-loadbalancer/templates/haproxy.cfg.j2
index 8f448160d..47dac0990 100644
--- a/roles/ceph-rgw-loadbalancer/templates/haproxy.cfg.j2
+++ b/roles/ceph-rgw-loadbalancer/templates/haproxy.cfg.j2
@@ -40,6 +40,18 @@ frontend rgw-frontend
 {% endif %}
     default_backend rgw-backend
 
+# when running in an selinux environment, selinux restricts the ports that haproxy can
+# connect to to:
+# * 80, 81, 443, 488, 8008, 8009, 8443, 9000 (http_port_t) and,
+# * 8080, 8118, 8123, 10001-10010 (http_cache_port_t)
+#
+# Practically speaking, it would be preferable (and perhaps easier) to configure the
+# rgw daemons to listen on ports 10001-10010 and configure haproxy here to match.
+#
+# Alternatively you can add other unused ports to http_port_t or http_cache_port_t
+# with, e.g.: `semanage port -a -t http_cache_port_t -p tcp 8085`
+# (Note that ports 8081-8084 are already taken and can't be used for haproxy.)
+#
 backend rgw-backend
     option forwardfor
     balance static-rr
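Review bot: The port lists in the added comment (80, 81, 443 … for http_port_t and 8080, 8118, 8123, 10001-10010 for http_cache_port_t) are a snapshot of one selinux-policy release and will drift as the policy package is updated, so the comment should tell readers to confirm the current labels on the target host with `# verify on the host: semanage port -l | grep -E 'http_(cache_)?port_t'` instead of trusting the list; the claim that 8081-8084 are "already taken" likewise depends on the installed policy and should be hedged. The `semanage port -a` example is a persistent local policy change made by hand; since this role is the thing deploying haproxy, the note could point out that the labelling belongs in the role (an Ansible seport task with the same type and port) so a rebuilt host does not reproduce the AVC from the bug report. It is also worth stating that the per-port labelling is deliberately narrower than the `haproxy_connect_any` SELinux boolean, which would let haproxy connect to any port and should not be the first resort. The comment does not change the `server` lines of the backend stanza, which continues outside the hunk, so the AVC remains until the rgw port or the labelling is actually changed.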