Bug 1143873

Summary: firewall-cmd gets stuck when run as superVDSM subsubprocess
Product: [Fedora] Fedora Reporter: Dan Kenigsberg <danken>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: unspecified    
Version: 20CC: danken, dominick.grift, dwalsh, lvrabec, mgrepl, osvoboda, phoracek, qe-baseos-security
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard: network
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1138731 Environment:
Last Closed: 2014-11-21 16:16:33 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1138731    
Bug Blocks:    

Description Dan Kenigsberg 2014-09-18 07:47:28 UTC 
+++ This bug was initially created as a clone of Bug #1138731 +++

Description of problem:

VDSM component of oVirt project is used (among many other tasks) to manage and monitor select network devices of a virtualization slave. To do so, it currently uses initscripts (/sbin/ifup and /sbin/ifdown), although alternative approaches are in development.

When asked to create a network on an interface (here, 'dummy_x') VDSM first prepares ifcfg-* file(s) and runs ifup/ifdown under its root-privileged supervdsm service.

For a reason unknown, firewall-cmd (run by ifup/ifdown scripts) takes forever when run under VSDM with firewalld service running. ifup/ifdown alone terminate successfully and promptly.

/sbin/ifdown dummy_x results in calling 'firewall-cmd --zone= --remove-interface=dummy_x'. Processes at the time supervdsm's ifdown is stuck are the following:

  ├─supervdsmd.service
  │ ├─144709 /usr/bin/python /usr/share/vdsm/supervdsmServer --sockfile /var/run/vdsm/svdsm.sock
  │ ├─145326 /bin/bash /etc/sysconfig/network-scripts/ifdown-eth ifcfg-dummy_x
  │ ├─145373 /bin/sh /etc/sysconfig/network-scripts/ifdown-post ifcfg-dummy_x
  │ └─145386 /usr/bin/python -Es /usr/bin/firewall-cmd --remove-interface=dummy_x

When debugging firewall-cmd with winpdb remotely I reached a blocking D-Bus call to method getDefaultZone on org.fedoraproject.FirewallD1 interface (/org/fedoraproject/FirewallD1 object).

In /usr/bin/firewall-cmd this was the trigger:
676 if options_zone_ops and not zone:
677     default = fw.getDefaultZone()

firewalld apparently never manages to receive or process or reply to the call. Maybe the call is even not actually made by firewall-cmd (but by stepping through firewall-cmd's code I have found no indication for this claim, even though D-Bus introspection fails for the method).

dbus-monitor --system shows the following output for ifdown dummy_x when invoked alone:

signal sender=:1.1996 -> dest=(null destination) serial=265 path=/org/fedoraproject/FirewallD1; interface=org.fedoraproject.FirewallD1.zone; member=InterfaceRemoved
   string "public"
   string "dummy_x"

No communication is shown between firewall-cmd and firewalld when run under supervdsm.

Do you have any hints what apparently causes firewall-cmd to block on calls to firewalld? Could privileges be capped by supervdsmd, D-Bus, PolicyKit, systemd?

I can offer access to my host and any assistance/information necessary.

Thanks!

Version-Release number of selected component (if applicable):
firewalld-0.3.9-7.el7.noarch
vdsm Git master

How reproducible:
100%

Steps to Reproduce:

1. Create the dummy network interface.

ip link add name dummy_x type dummy

2. Let VDSM create the ifcfg file and ifdown it (in preparation for ifup'ing it again).

vdsClient -s 0 setupNetworks networks='{test-firewalld:{nic:dummy_x,bridged:false}}'

Actual results:

supervdsmd is blocked by firewall-cmd, which never finishes.

Expected results:

firewall-cmd contacts firewalld and exits successfully.

Additional info:

Running /usr/sbin/ifdown dummy_x with the following ifcfg file is successful.

[root@localhost network-scripts]# cat ifcfg-dummy_x
# Generated by VDSM version 4.16.0-278.git189f68c.el7
DEVICE=dummy_x
HWADDR=f6:6e:b6:1e:1e:71
ONBOOT=no
DEFROUTE=no
NM_CONTROLLED=no
Comment 1 Miroslav Grepl 2014-10-13 14:27:34 UTC 
What is your issue on FEdora?
Comment 2 Dan Kenigsberg 2014-10-14 09:17:39 UTC 
I recall having seens firewall-cmd block in the same manner on F20, but Ondrej may have more information.
Comment 3 Ondřej Svoboda 2014-11-20 09:57:06 UTC 
(In reply to Miroslav Grepl from comment #1)
> What is your issue on FEdora?

(In reply to Dan Kenigsberg from comment #2)
> I recall having seens firewall-cmd block in the same manner on F20, but
> Ondrej may have more information.

Dan is right, the same issue is on F20. Installing selinux-policy-3.13.1-96.fc21.noarch and selinux-policy-targeted-3.13.1-96.fc21.noarch from Koji resolved it. Is there a package for F20 that I could vote for to get into stable?