Bug 1147059

Summary: daemonAdapter: ImportError: Unable to import libpython2.7! (missing selinux rules)
Product: [Retired] oVirt Reporter: Douglas Schilling Landgraf <dougsland>
Component: ovirt-nodeAssignee: Douglas Schilling Landgraf <dougsland>
Status: CLOSED CURRENTRELEASE QA Contact: bugs <bugs>
Severity: urgent Docs Contact:
Priority: urgent    
Version: 3.5CC: asegurap, bazulay, bugs, danken, dougsland, ecohen, fdeutsch, gklein, iheim, lsurette, lvrabec, mgoldboi, ovirt-bugs, rbalakri, yeylon
Target Milestone: ---Keywords: TestOnly
Target Release: 3.5.0   
Hardware: All   
OS: Linux   
Whiteboard: node
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-10-17 12:36:46 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Node RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1147536, 1164308, 1164311    
Attachments:
Description Flags
messages
none
supervdsm
none
ovirtlog2
none
ovirtlog1 none

Description Douglas Schilling Landgraf 2014-09-26 18:09:45 UTC 
Description of problem:

Sep 26 13:23:39 localhost vdsmd_init_common.sh: Printing host uuid
Sep 26 13:23:39 localhost vdsmd_init_common.sh: vdsm: stopped during execute check_is_configured task (task returned with error code 1).
Sep 26 13:23:39 localhost daemonAdapter: Traceback (most recent call last):
Sep 26 13:23:39 localhost daemonAdapter: File "/usr/share/vdsm/supervdsmServer", line 61, in <module>
Sep 26 13:23:39 localhost daemonAdapter: from network.api import (addNetwork, delNetwork, editNetwork, setupNetworks,
Sep 26 13:23:39 localhost daemonAdapter: File "/usr/share/vdsm/network/api.py", line 34, in <module>
Sep 26 13:23:39 localhost daemonAdapter: File "/usr/share/vdsm/network/configurators/ifcfg.py", line 41, in <module>
Sep 26 13:23:39 localhost daemonAdapter: File "/usr/lib/python2.7/site-packages/ovirt/node/utils/__init__.py", line 22, in <module>
Sep 26 13:23:39 localhost daemonAdapter: File "/usr/lib/python2.7/site-packages/augeas.py", line 56, in <module>
Sep 26 13:23:39 localhost daemonAdapter: File "/usr/lib/python2.7/site-packages/augeas.py", line 62, in Augeas
Sep 26 13:23:39 localhost daemonAdapter: File "/usr/lib/python2.7/site-packages/augeas.py", line 53, in _dlopen
Sep 26 13:23:39 localhost daemonAdapter: ImportError: Unable to import libpython2.7!


Version-Release number of selected component (if applicable):

rhev-hypervisor7-7.0-20140925.0.iso
https://brewweb.devel.redhat.com/taskinfo?taskID=8025131


Additional data:

- We tried to import from rhev-h IDLE or vdsm manually and it works
Comment 1 Douglas Schilling Landgraf 2014-09-26 18:10:31 UTC 
Created attachment 941677 [details]
messages
Comment 2 Douglas Schilling Landgraf 2014-09-26 18:10:49 UTC 
Created attachment 941678 [details]
supervdsm
Comment 3 Douglas Schilling Landgraf 2014-09-26 18:11:10 UTC 
Created attachment 941679 [details]
ovirtlog2
Comment 4 Douglas Schilling Landgraf 2014-09-26 18:11:46 UTC 
Created attachment 941680 [details]
ovirtlog1
Comment 5 Dan Kenigsberg 2014-09-26 18:54:30 UTC 
Any hints in audit.log? Can you retry with `setenforce 0` (without Dan Walsh seeing)?
Comment 6 Douglas Schilling Landgraf 2014-09-26 19:34:52 UTC 
Hi Dan,

It seems it get moved forward with selinux in Permissive mode but I will double check for sure as my environment is in the debug one. However, I have found other an issue in vdsmd_init_common.sh, please see below:

Sep 26 19:27:51 localhost ntpd[3635]: 0.0.0.0 c618 08 no_sys_peer
Sep 26 19:27:51 localhost vdsmd_init_common.sh: vdsm: Running syslog_available
Sep 26 19:27:51 localhost vdsmd_init_common.sh: vdsm: Running nwfilter
Sep 26 19:27:52 localhost vdsmd_init_common.sh: vdsm: Running dummybr
Sep 26 19:27:53 localhost vdsmd_init_common.sh: vdsm: Running load_needed_modules
Sep 26 19:27:53 localhost vdsmd_init_common.sh: vdsm: Running tune_system
Sep 26 19:27:53 localhost vdsmd_init_common.sh: vdsm: Running test_space
Sep 26 19:27:53 localhost vdsmd_init_common.sh: vdsm: Running test_lo
Sep 26 19:27:53 localhost vdsmd_init_common.sh: vdsm: Running unified_network_persistence_upgrade
Sep 26 19:27:54 localhost vdsmd_init_common.sh: vdsm: Running restore_nets
Sep 26 19:27:55 localhost vdsmd_init_common.sh: Traceback (most recent call last):
Sep 26 19:27:55 localhost vdsmd_init_common.sh: File "/usr/share/vdsm/vdsm-restore-net-config", line 137, in <module>
Sep 26 19:27:55 localhost vdsmd_init_common.sh: restore()
Sep 26 19:27:55 localhost vdsmd_init_common.sh: File "/usr/share/vdsm/vdsm-restore-net-config", line 123, in restore
Sep 26 19:27:55 localhost vdsmd_init_common.sh: unified_restoration()
Sep 26 19:27:55 localhost vdsmd_init_common.sh: File "/usr/share/vdsm/vdsm-restore-net-config", line 66, in unified_restoration
Sep 26 19:27:55 localhost vdsmd_init_common.sh: persistentConfig.bonds)
Sep 26 19:27:55 localhost vdsmd_init_common.sh: File "/usr/share/vdsm/vdsm-restore-net-config", line 91, in _filter_nets_bonds
Sep 26 19:27:55 localhost vdsmd_init_common.sh: bonds[bond]['nics'], net)
Sep 26 19:27:55 localhost vdsmd_init_common.sh: KeyError: u''
Sep 26 19:27:55 localhost vdsmd_init_common.sh: vdsm: stopped during execute restore_nets task (task returned with error code 1).
Sep 26 19:27:55 localhost systemd: vdsmd.service: control process exited, code=exited status=1
Sep 26 19:27:55 localhost systemd: Failed to start Virtual Desktop Server Manager.


@Toni could be related to your change for tests?
Comment 7 Fabian Deutsch 2014-09-29 14:10:17 UTC 
(In reply to Douglas Schilling Landgraf from comment #6)
> Hi Dan,
> 
> It seems it get moved forward with selinux in Permissive mode but I will
> double check for sure as my environment is in the debug one. However, I have
> found other an issue in vdsmd_init_common.sh, please see below:


Hey, I also found some time today.
And It seems that this import error really is an selinux problem.

If I change to permissive mode, then the error is gone, enabling it leads to the problem again.

The reason why no denials appear in audit.log could be that the denials are "Blocked" by dontaudit rules.
Comment 8 Antoni Segura Puimedon 2014-09-29 14:21:53 UTC 
I think that due to the subject of this bug (the issue in comment 6 is unrelated to that and deserves a look separately), the bug should be moved so it is handled by the selinux team.
Comment 9 Dan Kenigsberg 2014-09-29 17:16:19 UTC 
Lukas, can you help us understand what in selinux blocks python's import?

Fabian, can you desable dontaudit and try to reproduce?
Comment 10 Fabian Deutsch 2014-09-29 18:21:23 UTC 
(In reply to Dan Kenigsberg from comment #9)
> Lukas, can you help us understand what in selinux blocks python's import?
> 
> Fabian, can you desable dontaudit and try to reproduce?

I need to see how to do this, but I'll try.
Comment 11 Fabian Deutsch 2014-09-29 18:32:24 UTC 
I am not sure how this bug can be reproduced, btu DOuglas: When trying you can disable the dontauditrules by running

semodule -DB

Afterwards just try to reproduce this bug and catch the audit log.
Comment 12 Antoni Segura Puimedon 2014-09-29 21:41:09 UTC 
The problem of https://bugzilla.redhat.com/show_bug.cgi?id=1147059#c6 has been dealt with in the latest patch to https://bugzilla.redhat.com/show_bug.cgi?id=1144639
Comment 13 Fabian Deutsch 2014-10-01 14:56:00 UTC 
Moving this to ovirt-node because we need to take crae of the correct selinux rules. Setting this to TestOnly, because we've got several patches related also to other bugs which could fix this bug.
Comment 14 Sandro Bonazzola 2014-10-17 12:36:46 UTC 
oVirt 3.5 has been released and should include the fix for this issue.