Bug 1170238

| Summary: | Keepalived fail to start for HA router because of SELinux issues | | |
|---|---|---|---|
| Product: | [Community] RDO | Reporter: | Manabu Ori <mori> |
| Component: | openstack-selinux | Assignee: | Lon Hohberger <lhh> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Ofer Blaut <oblaut> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | Juno | CC: | bperkins, mori, pasik, yeylon |
| Target Milestone: | --- | | |
| Target Release: | Juno | | |
| Hardware: | noarch | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2015-11-06 16:50:18 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Attachments: | | | |

Created attachment 964149
fix for os-neutron.te

Description of problem:
When creating VRRP HA router with SELINUX=enforcing, keepalived on Network nodes failed to start because of SELinux context mismatch.

Version-Release number of selected component (if applicable):
CentOS7 + RDO Juno
openstack-selinux-0.5.19-2.el7ost.noarch

How reproducible:
Always

Steps to Reproduce:
1. Configure OpenStack environment with 1 controller node, 2 network nodes, 1 compute node. All nodes are set SELINUX=enforcing.
2. Enable l3_ha in /etc/neutron/neutron.conf

   ```
   # openstack-config --set /etc/neutron/neutron.conf DEFAULT l3_ha True
   ```
3. Create HA router.

   ```
   # neutron router-create router01
   ```

Actual results:
Journalctl shows messages like this:

```
2014-11-29 15:28:11.800 2269 ERROR neutron.agent.l3_agent [-]
Command: ['sudo', 'neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 'netns', 'exec', 'qrouter-002a56ba-beda-43ad-a5d6-adff4dc1a725', 'keepalived', '-P', '-f', '/var/lib/neutron/ha_confs/002a56ba-beda-43ad-a5d6-adff4dc1a725/keepalived.conf', '-p', '/var/lib/neutron/ha_confs/002a56ba-beda-43ad-a5d6-adff4dc1a725.pid', '-r', '/var/lib/neutron/ha_confs/002a56ba-beda-43ad-a5d6-adff4dc1a725.pid-vrrp']
Exit code: 99
Stdout: ''
Stderr: '/usr/bin/neutron-rootwrap: Unauthorized command: ip netns exec qrouter-002a56ba-beda-43ad-a5d6-adff4dc1a725 keepalived -P -f /var/lib/neutron/ha_confs/002a56ba-beda-43ad-a5d6-adff4dc1a725/keepalived.conf -p /var/lib/neutron/ha_confs/002a56ba-beda-43ad-a5d6-adff4dc1a725.pid -r /var/lib/neutron/ha_confs/002a56ba-beda-43ad-a5d6-adff4dc1a725.pid-vrrp (no filter matched)\n'
```

Expected results:
Start keepalived successfully

Additional info:
Please find attached patch for os-neutron.te.