Bug 1208138

Summary: hosted-engine is not able to deploy the engine VM on iSCSI in a nested environment due to SELinux restriction on guest-agent
Product: [Retired] oVirt
Reporter: Simone Tiraboschi <stirabos>
Component: ovirt-guest-agent
Assignee: Vinzenz Feenstra [evilissimo] <vfeenstr>
Status: CLOSED WORKSFORME
QA Contact: Pavel Stehlik <pstehlik>
Severity: low
Docs Contact:
Priority: unspecified
Version: 3.5
CC: bugs, dfediuck, ecohen, gklein, lsurette, michal.skrivanek, ms, rbalakri, Rhev-m-bugs, sbonazzo, stirabos, vfeenstr, yeylon
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard: virt
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-06-08 12:26:38 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Attachments (description / flags):
- logs / none
- gase_log_he / none
- oVirt 3.6.0 all-in-one / none

Description Simone Tiraboschi 2015-04-01 13:33:54 UTC
Description of problem:
hosted-engine is not able to deploy the engine VM on iSCSI due to SELinux restriction

In ovirt-hosted-engine-setup logs I find:
2015-04-01 15:09:19 DEBUG otopi.context context._executeMethod:155 method exception
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/otopi/context.py", line 145, in _executeMethod
    method['method']()
  File "/usr/share/ovirt-hosted-engine-setup/scripts/../plugins/ovirt-hosted-engine-setup/sanlock/lockspace.py", line 174, in _misc
    lockspace + '.metadata': md_size,
  File "/usr/lib/python2.7/site-packages/ovirt_hosted_engine_ha/lib/storage_backends.py", line 349, in create
    service_size=size)
  File "/usr/lib/python2.7/site-packages/ovirt_hosted_engine_ha/lib/storage_backends.py", line 317, in create_volume
    response = connection.clearTask(task)
  File "/usr/lib64/python2.7/xmlrpclib.py", line 1224, in __call__
    return self.__send(self.__name, args)
  File "/usr/lib64/python2.7/xmlrpclib.py", line 1578, in __request
    verbose=self.__verbose
  File "/usr/lib64/python2.7/xmlrpclib.py", line 1264, in request
    return self.single_request(host, handler, request_body, verbose)
  File "/usr/lib64/python2.7/xmlrpclib.py", line 1294, in single_request
    response = h.getresponse(buffering=True)
  File "/usr/lib64/python2.7/httplib.py", line 1045, in getresponse
    response.begin()
  File "/usr/lib64/python2.7/httplib.py", line 409, in begin
    version, status, reason = self._read_status()
  File "/usr/lib64/python2.7/httplib.py", line 373, in _read_status
    raise BadStatusLine(line)
BadStatusLine: ''
2015-04-01 15:09:19 ERROR otopi.context context._executeMethod:164 Failed to execute stage 'Misc configuration': ''

while SELinux reports:
time->Wed Apr  1 15:28:36 2015
type=PROCTITLE msg=audit(1427894916.692:822): proctitle=2F7362696E2F6C64636F6E666967002D70
type=SYSCALL msg=audit(1427894916.692:822): arch=c000003e syscall=59 success=yes exit=0 a0=2031af0 a1=2031bf0 a2=2030b60 a3=7ffc03539e20 items=0 ppid=17550 pid=17551 auid=4294967295 uid=175 gid=175 euid=175 suid=175 fsuid=175 egid=175 sgid=175 fsgid=175 tty=(none) ses=4294967295 comm="ldconfig" exe="/usr/sbin/ldconfig" subj=system_u:system_r:ldconfig_t:s0 key=(null)
type=AVC msg=audit(1427894916.692:822): avc:  denied  { write } for  pid=17551 comm="ldconfig" path="/dev/vport2p1" dev="devtmpfs" ino=9955 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:virtio_device_t:s0 tclass=chr_file permissive=0


It works as expected in permissive mode

Version-Release number of selected component (if applicable):


How reproducible:
100%

Steps to Reproduce:
1. hosted-engine --deploy
2.
3.

Actual results:
it fails

Expected results:
it works

Additional info:
It works as expected in permissive mode

Comment 1 Simone Tiraboschi 2015-04-01 13:35:06 UTC
[root@f20tre36i ~]# ls -lZ /dev/vport2p1
crw-rw----. ovirtagent ovirtagent system_u:object_r:virtio_device_t:s0 /dev/vport2p1

Comment 2 Sandro Bonazzola 2015-04-01 13:39:15 UTC
Moving to ovirt-guest-agent. The above selinux issue appears in a nested virtualization setup and the device is owned by a user created by the agent.

Comment 3 Vinzenz Feenstra [evilissimo] 2015-04-02 09:09:02 UTC
Please attach the following log files:
- audit.log 
- /var/log/ovirt-guest-agent/ovirt-guest-agent.log 
- the hosted engine deployment log file

Comment 4 Simone Tiraboschi 2015-04-02 09:20:46 UTC
Created attachment 1010083 [details]
logs

Comment 5 Simone Tiraboschi 2015-04-02 10:03:51 UTC
Created attachment 1010095 [details]
gase_log_he

Comment 6 Michal Skrivanek 2015-04-23 10:17:47 UTC
can you narrow down the failure please?
I didn't find any issue in those HE deploy logs you've attached

Comment 7 Simone Tiraboschi 2015-05-04 14:53:56 UTC
There is some SELinux issue with something getting a denial while trying to write
on /dev/vport2p1, which is the virtual serial port used by the guest agent on the nested VM to communicate with the host.
Not sure why.

type=AVC msg=audit(1427965867.807:4693): avc:  denied  { write } for  pid=25136 comm="ldconfig" path="/dev/vport2p1" dev="devtmpfs" ino=13471 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:virtio_device_t:s0 tclass=chr_file permissive=1
type=SYSCALL msg=audit(1427965867.807:4693): arch=c000003e syscall=59 success=yes exit=0 a0=b6caf0 a1=b6cbf0 a2=b6bb60 a3=7fff13a791e0 items=0 ppid=25135 pid=25136 auid=4294967295 uid=175 gid=175 euid=175 suid=175 fsuid=175 egid=175 sgid=175 fsgid=175 tty=(none) ses=4294967295 comm="ldconfig" exe="/usr/sbin/ldconfig" subj=system_u:system_r:ldconfig_t:s0 key=(null)
type=PROCTITLE msg=audit(1427965867.807:4693): proctitle=2F7362696E2F6C64636F6E666967002D70
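The AVC records quoted in the description and in comment 7 differ in one field that decides whether the denial can explain the failure: permissive=0 means the write was actually blocked, permissive=1 means it was logged but allowed. The following parser is an added example and is not code from this bug or from the oVirt project; it reads the audit lines exactly as quoted above (the two AVC records plus one SYSCALL record, copied here as sample input), extracts the source and target SELinux types, and keeps only the denials that were enforced. The function and variable names are this example's own.

```python
import re

# Audit records copied from this bug report (description and comment 7).
# The SYSCALL line is included to show that non-AVC records are skipped.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1427894916.692:822): avc:  denied  { write } for  pid=17551 comm="ldconfig" path="/dev/vport2p1" dev="devtmpfs" ino=9955 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:virtio_device_t:s0 tclass=chr_file permissive=0
type=SYSCALL msg=audit(1427894916.692:822): arch=c000003e syscall=59 success=yes exit=0 a0=2031af0 a1=2031bf0 a2=2030b60 a3=7ffc03539e20 items=0 ppid=17550 pid=17551 auid=4294967295 uid=175 gid=175 euid=175 suid=175 fsuid=175 egid=175 sgid=175 fsgid=175 tty=(none) ses=4294967295 comm="ldconfig" exe="/usr/sbin/ldconfig" subj=system_u:system_r:ldconfig_t:s0 key=(null)
type=AVC msg=audit(1427965867.807:4693): avc:  denied  { write } for  pid=25136 comm="ldconfig" path="/dev/vport2p1" dev="devtmpfs" ino=13471 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:virtio_device_t:s0 tclass=chr_file permissive=1
"""

# Shape of an AVC record: type=AVC msg=audit(<ts>:<serial>): avc: denied { perms } for <key=value ...>
AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): "
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs; values are either double-quoted or a run of non-blank characters
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC record into a dict; return None for any other record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        # user:role:type:level -> the third field is the SELinux type (e.g. ldconfig_t)
        "stype": fields.get("scontext", "::?:").split(":")[2],
        "ttype": fields.get("tcontext", "::?:").split(":")[2],
        # permissive=0: the access was blocked; permissive=1: logged only, access allowed
        "enforced": fields.get("permissive") == "0",
    }
    for key in ("pid", "comm", "path", "tclass"):
        rec[key] = fields.get(key)
    return rec


def parse_audit(text):
    """Return every AVC record in an audit log excerpt, in file order."""
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r]


def enforced_denials(text):
    """Keep only denials that actually blocked the access.

    A denial with permissive=1 cannot be the cause of a failed step, which is
    consistent with the report that the deployment works in permissive mode.
    """
    return [r for r in parse_audit(text) if r["result"] == "denied" and r["enforced"]]


def summarize(rec):
    """One-line summary: source type, permissions, target type:class, path, pid, outcome."""
    state = "blocked" if rec["enforced"] else "permissive, allowed"
    return "%s %s %s:%s path=%s pid=%s (%s)" % (
        rec["stype"], ",".join(rec["perms"]), rec["ttype"], rec["tclass"],
        rec["path"], rec["pid"], state)


if __name__ == "__main__":
    for rec in parse_audit(SAMPLE_AUDIT):
        print(summarize(rec))
```

Run against the two records from this bug, the first one is reported as blocked and the second as permissive; both show the same pair, a process in ldconfig_t writing to a chr_file labelled virtio_device_t, which matches the label shown by ls -lZ in comment 1. The summary line is the information a follow-up with ausearch or audit2why would start from.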

Comment 8 Simone Tiraboschi 2015-05-12 12:44:22 UTC
Created attachment 1024566 [details]
oVirt 3.6.0 all-in-one

Comment 9 Simone Tiraboschi 2015-05-12 12:45:01 UTC
Now happens also with oVirt 3.6.0 all-in-one on Fedora 20

Comment 10 Simone Tiraboschi 2015-05-12 13:29:17 UTC
It happens with 
 qemu-guest-agent.x86_64         2:1.6.2-13.fc20     @updates
while it doesn't happen with:
 qemu-guest-agent.x86_64         2:2.1.2-7.fc20      @ovirt-3.6-fedora-virt-preview

Comment 11 Michal Skrivanek 2015-06-04 10:07:54 UTC
Simone, there was a broken libvirt shipped into virt-preview (as apparent in vdsm.log) which likely compromised your run.
Can you retry now and specify the exact versions of qemu, libvirt and ovirt-guest-agent?

If it happens again, can you please clarify where the AVC denial is (guest/host) and get the pid of that process?

Comment 12 Michal Skrivanek 2015-06-08 10:47:49 UTC
do you redirect stdout to that channel or something anywhere?

Comment 13 Simone Tiraboschi 2015-06-08 12:26:15 UTC
(In reply to Michal Skrivanek from comment #12)
> do you redirect stdout to that channel or something anywhere?

No, I tried to reproduce on an updated VM and it doesn't happen.