Bug 1463563

Summary: Instance resizing is not working on a SELinux enforcing system because of wrong context on /var/lib/nova/.ssh
Product: Red Hat OpenStack Reporter: David Manchado <dmanchad>
Component: documentationAssignee: RHOS Documentation Team <rhos-docs>
Status: CLOSED DUPLICATE QA Contact: RHOS Documentation Team <rhos-docs>
Severity: low Docs Contact:
Priority: low    
Version: 11.0 (Ocata)CC: chris.brown, dmanchad, owalsh, srevivo
Target Milestone: ---Keywords: Documentation, Triaged
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-03-14 15:12:40 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description David Manchado 2017-06-21 08:52:58 UTC 
Description of problem:

The default context for /var/lib/nova/.ssh is nova_var_lib_t inherited from /var/lib/nova(/.*)? instead of ssh_home_t. This is leading instance resizing to failure.


Version-Release number of selected component (if applicable):
Tested in RDO Newton, I guess it might apply to all.
Relevant RPMs:
kernel.x86_64                   3.10.0-514.6.1.el7
openstack-nova-common.noarch    1:14.0.6-0.20170421215600.52a75c7.el7.centos
openstack-nova-compute.noarch   1:14.0.6-0.20170421215600.52a75c7.el7.centos
openstack-selinux.noarch        0.8.6-0.20170419204626.312bdba.el7.centos
selinux-policy.noarch           3.13.1-102.el7_3.16
selinux-policy-targeted.noarch  3.13.1-102.el7_3.16


How reproducible:
On a CentOS system with selinux in enforcing mode try to do ssh among compute nodes with public key authentication enabled using the nova user.


Steps to Reproduce:
1. Generate, exchange and enable passwordless ssh using public keys for nova user. $HOME for nova is /var/lib/nova. Note that the shell for nova user has to be changed into /bin/bash as long as it requires an interactive shell.
2. As nova user in the source host, run ssh nova@_dst_host_ . It will prompt for password authentication
3. Set the proper context by running
semanage fcontext -a -t ssh_home_t "/var/lib/nova/.ssh(/.*)?"
4. Apply the context
restorecon -Rvv /var/lib/nova/.ssh/
5. Test again ssh nova@_dst_host_ and login will succeed without password authentication


Actual results:
SSH among compute nodes will fail leading instance resizing to failure.

Expected results:
SSH among compute nodes working with password-less auth allowing instances to be resized.

Additional info:
This issue was already stated [1] but seems it was never addressed

[1] https://bugzilla.redhat.com/show_bug.cgi?id=876452
Comment 3 Christopher Brown 2017-06-29 12:54:23 UTC 
Hi David,

Resizing generally involves migration and therefore ssh migration is against best practice (but I find works well when not used in conjunction with selinux):

https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/10/pdf/migrating_instances/Red_Hat_OpenStack_Platform-10-Migrating_Instances-en-US.pdf

You could try resizing on the same host?

https://access.redhat.com/solutions/1326953

but I'd be inclined to configure Secure Libvirt with one of:

-TLS for encryption and X.509 client certificates for authentication
-GSSAPI/Kerberos for authentication and encryption
-TLS for encryption and Kerberos for authentication

Does this help?
Comment 4 David Manchado 2017-07-06 15:22:39 UTC 
Christopher,

That might be a workaround but it would not fix the underlaying problem.

There are some situations I might prefer to resize in the same host but in some circumstances I might not have enough resources in the local host and I might prefer/need the instance to be migrated if that means the resize can succeed.

Cheers,
David
Comment 5 Lon Hohberger 2017-07-11 14:31:45 UTC 
Creation of this directory should be done during installation/configuration, and 'restorecon' should occur at that time.

If we don't call 'restorecon' from installation scripts (puppet-nova, maybe), we can't be sure it will run at the right time if we put in %post of openstack-selinux.
Comment 6 Lon Hohberger 2017-07-11 14:57:27 UTC 
Christopher, that doc needs a 'restorecon -Rv /var/lib/nova/.ssh' in 'Step 2' and 'Step 4' on page 22.
Comment 7 Lon Hohberger 2017-07-11 14:57:48 UTC 
(These need to be done as root)
Comment 8 Ollie Walsh 2017-11-15 00:49:32 UTC 
Director manages nova ssh key setup since https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2637.

Any docs that refer to manual ssh key setup should have been removed.

NB ssh between compute node as the nova user is not expected to succeed.
Comment 9 Ollie Walsh 2018-03-14 15:12:40 UTC 

*** This bug has been marked as a duplicate of bug 1476016 ***