Bug 1463563
Summary: Instance resizing is not working on a SELinux enforcing system because of wrong context on /var/lib/nova/.ssh

| Field | Value |
|---|---|
| Product | Red Hat OpenStack |
| Component | documentation |
| Status | CLOSED DUPLICATE |
| Severity | low |
| Priority | low |
| Version | 11.0 (Ocata) |
| Hardware | x86_64 |
| OS | Linux |
| Reporter | David Manchado <dmanchad> |
| Assignee | RHOS Documentation Team <rhos-docs> |
| QA Contact | RHOS Documentation Team <rhos-docs> |
| CC | chris.brown, dmanchad, owalsh, srevivo |
| Keywords | Documentation, Triaged |
| Doc Type | If docs needed, set a value |
| Last Closed | 2018-03-14 15:12:40 UTC |
| Type | Bug |

Description
David Manchado
2017-06-21 08:52:58 UTC
Hi David,

Resizing generally involves migration and therefore ssh migration is against best practice (but I find works well when not used in conjunction with selinux):
https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/10/pdf/migrating_instances/Red_Hat_OpenStack_Platform-10-Migrating_Instances-en-US.pdf

You could try resizing on the same host?
https://access.redhat.com/solutions/1326953

but I'd be inclined to configure Secure Libvirt with one of:

- TLS for encryption and X.509 client certificates for authentication
- GSSAPI/Kerberos for authentication and encryption
- TLS for encryption and Kerberos for authentication

Does this help?

Christopher,

That might be a workaround but it would not fix the underlying problem. There are some situations I might prefer to resize in the same host but in some circumstances I might not have enough resources in the local host and I might prefer/need the instance to be migrated if that means the resize can succeed.

Cheers,
David

Creation of this directory should be done during installation/configuration, and 'restorecon' should occur at that time. If we don't call 'restorecon' from installation scripts (puppet-nova, maybe), we can't be sure it will run at the right time if we put in %post of openstack-selinux.

Christopher, that doc needs a 'restorecon -Rv /var/lib/nova/.ssh' in 'Step 2' and 'Step 4' on page 22. (These need to be done as root)

Director manages nova ssh key setup since https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2637. Any docs that refer to manual ssh key setup should have been removed.

NB ssh between compute nodes as the nova user is not expected to succeed.

*** This bug has been marked as a duplicate of bug 1476016 ***