Bug 1532927

Summary: [RFE] Add host SELinux check to analyzer
Product: Red Hat Enterprise Virtualization Manager Reporter: Germano Veit Michel <gveitmic>
Component: ovirt-log-collector Assignee: Douglas Schilling Landgraf <dougsland>
Status: CLOSED ERRATA QA Contact: David Necpal <dnecpal>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 4.1.8 CC: gveitmic, lsvaty, pbrilla, pstehlik, ylavi
Target Milestone: ovirt-4.2.2 Keywords: FutureFeature
Target Release: --- Flags: pstehlik: testing_plan_complete-
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: ovirt-log-collector-4.2.3-1.el7ev Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-05-15 17:31:24 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Integration RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 499109, 1541392    
Bug Blocks:    

Description Germano Veit Michel 2018-01-10 01:44:25 UTC
Hosts having selinux disabled may break the required vm migrations during upgrade. And it's also not recommended to have mixed on/off hosts in the same cluster.

Would be nice to check it in the log collector analyzer script.

# select selinux_enforce_mode from vds;

selinux_enforce_mode

Comment 1 Douglas Schilling Landgraf 2018-01-15 21:55:44 UTC
Hi Germano, 

I have sent a patch to gerrit that shows the current configuration of selinux per host in the Hosts tab. Should that be enough for your request?

When you say, mixing the configurations, is it about mixing disabled selinux hosts vs permissive/enforcing hosts or only disabled selinux hosts vs enforcing hosts?

If you are looking for a validation of permissive/enforcing vs disabled, it might be something like this:

SELECT
    vds_name,
    vds_group_name
FROM
    vds
WHERE vds_group_name IN (SELECT DISTINCT vds_group_name FROM vds WHERE selinux_enforce_mode=-1) AND selinux_enforce_mode IN (0,1);

Do you have a real scenario or sosreport to test the above query or showing the selinux status in the Host tab is enough?

Thanks!

Comment 2 Germano Veit Michel 2018-01-15 22:36:30 UTC
Hi Douglas,

Yes, that patch is enough (+1).

(In reply to Douglas Schilling Landgraf from comment #1)
> When you say, mixing the configurations, is it about mixing disabled selinux
> hosts vs permissive/enforcing hosts or only disabled selinux hosts vs
> enforcing hosts?

It's disabled vs permissive/enforcing that causes problems. A VM will fail to migrate from an enforcing/permissive to a disabled host. This is a known problem and has been hit several times by our customers.

> Do you have a real scenario or sosreport to test the above query or showing
> the selinux status in the Host tab is enough?

Yes, I did 2 arch reviews recently, both had one host with selinux disabled.

Showing the SELinux status is already good enough to visualize the data. Having a check to ensure enforcing/permissive are not mixed with disabled in the same cluster would be a bonus if you have time.

Thanks!
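
The check discussed in comments 1 and 2, as an added example that is not part of the bug thread or of ovirt-log-collector: it runs a per-cluster query over a constructed in-memory SQLite table standing in for the engine's vds view and reports every cluster where disabled hosts sit alongside permissive/enforcing ones. The column names and the -1 value come from the query in comment 1; the 0 = permissive / 1 = enforcing mapping, the function names and the sample hosts are assumptions.

```python
import sqlite3

# Mode values as used in the query from comment 1: -1 = disabled.
# Assumption: 0 = permissive, 1 = enforcing (usual SELinux numbering).
MODE_NAMES = {-1: "disabled", 0: "permissive", 1: "enforcing"}

# Hosts of every cluster that has both a disabled host and a
# permissive/enforcing host. NULL (mode not reported) is ignored.
MIXED_QUERY = """
SELECT vds_group_name, vds_name, selinux_enforce_mode
FROM vds
WHERE selinux_enforce_mode IN (-1, 0, 1)
  AND vds_group_name IN (
    SELECT vds_group_name FROM vds GROUP BY vds_group_name
    HAVING COUNT(CASE WHEN selinux_enforce_mode = -1 THEN 1 END) > 0
       AND COUNT(CASE WHEN selinux_enforce_mode IN (0, 1) THEN 1 END) > 0)
ORDER BY vds_group_name, vds_name
"""

def mixed_selinux_clusters(conn):
    """Return {cluster: {"disabled": [host], "enabled": [(host, mode)]}}."""
    report = {}
    for cluster, host, mode in conn.execute(MIXED_QUERY):
        entry = report.setdefault(cluster, {"disabled": [], "enabled": []})
        if mode == -1:
            entry["disabled"].append(host)
        else:
            entry["enabled"].append((host, MODE_NAMES[mode]))
    return report

def sample_db():
    """Constructed sample data; a stand-in for the engine's vds view."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE vds (vds_name TEXT, vds_group_name TEXT, "
                 "selinux_enforce_mode INTEGER)")
    conn.executemany("INSERT INTO vds VALUES (?, ?, ?)", [
        ("host-a1", "cluster-a", 1),
        ("host-a2", "cluster-a", -1),    # disabled next to enforcing: mixed
        ("host-a3", "cluster-a", 0),
        ("host-b1", "cluster-b", 1),
        ("host-b2", "cluster-b", 0),     # permissive + enforcing only: fine
        ("host-c1", "cluster-c", -1),    # disabled, but no enabled peer
        ("host-c2", "cluster-c", None),  # mode not reported: not counted
    ])
    return conn

if __name__ == "__main__":
    for cluster, hosts in mixed_selinux_clusters(sample_db()).items():
        print("WARNING: mixed SELinux config in", cluster, hosts)
```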

Comment 3 Douglas Schilling Landgraf 2018-01-16 22:15:12 UTC
Hi Germano, 

Would you mind giving us a hand and testing the following patch against good sosreports and the bad ones you mentioned?

inventory: Check for clusters with mixed selinux config
https://gerrit.ovirt.org/#/c/86450/

This will generate a warning in case we have a cluster with mixed selinux config for hosts.

thanks!

Comment 4 Germano Veit Michel 2018-01-17 02:28:55 UTC
Hi Douglas,

Done. See attached example of the problem explained on gerrit. 
Compare the SELinux warning table to the hosts table.

I'll test again once you submit the next patch.

Thanks for working on this!

Comment 6 Douglas Schilling Landgraf 2018-01-17 05:15:03 UTC
(In reply to Germano Veit Michel from comment #4)
> Hi Douglas,
> 
> Done. See attached example of the problem explained on gerrit. 
> Compare the SELinux warning table to the hosts table.
> 
> I'll test again once you submit the next patch.
> 
> Thanks for working on this!

Thanks Germano, a new patch is available for testing. Would you mind giving it a new test and attaching the sosreport you are using for testing to this bugzilla report? I have a local repo with several sosreports to test the scenarios we are adding.

Comment 8 David Necpal 2018-02-21 09:24:00 UTC
Verified on version: 

ovirt-log-collector-4.2.4-1.el7ev.noarch
ovirt-log-collector-analyzer-4.2.4-1.el7ev.noarch

Comment 13 errata-xmlrpc 2018-05-15 17:31:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:1465

Comment 14 Franta Kust 2019-05-16 13:08:34 UTC
BZ<2>Jira Resync