Bug 1572510

Summary: OSP10: Support for dpdkvhostuserclient mode
Product: Red Hat OpenStack
Reporter: Saravanan KR <skramaja>
Component: openstack-selinux
Assignee: Lon Hohberger <lhh>
Status: CLOSED ERRATA
QA Contact: Udi Shkalim <ushkalim>
Severity: high
Docs Contact:
Priority: high
Version: 10.0 (Newton)
CC: amuller, atelang, chrisw, fbaudin, jraju, mbabushk, mgrepl, nyechiel, samccann, skramaja, srevivo, tfreger, vchundur
Target Milestone: async
Keywords: Triaged, ZStream
Target Release: 10.0 (Newton)
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: openstack-selinux-0.8.14-5.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1557850
Environment:
Last Closed: 2018-06-27 23:33:22 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1557850
Bug Blocks: 1561869, 1561870, 1568355, 1568356

Attachments (description, flags):
  compute selinux vhost socket issue (none)
  sosreport dontaudit enforcing (none)

Comment 1 Saravanan KR 2018-04-27 08:40:59 UTC
SELinux is preventing dpdkvhostuserclient ports from being accessed by ovs in the directory /var/lib/vhost_sockets.

Probably related to BZ #1561729; I also see a lot of ovs logs. I will attach the sos-report.


[root@overcloud-compute-0 heat-admin]# ll /var/lib/vhost_sockets/ -dZ
drwxrwxr-x. qemu hugetlbfs system_u:object_r:virt_cache_t:s0 /var/lib/vhost_sockets/
[root@overcloud-compute-0 heat-admin]# ll /var/lib/vhost_sockets/ -Z
srwxrwxr-x. qemu hugetlbfs system_u:object_r:virt_cache_t:s0 vhu66209262-ab


[root@overcloud-compute-0 heat-admin]# rpm -qa | grep 'selinux\|openvswitch'
selinux-policy-targeted-3.13.1-192.el7_5.3.noarch
libselinux-ruby-2.5-12.el7.x86_64
openvswitch-ovn-central-2.6.1-28.git20180130.el7ost.x86_64
container-selinux-2.55-1.el7.noarch
python-openvswitch-2.9.0-19.el7fdp.noarch
openvswitch-2.9.0-19.el7fdp.x86_64
ceph-selinux-10.2.10-17.el7cp.x86_64
libselinux-python-2.5-12.el7.x86_64
selinux-policy-3.13.1-192.el7_5.3.noarch
openstack-selinux-0.8.14-1.el7ost.noarch
openstack-neutron-openvswitch-9.4.1-16.el7ost.noarch
libselinux-utils-2.5-12.el7.x86_64
openvswitch-ovn-host-2.9.0-19.el7fdp.x86_64
libselinux-2.5-12.el7.x86_64
openvswitch-ovn-common-2.9.0-19.el7fdp.x86_64
[root@overcloud-compute-0 heat-admin]# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.5 (Maipo)

Comment 2 Saravanan KR 2018-04-27 08:42:22 UTC
Created attachment 1427579 [details]
compute selinux vhost socket issue

Comment 3 Lon Hohberger 2018-04-27 16:27:35 UTC
The AVCs in the audit.log (from the sosreport) do not appear directly related to vhost_sockets / virt_cache_t.

There are these errors in the system logs:

Apr 27 03:56:01 overcloud-compute-0 ovs-vswitchd[11431]: ovs|00005|dpdk|ERR|VHOST_CONFIG: truncted msg
Apr 27 03:56:01 overcloud-compute-0 ovs-vswitchd[11431]: ovs|00006|dpdk|ERR|VHOST_CONFIG: vhost read message failed

However, there are no obvious (to me) corresponding AVCs in /var/log/audit/audit.log that would explain them. ovs-vswitchd runs as 'openvswitch_t'.

There are other AVCs which appear unrelated.

Comment 4 Lon Hohberger 2018-04-27 17:06:04 UTC
You might try running with SELinux in permissive with dontaudit rules disabled and capturing that sosreport.  That might help identify the problem.

Also, that truncated read should not result in ovs-vswitchd going into a flat spin and spewing millions of errors to syslog, but that's not related to this bug.

Comment 5 Saravanan KR 2018-04-30 07:03:57 UTC
(In reply to Lon Hohberger from comment #4)
> You might try running with SELinux in permissive with dontaudit rules
> disabled and capturing that sosreport.  That might help identify the problem.
Can you elaborate on the steps and commands to be executed to disable dontaudit rules and capture sosreport?

> 
> Also, that truncated read should not result in ovs-vswitchd going into a
> flat spin and spewing millions of errors to syslog, but that's not related
> to this bug.
The VM is in the paused state while SELinux is Enforcing, and ovs dumps these logs. The moment it is changed to permissive, the VM moves to the active state and ovs stops dumping logs. This is the only reason for treating it as related to SELinux.

Comment 6 Saravanan KR 2018-04-30 08:49:10 UTC
After disabling the dontaudit module, below is the error in the audit.log. I will attach an sosreport.

--------------------------------------------------
[root@overcloud-compute-0 heat-admin]# semodule --disable_dontaudit --build
[root@overcloud-compute-0 heat-admin]# getenforce
Enforcing
--------------------------------------------------

type=AVC msg=audit(1525078048.180:1080085): avc:  denied  { read write } for  pid=11438 comm="ovs-vswitchd" path="socket:[38232802]" dev="sockfs" ino=38232802 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:svirt_t:s0:c14,c629 tclass=unix_stream_socket

--------------------------------------------------

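As an added example (not part of this bug report, and not code from the openstack-selinux or openvswitch projects), here is a small Python parser for AVC records of the form shown in comment 6. It pulls out the source and target SELinux types, the object class and the denied permission set, so a denial between openvswitch_t and an sVirt guest socket can be picked out of a busy audit.log such as the one in a sosreport. The first sample line is the record quoted above; the SYSCALL line and the second AVC (with the made-up type demo_t) are constructed to show non-AVC records being skipped and unrelated denials being filtered out.

```python
import re
from typing import Any, Dict, List, Optional

# Constructed sample audit.log excerpt. The first record is the denial quoted in
# comment 6 of this bug; the SYSCALL line and the second AVC are constructed
# filler (demo_t is not a real policy type) to exercise the filter.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1525078048.180:1080085): avc:  denied  { read write } for  pid=11438 comm="ovs-vswitchd" path="socket:[38232802]" dev="sockfs" ino=38232802 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:svirt_t:s0:c14,c629 tclass=unix_stream_socket
type=SYSCALL msg=audit(1525078048.180:1080085): arch=c000003e syscall=47 success=no exit=-13 comm="ovs-vswitchd"
type=AVC msg=audit(1525078051.000:1080100): avc:  denied  { write } for  pid=4242 comm="demo_svc" path="/var/log/demo.log" dev="vda1" ino=99 scontext=system_u:system_r:demo_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
"""

# Fixed prefix of an AVC record: timestamp, serial, verdict, permission set.
AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]*) \} for\s+(?P<fields>.*)$"
)
# key=value pairs after "for"; values may be double-quoted (comm, path, dev).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context: str) -> str:
    """Return the type field of a user:role:type[:level] SELinux context."""
    return context.split(":")[2]


def parse_avc(line: str) -> Optional[Dict[str, Any]]:
    """Parse one AVC record; return None for any other audit record type."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    rec: Dict[str, Any] = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),
    }
    for key, value in KV_RE.findall(m.group("fields")):
        rec[key] = value.strip('"')
    # Split out the bare types so callers can match on them without the
    # per-guest MCS categories (c14,c629 above) getting in the way.
    if "scontext" in rec:
        rec["stype"] = selinux_type(rec["scontext"])
    if "tcontext" in rec:
        rec["ttype"] = selinux_type(rec["tcontext"])
    return rec


def find_denials(log_text: str, stype: Optional[str] = None,
                 ttype: Optional[str] = None,
                 tclass: Optional[str] = None) -> List[Dict[str, Any]]:
    """Return denied AVCs, optionally narrowed by source type, target type and object class."""
    hits: List[Dict[str, Any]] = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        if stype is not None and rec.get("stype") != stype:
            continue
        if ttype is not None and rec.get("ttype") != ttype:
            continue
        if tclass is not None and rec.get("tclass") != tclass:
            continue
        hits.append(rec)
    return hits


def describe(rec: Dict[str, Any]) -> str:
    """One-line triage summary: which domain was denied what on which class of object."""
    return (f"{rec['stype']} -> {rec['ttype']}:{rec['tclass']} "
            f"{{ {' '.join(rec['perms'])} }} (pid {rec['pid']}, comm {rec['comm']})")


if __name__ == "__main__":
    for rec in find_denials(SAMPLE_AUDIT_LOG, stype="openvswitch_t"):
        print(describe(rec))
```

Matching on the bare types rather than the full contexts matters here: the target context carries the guest's MCS category pair (c14,c629), which changes from instance to instance, while the openvswitch_t to svirt_t:unix_stream_socket pair is what the policy fix in the errata has to cover. Remember that the record only surfaced after `semodule --disable_dontaudit --build`; with the dontaudit rules active, the same denial happens silently, which is why the earlier sosreport showed nothing.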
Comment 7 Saravanan KR 2018-04-30 09:36:51 UTC
Created attachment 1428734 [details]
sosreport dontaudit enforcing

Comment 8 Lon Hohberger 2018-04-30 12:18:01 UTC
Confirmed; the only AVCs I see in the new audit.log are as in comment #6.

Comment 18 errata-xmlrpc 2018-06-27 23:33:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:2102