Bug 1599289

Summary: [OSP13] selinux policy does not allow create instance on nfs /var/lib/nova/instances
Product: Red Hat OpenStack Reporter: Martin Schuppert <mschuppe>
Component: openstack-tripleo-heat-templatesAssignee: Martin Schuppert <mschuppe>
Status: CLOSED ERRATA QA Contact: Archit Modi <amodi>
Severity: high Docs Contact:
Priority: high    
Version: 13.0 (Queens)CC: agurenko, aschultz, jschluet, lhh, lmiccini, mbooth, mburns, mgrepl, mschuppe, msufiyan, pablo.iranzo, pkundal
Target Milestone: z3Keywords: Triaged, ZStream
Target Release: 13.0 (Queens)   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: openstack-tripleo-heat-templates-8.0.4-23.el7ost Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1598396
: 1601399 (view as bug list) Environment:
Last Closed: 2018-11-13 22:27:09 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1598396    

Comment 1 Martin Schuppert 2018-07-09 12:23:41 UTC 
With patches applied to an osp13 test env:

parameter_defaults:
    NovaNfsEnabled: True
    NovaNfsShare: '192.168.24.1:/var/nfs'

[root@compute-0 ~]# mount |grep nfs4
192.168.24.1:/var/nfs on /var/lib/nova/instances type nfs4 (rw,relatime,context=system_u:object_r:nova_var_lib_t:s0,vers=4.1,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=192.168.24.14,local_lock=none,addr=192.168.24.1,_netdev)

[root@compute-1 ~]# mount |grep nfs4
192.168.24.1:/var/nfs on /var/lib/nova/instances type nfs4 (rw,relatime,context=system_u:object_r:nova_var_lib_t:s0,vers=4.1,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=192.168.24.16,local_lock=none,addr=192.168.24.1,_netdev)


(overcloud) [stack@undercloud-0 ~]$ openstack server create --flavor m1.small --image cirros --nic net-id=ec392c10-f897-493b-941b-a3f6a0084122 test-nfs
(overcloud) [stack@undercloud-0 ~]$ openstack server list --long
+--------------------------------------+----------+--------+------------+-------------+---------------------+------------+--------------------------------------+-------------+--------------------------------------+-------------------+--------------------------------+------------+
| ID                                   | Name     | Status | Task State | Power State | Networks            | Image Name | Image ID                             | Flavor Name | Flavor ID                            | Availability Zone | Host                           | Properties |
+--------------------------------------+----------+--------+------------+-------------+---------------------+------------+--------------------------------------+-------------+--------------------------------------+-------------------+--------------------------------+------------+
| 22659aca-22ea-4e79-a761-a36e2953da28 | test-nfs | ACTIVE | None       | Running     | private=192.168.0.5 | cirros     | 4d956919-6e5d-4968-9040-1c0fc4b15401 | m1.small    | c681e5a6-23c9-4de0-bc99-3b21afb87c9a | nova              | compute-1.external.localdomain |            |
+--------------------------------------+----------+--------+------------+-------------+---------------------+------------+--------------------------------------+-------------+--------------------------------------+-------------------+--------------------------------+------------+

(overcloud) [stack@undercloud-0 ~]$ nova live-migration 22659aca-22ea-4e79-a761-a36e2953da28

(overcloud) [stack@undercloud-0 ~]$ openstack server list --long
+--------------------------------------+----------+--------+------------+-------------+---------------------+------------+--------------------------------------+-------------+--------------------------------------+-------------------+--------------------------------+------------+
| ID                                   | Name     | Status | Task State | Power State | Networks            | Image Name | Image ID                             | Flavor Name | Flavor ID                            | Availability Zone | Host                           | Properties |
+--------------------------------------+----------+--------+------------+-------------+---------------------+------------+--------------------------------------+-------------+--------------------------------------+-------------------+--------------------------------+------------+
| 22659aca-22ea-4e79-a761-a36e2953da28 | test-nfs | ACTIVE | None       | Running     | private=192.168.0.5 | cirros     | 4d956919-6e5d-4968-9040-1c0fc4b15401 | m1.small    | c681e5a6-23c9-4de0-bc99-3b21afb87c9a | nova              | compute-0.external.localdomain |            |
+--------------------------------------+----------+--------+------------+-------------+---------------------+------------+--------------------------------------+-------------+--------------------------------------+-------------------+--------------------------------+------------+


Note: I had to add the following selinux module as otherwise instance start failed with permission errors.

~~~
module my-nova-nfs 1.0;

require {
        type nova_var_lib_t;
        type svirt_t;
        class file { getattr ioctl lock open read };
}

#============= svirt_t ==============
allow svirt_t nova_var_lib_t:file { getattr ioctl lock open read };
~~~
[root@compute-0 ~]# checkmodule -M -m -o my-nova-nfs.mod my-nova-nfs.te 
[root@compute-0 ~]# semodule_package -o my-nova-nfs.pp -m my-nova-nfs.mod 
[root@compute-0 ~]# semodule -i my-nova-nfs.pp


=> affects OSP13 (openstack-selinux-0.8.14-12.el7ost.noarch) + OSP14 (openstack-selinux-0.8.15-0.20180524134826.b63283a.el7ost.noarch)
Comment 2 Lon Hohberger 2018-07-13 19:21:00 UTC 
It sounds like the wrong label is being used for the NFS mount:

system_u:object_r:nfs_t:s0 should have access. My guess is that the mountpoint is mounted with a -ocontext=... that breaks things.

So, the virt_use_nfs boolean, which is turned on by openstack-selinux, should cover this use case. Granting svirt_t generic access to write over nova_var_lib_t isn't ideal.
Comment 3 Martin Schuppert 2018-07-16 10:00:37 UTC 
(In reply to Lon Hohberger from comment #2)
> It sounds like the wrong label is being used for the NFS mount:
> 
> system_u:object_r:nfs_t:s0 should have access. My guess is that the
> mountpoint is mounted with a -ocontext=... that breaks things.
> 
> So, the virt_use_nfs boolean, which is turned on by openstack-selinux,
> should cover this use case. Granting svirt_t generic access to write over
> nova_var_lib_t isn't ideal.

yes, right the default in THT is set to nova_var_lib_t in [1]. I'll move this to THT and submit a patch to have nfs_t as the default.


[1] https://github.com/openstack/tripleo-heat-templates/blob/master/puppet/services/nova-compute.yaml#L68
Comment 5 Matthew Booth 2018-09-06 16:58:26 UTC 
*** Bug 1625539 has been marked as a duplicate of this bug. ***
Comment 13 errata-xmlrpc 2018-11-13 22:27:09 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3587