Bug 1784608
| Summary: | chronyd deploy fails during redeploy | | |
|---|---|---|---|
| Product: | Red Hat OpenStack | Reporter: | Martin Magr <mmagr> |
| Component: | openstack-tripleo-heat-templates | Assignee: | Cédric Jeanneret <cjeanner> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Sasha Smolyak <ssmolyak> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 16.0 (Train) | CC: | aschultz, cjeanner, emacchi, lmadsen, mburns, mrunge |
| Target Milestone: | beta | Keywords: | Reopened, Triaged |
| Target Release: | 16.1 (Train on RHEL 8.2) | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | openstack-tripleo-heat-templates-11.3.2-0.20200130233044.cc909b6.el8ost | Doc Type: | No Doc Update |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-03-25 15:44:46 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Description
Martin Magr
2019-12-17 20:24:38 UTC
It would help if you can provide the output of "systemctl status chronyd.service".

ACK, I will when I reproduce this again.

Maybe related: I have seen that as well with osp15 and RHEL8.1. It helped to switch SELinux to permissive. In my case, I could not start chronyd at all, since it was not allowed to access /var/run.

Sounds more like an actual chronyd issue since we don't run it in a container or do anything special. Will definitely need a reproducer. I just ran a deployment and a subsequent deployment with the latest version of the code with no chronyd failures. If you are able to reproduce this, please provide the chronyd service failure logs. Additionally, the templates used would be important as well.

```
[heat-admin@overcloud-controller-0 ~]$ cat /etc/redhat-release
Red Hat Enterprise Linux release 8.1 (Ootpa)
[heat-admin@overcloud-controller-0 ~]$ logout
Connection to 192.168.24.8 closed.
(undercloud) [cloud-user@undercloud ~]$ rpm -qa | grep tripleo-heat-tem
openstack-tripleo-heat-templates-11.3.1-0.20191212200219.5ca908c.el8ost.noarch
```

Just today, I ran into this again. /var/log/audit/audit.log contains this:

```
[stack@kepler ~]$ sudo cat /var/log/audit/audit.log | grep chronyd
type=AVC msg=audit(1578409563.716:21217): avc: denied { read } for pid=4011 comm="chronyd" name="run" dev="dm-0" ino=144 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=lnk_file permissive=0
type=SYSCALL msg=audit(1578409563.716:21217): arch=c000003e syscall=87 success=no exit=-13 a0=55a6b7a368b0 a1=7 a2=0 a3=ffffffff items=0 ppid=1 pid=4011 auid=4294967295 uid=990 gid=986 euid=990 suid=990 fsuid=990 egid=986 sgid=986 fsgid=986 tty=(none) ses=4294967295 comm="chronyd" exe="/usr/sbin/chronyd" subj=system_u:system_r:chronyd_t:s0 key=(null)ARCH=x86_64 SYSCALL=unlink AUID="unset" UID="chrony" GID="chrony" EUID="chrony" SUID="chrony" FSUID="chrony" EGID="chrony" SGID="chrony" FSGID="chrony"
type=PROCTITLE msg=audit(1578409563.716:21217): proctitle="/usr/sbin/chronyd"
type=AVC msg=audit(1578409563.717:21218): avc: denied { read } for pid=4011 comm="chronyd" name="run" dev="dm-0" ino=144 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=lnk_file permissive=0
type=SYSCALL msg=audit(1578409563.717:21218): arch=c000003e syscall=87 success=no exit=-13 a0=55a6b7a368e0 a1=1 a2=0 a3=2ac70da66b8f79 items=0 ppid=1 pid=4011 auid=4294967295 uid=990 gid=986 euid=990 suid=990 fsuid=990 egid=986 sgid=986 fsgid=986 tty=(none) ses=4294967295 comm="chronyd" exe="/usr/sbin/chronyd" subj=system_u:system_r:chronyd_t:s0 key=(null)ARCH=x86_64 SYSCALL=unlink AUID="unset" UID="chrony" GID="chrony" EUID="chrony" SUID="chrony" FSUID="chrony" EGID="chrony" SGID="chrony" FSGID="chrony"
type=PROCTITLE msg=audit(1578409563.717:21218): proctitle="/usr/sbin/chronyd"
type=SERVICE_START msg=audit(1578409563.868:21235): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=chronyd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=SERVICE_STOP msg=audit(1578409563.868:21236): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=chronyd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
```

```
rpm -q openstack-tripleo-heat-templates
openstack-tripleo-heat-templates-11.3.2-0.20200109050651.8f93d27.el8ost.noarch
openstack-selinux-0.8.20-0.20191202205815.09846a2.el8ost.noarch
container-selinux-2.123.0-2.module+el8.1.0+4900+9d7326b8.noarch
```

Hello there,

SELinux is preventing chronyd_t to access container_file_t - I'm pretty sure this is due to bind-mount with the ":z" flag. Apparently, it seems to be due to some collectd|metric|monitoring container.

We can work together on this issue if you want, Martin. Lemme know if you have some available env so that we can inspect the relevant containers|rights|others.

Cheers,

C.

I am quite sure we should just drop the z flag https://github.com/openstack/tripleo-heat-templates/blob/ce70482aa2e9cea9fa67bda05efdf27c24e72157/deployment/metrics/collectd-container-puppet.yaml#L633

According to our record this is already released and tested/working.
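
An added example (not part of the bug thread or of the TripleO code): a small triage script that joins each AVC record with its SYSCALL record and flags denials where a non-container domain is blocked on an object labelled container_file_t, the pattern attributed above to a ":z" bind mount. The first two sample records are shortened from the log quoted in this report, the other two are constructed, and the domain-name heuristic is an assumption.

```python
import re

# Records 1-2 are shortened from the log quoted in this report; 3-4 are constructed.
SAMPLE = """\
type=AVC msg=audit(1578409563.716:21217): avc: denied { read } for pid=4011 comm="chronyd" name="run" dev="dm-0" ino=144 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=lnk_file permissive=0
type=SYSCALL msg=audit(1578409563.716:21217): arch=c000003e syscall=87 success=no exit=-13 comm="chronyd" exe="/usr/sbin/chronyd" SYSCALL=unlink
type=AVC msg=audit(1578409600.001:21300): avc: denied { write } for pid=5000 comm="nginx" name="cache" dev="dm-0" ino=900 scontext=system_u:system_r:container_t:s0:c1,c2 tcontext=system_u:object_r:container_file_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1578409700.002:21400): avc: denied { open } for pid=6000 comm="httpd" name="x" dev="dm-0" ino=901 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
"""

HEADER = re.compile(r"^type=(\w+) msg=audit\(\d+\.\d+:(\d+)\):")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(log):
    """Group records by event serial so an AVC can be read with its SYSCALL record."""
    events = {}
    for line in log.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        rtype, serial = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(line[m.end():])}
        if rtype == "AVC":
            perms = re.search(r"denied\s+\{([^}]*)\}", line)
            fields["perms"] = perms.group(1).split() if perms else []
        events.setdefault(int(serial), {})[rtype] = fields
    return events

def relabel_suspects(log):
    """Denials where a non-container domain is blocked on a container_file_t object."""
    hits = []
    for serial, recs in sorted(parse(log).items()):
        avc = recs.get("AVC")
        if not avc or "scontext" not in avc or "tcontext" not in avc:
            continue
        src = avc["scontext"].split(":")[2]   # SELinux type of the denied process
        tgt = avc["tcontext"].split(":")[2]   # SELinux type of the object
        # Assumption: container domains are named container*_t or spc_t.
        in_container = src.startswith("container") or src == "spc_t"
        if tgt == "container_file_t" and not in_container:
            hits.append({"serial": serial, "comm": avc.get("comm"), "domain": src,
                         "name": avc.get("name"), "tclass": avc.get("tclass"),
                         "perms": avc["perms"],
                         "syscall": recs.get("SYSCALL", {}).get("SYSCALL", "unknown")})
    return hits

if __name__ == "__main__":
    for hit in relabel_suspects(SAMPLE):
        print(hit)
```

On a live host, pass the contents of /var/log/audit/audit.log to `relabel_suspects()`; a hit on a host object such as `run` means the next step is finding which container bind mount relabelled that path.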