Bug 1866290

Summary: SELinux blocking instance from spawning after 16.1 update (incorrect podman version and module stream)

| Field | Value | Field | Value |
|---|---|---|---|
| Product | Red Hat OpenStack | Reporter | Sergii Mykhailushko <smykhail> |
| Component | openstack-selinux | Assignee | Julie Pichon <jpichon> |
| Status | CLOSED DUPLICATE | QA Contact | nlevinki <nlevinki> |
| Severity | high | Docs Contact | |
| Priority | urgent | | |
| Version | 16.0 (Train) | CC | aglotov, ariveral, cjeanner, ealcaniz, jpichon, knoha, kthakre, lbezdick, lhh, lvrabec, mivollme, pmannidi, pveiga, yocha |
| Target Milestone | --- | Keywords | Triaged |
| Target Release | --- | | |
| Hardware | x86_64 | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | If docs needed, set a value |
| Doc Text | | Story Points | --- |
| Clone Of | | | |
| | 1866479 (view as bug list) | Environment | |
| Last Closed | 2020-08-07 10:35:26 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 1866479 | | |
| Bug Blocks | | | |
Description (Sergii Mykhailushko, 2020-08-05 10:30:21 UTC)

This looks exactly like bug 1841822 indeed... /usr/libexec/qemu-kvm should not have the container_file_t label. I think the podman version may be too old; looking at one of the dependent bugs for podman (bug 1846364) it seems like we need podman-1.6.4-15 at least. Cedric, I'm adding you as needinfo just in case you spot anything else missing, as there were a few moving parts with that other bug. Thank you!

Hello, you appear to have the wrong podman version; it should be 1.6.4-15. So I'd say "duplicate", indeed. If you can update your podman version and restart the containers (or the hosts directly), you should be good. Cheers, C.

1.6.4-15 should be in the container-tools:2.0 module stream, which should be enabled by default (as opposed to the default module, which shouldn't be used).

Thanks for the investigation! It didn't get updated during the 16.0.2 -> 16.1 upgrade. Either there is an issue with the capsule server we use or the module stream is wrong. @Julie: Who should enable container-tools:2.0? This is what I currently have:

    # yum module list container-tools
    Updating Subscription Management repositories.
    /usr/lib/python3.6/site-packages/dateutil/parser/_parser.py:70: UnicodeWarning: decode() called on unicode string, see https://bugzilla.redhat.com/show_bug.cgi?id=1693751
      instream = instream.decode()
    Fast Datapath for RHEL 8 x86_64 (RPMs)                                                    27 kB/s | 2.4 kB  00:00
    Red Hat Enterprise Linux 8 for x86_64 - BaseOS - Extended Update Support (RPMs)            25 kB/s | 2.4 kB  00:00
    Red Hat Enterprise Linux 8 for x86_64 - AppStream - Extended Update Support (RPMs)         35 kB/s | 2.8 kB  00:00
    Red Hat Enterprise Linux 8 for x86_64 - High Availability - Extended Update Support (RPMs) 23 kB/s | 2.4 kB  00:00
    Advanced Virtualization for RHEL 8 x86_64 (RPMs)                                           24 kB/s | 2.8 kB  00:00
    Red Hat Satellite Tools 6.5 for RHEL 8 x86_64 (RPMs)                                       17 kB/s | 2.1 kB  00:00
    Red Hat Ansible Engine 2.9 for RHEL 8 x86_64 (RPMs)                                        22 kB/s | 2.4 kB  00:00
    Red Hat OpenStack Platform 16.1 for RHEL 8 x86_64 (RPMs)                                   18 kB/s | 2.4 kB  00:00
    Red Hat Enterprise Linux 8 for x86_64 - AppStream - Extended Update Support (RPMs)
    Name              Stream        Profiles     Summary
    container-tools   rhel8 [d][e]  common [d]   Common tools and dependencies for container runtimes
    container-tools   1.0           common [d]   Common tools and dependencies for container runtimes
    container-tools   2.0           common [d]   Common tools and dependencies for container runtimes

    Hint: [d]efault, [e]nabled, [x]disabled, [i]nstalled

I think this should have been resolved as part of bug 1829609... Lukas, you were looking at that other bug: it looks like the correct module (container-tools:2.0) wasn't enabled as expected during a 16.0.2 to 16.1 update. Do you have any ideas?

It looks like the bug I linked to is about upgrades, not updates. I think the correct module stream might need to be enabled manually when setting up the new repos.

Priscila, with regard to the new case you linked, Cedric described the workaround in comment 2: update podman and restart the containers. You may need to enable the correct module stream first in order to get the right podman version.

Is container-tools the only module stream which needs to be changed, or are there others as well?

I suspect virt:8.2 needs to be enabled as well if it isn't.

It seems like there's a need to update the 16.1 documentation...

I opened 1866479 to track the wrong module being set up while we debug the libvirt issue here.

The nova_libvirt container needs to be replaced. Steps from Cedric, to run *on the compute* as root:

    # dnf module disable -y container-tools:rhel8
    # dnf module enable -y container-tools:2.0
    # dnf upgrade -y podman
    # systemctl disable --now tripleo_nova_libvirt
    # podman rm nova_libvirt
    # paunch apply --file /var/lib/tripleo-config/container-startup-config/step_3/nova_libvirt.json --config-id step_3
    # systemctl enable tripleo_nova_libvirt

Then we get a fresh container with the correct labels, and VMs can be started.

As an additional precaution, we should also add the following 2 commands to the workaround above, to avoid other potential issues in the future:

    # dnf module disable virt:rhel
    # dnf module enable virt:8.2
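A preflight check that covers the three conditions discussed in this thread (which module streams are enabled, whether podman is at least 1.6.4-15, and whether /usr/libexec/qemu-kvm still carries the container_file_t label), written as an added example for this page; it is not code from the bug report or from Red Hat/TripleO tooling. It assumes the usual output shapes of `dnf module list`, `rpm -q --qf '%{VERSION}-%{RELEASE}'` and `stat -c %C`; the sample outputs embedded in it are constructed (the module listing mirrors the one pasted above, the podman release string is invented), and its version comparison is a simplified rpmvercmp that ignores the `~` and `^` rules.

```python
"""Preflight check for the podman / module-stream / nova_libvirt label problem.

Added example, not code from the bug report or from Red Hat/TripleO.
Assumed interfaces (real commands, output formats as seen on RHEL 8):
  dnf module list <module>...          -> rows "name  stream [d][e]  profiles  summary"
  rpm -q --qf '%{VERSION}-%{RELEASE}' podman
  stat -c %C /usr/libexec/qemu-kvm     -> SELinux context "user:role:type:level"
Sample data below is constructed, based on the listing in the thread.
"""
import re
import subprocess

# Values taken from the thread: fixed podman build and the streams that should be enabled.
MIN_PODMAN = "1.6.4-15"
REQUIRED_STREAMS = {"container-tools": "2.0", "virt": "8.2"}
QEMU_KVM = "/usr/libexec/qemu-kvm"
BAD_TYPE = "container_file_t"

# Constructed sample inputs (module listing mirrors the one pasted in the thread).
SAMPLE_MODULE_LIST = """\
Updating Subscription Management repositories.
Red Hat Enterprise Linux 8 for x86_64 - AppStream - Extended Update Support (RPMs)
Name              Stream        Profiles     Summary
container-tools   rhel8 [d][e]  common [d]   Common tools and dependencies for container runtimes
container-tools   1.0           common [d]   Common tools and dependencies for container runtimes
container-tools   2.0           common [d]   Common tools and dependencies for container runtimes

Hint: [d]efault, [e]nabled, [x]disabled, [i]nstalled
"""
SAMPLE_PODMAN_VR = "1.6.4-4.module+el8.1.0+4830+184dc6fc"         # constructed pre-fix build
SAMPLE_QEMU_KVM_CONTEXT = "system_u:object_r:container_file_t:s0"  # the bad label from the thread

_FLAGS = re.compile(r"(\[[a-z]\])+")  # flag group that follows the stream name, e.g. "[d][e]"


def enabled_streams(module_list_output):
    """Map module name -> enabled stream, parsed from `dnf module list` output.

    Only rows whose third column is a flag group containing [e] count; header,
    repository and "Hint:" lines never have that shape.
    """
    enabled = {}
    for line in module_list_output.splitlines():
        fields = line.split()
        if len(fields) >= 3 and _FLAGS.fullmatch(fields[2]) and "[e]" in fields[2]:
            enabled[fields[0]] = fields[1]
    return enabled


def rpm_vercmp(a, b):
    """Simplified rpmvercmp: 1 if a is newer, -1 if older, 0 if equal.

    Splits each label into digit/alpha runs, compares numerically or lexically,
    treats a numeric segment as newer than an alphabetic one, and the longer
    label as newer when all shared segments match. No ~ or ^ handling.
    """
    sa = re.findall(r"\d+|[A-Za-z]+", a)
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1


def podman_is_new_enough(version_release, minimum=MIN_PODMAN):
    """True if VERSION-RELEASE is at least the minimum (version first, then release)."""
    ver, _, rel = version_release.partition("-")
    min_ver, _, min_rel = minimum.partition("-")
    result = rpm_vercmp(ver, min_ver) or rpm_vercmp(rel, min_rel)
    return result >= 0


def qemu_kvm_mislabelled(context):
    """True if the type field of a user:role:type:level context is container_file_t."""
    parts = context.split(":")
    return len(parts) >= 3 and parts[2] == BAD_TYPE


def findings(module_list_output, podman_vr, qemu_kvm_context):
    """Return the list of problems found; an empty list means the host is in the fixed state."""
    problems = []
    enabled = enabled_streams(module_list_output)
    for module, wanted in REQUIRED_STREAMS.items():
        got = enabled.get(module)
        if got != wanted:
            problems.append(f"module {module}: enabled stream is {got or 'none'}, expected {wanted}")
    if not podman_is_new_enough(podman_vr):
        problems.append(f"podman {podman_vr} is older than {MIN_PODMAN}")
    if qemu_kvm_mislabelled(qemu_kvm_context):
        problems.append(f"{QEMU_KVM} is {qemu_kvm_context}: recreate the nova_libvirt container")
    return problems


def _run(*cmd):
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout.strip()


def main():
    """Collect the three inputs from a live compute node (run as root) and print the findings."""
    problems = findings(
        _run("dnf", "module", "list", *REQUIRED_STREAMS),
        _run("rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}", "podman"),
        _run("stat", "-c", "%C", QEMU_KVM),
    )
    print("\n".join(problems) if problems else "ok: module streams, podman and qemu-kvm label look correct")
    return 1 if problems else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Run it as root on the compute before and after the workaround: a non-zero exit with any finding means one of the steps above is still outstanding, and the qemu-kvm label check is the one that tells you the nova_libvirt container itself still needs to be removed and re-created rather than merely restarted.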