Bug 676586

Summary: MRG/M IG Chapter 2, subchapter 2 has to contain info/warning that running multiple brokers on one machine has some SELinux consequences
Product: Red Hat Enterprise MRG
Reporter: Frantisek Reznicek <freznice>
Component: Messaging_Installation_and_Configuration_Guide
Assignee: Alison Young <alyoung>
Status: CLOSED CURRENTRELEASE
QA Contact: Frantisek Reznicek <freznice>
Severity: high
Priority: unspecified
Version: 1.3
CC: esammons, ewarszaw, iboverma
Target Milestone: 1.3.3
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2011-08-12 05:15:42 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Frantisek Reznicek 2011-02-10 10:13:50 UTC
Description of problem:

Chapter 2. Starting the Broker
  Running multiple brokers on a single machine

  now contains the description that multiple brokers can be run on a single machine (as part of bug 651618).

  The subchapter should warn about SELinux caveats of this approach.

  Running the MRG/M broker as a service (service qpidd start) runs the qpidd process under the correct SELinux context root:system_r:initrc_t, while running the qpidd process manually as shown in the 'Running multiple brokers on a single machine' subchapter causes all brokers to be run under a different SELinux context (root:system_r:unconfined_t:SystemLow-SystemHigh).

  This fact does not have so much impact when multiple brokers on a single machine are standalone, but in a clustered configuration qpidd hangs / start-up problems might be seen, because SELinux will block some broker functionality, as the qpidd SELinux rules expect the qpidd process to run under a different context.



Version-Release number of selected component (if applicable):
MRG/M IG Revision 4-6 (on docs stage atm)


How reproducible:
N/A (100%)

Steps to Reproduce:
1. Look at Chapter 2. Starting the Broker subchapter 'Running multiple brokers on a single machine'
  
Actual results:
The current description does not highlight the pitfalls of such approach.

Expected results:
The current description should highlight the pitfalls of such approach.


Additional info (terminal transcript showing the SELinux contexts):

[root@dhcp-26-233 bz667428]# ps -Z $(pidof qpidd)
LABEL                             PID TTY      STAT   TIME COMMAND
root:system_r:initrc_t           5610 ?        Ssl    0:00 /usr/sbin/qpidd --data-dir /var/lib/qpidd --daemon
[root@dhcp-26-233 bz667428]# qpidd -p 0 --data-dir=/tmp/dd -d
2011-02-10 11:04:17 info Loaded Module: /usr/lib64/qpid/daemon/cluster.so
2011-02-10 11:04:18 info Loaded Module: /usr/lib64/qpid/daemon/xml.so
2011-02-10 11:04:18 info Loaded Module: /usr/lib64/qpid/daemon/acl.so
2011-02-10 11:04:18 info Loaded Module: /usr/lib64/qpid/daemon/ssl.so
2011-02-10 11:04:18 info Loaded Module: /usr/lib64/qpid/daemon/watchdog.so
2011-02-10 11:04:18 info Loaded Module: /usr/lib64/qpid/daemon/replication_exchange.so
2011-02-10 11:04:18 info Loaded Module: /usr/lib64/qpid/daemon/msgstore.so
2011-02-10 11:04:18 info Loaded Module: /usr/lib64/qpid/daemon/replicating_listener.so
53157
[root@dhcp-26-233 bz667428]# ps -Z $(pidof qpidd)
LABEL                             PID TTY      STAT   TIME COMMAND
root:system_r:initrc_t           5610 ?        Ssl    0:00 /usr/sbin/qpidd --data-dir /var/lib/qpidd --daemon
root:system_r:unconfined_t:SystemLow-SystemHigh 5646 ? Ssl   0:00 qpidd -p 0 --data-dir=/tmp/dd -d
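
A check a practitioner can run to catch the mislabeled-broker case shown in the transcript above. This is an added example, not code from the bug report or from the MRG/qpid project: it parses `ps -Z` output of the shape shown there and flags every qpidd process whose SELinux type is not the expected one. The expected type is passed as an argument; initrc_t is used in the usage line because that is what the transcript shows for the service-started broker, and it is an assumption that a system shipping a dedicated qpidd policy would use a different domain. The sample `ps -Z` output embedded in the block is constructed from the transcript above.

```shell
#!/bin/sh
# Added example (not from the bug report): flag qpidd processes whose
# SELinux type differs from the expected domain, using `ps -Z` output.

# Constructed sample, modelled on the transcript in the bug description.
SAMPLE_PS='LABEL                             PID TTY      STAT   TIME COMMAND
root:system_r:initrc_t           5610 ?        Ssl    0:00 /usr/sbin/qpidd --data-dir /var/lib/qpidd --daemon
root:system_r:unconfined_t:SystemLow-SystemHigh 5646 ? Ssl   0:00 qpidd -p 0 --data-dir=/tmp/dd -d'

# selinux_type LABEL
# A label is user:role:type[:range]; the type is the third field.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# mislabeled_qpidd EXPECTED_TYPE  (reads `ps -Z` output on stdin)
# Prints "PID TYPE" for each qpidd process whose type is not EXPECTED_TYPE.
# Returns 0 when every qpidd process has the expected type, 1 otherwise.
mislabeled_qpidd() {
    expected="$1"
    found=0
    while read -r label pid rest; do
        case "$label" in LABEL) continue ;; esac      # skip the header line
        case "$rest" in *qpidd*) ;; *) continue ;; esac # only broker processes
        t=$(selinux_type "$label")
        if [ "$t" != "$expected" ]; then
            printf '%s %s\n' "$pid" "$t"
            found=1
        fi
    done
    [ "$found" -eq 0 ]
}

# check_sample EXPECTED_TYPE: run the check over the constructed sample.
check_sample() {
    printf '%s\n' "$SAMPLE_PS" | mislabeled_qpidd "$1"
}

# Live usage on a host running the broker (assumes initrc_t is the
# service-started domain, as in the transcript):
#   ps -Z $(pidof qpidd) | mislabeled_qpidd initrc_t || echo "mislabeled broker(s) found"
```

The check deliberately compares only the type field: the MLS range (SystemLow-SystemHigh) on the manually started broker is a separate matter and a range mismatch alone is not what this bug describes.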

Comment 2 Frantisek Reznicek 2011-07-18 12:48:57 UTC
I propose the following tunings:

-In clustered machine configurations running the <command>qpidd -p 0</command>
command may result in hangs or start-up issues due to SELinux blocking broker
functionality. This is caused by &RHM; SELinux rules expecting the process to
be run under the same SELinux context.
+In clustered machine configurations running the <command>qpidd -p 0</command>
command may result in hangs or start-up issues due to SELinux blocking broker
functionality. This is caused by &RHM; SELinux rules expecting the process to
be run under correct SELinux context.
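Review bot: the replacement wording "under correct SELinux context" is missing an article ("under the correct SELinux context") and still does not tell the reader which context is correct. The transcript in the description shows the service-started broker as root:system_r:initrc_t and the manually started one as root:system_r:unconfined_t:SystemLow-SystemHigh; naming those two contexts in the sentence would let a reader confirm with ps -Z which case they are in.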


Following line is incorrect (so remove):

-Running multiple brokers on a single standalone machine should not result in
this issue.


Proposed change:

+Running MRG/M cluster on multiple machines where each machine executes single instance of MRG/M clustered broker started via service (service qpidd start) should not result in this issue.
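Review bot: the added sentence is a run-on and drops articles; suggest "Running an MRG/M cluster on multiple machines, where each machine runs a single instance of the clustered broker started via service qpidd start, should not result in this issue." so that the condition (one service-started broker per machine) reads as a single clause.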


-> ASSIGNED

Comment 5 Frantisek Reznicek 2011-07-20 13:43:53 UTC
The requested documentation was included in Messaging_Installation_Guide v 5-2.

-> VERIFIED