Bug 965311
Summary: | AVC denial when attaching volume to RHOS 3 instance | |||
---|---|---|---|---|
Product: | Red Hat OpenStack | Reporter: | Lon Hohberger <lhh> | |
Component: | openstack-selinux | Assignee: | Miroslav Grepl <mgrepl> | |
Status: | CLOSED WORKSFORME | QA Contact: | Brandon Perkins <bperkins> | |
Severity: | high | Docs Contact: | ||
Priority: | high | |||
Version: | 3.0 | CC: | ajeain, dwalsh, eharney, jturner, kchamart, lhh, mgrepl | |
Target Milestone: | rc | Keywords: | TestOnly | |
Target Release: | 3.0 | |||
Hardware: | Unspecified | |||
OS: | Unspecified | |||
Whiteboard: | ||||
Fixed In Version: | Doc Type: | Bug Fix | ||
Doc Text: | Story Points: | --- | ||
Clone Of: | ||||
: | 971594 (view as bug list) | Environment: | ||
Last Closed: | 2013-06-24 13:23:37 UTC | Type: | Bug | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | 973776 | |||
Bug Blocks: |
Description
Lon Hohberger
2013-05-20 21:37:38 UTC
Possible test reproducer for attaching a volume to an instance: ------------------------------------------------ # Create a cinder volume, and list it $ cinder create --display_name=bootable_volume 1 $ cinder list # Add the cinder volume to env. This is the output of "cinder list" $ VOLUME_ID=2c370395-7f59-4c89-b312-ba35dbb986c0 $ echo $VOLUME_ID # boot an instance $ nova boot --image e1b71961-d66d-4315-8e83-32aa1bd44f3f --flavor 1 --key_name oskey f17-builder # Ensure the above booted instance is ACTIVE $ nova list | grep f17-builder $ cinder list # Attach a volume $ nova volume-attach f17-builder 2c370395-7f59-4c89-b312-ba35dbb986c0 /dev/vdb $ cinder list $ ssh -i oskey.priv 192.168.32.4 ------------------------------------------------ I reproduced this (the logged AVCs) by following the same steps as above: install, boot vm, attach an LVM iSCSI Cinder volume. But, it doesn't seem to break anything, and the attach works. Unclear what is accessing /dev/sda, maybe something triggered by iscsiadm. Same openstack-selinux ver, openstack-nova-* 2013.1.1-3. Note: /dev/sda is the device node for the disk created when the iSCSI initiator logs in during volume attach. This would be a general bug in policy and would happen with or without openstack, it should be fixed. This is being fixed in selinux-policy bug # 971594 and so this bug is just TestOnly once we get updated selinux policy package Works here too:
Version:
========
[root@meadow ~(keystone_admin)]# rpm -q selinux-policy
selinux-policy-3.7.19-195.el6_4.11.noarch
[root@meadow ~(keystone_admin)]# getenforce
Enforcing
Test:
=====
[root@meadow ~(keystone_admin)]# glance image-list
+--------------------------------------+----------+-------------+------------------+-----------+--------+
| ID | Name | Disk Format | Container Format | Size | Status |
+--------------------------------------+----------+-------------+------------------+-----------+--------+
| da497c6a-7574-41b8-835f-5875a8c28d56 | fedora17 | qcow2 | bare | 251985920 | active |
+--------------------------------------+----------+-------------+------------------+-----------+--------+
[root@meadow ~(keystone_admin)]# nova boot --flavor 2 --key_name oskey1 --image \
> da497c6a-7574-41b8-835f-5875a8c28d56 fedora17-t1
[root@meadow ~(keystone_admin)]# VOLUME_ID=9d4a296c-42ad-4eeb-8ebd-0cf59ccf37d8
[root@meadow ~(keystone_admin)]# nova volume-attach fedora17-t1 $VOLUME_ID /dev/vdb
+----------+--------------------------------------+
| Property | Value |
+----------+--------------------------------------+
| device | /dev/vdb |
| serverId | cb1cdaa6-554b-4ad5-a22a-c439254b1c81 |
| id | 9d4a296c-42ad-4eeb-8ebd-0cf59ccf37d8 |
| volumeId | 9d4a296c-42ad-4eeb-8ebd-0cf59ccf37d8 |
+----------+--------------------------------------+
-> You could also further confirm the block device vdb is attached by doing:
[root@meadow ~(keystone_admin)]# sudo virsh list
Id Name State
----------------------------------------------------
1 instance-00000001 running
[root@meadow ~(keystone_admin)]# sudo virsh domblklist 1
Target Source
------------------------------------------------
vda /var/lib/nova/instances/cb1cdaa6-554b-4ad5-a22a-c439254b1c81/disk
vdb /dev/disk/by-path/ip-10.WW.YYY.ZZZ:3260-iscsi-iqn.2010-10.org.openstack:volume-9d4a296c-42ad-4eeb-8ebd-0cf59ccf37d8-lun-1
agreed that we are going to close the bug, saying that we could not reproduce it. This bug is a tracker bug (Lon) |