Created attachment 846768 [details]
n-net-audit.log

Description of problem:
Both nova-network and neutron use a rootwrap script for executing commands as root; these operations are failing.

Version-Release number of selected component (if applicable):

How reproducible:
always

Steps to Reproduce:
0. default packstack nova net or neutron setup.
1. nova boot Server1 --poll --flavor 42 --image cirros-0.3.1-x86_64-uec

The server will be in ERROR state.

Actual results:
/var/log/nova/network.log:

Stderr: 'sudo: unknown uid 162: who are you?\n'
2014-01-07 14:54:48.591 10409 TRACE nova.openstack.common.threadgroup Traceback (most recent call last):
2014-01-07 14:54:48.591 10409 TRACE nova.openstack.common.threadgroup File "/usr/lib/python2.7/site-packages/nova/openstack/common/threadgroup.py", line 117, in wait
2014-01-07 14:54:48.591 10409 TRACE nova.openstack.common.threadgroup x.wait()
2014-01-07 14:54:48.591 10409 TRACE nova.openstack.common.threadgroup File "/usr/lib/python2.7/site-packages/nova/openstack/common/threadgroup.py", line 49, in wait
2014-01-07 14:54:48.591 10409 TRACE nova.openstack.common.threadgroup return self.thread.wait()
2014-01-07 14:54:48.591 10409 TRACE nova.openstack.common.threadgroup File "/usr/lib/python2.7/site-packages/eventlet/greenthread.py", line 168, in wait
2014-01-07 14:54:48.591 10409 TRACE nova.openstack.common.threadgroup return self._exit_event.wait()
2014-01-07 14:54:48.591 10409 TRACE nova.openstack.common.threadgroup File "/usr/lib/python2.7/site-packages/eventlet/event.py", line 116, in wait
2014-01-07 14:54:48.591 10409 TRACE nova.openstack.common.threadgroup return hubs.get_hub().switch()
2014-01-07 14:54:48.591 10409 TRACE nova.openstack.common.threadgroup File "/usr/lib/python2.7/site-packages/eventlet/hubs/hub.py", line 187, in switch
2014-01-07 14:54:48.591 10409 TRACE nova.openstack.common.threadgroup return self.greenlet.switch()
2014-01-07 14:54:48.591 10409 TRACE nova.openstack.common.threadgroup File "/usr/lib/python2.7/site-packages/eventlet/greenthread.py", line 194, in main
2014-01-07 14:54:48.591 10409 TRACE nova.openstack.common.threadgroup result = function(*args, **kwargs)
2014-01-07 14:54:48.591 10409 TRACE nova.openstack.common.threadgroup File "/usr/lib/python2.7/site-packages/nova/openstack/common/service.py", line 448, in run_service
2014-01-07 14:54:48.591 10409 TRACE nova.openstack.common.threadgroup service.start()
2014-01-07 14:54:48.591 10409 TRACE nova.openstack.common.threadgroup File "/usr/lib/python2.7/site-packages/nova/service.py", line 154, in start
2014-01-07 14:54:48.591 10409 TRACE nova.openstack.common.threadgroup self.manager.init_host()
2014-01-07 14:54:48.591 10409 TRACE nova.openstack.common.threadgroup File "/usr/lib/python2.7/site-packages/nova/network/manager.py", line 1631, in init_host
2014-01-07 14:54:48.591 10409 TRACE nova.openstack.common.threadgroup self.l3driver.initialize(fixed_range=False, networks=networks)
2014-01-07 14:54:48.591 10409 TRACE nova.openstack.common.threadgroup File "/usr/lib/python2.7/site-packages/nova/network/l3.py", line 93, in initialize
2014-01-07 14:54:48.591 10409 TRACE nova.openstack.common.threadgroup linux_net.ensure_metadata_ip()
2014-01-07 14:54:48.591 10409 TRACE nova.openstack.common.threadgroup File "/usr/lib/python2.7/site-packages/nova/network/linux_net.py", line 731, in ensure_metadata_ip
2014-01-07 14:54:48.591 10409 TRACE nova.openstack.common.threadgroup run_as_root=True, check_exit_code=[0, 2, 254])
2014-01-07 14:54:48.591 10409 TRACE nova.openstack.common.threadgroup File "/usr/lib/python2.7/site-packages/nova/network/linux_net.py", line 1191, in _execute
2014-01-07 14:54:48.591 10409 TRACE nova.openstack.common.threadgroup return utils.execute(*cmd, **kwargs)
2014-01-07 14:54:48.591 10409 TRACE nova.openstack.common.threadgroup File "/usr/lib/python2.7/site-packages/nova/utils.py", line 175, in execute
2014-01-07 14:54:48.591 10409 TRACE nova.openstack.common.threadgroup return processutils.execute(*cmd, **kwargs)
2014-01-07 14:54:48.591 10409 TRACE nova.openstack.common.threadgroup File "/usr/lib/python2.7/site-packages/nova/openstack/common/processutils.py", line 178, in execute
2014-01-07 14:54:48.591 10409 TRACE nova.openstack.common.threadgroup cmd=' '.join(cmd))
2014-01-07 14:54:48.591 10409 TRACE nova.openstack.common.threadgroup ProcessExecutionError: Unexpected error while running command.
2014-01-07 14:54:48.591 10409 TRACE nova.openstack.common.threadgroup Command: sudo nova-rootwrap /etc/nova/rootwrap.conf ip addr add 169.254.169.254/32 scope link dev lo
2014-01-07 14:54:48.591 10409 TRACE nova.openstack.common.threadgroup Exit code: 1
2014-01-07 14:54:48.591 10409 TRACE nova.openstack.common.threadgroup Stdout: ''
2014-01-07 14:54:48.591 10409 TRACE nova.openstack.common.threadgroup Stderr: 'sudo: unknown uid 162: who are you?\n'

$ id nova
uid=162(nova) gid=162(nova) groups=162(nova),99(nobody),107(qemu)

or

2014-01-07 15:42:50.481 11528 INFO neutron.agent.dhcp_agent [-] Synchronizing state
2014-01-07 15:42:51.144 11528 ERROR neutron.agent.dhcp_agent [-] Unable to enable dhcp for 5c0063c7-97cd-4e27-b103-3f66578b3b21.
2014-01-07 15:42:51.144 11528 TRACE neutron.agent.dhcp_agent Traceback (most recent call last):
2014-01-07 15:42:51.144 11528 TRACE neutron.agent.dhcp_agent File "/usr/lib/python2.7/site-packages/neutron/agent/dhcp_agent.py", line 128, in call_driver
2014-01-07 15:42:51.144 11528 TRACE neutron.agent.dhcp_agent getattr(driver, action)(**action_kwargs)
2014-01-07 15:42:51.144 11528 TRACE neutron.agent.dhcp_agent File "/usr/lib/python2.7/site-packages/neutron/agent/linux/dhcp.py", line 171, in enable
2014-01-07 15:42:51.144 11528 TRACE neutron.agent.dhcp_agent reuse_existing=True)
2014-01-07 15:42:51.144 11528 TRACE neutron.agent.dhcp_agent File "/usr/lib/python2.7/site-packages/neutron/agent/linux/dhcp.py", line 737, in setup
2014-01-07 15:42:51.144 11528 TRACE neutron.agent.dhcp_agent namespace=network.namespace)
2014-01-07 15:42:51.144 11528 TRACE neutron.agent.dhcp_agent File "/usr/lib/python2.7/site-packages/neutron/agent/linux/interface.py", line 183, in plug
2014-01-07 15:42:51.144 11528 TRACE neutron.agent.dhcp_agent ns_dev.link.set_address(mac_address)
2014-01-07 15:42:51.144 11528 TRACE neutron.agent.dhcp_agent File "/usr/lib/python2.7/site-packages/neutron/agent/linux/ip_lib.py", line 230, in set_address
2014-01-07 15:42:51.144 11528 TRACE neutron.agent.dhcp_agent self._as_root('set', self.name, 'address', mac_address)
2014-01-07 15:42:51.144 11528 TRACE neutron.agent.dhcp_agent File "/usr/lib/python2.7/site-packages/neutron/agent/linux/ip_lib.py", line 217, in _as_root
2014-01-07 15:42:51.144 11528 TRACE neutron.agent.dhcp_agent kwargs.get('use_root_namespace', False))
2014-01-07 15:42:51.144 11528 TRACE neutron.agent.dhcp_agent File "/usr/lib/python2.7/site-packages/neutron/agent/linux/ip_lib.py", line 70, in _as_root
2014-01-07 15:42:51.144 11528 TRACE neutron.agent.dhcp_agent namespace)
2014-01-07 15:42:51.144 11528 TRACE neutron.agent.dhcp_agent File "/usr/lib/python2.7/site-packages/neutron/agent/linux/ip_lib.py", line 81, in _execute
2014-01-07 15:42:51.144 11528 TRACE neutron.agent.dhcp_agent root_helper=root_helper)
2014-01-07 15:42:51.144 11528 TRACE neutron.agent.dhcp_agent File "/usr/lib/python2.7/site-packages/neutron/agent/linux/utils.py", line 75, in execute
2014-01-07 15:42:51.144 11528 TRACE neutron.agent.dhcp_agent raise RuntimeError(m)
2014-01-07 15:42:51.144 11528 TRACE neutron.agent.dhcp_agent RuntimeError:
2014-01-07 15:42:51.144 11528 TRACE neutron.agent.dhcp_agent Command: ['sudo', 'neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 'link', 'set', 'tapfceedffd-44', 'address', 'fa:16:3e:7a:23:b0']
2014-01-07 15:42:51.144 11528 TRACE neutron.agent.dhcp_agent Exit code: 2
2014-01-07 15:42:51.144 11528 TRACE neutron.agent.dhcp_agent Stdout: ''
2014-01-07 15:42:51.144 11528 TRACE neutron.agent.dhcp_agent Stderr: 'Cannot talk to rtnetlink: Permission denied\n'
2014-01-07 15:42:51.144 11528 TRACE neutron.agent.dhcp_agent

Expected results:
VM booting

Additional info:
Multiple other swift-related issues are in the audit log files; they also need to be fixed. xz-compressed audit.log attached.
Created attachment 846770 [details] neutron-audit.log
Tip for next time - you can run the commands below instead of adding the whole audit log file:

# Enable SELinux
$ setenforce 1
# Clear your audit log
$ > /var/log/audit/audit.log
[Perform your offending tests]
# Show the reference policy/errors occurred
$ cat /var/log/audit/audit.log | audit2allow -R
These issues also apply to havana on f20 (and I believe on f19 as well).
Terry: do you know if these issues have been addressed by recent releases of selinux-policy?
Lars, apparently those issues have not been solved in the latest selinux-policy updates:

rpm -q selinux-policy
selinux-policy-3.12.1-122.fc20.noarch
*** Bug 1073170 has been marked as a duplicate of this bug. ***
Same issue on RHEL 7 beta (Maipo) with RDO-Icehouse:

openstack-packstack-2014.1.1-0.7.dev992.el7.noarch
python-django-openstack-auth-1.1.4-1.el7.noarch
openstack-nova-novncproxy-2014.1-0.11.b2.el7.noarch
openstack-glance-2014.1-0.2.b2.el7.noarch
openstack-nova-api-2014.1-0.11.b2.el7.noarch
openstack-dashboard-2014.1-0.3.b2.el7.noarch
openstack-keystone-2014.1-0.3.b2.el7.noarch
openstack-cinder-2014.1-0.2.b1.LIO.el7.noarch

[root@cougar12 /]# rpm -q selinux-policy
selinux-policy-3.12.1-136.el7.noarch
#============= neutron_t ==============
allow neutron_t dhcpd_port_t:udp_socket name_bind;
allow neutron_t dns_port_t:tcp_socket name_bind;
allow neutron_t dns_port_t:udp_socket name_bind;
allow neutron_t dnsmasq_exec_t:file execute_no_trans;
allow neutron_t iptables_exec_t:file execute_no_trans;
allow neutron_t proc_t:filesystem getattr;
allow neutron_t self:capability { net_bind_service dac_override };
allow neutron_t self:process setcap;
allow neutron_t self:rawip_socket { getopt create setopt };
allow neutron_t var_run_t:file { read create open };

#============= swift_t ==============
allow swift_t file_t:dir rw_dir_perms;
allow swift_t var_t:file { write getattr read lock unlink open };

#============= nova_api_t ==============
allow nova_api_t self:process signal;

#============= nova_network_t ==============
allow nova_network_t lib_t:dir { write remove_name add_name };
allow nova_network_t lib_t:file { write create unlink };
auth_read_passwd(nova_network_t)
allow nova_network_t self:capability2 block_suspend;
allow nova_network_t sysctl_net_t:dir search;
allow nova_network_t sysctl_net_t:file { write getattr open };

#============= rsync_t ==============
enable bool 'rsync_full_access'

#============= swift_t ==============
allow swift_t file_t:dir rw_dir_perms;
allow swift_t var_t:file { write getattr read lock unlink open };
allow swift_t xserver_port_t:tcp_socket name_bind;

We can ship this in selinux policy.
Generally we don't want to allow "manage" for generic types:

allow nova_network_t lib_t:dir { write remove_name add_name };
allow nova_network_t lib_t:file { write create unlink };
allow swift_t var_t:file { write getattr read lock unlink open };
(In reply to Miroslav Grepl from comment #9)
> Generally we don't want to allow "manage" for generic types
>
> allow nova_network_t lib_t:dir { write remove_name add_name };
> allow nova_network_t lib_t:file { write create unlink };

I don't see AVC msgs for lib_t issues.

> allow swift_t var_t:file { write getattr read lock unlink open };

Where is name="object.recon" located?

Also

# restorecon -R -v /srv/node

is needed to fix labeling.
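The exchange above turns on two things the audit2allow output on this bug does: it aggregates AVC denials into `allow` rules, and it should prompt a reviewer to ask whether a rule against a generic type (file_t, var_t, lib_t) is really a policy gap or a labeling problem to be fixed with restorecon. The following is an added example, not code from the bug or from the selinux-policy project: a minimal audit2allow-style aggregator over constructed AVC records (modelled on the `sudo: unknown uid 162` denial, sudo in nova_network_t unable to read passwd_file_t, and on the swift_t var_t case discussed above) that also flags rules targeting generic types.

```python
# Added example: audit2allow-style aggregation of AVC denials, with a check
# for rules against generic types (usually a labeling problem, not a policy gap).
import re
from collections import defaultdict

# Constructed sample records (not taken from the attached audit logs).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1389106488.591:101): avc:  denied  { read } for  pid=10409 comm="sudo" name="passwd" dev="dm-0" ino=1234 scontext=system_u:system_r:nova_network_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(1389106488.592:102): avc:  denied  { open } for  pid=10409 comm="sudo" path="/etc/passwd" dev="dm-0" ino=1234 scontext=system_u:system_r:nova_network_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(1389109371.144:103): avc:  denied  { create } for  pid=11528 comm="ip" scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:system_r:neutron_t:s0 tclass=rawip_socket
type=AVC msg=audit(1389109400.000:104): avc:  denied  { write } for  pid=11600 comm="swift-object-au" name="object.recon" dev="dm-0" ino=4321 scontext=system_u:system_r:swift_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=SYSCALL msg=audit(1389109400.000:104): arch=c000003e syscall=2 success=no exit=-13
"""

# Permission vector, source/target security contexts and object class of one AVC record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\w+)"
)

# Generic types named in this bug's review; granting access to them hides mislabeled files.
GENERIC_TYPES = {"file_t", "var_t", "lib_t"}


def parse_avc_denials(log_text):
    """Return {(source_type, target_type, tclass): set(permissions)} for all AVC denials."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL/CWD/PATH records carry no permission vector
        stype = m.group("scon").split(":")[2]  # user:role:TYPE:level
        ttype = m.group("tcon").split(":")[2]
        rules[(stype, ttype, m.group("tclass"))].update(m.group("perms").split())
    return dict(rules)


def to_allow_rules(rules):
    """Render aggregated denials as audit2allow-style allow statements."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        target = "self" if stype == ttype else ttype
        vec = " ".join(sorted(perms))
        vec = vec if len(perms) == 1 else "{ " + vec + " }"
        out.append(f"allow {stype} {target}:{tclass} {vec};")
    return out


def generic_type_denials(rules):
    """Keys whose target is a generic type: check labeling (restorecon) before adding policy."""
    return [key for key in sorted(rules) if key[1] in GENERIC_TYPES]
```

On the constructed input the two passwd_file_t records collapse into one rule for nova_network_t, which is the raw form of the `auth_read_passwd(nova_network_t)` interface that `audit2allow -R` printed above, and the swift_t var_t rule is reported as a candidate labeling problem.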
I think this is fixed with the current selinux policy: selinux-policy-3.12.1-153.el7_0.10. Please retest to see if there are any more AVCs generated.
I'm just starting an OpenStack fresh install and I got the same issue.

selinux-policy-3.12.1-153.el7_0.11.noarch
selinux-policy-targeted-3.12.1-153.el7_0.11.noarch
openstack-nova-api-2014.2-2.el7.centos.noarch
openstack-nova-network-2014.2-2.el7.centos.noarch

Nov 10 13:06:39 compute1 systemd: Started OpenStack Nova Network Server.
Nov 10 13:06:39 compute1 nova-network: Traceback (most recent call last):
Nov 10 13:06:39 compute1 nova-network: File "/usr/lib/python2.7/site-packages/eventlet/hubs/hub.py", line 455, in fire_timers
Nov 10 13:06:39 compute1 nova-network: timer()
Nov 10 13:06:39 compute1 nova-network: File "/usr/lib/python2.7/site-packages/eventlet/hubs/timer.py", line 58, in __call__
Nov 10 13:06:39 compute1 nova-network: cb(*args, **kw)
Nov 10 13:06:39 compute1 nova-network: File "/usr/lib/python2.7/site-packages/eventlet/greenthread.py", line 212, in main
Nov 10 13:06:39 compute1 nova-network: result = function(*args, **kwargs)
Nov 10 13:06:39 compute1 nova-network: File "/usr/lib/python2.7/site-packages/nova/openstack/common/service.py", line 492, in run_service
Nov 10 13:06:39 compute1 nova-network: service.start()
Nov 10 13:06:39 compute1 nova-network: File "/usr/lib/python2.7/site-packages/nova/service.py", line 164, in start
Nov 10 13:06:39 compute1 nova-network: self.manager.init_host()
Nov 10 13:06:39 compute1 nova-network: File "/usr/lib/python2.7/site-packages/nova/network/manager.py", line 1799, in init_host
Nov 10 13:06:39 compute1 nova-network: self.l3driver.initialize(fixed_range=False, networks=networks)
Nov 10 13:06:39 compute1 nova-network: File "/usr/lib/python2.7/site-packages/nova/network/l3.py", line 92, in initialize
Nov 10 13:06:39 compute1 nova-network: linux_net.ensure_metadata_ip()
Nov 10 13:06:39 compute1 nova-network: File "/usr/lib/python2.7/site-packages/nova/network/linux_net.py", line 751, in ensure_metadata_ip
Nov 10 13:06:39 compute1 nova-network: run_as_root=True, check_exit_code=[0, 2, 254])
Nov 10 13:06:39 compute1 nova-network: File "/usr/lib/python2.7/site-packages/nova/network/linux_net.py", line 1228, in _execute
Nov 10 13:06:39 compute1 nova-network: return utils.execute(*cmd, **kwargs)
Nov 10 13:06:39 compute1 nova-network: File "/usr/lib/python2.7/site-packages/nova/utils.py", line 163, in execute
Nov 10 13:06:39 compute1 nova-network: return processutils.execute(*cmd, **kwargs)
Nov 10 13:06:39 compute1 nova-network: File "/usr/lib/python2.7/site-packages/nova/openstack/common/processutils.py", line 203, in execute
Nov 10 13:06:39 compute1 nova-network: cmd=sanitized_cmd)
Nov 10 13:06:39 compute1 nova-network: ProcessExecutionError: Unexpected error while running command.
Nov 10 13:06:39 compute1 nova-network: Command: sudo nova-rootwrap /etc/nova/rootwrap.conf ip addr add 169.254.169.254/32 scope link dev lo
Nov 10 13:06:39 compute1 nova-network: Exit code: 1
Nov 10 13:06:39 compute1 nova-network: Stdout: u''
Nov 10 13:06:39 compute1 nova-network: Stderr: u'sudo: unknown uid 162: who are you?\n'
Can you attach your audit.log?
Created attachment 955955 [details] Audit DavidPasqua
Done. BTW, I'm trying to use nova, not neutron, for the network service.
What version of selinux-policy and openstack-selinux are you using?
Hi Ryan,

Sorry I didn't answer before, I was out of the office.

openstack-selinux wasn't installed; after installing openstack-selinux-0.5.19-2.el7ost.noarch everything started to work without problem. So I guess it is a dependency issue.

Thank you! :)