Bug 1093385 - neutron L3 agent RPC errors
Summary: neutron L3 agent RPC errors
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: RDO
Classification: Community
Component: openstack-selinux
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Target Release: ---
Assignee: RHOS Maint
QA Contact: Ofer Blaut
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-05-01 14:59 UTC by Ofer Blaut
Modified: 2016-04-26 19:28 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2016-03-30 23:05:59 UTC
Embargoed:


Attachments:
L3.log (4.07 KB, text/plain), 2014-05-01 14:59 UTC, Ofer Blaut

Description Ofer Blaut 2014-05-01 14:59:53 UTC
Created attachment 891553: L3.log

Description of problem:

There are neutron l3_agent_scheduler errors in /var/log/neutron/l3-agent.log.

Attached logs.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.run setup with RDO RHEL 7 and OVS with neutron router 
2.
3.

Actual results:


Expected results:


Additional info:

Comment 1 Ofer Blaut 2014-05-01 15:01:05 UTC
versions

openstack-neutron-openvswitch-2014.1-11.el7.noarch
python-neutron-2014.1-11.el7.noarch
python-neutronclient-2.3.4-1.el7.noarch
openstack-neutron-2014.1-11.el7.noarch

Comment 2 Terry Wilson 2014-05-06 17:43:26 UTC
Looks like this is a permissions error. There are known SELinux issues here: https://bugzilla.redhat.com/show_bug.cgi?id=1093297 so this may be a duplicate. Could you test with permissive mode and verify whether or not the problem goes away?

Comment 3 Jakub Libosvar 2014-05-07 07:29:39 UTC
You can also check /var/log/audit/audit.log for AVC to confirm that access to ip_forward was denied by SELinux.

Comment 4 Ofer Blaut 2014-05-07 13:07:57 UTC
[root@cougar16 ~(keystone_admin_tenant1)]$grep ip_forward /var/log/messages 
May  7 14:07:55 cougar16 kernel: type=1400 audit(1399460875.289:77): avc:  denied  { getattr } for  pid=6683 comm="sysctl" path="/proc/sys/net/ipv4/ip_forward" dev="proc" ino=279711 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
May  7 14:07:55 cougar16 kernel: type=1400 audit(1399460875.290:78): avc:  denied  { write } for  pid=6683 comm="sysctl" name="ip_forward" dev="proc" ino=279711 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
May  7 14:07:55 cougar16 kernel: type=1400 audit(1399460875.291:79): avc:  denied  { open } for  pid=6683 comm="sysctl" path="/proc/sys/net/ipv4/ip_forward" dev="proc" ino=279711 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file

Comment 5 Jakub Libosvar 2014-05-07 13:18:31 UTC
Moving to openstack-selinux based on the AVC denials in comment 4.

Comment 6 Ryan Hallisey 2014-05-15 14:49:12 UTC
#============= neutron_t ==============
allow neutron_t sysctl_net_t:file { write getattr open };

This should take care of those AVCs. I think this needs to go into the SELinux policy for RHEL 6.6.
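
As an added example (not from this bug report or from the openstack-selinux project), the following Python script does by hand what comments 3, 4 and 6 do together: it reads AVC "denied" records in the format shown in comment 4, collapses them into the allow rule comment 6 proposes, and then checks a candidate rule in both directions, that it covers every observed denial and that it grants nothing the denials did not ask for. The sample input embeds the three AVC lines from comment 4 plus two constructed lines (a non-AVC neutron message and a "granted" record) to show the filtering; all function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample input: the three AVC lines from comment 4, plus a
# non-AVC neutron log line and a 'granted' record (both made up here) to
# show that only 'denied' records are picked up.
SAMPLE_LOG = """\
May  7 14:07:55 cougar16 kernel: type=1400 audit(1399460875.289:77): avc:  denied  { getattr } for  pid=6683 comm="sysctl" path="/proc/sys/net/ipv4/ip_forward" dev="proc" ino=279711 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
May  7 14:07:55 cougar16 kernel: type=1400 audit(1399460875.290:78): avc:  denied  { write } for  pid=6683 comm="sysctl" name="ip_forward" dev="proc" ino=279711 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
May  7 14:07:55 cougar16 kernel: type=1400 audit(1399460875.291:79): avc:  denied  { open } for  pid=6683 comm="sysctl" path="/proc/sys/net/ipv4/ip_forward" dev="proc" ino=279711 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
May  7 14:07:56 cougar16 neutron-l3-agent: constructed non-AVC line, must be ignored
May  7 14:07:56 cougar16 kernel: type=1400 audit(1399460876.000:80): avc:  granted  { read } for  pid=6684 comm="sysctl" path="/proc/sys/net/ipv4/ip_forward" dev="proc" ino=279711 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
"""

# One AVC 'denied' record: permissions in braces, then the three fields that
# identify an SELinux access vector (source type, target type, object class).
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)
# A simple TE allow rule of the form used in comment 6.
RULE_RE = re.compile(r'allow\s+(\S+)\s+(\S+):(\S+)\s+\{([^}]*)\}\s*;')


def _type_of(context):
    """user:role:type:level -> type (system_u:system_r:neutron_t:s0 -> neutron_t)."""
    return context.split(":")[2]


def parse_denials(text):
    """Return one dict per AVC 'denied' record; all other lines are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        denials.append({
            "comm": m.group("comm"),
            "perms": set(m.group("perms").split()),
            "key": (_type_of(m.group("scontext")),
                    _type_of(m.group("tcontext")),
                    m.group("tclass")),
        })
    return denials


def needed_permissions(denials):
    """Collapse denials into {(source_type, target_type, class): set(perms)}."""
    needed = defaultdict(set)
    for d in denials:
        needed[d["key"]] |= d["perms"]
    return needed


def derive_allow_rules(denials):
    """Emit the minimal allow rules that silence the denials (what audit2allow prints)."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(needed_permissions(denials).items())
    ]


def parse_allow_rule(rule):
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError(f"not a simple allow rule: {rule!r}")
    src, tgt, cls, perms = m.groups()
    return (src, tgt, cls), set(perms.split())


def check_rules(denials, rules):
    """Compare candidate allow rules against the observed denials.

    Returns (uncovered, surplus): the denials the rules still would not allow,
    and, per rule, the permissions it grants that no denial asked for.
    """
    needed = needed_permissions(denials)
    granted = defaultdict(set)
    for r in rules:
        key, perms = parse_allow_rule(r)
        granted[key] |= perms
    uncovered = [d for d in denials if not d["perms"] <= granted[d["key"]]]
    surplus = {}
    for r in rules:
        key, perms = parse_allow_rule(r)
        extra = perms - needed[key]
        if extra:
            surplus[r] = extra
    return uncovered, surplus


if __name__ == "__main__":
    found = parse_denials(SAMPLE_LOG)
    print(f"{len(found)} AVC denials parsed")
    for rule in derive_allow_rules(found):
        print("derived:", rule)
    proposed = ["allow neutron_t sysctl_net_t:file { write getattr open };"]  # comment 6
    print("uncovered / over-granted:", check_rules(found, proposed))
```

On a real host the derivation step is what `audit2allow` from policycoreutils does over `/var/log/audit/audit.log`; the part worth keeping in a review script is `check_rules`, which flags a proposed rule that either leaves a denial unresolved or, like a rule broadened to `{ read write getattr open unlink }`, hands the confined domain permissions that nothing in the log required.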

Comment 7 Miroslav Grepl 2014-05-15 15:04:57 UTC
(In reply to Ryan Hallisey from comment #6)
> #============= neutron_t ==============
> allow neutron_t sysctl_net_t:file { write getattr open };
> 
> This should take care of those avc's.  I think this needs to go into selinux
> policy for Rhel 6.6.

This has already been added to Fedora/RHEL 7. I will backport all changes to RHEL 6.6 too.

