Bug 1102326
| Field | Value |
|---|---|
| Summary | authorized_keys has the wrong SELinux context when gear is initially created |
| Product | OpenShift Container Platform |
| Reporter | Jose Simonelli <jsimonel> |
| Component | Containers |
| Assignee | Brenton Leanhardt <bleanhar> |
| Status | CLOSED WORKSFORME |
| QA Contact | libra bugs <libra-bugs> |
| Severity | medium |
| Docs Contact | |
| Priority | low |
| Version | 2.1.0 |
| CC | jokerman, jsimonel, libra-onpremise-devel, lmeyer, mmasters, mmccomas |
| Target Milestone | --- |
| Target Release | --- |
| Hardware | All |
| OS | Unspecified |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | Bug Fix |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2014-06-05 17:48:44 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Attachments | attachment 900159: yum update fix |
Created attachment 900159 [details]
yum update fix

This bug is no longer valid after I updated the selinux rpms by running a yum update. This file has all of the rpms that were updated during the yum update.
The official installation methods (Deployment Guide, openshift.sh, and oo-install) all include a yum update at the start of the process. Do we have a bug somewhere such that it is possible to miss this step? Please re-open if there's any path to follow install directions and still end up with this problem.

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days.
Description of problem:
You cannot ssh into OpenShift Enterprise using ssh keys until the SELinux context has been restored within the node.

Version-Release number of selected component (if applicable):
2.1

How reproducible:
Create gear and try to ssh into the server with the key that was added

Steps to Reproduce:
1. Create gear
2. SSH into gear
3. Fails to authenticate due to SELinux blocking the authorized_keys from being read

Actual results:
Output of /var/log/audit/audit.log when authenticating:

```
type=CRYPTO_KEY_USER msg=audit(1401301325.061:9462): user pid=16936 uid=0 auid=0 ses=1389 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=31:4f:6f:98:06:13:ea:9c:9b:90:d5:2c:05:5d:80:10 direction=? spid=16936 suid=0 exe="/usr/sbin/sshd" hostname=? addr=10.15.161.223 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1401301325.061:9463): user pid=16936 uid=0 auid=0 ses=1389 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=6e:37:2a:ae:ba:cc:43:23:26:33:bb:37:92:e0:8a:dc direction=? spid=16936 suid=0 exe="/usr/sbin/sshd" hostname=? addr=10.15.161.223 terminal=? res=success'
type=CRYPTO_SESSION msg=audit(1401301325.062:9464): user pid=16935 uid=0 auid=0 ses=1389 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-client cipher=aes128-ctr ksize=128 spid=16936 suid=74 rport=53076 laddr=10.15.75.11 lport=22 exe="/usr/sbin/sshd" hostname=? addr=10.15.161.223 terminal=? res=success'
type=CRYPTO_SESSION msg=audit(1401301325.062:9465): user pid=16935 uid=0 auid=0 ses=1389 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-server cipher=aes128-ctr ksize=128 spid=16936 suid=74 rport=53076 laddr=10.15.75.11 lport=22 exe="/usr/sbin/sshd" hostname=? addr=10.15.161.223 terminal=? res=success'
type=AVC msg=audit(1401301325.230:9466): avc: denied { read } for pid=16935 comm="sshd" name="authorized_keys" dev=dm-0 ino=1185781 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:openshift_var_lib_t:s0:c1,c694 tclass=file
type=SYSCALL msg=audit(1401301325.230:9466): arch=c000003e syscall=2 success=no exit=-13 a0=7f35f27aa170 a1=800 a2=1 a3=4 items=0 ppid=8203 pid=16935 auid=0 uid=0 gid=0 euid=1716 suid=0 fsuid=1716 egid=1716 sgid=0 fsgid=1716 tty=(none) ses=1389 comm="sshd" exe="/usr/sbin/sshd" subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=USER_AUTH msg=audit(1401301325.231:9467): user pid=16935 uid=0 auid=0 ses=1389 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=pubkey acct="537ed00df6c3795413000039" exe="/usr/sbin/sshd" hostname=? addr=10.15.161.223 terminal=ssh res=failed'
type=AVC msg=audit(1401301325.231:9468): avc: denied { read } for pid=16935 comm="sshd" name="authorized_keys" dev=dm-0 ino=1185781 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:openshift_var_lib_t:s0:c1,c694 tclass=file
type=SYSCALL msg=audit(1401301325.231:9468): arch=c000003e syscall=2 success=no exit=-13 a0=7f35f279d990 a1=800 a2=1 a3=41 items=0 ppid=8203 pid=16935 auid=0 uid=0 gid=0 euid=1716 suid=0 fsuid=1716 egid=1716 sgid=0 fsgid=1716 tty=(none) ses=1389 comm="sshd" exe="/usr/sbin/sshd" subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=USER_AUTH msg=audit(1401301325.231:9469): user pid=16935 uid=0 auid=0 ses=1389 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=pubkey acct="537ed00df6c3795413000039" exe="/usr/sbin/sshd" hostname=? addr=10.15.161.223 terminal=ssh res=failed'
type=AVC msg=audit(1401301325.234:9470): avc: denied { read } for pid=16935 comm="sshd" name="authorized_keys" dev=dm-0 ino=1185781 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:openshift_var_lib_t:s0:c1,c694 tclass=file
type=SYSCALL msg=audit(1401301325.234:9470): arch=c000003e syscall=2 success=no exit=-13 a0=7f35f279da70 a1=800 a2=1 a3=41 items=0 ppid=8203 pid=16935 auid=0 uid=0 gid=0 euid=1716 suid=0 fsuid=1716 egid=1716 sgid=0 fsgid=1716 tty=(none) ses=1389 comm="sshd" exe="/usr/sbin/sshd" subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=USER_AUTH msg=audit(1401301325.234:9471): user pid=16935 uid=0 auid=0 ses=1389 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=pubkey acct="537ed00df6c3795413000039" exe="/usr/sbin/sshd" hostname=? addr=10.15.161.223 terminal=ssh res=failed'
```

SELinux context of the authorized_keys after the webapp is created:

```
[root@jttc-ose-node1 gems]# ls -laZ /var/lib/openshift/537ed00df6c3795413000039/.ssh/
drwxr-x---. root 537ed00df6c3795413000039 system_u:object_r:ssh_home_t:s0:c1,c694 .
drwxr-x---. root 537ed00df6c3795413000039 system_u:object_r:openshift_var_lib_t:s0:c1,c694 ..
-r--r-----. root 537ed00df6c3795413000039 system_u:object_r:openshift_var_lib_t:s0:c1,c694 authorized_keys
```

Expected results:

```
# ls -alZ now has correct context
[root@jttc-ose-node1 gems]# ls -laZ /var/lib/openshift/537ed00df6c3795413000039/.ssh/
drwxr-x---. root 537ed00df6c3795413000039 system_u:object_r:ssh_home_t:s0:c1,c694 .
drwxr-x---. root 537ed00df6c3795413000039 system_u:object_r:openshift_var_lib_t:s0:c1,c694 ..
-r--r-----. root 537ed00df6c3795413000039 system_u:object_r:ssh_home_t:s0:c1,c694 authorized_keys
```

Additional info:
After the gear is created I have to ssh into the node it was deployed on and run restorecon on the authorized_keys file in order to fix it, then I am able to ssh into the gear without an issue.

```
# I restorecon the authorized_keys file
[root@jttc-ose-node1 gems]# restorecon -v /var/lib/openshift/537ed00df6c3795413000039/.ssh/authorized_keys
restorecon reset /var/lib/openshift/537ed00df6c3795413000039/.ssh/authorized_keys context system_u:object_r:openshift_var_lib_t:s0:c1,c694->system_u:object_r:ssh_home_t:s0:c1,c694
# ls -alZ now has correct context
[root@jttc-ose-node1 gems]# ls -laZ /var/lib/openshift/537ed00df6c3795413000039/.ssh/
drwxr-x---. root 537ed00df6c3795413000039 system_u:object_r:ssh_home_t:s0:c1,c694 .
drwxr-x---. root 537ed00df6c3795413000039 system_u:object_r:openshift_var_lib_t:s0:c1,c694 ..
-r--r-----. root 537ed00df6c3795413000039 system_u:object_r:ssh_home_t:s0:c1,c694 authorized_keys
```

Now I am able to SSH into the gear.
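As an added example (not part of the bug report or of OpenShift), the following Python script parses audit.log records like the ones quoted above and reports sshd read denials on an authorized_keys file whose SELinux type is not ssh_home_t, correlating each AVC record with the SYSCALL record that shares its audit serial so the gear's uid is visible; the sample log is constructed from the records in this report, and the gear path in the remediation hint is a placeholder.

```python
import re

EXPECTED_TYPE = "ssh_home_t"  # the label sshd expects on ~/.ssh/authorized_keys
HDR = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
DENIED = re.compile(r"denied\s+\{\s*([\w ]+?)\s*\}")

# Constructed sample modelled on the audit.log excerpt in the report: the same
# denial logged twice (one inode) plus an unrelated httpd record.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1401301325.230:9466): avc: denied { read } for pid=16935 comm="sshd" name="authorized_keys" dev=dm-0 ino=1185781 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:openshift_var_lib_t:s0:c1,c694 tclass=file
type=SYSCALL msg=audit(1401301325.230:9466): arch=c000003e syscall=2 success=no exit=-13 a0=7f35f27aa170 a1=800 a2=1 a3=4 items=0 ppid=8203 pid=16935 auid=0 uid=0 gid=0 euid=1716 suid=0 fsuid=1716 egid=1716 sgid=0 fsgid=1716 tty=(none) ses=1389 comm="sshd" exe="/usr/sbin/sshd" subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1401301325.231:9468): avc: denied { read } for pid=16935 comm="sshd" name="authorized_keys" dev=dm-0 ino=1185781 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:openshift_var_lib_t:s0:c1,c694 tclass=file
type=AVC msg=audit(1401301340.000:9490): avc: denied { write } for pid=17002 comm="httpd" name="index.html" dev=dm-0 ino=22 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:openshift_var_lib_t:s0:c3,c4 tclass=file
"""

def parse_record(line):
    """Flatten one audit record into a dict; quoted values lose their quotes."""
    m = HDR.match(line.strip())
    if not m:
        return {}
    rec = {k: v.strip('"') for k, v in KV.findall(m.group(4))}
    rec.update(type=m.group(1), time=m.group(2), serial=m.group(3), rest=m.group(4))
    return rec

def selinux_type(context):
    """'system_u:object_r:openshift_var_lib_t:s0:c1,c694' -> 'openshift_var_lib_t'"""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else ""

def find_mislabeled_authorized_keys(log_text):
    """One finding per (dev, inode) for sshd read denials on an authorized_keys file
    whose type is not ssh_home_t; euid comes from the SYSCALL record that shares the
    AVC record's audit serial (on an OpenShift node that is the gear's uid)."""
    records = [parse_record(l) for l in log_text.splitlines() if l.strip()]
    syscalls = {r["serial"]: r for r in records if r.get("type") == "SYSCALL"}
    findings = {}
    for r in records:
        perm = DENIED.search(r.get("rest", ""))
        if (r.get("type") != "AVC" or r.get("comm") != "sshd" or r.get("name") != "authorized_keys"
                or r.get("tclass") != "file" or not perm or "read" not in perm.group(1).split()):
            continue
        actual = selinux_type(r.get("tcontext", ""))
        if actual == EXPECTED_TYPE:
            continue  # label is correct, so the denial has some other cause
        key = (r.get("dev"), r.get("ino"))
        if key in findings:
            findings[key]["denials"] += 1  # retries of the same failed login
            continue
        findings[key] = {"serial": r["serial"], "pid": r.get("pid"), "dev": key[0], "ino": key[1],
                         "euid": syscalls.get(r["serial"], {}).get("euid"), "denials": 1,
                         "actual_type": actual, "expected_type": EXPECTED_TYPE,
                         "fix": "restorecon -v /var/lib/openshift/<gear uuid>/.ssh/authorized_keys"}
    return list(findings.values())
```

Feed it the real file with `find_mislabeled_authorized_keys(open("/var/log/audit/audit.log").read())`; a finding with `actual_type` other than `ssh_home_t` is the symptom this report describes.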