Bug 1114615 - [vdsm] [regression] Migration fails - unsupported configuration: Unable to find security driver for label selinux
Summary: [vdsm] [regression] Migration fails - unsupported configuration: Unable to fi...
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: vdsm
Version: 3.3.0
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
: ---
Assignee: Nobody
QA Contact: meital avital
URL:
Whiteboard: virt
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-06-30 13:45 UTC by akotov
Modified: 2019-04-28 09:29 UTC (History)
9 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-07-29 12:13:18 UTC
oVirt Team: ---
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Article) 883453 0 None None None Never

Description akotov 2014-06-30 13:45:54 UTC 
Description of problem:

Migration fails instantly
---vdsm---
Thread-1032286::DEBUG::2014-06-27 09:01:56,303::vm::378::vm.Vm::(_startUnderlyingMigration) vmId=`27de6235-941c-4e3f-a2bb-dd596a3c381c`::starting migration to qemu+tls://130.59.114.142/system with miguri tcp
://130.59.114.142
Thread-1032287::DEBUG::2014-06-27 09:01:56,304::vm::742::vm.Vm::(run) vmId=`27de6235-941c-4e3f-a2bb-dd596a3c381c`::migration downtime thread started
Thread-1032288::DEBUG::2014-06-27 09:01:56,305::vm::781::vm.Vm::(run) vmId=`27de6235-941c-4e3f-a2bb-dd596a3c381c`::starting migration monitor thread
Thread-1032286::DEBUG::2014-06-27 09:01:56,388::libvirtconnection::108::libvirtconnection::(wrapper) Unknown libvirterror: ecode: 67 edom: 24 level: 2 message: unsupported configuration: Unable to find security driver for label selinux
Thread-1032286::DEBUG::2014-06-27 09:01:56,388::vm::757::vm.Vm::(cancel) vmId=`27de6235-941c-4e3f-a2bb-dd596a3c381c`::canceling migration downtime thread
Thread-1032286::DEBUG::2014-06-27 09:01:56,388::vm::845::vm.Vm::(stop) vmId=`27de6235-941c-4e3f-a2bb-dd596a3c381c`::stopping migration monitor thread
Thread-1032287::DEBUG::2014-06-27 09:01:56,389::vm::754::vm.Vm::(run) vmId=`27de6235-941c-4e3f-a2bb-dd596a3c381c`::migration downtime thread exiting
Thread-1032286::ERROR::2014-06-27 09:01:56,391::vm::239::vm.Vm::(_recover) vmId=`27de6235-941c-4e3f-a2bb-dd596a3c381c`::unsupported configuration: Unable to find security driver for label selinux
Thread-1032286::ERROR::2014-06-27 09:01:56,475::vm::340::vm.Vm::(run) vmId=`27de6235-941c-4e3f-a2bb-dd596a3c381c`::Failed to migrate
Traceback (most recent call last):
  File "/usr/share/vdsm/vm.py", line 326, in run
  File "/usr/share/vdsm/vm.py", line 409, in _startUnderlyingMigration
  File "/usr/share/vdsm/vm.py", line 868, in f
  File "/usr/lib64/python2.6/site-packages/vdsm/libvirtconnection.py", line 76, in wrapper
  File "/usr/lib64/python2.6/site-packages/libvirt.py", line 1178, in migrateToURI2
libvirtError: unsupported configuration: Unable to find security driver for label selinux
---


Version-Release number of selected component (if applicable):

From selinux enabled host with vdsm-4.13.2-0.17.el6ev to selinux disabled host with vdsm-4.13.2-0.13.el6ev

How reproducible:


Additional info:

Seems like regression from BZ 1013617
Comment 4 Omer Frenkel 2014-07-01 07:19:04 UTC 
what is the selinux configuration on both hosts?
Comment 5 akotov 2014-07-01 07:34:45 UTC 
Hi.
first comment

>>From selinux enabled host with vdsm-4.13.2-0.17.el6ev to selinux disabled host with vdsm-4.13.2-0.13.el6ev

sosreport from latest(destination host) is attached to the BZ.

sestatus from first:
]$ cat sestatus_-b
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted

What is the "configuration" you want to examine further?
Comment 6 Omer Frenkel 2014-07-02 07:44:28 UTC 
sorry, i missed this info from the first comment.
in this case, this is not a bug, as the error state,
migration is not supported in this configuration, where selinux policy is different on the source and migration hosts.

in 3.5 the UI reports the selinux policy for the hosts, for more info please look at bug 894084
Comment 7 akotov 2014-07-02 07:56:16 UTC 
Hello Omer,

It seems rather strange that BZ 1013617 was taken care of and fixed, and this is not a bug now. Until RFE (894084) is implemented, i would consider it as a bug.

Furthermore, from BZ about enforcing SELinux: 1086374

"When a host changes SELinux Enforcing to SELinux permissive, host will be considered as compromised, an alert should be generated and the host should change status to non-responsive, Admin should be able to configure sVirt policy to migrate running VMs from compromised hosts before changing status to non-operational."

How is the proposed RFE pattern to migrate VMs from "compromised" host should work in real life, if customers are facing the bug of not being able to migrate VMs?
Comment 8 Omer Frenkel 2014-07-02 08:17:44 UTC 
I'm not sure about the details of bug 1013617
Michal, is it the same scenario?

iirc, migration can work if migrating from permissive to enabled
so bug 1086374 can work.
but migrating from enabled to disabled doesn't work.
Michal, what do you think?
Comment 10 Michal Skrivanek 2014-07-04 11:17:44 UTC 
(In reply to Omer Frenkel from comment #8)
correct

Alex, your case is from enabled->disabled; that's not supported.
Comment 12 Michal Skrivanek 2014-07-04 11:45:15 UTC 
(In reply to akotov from comment #7)
> It seems rather strange that BZ 1013617 was taken care of and fixed

well not that strange since that bug was about something else:)
it was an issue on selinux enabled environment, effectively breaking VM startup on any host
Note You need to log in before you can comment on or make changes to this bug.