Description of problem:
Glance image upload after integrating ceph failing because of selinux

Version-Release number of selected component (if applicable):
[root@cvf13-server-5 ~(keystone_admin)]# glance --version
0.13.1

How reproducible:
setup the openstack nodes
setup the ceph nodes
integrate Glance to use the ceph nodes to store images

Actual results:
It fails with 500(internal server error)

from glance api.log
2014-08-12 17:16:18.973 32444 ERROR glance.api.v1.upload_utils [-] Failed to upload image 3b1fbd0a-0717-4983-bf8b-67263d73dad7
2014-08-12 17:16:18.973 32444 TRACE glance.api.v1.upload_utils Traceback (most recent call last):
2014-08-12 17:16:18.973 32444 TRACE glance.api.v1.upload_utils File "/usr/lib/python2.7/site-packages/glance/api/v1/upload_utils.py", line 99, in upload_data_to_store
2014-08-12 17:16:18.973 32444 TRACE glance.api.v1.upload_utils store)
2014-08-12 17:16:18.973 32444 TRACE glance.api.v1.upload_utils File "/usr/lib/python2.7/site-packages/glance/store/__init__.py", line 380, in store_add_to_backend
2014-08-12 17:16:18.973 32444 TRACE glance.api.v1.upload_utils (location, size, checksum, metadata) = store.add(image_id, data, size)
2014-08-12 17:16:18.973 32444 TRACE glance.api.v1.upload_utils File "/usr/lib/python2.7/site-packages/glance/store/rbd.py", line 319, in add
2014-08-12 17:16:18.973 32444 TRACE glance.api.v1.upload_utils with rados.Rados(conffile=self.conf_file, rados_id=self.user) as conn:
2014-08-12 17:16:18.973 32444 TRACE glance.api.v1.upload_utils File "/usr/lib/python2.7/site-packages/rados.py", line 208, in __init__
2014-08-12 17:16:18.973 32444 TRACE glance.api.v1.upload_utils self.librados = CDLL(librados_path)
2014-08-12 17:16:18.973 32444 TRACE glance.api.v1.upload_utils File "/usr/lib64/python2.7/ctypes/__init__.py", line 360, in __init__
2014-08-12 17:16:18.973 32444 TRACE glance.api.v1.upload_utils self._handle = _dlopen(self._name, mode)
2014-08-12 17:16:18.973 32444 TRACE glance.api.v1.upload_utils OSError: librados.so.2: cannot enable executable stack as shared object requires: Permission denied

Expected results:
Upload should work fine

Additional info:
the ceph cluster we are using is inktank ceph cluster
root@cvf13-server-247:~ # ceph -v
ceph version 0.80.4-1-g67b5193 (67b5193f73a2c9ec9e503ad3431473998217375d)
Created attachment 926858: /var/log/messages from the server
Created attachment 926859: /var/log/audit/ from the server
@Daniel Do you know OTOH what rule might be missing?
$ audit2allow -i *

#============= glance_api_t ==============

#!!!! This avc can be allowed using the boolean 'glance_use_execmem'
allow glance_api_t self:process { execstack execmem };
dwalsh@redsox$
Moving to openstack-selinux since this needs to be enabled there.
Looks like maybe fix has been identified. Is this something we can apply manually as opposed to turning selinux off wholesale?
That boolean isn't available yet, so I'm adding the execmem/execstack allow rule for now.
[root@localhost tests]# getsebool -a | grep glance
glance_use_fusefs --> on
[root@localhost tests]# rpm -q selinux-policy
selinux-policy-3.12.1-153.el7_0.10.noarch
verified, the boolean has changed.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2014-1325.html