1130212 – [CISCO RHEL-OSP] Glance image upload after integrating ceph failing because of selinux

Bug 1130212 - [CISCO RHEL-OSP] Glance image upload after integrating ceph failing because of selinux

Summary: [CISCO RHEL-OSP] Glance image upload after integrating ceph failing because o...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	openstack-selinux
Sub Component:
Version:	5.0 (RHEL 7)
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	z1
Target Release:	5.0 (RHEL 7)
Assignee:	Ryan Hallisey
QA Contact:	Yogev Rabl
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1154145 1154162 1154159
TreeView+	depends on / blocked

Reported:	2014-08-14 14:35 UTC by satya routray
Modified:	2016-04-26 15:05 UTC (History)
CC List:	13 users (show)
Fixed In Version:	openstack-selinux-0.5.15-2.el7ost
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2014-09-30 18:02:39 UTC
Target Upstream Version:

Attachments	(Terms of Use)
/var/log/messages from the server (564.60 KB, application/x-gzip) 2014-08-14 16:26 UTC, Britt Houser	no flags	Details
/var/log/audit/ from the server (579.86 KB, application/octet-stream) 2014-08-14 16:26 UTC, Britt Houser	no flags	Details
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2014:1325	normal	SHIPPED_LIVE	Red Hat Enterprise Linux OpenStack Platform Bug Fix and Enhancement Advisory	2014-09-30 22:01:16 UTC

Description satya routray 2014-08-14 14:35:28 UTC

Description of problem:
Glance image upload after integrating ceph failing because of selinux

Version-Release number of selected component (if applicable):
[root@cvf13-server-5 ~(keystone_admin)]# glance --version
0.13.1

How reproducible:
setup the openstack nodes
setup the ceph nodes
integrate Glance to use the ceph nodes to store images

Actual results:
It fails with 500(internal server error)
from glance api.log
2014-08-12 17:16:18.973 32444 ERROR glance.api.v1.upload_utils [-] Failed to upload image 3b1fbd0a-0717-4983-bf8b-67263d73dad7
2014-08-12 17:16:18.973 32444 TRACE glance.api.v1.upload_utils Traceback (most recent call last):
2014-08-12 17:16:18.973 32444 TRACE glance.api.v1.upload_utils   File "/usr/lib/python2.7/site-packages/glance/api/v1/upload_utils.py", line 99, in upload_data_to_store
2014-08-12 17:16:18.973 32444 TRACE glance.api.v1.upload_utils     store)
2014-08-12 17:16:18.973 32444 TRACE glance.api.v1.upload_utils   File "/usr/lib/python2.7/site-packages/glance/store/__init__.py", line 380, in store_add_to_backend
2014-08-12 17:16:18.973 32444 TRACE glance.api.v1.upload_utils     (location, size, checksum, metadata) = store.add(image_id, data, size)
2014-08-12 17:16:18.973 32444 TRACE glance.api.v1.upload_utils   File "/usr/lib/python2.7/site-packages/glance/store/rbd.py", line 319, in add
2014-08-12 17:16:18.973 32444 TRACE glance.api.v1.upload_utils     with rados.Rados(conffile=self.conf_file, rados_id=self.user) as conn:
2014-08-12 17:16:18.973 32444 TRACE glance.api.v1.upload_utils   File "/usr/lib/python2.7/site-packages/rados.py", line 208, in __init__
2014-08-12 17:16:18.973 32444 TRACE glance.api.v1.upload_utils     self.librados = CDLL(librados_path)
2014-08-12 17:16:18.973 32444 TRACE glance.api.v1.upload_utils   File "/usr/lib64/python2.7/ctypes/__init__.py", line 360, in __init__
2014-08-12 17:16:18.973 32444 TRACE glance.api.v1.upload_utils     self._handle = _dlopen(self._name, mode)
2014-08-12 17:16:18.973 32444 TRACE glance.api.v1.upload_utils OSError: librados.so.2: cannot enable executable stack as shared object requires: Permission denied

Expected results:
Upload should work fine

Additional info:

Comment 2 satya routray 2014-08-14 16:06:02 UTC

the ceph cluster we are using is inktank ceph cluster

root@cvf13-server-247:~ # ceph -v
ceph version 0.80.4-1-g67b5193 (67b5193f73a2c9ec9e503ad3431473998217375d)

Comment 3 Britt Houser 2014-08-14 16:26:26 UTC

Created attachment 926858 [details]
/var/log/messages from the server

Comment 4 Britt Houser 2014-08-14 16:26:57 UTC

Created attachment 926859 [details]
/var/log/audit/ from the server

Comment 5 Flavio Percoco 2014-08-19 07:39:32 UTC

@Daniel Do you know OTOH what rule might be missing?

Comment 6 Daniel Walsh 2014-08-19 20:30:58 UTC

$ audit2allow -i *


#============= glance_api_t ==============

#!!!! This avc can be allowed using the boolean 'glance_use_execmem'
allow glance_api_t self:process { execstack execmem };
dwalsh@redsox$

Comment 7 Flavio Percoco 2014-08-20 09:03:26 UTC

Moving to openstack-selinux since this needs to be enabled there.

Comment 10 Britt Houser 2014-09-05 02:53:09 UTC

Looks like maybe fix has been identified.  Is this something we can apply manually as opposed to turning selinux off wholesale?

Comment 12 Lon Hohberger 2014-09-17 14:50:15 UTC

That boolean isn't available yet, so I'm adding the execmem/execstack allow rule for now.

Comment 13 Lon Hohberger 2014-09-17 14:51:16 UTC

[root@localhost tests]# getsebool -a | grep glance
glance_use_fusefs --> on
[root@localhost tests]# rpm -q selinux-policy
selinux-policy-3.12.1-153.el7_0.10.noarch

Comment 15 Yogev Rabl 2014-09-22 15:42:39 UTC

verified, the boolean has changed.

Comment 17 errata-xmlrpc 2014-09-30 18:02:39 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1325.html

Note You need to log in before you can comment on or make changes to this bug.