1144199 – [CISCO RHEL-OSP] neutron-ns-metadata-proxy cannot bind to socket when run on isolated network

Bug 1144199 - [CISCO RHEL-OSP] neutron-ns-metadata-proxy cannot bind to socket when run on isolated network

Summary: [CISCO RHEL-OSP] neutron-ns-metadata-proxy cannot bind to socket when run on ...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	openstack-selinux
Sub Component:
Version:	5.0 (RHEL 7)
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	z3
Target Release:	5.0 (RHEL 7)
Assignee:	Ryan Hallisey
QA Contact:	Ofer Blaut
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1154145 1154159
TreeView+	depends on / blocked

Reported:	2014-09-19 01:05 UTC by Britt Houser
Modified:	2023-02-22 23:02 UTC (History)
CC List:	10 users (show)
Fixed In Version:	openstack-selinux-0.5.19-2.el7ost
Doc Type:	Bug Fix
Doc Text:	SELinux did not allow neutron to connect to httpd, resulting in OpenStack Networking failing to bind to httpd. This update gives OpenStack Networking the permission to bind to httpd. As a result, OpenStack Networking will successfully connect to httpd and will continue to run.
Clone Of:
Environment:
Last Closed:	2014-12-02 15:24:32 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
Audit Log (138.79 KB, application/octet-stream) 2014-09-19 01:13 UTC, Britt Houser	no flags	Details
Audit Log with semanage dontaudit off (123.00 KB, application/octet-stream) 2014-09-19 13:49 UTC, Britt Houser	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2014:1935	0	normal	SHIPPED_LIVE	Red Hat Enterprise Linux OpenStack Platform Bug Fix and EnhancementAdvisory	2014-12-02 20:23:32 UTC

Description Britt Houser 2014-09-19 01:05:14 UTC

Description of problem:

Selinux block metadata proxy from binding to socket in dhcp namespace.  If selinux is set to permissive, it works fine.

Version-Release number of selected component (if applicable):


How reproducible:
everytime

Steps to Reproduce:
1. Install OSP5 via packstack
2. Set enable_isolated_metadata = True in /etc/neutron/dhcp_agent.ini
3. Create a neutron subnet with --no-gateway flag
4. Spin up a VM in this network.

Actual results:
When metadata proxy runs is started in the DHCP namespace, it does immediately with the following error:

2014-09-18 16:34:43.462 6966 INFO neutron.common.config [-] Logging enabled!
2014-09-18 16:34:43.471 6994 CRITICAL neutron [-] [Errno 13] Permission denied
2014-09-18 16:34:43.471 6994 TRACE neutron Traceback (most recent call last):
2014-09-18 16:34:43.471 6994 TRACE neutron   File "/bin/neutron-ns-metadata-proxy", line 10, in <module>
2014-09-18 16:34:43.471 6994 TRACE neutron     sys.exit(main())
2014-09-18 16:34:43.471 6994 TRACE neutron   File "/usr/lib/python2.7/site-packages/neutron/agent/metadata/namespace_proxy.py", line 181, in main
2014-09-18 16:34:43.471 6994 TRACE neutron     proxy.start()
2014-09-18 16:34:43.471 6994 TRACE neutron   File "/usr/lib/python2.7/site-packages/neutron/agent/linux/daemon.py", line 145, in start
2014-09-18 16:34:43.471 6994 TRACE neutron     self.run()
2014-09-18 16:34:43.471 6994 TRACE neutron   File "/usr/lib/python2.7/site-packages/neutron/agent/metadata/namespace_proxy.py", line 142, in run
2014-09-18 16:34:43.471 6994 TRACE neutron     proxy.start(handler, self.port)
2014-09-18 16:34:43.471 6994 TRACE neutron   File "/usr/lib/python2.7/site-packages/neutron/wsgi.py", line 210, in start
2014-09-18 16:34:43.471 6994 TRACE neutron     backlog=backlog)
2014-09-18 16:34:43.471 6994 TRACE neutron   File "/usr/lib/python2.7/site-packages/neutron/wsgi.py", line 183, in _get_socket
2014-09-18 16:34:43.471 6994 TRACE neutron     eventlet.sleep(0.1)
2014-09-18 16:34:43.471 6994 TRACE neutron   File "/usr/lib/python2.7/site-packages/neutron/openstack/common/excutils.py", line 82, in __exit__
2014-09-18 16:34:43.471 6994 TRACE neutron     six.reraise(self.type_, self.value, self.tb)
2014-09-18 16:34:43.471 6994 TRACE neutron   File "/usr/lib/python2.7/site-packages/neutron/wsgi.py", line 175, in _get_socket
2014-09-18 16:34:43.471 6994 TRACE neutron     family=family)
2014-09-18 16:34:43.471 6994 TRACE neutron   File "/usr/lib/python2.7/site-packages/eventlet/convenience.py", line 38, in listen
2014-09-18 16:34:43.471 6994 TRACE neutron     sock.bind(addr)
2014-09-18 16:34:43.471 6994 TRACE neutron   File "/usr/lib64/python2.7/socket.py", line 224, in meth
2014-09-18 16:34:43.471 6994 TRACE neutron     return getattr(self._sock,name)(*args)
2014-09-18 16:34:43.471 6994 TRACE neutron error: [Errno 13] Permission denied

Expected results:
2014-09-18 16:38:55.308 8481 INFO neutron.common.config [-] Logging enabled!
2014-09-18 16:38:55.317 8511 INFO neutron.wsgi [-] (8511) wsgi starting up on http://0.0.0.0/

Additional info:

Comment 1 Britt Houser 2014-09-19 01:13:09 UTC

Created attachment 939070 [details]
Audit Log

Comment 3 Ryan Hallisey 2014-09-19 13:21:10 UTC

There are no AVCs in the audit log.

try # semanage dontaudit off, and generate a new audit.log.

Comment 4 Britt Houser 2014-09-19 13:49:49 UTC

Created attachment 939360 [details]
Audit Log with semanage dontaudit off

Comment 5 Ryan Hallisey 2014-09-19 14:06:55 UTC

allow neutron_t http_port_t:tcp_socket name_bind;

looks to be the issue.

Comment 6 Ryan Hallisey 2014-10-23 18:09:40 UTC

corenet_tcp_bind_http_port(neutron_t)

Comment 7 Ryan Hallisey 2014-11-18 15:07:28 UTC

This has been fixed in 6.0 just need the acks to build for 5.0.

Comment 10 errata-xmlrpc 2014-12-02 15:24:32 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2014-1935.html

Note You need to log in before you can comment on or make changes to this bug.