Description Jaroslav Henner
2015-03-10 13:20:34 UTC
I saw this on rhelosp-6.0.
[root@jhenner-vmware ~(keystone_admin)]# yum info openstack-nova-network openstack-selinux
Loaded plugins: priorities
Installed Packages
Name : openstack-nova-network
Arch : noarch
Version : 2014.2.2
Release : 2.el7ost
Size : 4.6 k
Repo : installed
From repo : rhelosp-6.0
Summary : OpenStack Nova Network control service
URL : http://openstack.org/projects/compute/
License : ASL 2.0
Description : OpenStack Compute (codename Nova) is open source software designed to
: provision and manage large networks of virtual machines, creating a
: redundant and scalable cloud computing platform. It gives you the
: software, control panels, and APIs required to orchestrate a cloud,
: including running instances, managing networks, and controlling access
: through users and projects. OpenStack Compute strives to be both
: hardware and hypervisor agnostic, currently supporting a variety of
: standard hardware configurations and seven major hypervisors.
:
: This package contains the Nova service for controlling networking.
Name : openstack-selinux
Arch : noarch
Version : 0.6.23
Release : 1.el7ost
Size : 120 k
Repo : installed
From repo : rhelosp-6.0
Summary : SELinux Policies for OpenStack
URL : https://github.com/redhat-openstack/openstack-selinux
License : GPLv2
Description : SELinux policy modules for use with OpenStack
[root@jhenner-vmware ~(keystone_admin)]#
+++ This bug was initially created as a clone of Bug #1049503 +++
Description of problem:
Both nova-network and neutron use a rootwrap script for executing commands as root; these operations are failing.
Version-Release number of selected component (if applicable):
How reproducible:
always
Steps to Reproduce:
0. default packstack nova net or neutron setup.
1. nova boot Server1 --poll --flavor 42 --image cirros-0.3.1-x86_64-uec
The server will be in ERROR state.
Actual results:
/var/log/nova/network.log:
Stderr: 'sudo: unknown uid 162: who are you?\n'
2014-01-07 14:54:48.591 10409 TRACE nova.openstack.common.threadgroup Traceback (most recent call last):
2014-01-07 14:54:48.591 10409 TRACE nova.openstack.common.threadgroup File "/usr/lib/python2.7/site-packages/nova/openstack/common/threadgroup.py", line 117, in wait
2014-01-07 14:54:48.591 10409 TRACE nova.openstack.common.threadgroup x.wait()
2014-01-07 14:54:48.591 10409 TRACE nova.openstack.common.threadgroup File "/usr/lib/python2.7/site-packages/nova/openstack/common/threadgroup.py", line 49, in wait
2014-01-07 14:54:48.591 10409 TRACE nova.openstack.common.threadgroup return self.thread.wait()
2014-01-07 14:54:48.591 10409 TRACE nova.openstack.common.threadgroup File "/usr/lib/python2.7/site-packages/eventlet/greenthread.py", line 168, in wait
2014-01-07 14:54:48.591 10409 TRACE nova.openstack.common.threadgroup return self._exit_event.wait()
2014-01-07 14:54:48.591 10409 TRACE nova.openstack.common.threadgroup File "/usr/lib/python2.7/site-packages/eventlet/event.py", line 116, in wait
2014-01-07 14:54:48.591 10409 TRACE nova.openstack.common.threadgroup return hubs.get_hub().switch()
2014-01-07 14:54:48.591 10409 TRACE nova.openstack.common.threadgroup File "/usr/lib/python2.7/site-packages/eventlet/hubs/hub.py", line 187, in switch
2014-01-07 14:54:48.591 10409 TRACE nova.openstack.common.threadgroup return self.greenlet.switch()
2014-01-07 14:54:48.591 10409 TRACE nova.openstack.common.threadgroup File "/usr/lib/python2.7/site-packages/eventlet/greenthread.py", line 194, in main
2014-01-07 14:54:48.591 10409 TRACE nova.openstack.common.threadgroup result = function(*args, **kwargs)
2014-01-07 14:54:48.591 10409 TRACE nova.openstack.common.threadgroup File "/usr/lib/python2.7/site-packages/nova/openstack/common/service.py", line 448, in run_service
2014-01-07 14:54:48.591 10409 TRACE nova.openstack.common.threadgroup service.start()
2014-01-07 14:54:48.591 10409 TRACE nova.openstack.common.threadgroup File "/usr/lib/python2.7/site-packages/nova/service.py", line 154, in start
2014-01-07 14:54:48.591 10409 TRACE nova.openstack.common.threadgroup self.manager.init_host()
2014-01-07 14:54:48.591 10409 TRACE nova.openstack.common.threadgroup File "/usr/lib/python2.7/site-packages/nova/network/manager.py", line 1631, in init_host
2014-01-07 14:54:48.591 10409 TRACE nova.openstack.common.threadgroup self.l3driver.initialize(fixed_range=False, networks=networks)
2014-01-07 14:54:48.591 10409 TRACE nova.openstack.common.threadgroup File "/usr/lib/python2.7/site-packages/nova/network/l3.py", line 93, in initialize
2014-01-07 14:54:48.591 10409 TRACE nova.openstack.common.threadgroup linux_net.ensure_metadata_ip()
2014-01-07 14:54:48.591 10409 TRACE nova.openstack.common.threadgroup File "/usr/lib/python2.7/site-packages/nova/network/linux_net.py", line 731, in ensure_metadata_ip
2014-01-07 14:54:48.591 10409 TRACE nova.openstack.common.threadgroup run_as_root=True, check_exit_code=[0, 2, 254])
2014-01-07 14:54:48.591 10409 TRACE nova.openstack.common.threadgroup File "/usr/lib/python2.7/site-packages/nova/network/linux_net.py", line 1191, in _execute
2014-01-07 14:54:48.591 10409 TRACE nova.openstack.common.threadgroup return utils.execute(*cmd, **kwargs)
2014-01-07 14:54:48.591 10409 TRACE nova.openstack.common.threadgroup File "/usr/lib/python2.7/site-packages/nova/utils.py", line 175, in execute
2014-01-07 14:54:48.591 10409 TRACE nova.openstack.common.threadgroup return processutils.execute(*cmd, **kwargs)
2014-01-07 14:54:48.591 10409 TRACE nova.openstack.common.threadgroup File "/usr/lib/python2.7/site-packages/nova/openstack/common/processutils.py", line 178, in execute
2014-01-07 14:54:48.591 10409 TRACE nova.openstack.common.threadgroup cmd=' '.join(cmd))
2014-01-07 14:54:48.591 10409 TRACE nova.openstack.common.threadgroup ProcessExecutionError: Unexpected error while running command.
2014-01-07 14:54:48.591 10409 TRACE nova.openstack.common.threadgroup Command: sudo nova-rootwrap /etc/nova/rootwrap.conf ip addr add 169.254.169.254/32 scope link dev lo
2014-01-07 14:54:48.591 10409 TRACE nova.openstack.common.threadgroup Exit code: 1
2014-01-07 14:54:48.591 10409 TRACE nova.openstack.common.threadgroup Stdout: ''
2014-01-07 14:54:48.591 10409 TRACE nova.openstack.common.threadgroup Stderr: 'sudo: unknown uid 162: who are you?\n'
$ id nova
uid=162(nova) gid=162(nova) groups=162(nova),99(nobody),107(qemu)
or
2014-01-07 15:42:50.481 11528 INFO neutron.agent.dhcp_agent [-] Synchronizing state
2014-01-07 15:42:51.144 11528 ERROR neutron.agent.dhcp_agent [-] Unable to enable dhcp for 5c0063c7-97cd-4e27-b103-3f66578b3b21.
2014-01-07 15:42:51.144 11528 TRACE neutron.agent.dhcp_agent Traceback (most recent call last):
2014-01-07 15:42:51.144 11528 TRACE neutron.agent.dhcp_agent File "/usr/lib/python2.7/site-packages/neutron/agent/dhcp_agent.py", line 128, in call_driver
2014-01-07 15:42:51.144 11528 TRACE neutron.agent.dhcp_agent getattr(driver, action)(**action_kwargs)
2014-01-07 15:42:51.144 11528 TRACE neutron.agent.dhcp_agent File "/usr/lib/python2.7/site-packages/neutron/agent/linux/dhcp.py", line 171, in enable
2014-01-07 15:42:51.144 11528 TRACE neutron.agent.dhcp_agent reuse_existing=True)
2014-01-07 15:42:51.144 11528 TRACE neutron.agent.dhcp_agent File "/usr/lib/python2.7/site-packages/neutron/agent/linux/dhcp.py", line 737, in setup
2014-01-07 15:42:51.144 11528 TRACE neutron.agent.dhcp_agent namespace=network.namespace)
2014-01-07 15:42:51.144 11528 TRACE neutron.agent.dhcp_agent File "/usr/lib/python2.7/site-packages/neutron/agent/linux/interface.py", line 183, in plug
2014-01-07 15:42:51.144 11528 TRACE neutron.agent.dhcp_agent ns_dev.link.set_address(mac_address)
2014-01-07 15:42:51.144 11528 TRACE neutron.agent.dhcp_agent File "/usr/lib/python2.7/site-packages/neutron/agent/linux/ip_lib.py", line 230, in set_address
2014-01-07 15:42:51.144 11528 TRACE neutron.agent.dhcp_agent self._as_root('set', self.name, 'address', mac_address)
2014-01-07 15:42:51.144 11528 TRACE neutron.agent.dhcp_agent File "/usr/lib/python2.7/site-packages/neutron/agent/linux/ip_lib.py", line 217, in _as_root
2014-01-07 15:42:51.144 11528 TRACE neutron.agent.dhcp_agent kwargs.get('use_root_namespace', False))
2014-01-07 15:42:51.144 11528 TRACE neutron.agent.dhcp_agent File "/usr/lib/python2.7/site-packages/neutron/agent/linux/ip_lib.py", line 70, in _as_root
2014-01-07 15:42:51.144 11528 TRACE neutron.agent.dhcp_agent namespace)
2014-01-07 15:42:51.144 11528 TRACE neutron.agent.dhcp_agent File "/usr/lib/python2.7/site-packages/neutron/agent/linux/ip_lib.py", line 81, in _execute
2014-01-07 15:42:51.144 11528 TRACE neutron.agent.dhcp_agent root_helper=root_helper)
2014-01-07 15:42:51.144 11528 TRACE neutron.agent.dhcp_agent File "/usr/lib/python2.7/site-packages/neutron/agent/linux/utils.py", line 75, in execute
2014-01-07 15:42:51.144 11528 TRACE neutron.agent.dhcp_agent raise RuntimeError(m)
2014-01-07 15:42:51.144 11528 TRACE neutron.agent.dhcp_agent RuntimeError:
2014-01-07 15:42:51.144 11528 TRACE neutron.agent.dhcp_agent Command: ['sudo', 'neutron-rootwrap', '/etc/neutron/rootwrap.conf', 'ip', 'link', 'set', 'tapfceedffd-44', 'address', 'fa:16:3e:7a:23:b0']
2014-01-07 15:42:51.144 11528 TRACE neutron.agent.dhcp_agent Exit code: 2
2014-01-07 15:42:51.144 11528 TRACE neutron.agent.dhcp_agent Stdout: ''
2014-01-07 15:42:51.144 11528 TRACE neutron.agent.dhcp_agent Stderr: 'Cannot talk to rtnetlink: Permission denied\n'
2014-01-07 15:42:51.144 11528 TRACE neutron.agent.dhcp_agent
Expected results:
VM booting
Additional info:
Multiple other swift-related issues are in the audit log files; they also need to be fixed.
xz compressed audit.log attached.
--- Additional comment from Attila Fazekas on 2014-01-07 17:16:35 CET ---
--- Additional comment from Kashyap Chamarthy on 2014-01-07 17:56:03 CET ---
Tip for next time - you can run the commands below instead of adding the whole audit log file:
# Enable SELinux
$ setenforce 1
# Clear your audit log
$ > /var/log/audit/audit.log
[Perform your offending tests]
# Show the reference policy/errors occurred
$ cat /var/log/audit/audit.log | audit2allow -R
--- Additional comment from Terry Wilson on 2014-01-08 22:57:14 CET ---
These issues also apply to havana on f20 (and I believe on f19 as well).
--- Additional comment from Lars Kellogg-Stedman on 2014-01-28 22:04:07 CET ---
Terry: do you know if these issues have been addressed by recent releases of selinux-policy?
--- Additional comment from Matthias Runge on 2014-02-11 08:17:47 CET ---
Lars,
Apparently, those issues have not been solved in the latest selinux-policy updates:
rpm -q selinux-policy
selinux-policy-3.12.1-122.fc20.noarch
--- Additional comment from Brent Eagles on 2014-03-10 17:41:14 CET ---
--- Additional comment from Tzach Shefi on 2014-03-20 12:53:09 CET ---
Same issue on RHEL 7 beta (Maipo) with RDO-Icehouse:
openstack-packstack-2014.1.1-0.7.dev992.el7.noarch
python-django-openstack-auth-1.1.4-1.el7.noarch
openstack-nova-novncproxy-2014.1-0.11.b2.el7.noarch
openstack-glance-2014.1-0.2.b2.el7.noarch
openstack-nova-api-2014.1-0.11.b2.el7.noarch
openstack-dashboard-2014.1-0.3.b2.el7.noarch
openstack-keystone-2014.1-0.3.b2.el7.noarch
openstack-cinder-2014.1-0.2.b1.LIO.el7.noarch
[root@cougar12 /]# rpm -q selinux-policy
selinux-policy-3.12.1-136.el7.noarch
--- Additional comment from Ryan Hallisey on 2014-04-28 17:00:25 CEST ---
#============= neutron_t ==============
allow neutron_t dhcpd_port_t:udp_socket name_bind;
allow neutron_t dns_port_t:tcp_socket name_bind;
allow neutron_t dns_port_t:udp_socket name_bind;
allow neutron_t dnsmasq_exec_t:file execute_no_trans;
allow neutron_t iptables_exec_t:file execute_no_trans;
allow neutron_t proc_t:filesystem getattr;
allow neutron_t self:capability { net_bind_service dac_override };
allow neutron_t self:process setcap;
allow neutron_t self:rawip_socket { getopt create setopt };
allow neutron_t var_run_t:file { read create open };
#============= swift_t ==============
allow swift_t file_t:dir rw_dir_perms;
allow swift_t var_t:file { write getattr read lock unlink open };
#============= nova_api_t ==============
allow nova_api_t self:process signal;
#============= nova_network_t ==============
allow nova_network_t lib_t:dir { write remove_name add_name };
allow nova_network_t lib_t:file { write create unlink };
auth_read_passwd(nova_network_t)
allow nova_network_t self:capability2 block_suspend;
allow nova_network_t sysctl_net_t:dir search;
allow nova_network_t sysctl_net_t:file { write getattr open };
#============= rsync_t ==============
enable bool 'rsync_full_access'
#============= swift_t ==============
allow swift_t file_t:dir rw_dir_perms;
allow swift_t var_t:file { write getattr read lock unlink open };
allow swift_t xserver_port_t:tcp_socket name_bind;
We can ship this in selinux policy.
--- Additional comment from Miroslav Grepl on 2014-05-06 11:29:34 CEST ---
Generally we don't want to allow "manage" for generic types:
allow nova_network_t lib_t:dir { write remove_name add_name };
allow nova_network_t lib_t:file { write create unlink };
allow swift_t var_t:file { write getattr read lock unlink open };
--- Additional comment from Miroslav Grepl on 2014-05-06 11:35:53 CEST ---
(In reply to Miroslav Grepl from comment #9)
> Generally we don't want to allow "manage" for generic types
>
> allow nova_network_t lib_t:dir { write remove_name add_name };
> allow nova_network_t lib_t:file { write create unlink };
I don't see AVC msgs for lib_t issues.
> allow swift_t var_t:file { write getattr read lock unlink open };
Where is name="object.recon" located?
Also
#restorecon -R -v /srv/node
is needed to fix labeling.
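A reduced form of the audit2allow step from Kashyap's tip above and the review point from Miroslav's comments, as an added example that is not code from this bug or from openstack-selinux: it turns AVC denial lines into allow rules and then flags any rule that would grant write-type access on a generic type such as lib_t or var_t. The AVC lines are constructed for illustration and the list of generic types is an assumption.

```shell
#!/bin/sh
# Constructed AVC lines in the format audit.log uses (not taken from the bug's
# attachment; pids, inodes and the passwd_file_t/var_lib_t targets are
# illustrative).
AVC_SAMPLE='type=AVC msg=audit(1389106488.591:101): avc:  denied  { read } for  pid=10409 comm="sudo" name="passwd" dev="dm-0" ino=1234 scontext=system_u:system_r:nova_network_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(1389109371.144:202): avc:  denied  { name_bind } for  pid=11528 comm="dnsmasq" src=67 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:dhcpd_port_t:s0 tclass=udp_socket
type=AVC msg=audit(1389109371.144:203): avc:  denied  { write } for  pid=11528 comm="neutron-dhcp-ag" name="dhcp" dev="dm-0" ino=5678 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1389109371.144:204): avc:  denied  { write create unlink } for  pid=10409 comm="nova-network" name="nova" dev="dm-0" ino=9012 scontext=system_u:system_r:nova_network_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file'

# Reduced audit2allow: one "allow SRC TGT:CLASS { perms };" line per distinct
# denial, built from scontext (source domain), tcontext (target type) and tclass.
avc_to_allow() {
    awk '/type=AVC/ && /denied/ {
        perms = $0
        sub(/.*denied +[{] */, "", perms)   # keep the text after "denied {"
        sub(/ *[}].*/, "", perms)           # drop everything from "}" on
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      { split($i, a, ":"); src = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, b, ":"); tgt = b[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src != "" && tgt != "" && cls != "")
            print "allow " src " " tgt ":" cls " { " perms " };"
    }' | sort -u
}

# Flag rules that would grant write-type access on generic types. Such rules
# are what the comments above reject; the usual fix is relabelling (restorecon)
# or a more specific type. The set of generic types here is an assumption.
flag_generic_writes() {
    awk '{
        tgt = $3; sub(/:.*/, "", tgt)
        if (tgt ~ /^(lib_t|var_t|file_t)$/ &&
            $0 ~ /(write|create|unlink|add_name|remove_name|rw_dir_perms)/)
            print "REVIEW: " $0
    }'
}

# On a real host: avc_to_allow < /var/log/audit/audit.log | flag_generic_writes
printf '%s\n' "$AVC_SAMPLE" | avc_to_allow
printf '%s\n' "$AVC_SAMPLE" | avc_to_allow | flag_generic_writes
```

Only the lib_t rule is flagged; the var_lib_t denial passes because it targets a specific type, which is exactly the distinction the policy maintainers draw.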
--- Additional comment from Ryan Hallisey on 2014-06-04 20:14:53 CEST ---
I think this is fixed with the current selinux policy:
selinux-policy-3.12.1-153.el7_0.10
Please retest to see if there are any more AVCs generated.
--- Additional comment from David Pasqua on 2014-11-10 19:07:27 CET ---
I'm just starting an OpenStack fresh install and I got the same issue:
selinux-policy-3.12.1-153.el7_0.11.noarch
selinux-policy-targeted-3.12.1-153.el7_0.11.noarch
openstack-nova-api-2014.2-2.el7.centos.noarch
openstack-nova-network-2014.2-2.el7.centos.noarch
Nov 10 13:06:39 compute1 systemd: Started OpenStack Nova Network Server.
Nov 10 13:06:39 compute1 nova-network: Traceback (most recent call last):
Nov 10 13:06:39 compute1 nova-network: File "/usr/lib/python2.7/site-packages/eventlet/hubs/hub.py", line 455, in fire_timers
Nov 10 13:06:39 compute1 nova-network: timer()
Nov 10 13:06:39 compute1 nova-network: File "/usr/lib/python2.7/site-packages/eventlet/hubs/timer.py", line 58, in __call__
Nov 10 13:06:39 compute1 nova-network: cb(*args, **kw)
Nov 10 13:06:39 compute1 nova-network: File "/usr/lib/python2.7/site-packages/eventlet/greenthread.py", line 212, in main
Nov 10 13:06:39 compute1 nova-network: result = function(*args, **kwargs)
Nov 10 13:06:39 compute1 nova-network: File "/usr/lib/python2.7/site-packages/nova/openstack/common/service.py", line 492, in run_service
Nov 10 13:06:39 compute1 nova-network: service.start()
Nov 10 13:06:39 compute1 nova-network: File "/usr/lib/python2.7/site-packages/nova/service.py", line 164, in start
Nov 10 13:06:39 compute1 nova-network: self.manager.init_host()
Nov 10 13:06:39 compute1 nova-network: File "/usr/lib/python2.7/site-packages/nova/network/manager.py", line 1799, in init_host
Nov 10 13:06:39 compute1 nova-network: self.l3driver.initialize(fixed_range=False, networks=networks)
Nov 10 13:06:39 compute1 nova-network: File "/usr/lib/python2.7/site-packages/nova/network/l3.py", line 92, in initialize
Nov 10 13:06:39 compute1 nova-network: linux_net.ensure_metadata_ip()
Nov 10 13:06:39 compute1 nova-network: File "/usr/lib/python2.7/site-packages/nova/network/linux_net.py", line 751, in ensure_metadata_ip
Nov 10 13:06:39 compute1 nova-network: run_as_root=True, check_exit_code=[0, 2, 254])
Nov 10 13:06:39 compute1 nova-network: File "/usr/lib/python2.7/site-packages/nova/network/linux_net.py", line 1228, in _execute
Nov 10 13:06:39 compute1 nova-network: return utils.execute(*cmd, **kwargs)
Nov 10 13:06:39 compute1 nova-network: File "/usr/lib/python2.7/site-packages/nova/utils.py", line 163, in execute
Nov 10 13:06:39 compute1 nova-network: return processutils.execute(*cmd, **kwargs)
Nov 10 13:06:39 compute1 nova-network: File "/usr/lib/python2.7/site-packages/nova/openstack/common/processutils.py", line 203, in execute
Nov 10 13:06:39 compute1 nova-network: cmd=sanitized_cmd)
Nov 10 13:06:39 compute1 nova-network: ProcessExecutionError: Unexpected error while running command.
Nov 10 13:06:39 compute1 nova-network: Command: sudo nova-rootwrap /etc/nova/rootwrap.conf ip addr add 169.254.169.254/32 scope link dev lo
Nov 10 13:06:39 compute1 nova-network: Exit code: 1
Nov 10 13:06:39 compute1 nova-network: Stdout: u''
Nov 10 13:06:39 compute1 nova-network: Stderr: u'sudo: unknown uid 162: who are you?\n'
--- Additional comment from Ryan Hallisey on 2014-11-10 19:49:09 CET ---
Can you attach your audit.log?
--- Additional comment from David Pasqua on 2014-11-10 20:19:07 CET ---
--- Additional comment from David Pasqua on 2014-11-10 20:20:02 CET ---
Done. BTW, I'm trying to use nova, not neutron, for the network service.
--- Additional comment from Ryan Hallisey on 2014-11-10 22:48:46 CET ---
What version of selinux and openstack-selinux are you using?
--- Additional comment from David Pasqua on 2014-11-11 14:08:57 CET ---
Hi Ryan,
Sorry I didn't answer before; I was out of the office.
openstack-selinux wasn't installed.
After installing openstack-selinux-0.5.19-2.el7ost.noarch everything started to work without problems.
So I guess it is a dependency issue.
Thank you! :)
There's something else going on.
1) All of the AVCs are allowed in the RHEL 7.1 policy w/ openstack-selinux 0.6.23-1.el7ost.
2) 'yum info' queries the yum cache, not the installed RPM database - that is, it's likely openstack-selinux is not installed. Is it possible openstack-selinux was not installed on the node in question for some reason?
Note: TripleO needs to install openstack-selinux; it's incorrect to make packages depend (at the RPM level) on SELinux policies, as SELinux is allowed to be turned off (and uninstalled) by administrators.