Description of problem:
hosted-engine is not able to deploy the engine VM on iSCSI due to SELinux restriction

In ovirt-hosted-engine-setup logs I find:

2015-04-01 15:09:19 DEBUG otopi.context context._executeMethod:155 method exception
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/otopi/context.py", line 145, in _executeMethod
    method['method']()
  File "/usr/share/ovirt-hosted-engine-setup/scripts/../plugins/ovirt-hosted-engine-setup/sanlock/lockspace.py", line 174, in _misc
    lockspace + '.metadata': md_size,
  File "/usr/lib/python2.7/site-packages/ovirt_hosted_engine_ha/lib/storage_backends.py", line 349, in create
    service_size=size)
  File "/usr/lib/python2.7/site-packages/ovirt_hosted_engine_ha/lib/storage_backends.py", line 317, in create_volume
    response = connection.clearTask(task)
  File "/usr/lib64/python2.7/xmlrpclib.py", line 1224, in __call__
    return self.__send(self.__name, args)
  File "/usr/lib64/python2.7/xmlrpclib.py", line 1578, in __request
    verbose=self.__verbose
  File "/usr/lib64/python2.7/xmlrpclib.py", line 1264, in request
    return self.single_request(host, handler, request_body, verbose)
  File "/usr/lib64/python2.7/xmlrpclib.py", line 1294, in single_request
    response = h.getresponse(buffering=True)
  File "/usr/lib64/python2.7/httplib.py", line 1045, in getresponse
    response.begin()
  File "/usr/lib64/python2.7/httplib.py", line 409, in begin
    version, status, reason = self._read_status()
  File "/usr/lib64/python2.7/httplib.py", line 373, in _read_status
    raise BadStatusLine(line)
BadStatusLine: ''
2015-04-01 15:09:19 ERROR otopi.context context._executeMethod:164 Failed to execute stage 'Misc configuration': ''

while SELinux reports:

time->Wed Apr 1 15:28:36 2015
type=PROCTITLE msg=audit(1427894916.692:822): proctitle=2F7362696E2F6C64636F6E666967002D70
type=SYSCALL msg=audit(1427894916.692:822): arch=c000003e syscall=59 success=yes exit=0 a0=2031af0 a1=2031bf0 a2=2030b60 a3=7ffc03539e20 items=0 ppid=17550 pid=17551 auid=4294967295 uid=175 gid=175 euid=175 suid=175 fsuid=175 egid=175 sgid=175 fsgid=175 tty=(none) ses=4294967295 comm="ldconfig" exe="/usr/sbin/ldconfig" subj=system_u:system_r:ldconfig_t:s0 key=(null)
type=AVC msg=audit(1427894916.692:822): avc: denied { write } for pid=17551 comm="ldconfig" path="/dev/vport2p1" dev="devtmpfs" ino=9955 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:virtio_device_t:s0 tclass=chr_file permissive=0

It works as expected in permissive mode

Version-Release number of selected component (if applicable):

How reproducible:
100%

Steps to Reproduce:
1. hosted-engine --deploy
2.
3.

Actual results:
it fails

Expected results:
it works

Additional info:
It works as expected in permissive mode
[root@f20tre36i ~]# ls -lZ /dev/vport2p1
crw-rw----. ovirtagent ovirtagent system_u:object_r:virtio_device_t:s0 /dev/vport2p1
Moving to ovirt-guest-agent. The above selinux issue appears in a nested virtualization setup and the device is owned by a user created by the agent.
Please attach the following log files:
- audit.log
- /var/log/ovirt-guest-agent/ovirt-guest-agent.log
- the hosted engine deployment log file
Created attachment 1010083: logs
Created attachment 1010095: gase_log_he
Can you narrow down the failure please? I didn't find any issue in those HE deploy logs you've attached.
There is some SELinux issue with something getting a denial while trying to write on /dev/vport2p1, which is the virtual serial port used by the guest agent on the nested VM to communicate with the host. Not sure why.

type=AVC msg=audit(1427965867.807:4693): avc: denied { write } for pid=25136 comm="ldconfig" path="/dev/vport2p1" dev="devtmpfs" ino=13471 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:virtio_device_t:s0 tclass=chr_file permissive=1
type=SYSCALL msg=audit(1427965867.807:4693): arch=c000003e syscall=59 success=yes exit=0 a0=b6caf0 a1=b6cbf0 a2=b6bb60 a3=7fff13a791e0 items=0 ppid=25135 pid=25136 auid=4294967295 uid=175 gid=175 euid=175 suid=175 fsuid=175 egid=175 sgid=175 fsgid=175 tty=(none) ses=4294967295 comm="ldconfig" exe="/usr/sbin/ldconfig" subj=system_u:system_r:ldconfig_t:s0 key=(null)
type=PROCTITLE msg=audit(1427965867.807:4693): proctitle=2F7362696E2F6C64636F6E666967002D70
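
For triaging the denial quoted in the comment above, an added example (not part of the original thread and not oVirt or auditd code): it groups audit records by event serial, decodes the hex-encoded proctitle, and summarizes the AVC. The function names are hypothetical and the sample records are constructed from the ones quoted above, with the SYSCALL record abbreviated.

```python
import re

# Constructed sample: records from the comment above; SYSCALL abbreviated.
SAMPLE = '''\
type=AVC msg=audit(1427965867.807:4693): avc: denied { write } for pid=25136 comm="ldconfig" path="/dev/vport2p1" dev="devtmpfs" ino=13471 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:virtio_device_t:s0 tclass=chr_file permissive=1
type=SYSCALL msg=audit(1427965867.807:4693): arch=c000003e syscall=59 success=yes exit=0 ppid=25135 pid=25136 uid=175 gid=175 comm="ldconfig" exe="/usr/sbin/ldconfig" subj=system_u:system_r:ldconfig_t:s0
type=PROCTITLE msg=audit(1427965867.807:4693): proctitle=2F7362696E2F6C64636F6E666967002D70
'''

HEADER = re.compile(r'type=(\w+) msg=audit\(\d+\.\d+:(\d+)\): ?(.*)')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r'\{ ([^}]*) \}')

def decode_proctitle(raw):
    """auditd hex-encodes a command line that contains NUL argument separators."""
    if re.fullmatch(r'(?:[0-9A-Fa-f]{2})+', raw):
        return bytes.fromhex(raw).decode('utf-8', 'replace').replace('\x00', ' ')
    return raw.strip('"')  # plain titles are logged quoted

def group_events(text):
    """Join AVC, SYSCALL and PROCTITLE records that share an event serial."""
    events = {}
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            rtype, serial, body = m.groups()
            fields = dict(FIELD.findall(body))
            if rtype == 'AVC':
                perms = PERMS.search(body)
                fields['perms'] = perms.group(1).split() if perms else []
            events.setdefault(serial, {})[rtype] = fields
    return events

def summarize(event):
    avc, sc = event['AVC'], event.get('SYSCALL', {})
    return {
        'source_type': avc['scontext'].split(':')[2],
        'target_type': avc['tcontext'].split(':')[2],
        'tclass': avc['tclass'],
        'perms': avc['perms'],
        'path': avc.get('path', '').strip('"'),
        'enforced': avc.get('permissive') == '0',
        'uid': sc.get('uid'),
        'syscall': sc.get('syscall'),  # 59 on arch c000003e (x86_64) is execve
        'cmdline': decode_proctitle(event.get('PROCTITLE', {}).get('proctitle', '')),
    }

def denials(text):
    return [summarize(e) for e in group_events(text).values() if 'AVC' in e]
```

On the sample, `denials(SAMPLE)` yields one entry: `ldconfig_t` denied `write` on the `virtio_device_t` character device `/dev/vport2p1`, not enforced (permissive=1), command line `/sbin/ldconfig -p`, uid 175.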
Created attachment 1024566: oVirt 3.6.0 all-in-one
Now happens also with oVirt 3.6.0 all-in-one on Fedora 20
It happens with
qemu-guest-agent.x86_64 2:1.6.2-13.fc20 @updates
while it doesn't happen with:
qemu-guest-agent.x86_64 2:2.1.2-7.fc20 @ovirt-3.6-fedora-virt-preview
Simone, there was a broken libvirt shipped into virt-preview (as apparent in vdsm.log) which likely compromised your run. Can you retry now and specify the exact versions of qemu, libvirt, ovirt-guest-agent? If it happens again, can you please clarify where the AVC denial is (guest/host) and get the pid of that process?
Do you redirect stdout to that channel or something anywhere?
(In reply to Michal Skrivanek from comment #12)
> do you redirect stdout to that channel or something anywhere?

No, I tried to reproduce on an updated VM and it doesn't happen.