Bug 1208138
| Summary: | hosted-engine is not able to deploy the engine VM on iSCSI in a nested environment due to SELinux restiction on guest-agent | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | [Retired] oVirt | Reporter: | Simone Tiraboschi <stirabos> | ||||||||
| Component: | ovirt-guest-agent | Assignee: | Vinzenz Feenstra [evilissimo] <vfeenstr> | ||||||||
| Status: | CLOSED WORKSFORME | QA Contact: | Pavel Stehlik <pstehlik> | ||||||||
| Severity: | low | Docs Contact: | |||||||||
| Priority: | unspecified | ||||||||||
| Version: | 3.5 | CC: | bugs, dfediuck, ecohen, gklein, lsurette, michal.skrivanek, ms, rbalakri, Rhev-m-bugs, sbonazzo, stirabos, vfeenstr, yeylon | ||||||||
| Target Milestone: | --- | ||||||||||
| Target Release: | --- | ||||||||||
| Hardware: | Unspecified | ||||||||||
| OS: | Unspecified | ||||||||||
| Whiteboard: | virt | ||||||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||||||
| Doc Text: | Story Points: | --- | |||||||||
| Clone Of: | Environment: | ||||||||||
| Last Closed: | 2015-06-08 12:26:38 UTC | Type: | Bug | ||||||||
| Regression: | --- | Mount Type: | --- | ||||||||
| Documentation: | --- | CRM: | |||||||||
| Verified Versions: | Category: | --- | |||||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||||
| Embargoed: | |||||||||||
| Attachments: |
|
||||||||||
[root@f20tre36i ~]# ls -lZ /dev/vport2p1 crw-rw----. ovirtagent ovirtagent system_u:object_r:virtio_device_t:s0 /dev/vport2p1 Moving to ovirt-guest-agent. The above selinux issue appears in a nested virtualization setup and the device is owned by a user created by the agent. Please attach the following log files: - audit.log - /var/log/ovirt-guest-agent/ovirt-guest-agent.log - the hosted engine deployment log file Created attachment 1010083 [details]
logs
Created attachment 1010095 [details]
gase_log_he
can you narrow down the failure please? I didn't find any issue in those HE deploy logs you've attached There is some SELinux issue with something getting a denial while trying to wrote
on /dev/vport2p1 which is the virtual serial port used by the guest agent on the nested VM to communicate with the host.
Not sure why.
type=AVC msg=audit(1427965867.807:4693): avc: denied { write } for pid=25136 comm="ldconfig" path="/dev/vport2p1" dev="devtmpfs" ino=13471 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:virtio_device_t:s0 tclass=chr_file permissive=1
type=SYSCALL msg=audit(1427965867.807:4693): arch=c000003e syscall=59 success=yes exit=0 a0=b6caf0 a1=b6cbf0 a2=b6bb60 a3=7fff13a791e0 items=0 ppid=25135 pid=25136 auid=4294967295 uid=175 gid=175 euid=175 suid=175 fsuid=175 egid=175 sgid=175 fsgid=175 tty=(none) ses=4294967295 comm="ldconfig" exe="/usr/sbin/ldconfig" subj=system_u:system_r:ldconfig_t:s0 key=(null)
type=PROCTITLE msg=audit(1427965867.807:4693): proctitle=2F7362696E2F6C64636F6E666967002D70
Created attachment 1024566 [details]
oVirt 3.6.0 all-in-one
Now happens also with oVirt 3.6.0 all-in-one on Fedora 20 It happens with qemu-guest-agent.x86_64 2:1.6.2-13.fc20 @updates while it doesn't happen with: qemu-guest-agent.x86_64 2:2.1.2-7.fc20 @ovirt-3.6-fedora-virt-preview Simone, there was a broken libvirt shipped into virt-preview (as apparent in vdsm.log) which likely compromised your run Can you retry now and specify exactly versions of qemu,libvirt,ovirt-guest-agent. if it happens again can you please clarify where is the avc denial (guest/host) and eget the pid of that process do you redirect stdout to that channel or something anywhere? (In reply to Michal Skrivanek from comment #12) > do you redirect stdout to that channel or something anywhere? No, I tried to reproduce on an updated VM and it doesn't happens. |
Description of problem: hosted-engine is not able to deploy the engine VM on iSCSI due to SELinux restiction In ovirt-hosted-engine-setup logs I find: 2015-04-01 15:09:19 DEBUG otopi.context context._executeMethod:155 method exception Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/otopi/context.py", line 145, in _executeMethod method['method']() File "/usr/share/ovirt-hosted-engine-setup/scripts/../plugins/ovirt-hosted-engine-setup/sanlock/lockspace.py", line 174, in _misc lockspace + '.metadata': md_size, File "/usr/lib/python2.7/site-packages/ovirt_hosted_engine_ha/lib/storage_backends.py", line 349, in create service_size=size) File "/usr/lib/python2.7/site-packages/ovirt_hosted_engine_ha/lib/storage_backends.py", line 317, in create_volume response = connection.clearTask(task) File "/usr/lib64/python2.7/xmlrpclib.py", line 1224, in __call__ return self.__send(self.__name, args) File "/usr/lib64/python2.7/xmlrpclib.py", line 1578, in __request verbose=self.__verbose File "/usr/lib64/python2.7/xmlrpclib.py", line 1264, in request return self.single_request(host, handler, request_body, verbose) File "/usr/lib64/python2.7/xmlrpclib.py", line 1294, in single_request response = h.getresponse(buffering=True) File "/usr/lib64/python2.7/httplib.py", line 1045, in getresponse response.begin() File "/usr/lib64/python2.7/httplib.py", line 409, in begin version, status, reason = self._read_status() File "/usr/lib64/python2.7/httplib.py", line 373, in _read_status raise BadStatusLine(line) BadStatusLine: '' 2015-04-01 15:09:19 ERROR otopi.context context._executeMethod:164 Failed to execute stage 'Misc configuration': '' while SELinux reports: time->Wed Apr 1 15:28:36 2015 type=PROCTITLE msg=audit(1427894916.692:822): proctitle=2F7362696E2F6C64636F6E666967002D70 type=SYSCALL msg=audit(1427894916.692:822): arch=c000003e syscall=59 success=yes exit=0 a0=2031af0 a1=2031bf0 a2=2030b60 a3=7ffc03539e20 items=0 ppid=17550 pid=17551 auid=4294967295 uid=175 gid=175 euid=175 suid=175 fsuid=175 egid=175 sgid=175 fsgid=175 tty=(none) ses=4294967295 comm="ldconfig" exe="/usr/sbin/ldconfig" subj=system_u:system_r:ldconfig_t:s0 key=(null) type=AVC msg=audit(1427894916.692:822): avc: denied { write } for pid=17551 comm="ldconfig" path="/dev/vport2p1" dev="devtmpfs" ino=9955 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:virtio_device_t:s0 tclass=chr_file permissive=0 It works as expected in permissive mode Version-Release number of selected component (if applicable): How reproducible: 100% Steps to Reproduce: 1. hosted-engine --deploy 2. 3. Actual results: it fails Expected results: it works Additional info: It works as expected in permissive mode