Bug 1372774 - mariadb open file limit is 1024 with selinux enforcing
Keywords:
Status: CLOSED WORKSFORME
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo
Version: 9.0 (Mitaka)
Hardware: x86_64
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Target Release: 11.0 (Ocata)
Assignee: Michele Baldessari
QA Contact: Arik Chernetsky
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2016-09-02 15:34 UTC by Dave Wilson
Modified: 2017-02-27 15:56 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-11-14 08:58:42 UTC
Target Upstream Version:



Description Dave Wilson 2016-09-02 15:34:07 UTC
Description of problem: with selinux enforcing mariadb limit on open files is 1024. Systemd has a defined limit of 16K for mariadb. In permissive mode the systemd limit of 16K is enabled


Version-Release number of selected component (if applicable):
My env is 9 but this is also seen in the 10 release

openstack-tripleo-0.0.8-0.2.d81bd6dgit.el7ost.noarch
openstack-selinux-0.7.3-3.el7ost.noarch

How reproducible:


Steps to Reproduce:
1.-=>>sestatus
 SELinux status:                 enabled
 Current mode:                   enforcing

2.-=>>grep files /proc/770/limits (mariadb proc)
Max open files            1024                 16384                files     

3.-=>>sestatus
SELinux status:                 enabled
Current mode:                   permissive

4.-=>>service mariadb restart

5.-=>>grep files /proc/84005/limits (mariadb proc)
Max open files            16384                16384                files  


Actual results: selinux enabled open files=1024


Expected results: selinux enabled open files=16384

Additional info:
-=>>cat /etc/systemd/system/mariadb.service.d/limits.conf
[Service]
LimitNOFILE=16384

Comment 2 Michele Baldessari 2016-10-12 13:48:43 UTC
Hi Dave,

we usually manage mysql/galera via pacemaker. Starting the service by hand breaks a lot of stuff (different pid path, log files, etc). Does this issue happen when galera is managed by pacemaker as well?

thanks,
Michele

Comment 3 Michele Baldessari 2016-10-12 15:44:18 UTC
I realize now you might have been talking about the undercloud where we do use mariadb via systemctl. Is that the case, yes?

Comment 4 Michele Baldessari 2016-10-14 09:39:45 UTC
I can't reproduce this on my OSP 10 undercloud.

[root@haa-16 stack]# getenforce 
Enforcing
[root@haa-16 stack]# for i in $(pgrep mysqld); do cat /proc/$i/limits | grep "open files"; done
Max open files            16384                16384                files     
Max open files            16384                16384                files     
[root@haa-16 stack]# systemctl restart mariadb
[root@haa-16 stack]# for i in $(pgrep mysqld); do cat /proc/$i/limits | grep "open files"; done
Max open files            16384                16384                files     
Max open files            16384                16384                files     

[root@haa-16 stack]# rpm -qa |grep -E "selinux|instack-und"
libselinux-utils-2.5-6.el7.x86_64
libselinux-python-2.5-6.el7.x86_64
libselinux-ruby-2.5-6.el7.x86_64
selinux-policy-devel-3.13.1-102.el7.noarch
selinux-policy-3.13.1-102.el7.noarch
instack-undercloud-5.0.0-0.20160930175750.9d2a655.el7ost.noarch
openstack-selinux-0.7.10-1.el7ost.noarch
selinux-policy-targeted-3.13.1-102.el7.noarch
libselinux-2.5-6.el7.x86_64

[root@haa-16 stack]# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.3 (Maipo)

Can we get a sosreport from the undercloud where you have seen this please?

Thanks
Michele
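
The check both reporters ran by hand (effective limits in /proc/<pid>/limits against the unit's LimitNOFILE), as an added example that is not part of the original bug report. The function names and the result labels are assumptions of this sketch, and it assumes the unit sets a numeric LimitNOFILE.

```shell
#!/bin/sh
# Added example: compare a process's effective open-file limits with the
# LimitNOFILE value systemd was asked to apply. Names are hypothetical.

# Print "soft hard" from the text of a /proc/<pid>/limits file on stdin.
nofile_limits() {
    awk '/^Max open files/ { print $4, $5 }'
}

# True if limit $1 is at least number $2; "unlimited" always passes.
at_least() {
    [ "$1" = unlimited ] || [ "$1" -ge "$2" ]
}

# classify_nofile EXPECTED < limits-text
#   ok            soft limit reaches EXPECTED
#   soft-reduced  hard limit reaches EXPECTED but the soft limit does not
#   not-applied   neither limit reaches EXPECTED
#   no-data       no "Max open files" line in the input
classify_nofile() {
    expected=$1
    set -- $(nofile_limits)
    [ $# -eq 2 ] || { echo no-data; return 0; }
    if at_least "$1" "$expected"; then
        echo ok
    elif at_least "$2" "$expected"; then
        echo soft-reduced
    else
        echo not-applied
    fi
}

# Live use: sh check_nofile.sh <unit> <process-name>, e.g. mariadb mysqld
if [ $# -eq 2 ]; then
    expected=$(systemctl show -p LimitNOFILE "$1" | cut -d= -f2)
    echo "SELinux mode: $(getenforce 2>/dev/null || echo unknown)"
    echo "Unit $1 LimitNOFILE: $expected"
    for pid in $(pgrep "$2"); do
        echo "pid $pid: $(classify_nofile "$expected" < "/proc/$pid/limits")"
    done
else
    # Sample line with the enforcing-mode values from the report (1024 / 16384).
    printf 'Max open files 1024 16384 files\n' | classify_nofile 16384   # → soft-reduced
fi
```

Running it once in each SELinux mode, after a service restart in that mode, gives a side-by-side record of the kind a sosreport reviewer would look for.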

