Red Hat Bugzilla – Bug 1463563
Instance resizing is not working on a SELinux enforcing system because of wrong context on /var/lib/nova/.ssh
Last modified: 2017-11-14 19:49:32 EST
Description of problem:
The default context for /var/lib/nova/.ssh is nova_var_lib_t, inherited from /var/lib/nova(/.*)?, instead of ssh_home_t. This causes instance resizing to fail.
Version-Release number of selected component (if applicable):
Tested in RDO Newton, I guess it might apply to all.
On a CentOS system with selinux in enforcing mode, try to ssh between compute nodes as the nova user with public key authentication enabled.
Steps to Reproduce:
1. Generate, exchange and enable passwordless ssh using public keys for the nova user. $HOME for nova is /var/lib/nova. Note that the shell for the nova user has to be changed to /bin/bash, since this requires an interactive shell.
2. As the nova user on the source host, run ssh nova@_dst_host_. It will prompt for password authentication.
3. Set the proper context by running
semanage fcontext -a -t ssh_home_t "/var/lib/nova/.ssh(/.*)?"
4. Apply the context
restorecon -Rvv /var/lib/nova/.ssh/
5. Test ssh nova@_dst_host_ again; login will succeed without password authentication.
Actual results:
SSH between compute nodes fails, causing instance resizing to fail.
Expected results:
SSH between compute nodes works with password-less auth, allowing instances to be resized.
This issue was already stated but it seems it was never addressed.
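The steps above boil down to one check: does /var/lib/nova/.ssh (and everything under it) carry ssh_home_t rather than the nova_var_lib_t it inherits from the parent directory? The script below is an added example, not part of the bug report or of openstack-selinux: it takes `ls -Z`-style lines (the sample lines are constructed, so it runs without SELinux), reports every path whose type differs from what the report expects, and prints the semanage/restorecon remediation from the report when something is mislabeled. The expected types for paths outside /var/lib/nova/.ssh are an assumption made for the example.

```sh
#!/bin/sh
# Added example, not part of the bug report: check whether the paths the
# reproduction steps touch carry the SELinux type they should, and print
# the remediation from the report when they do not. The `ls -Z`-style
# lines below are constructed sample input, so this runs without SELinux.

# Type field of a context such as system_u:object_r:nova_var_lib_t:s0.
selinux_type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Type a path should carry (assumption for this example): .ssh and
# everything below it is ssh_home_t, the rest of /var/lib/nova keeps the
# default nova_var_lib_t from the nova fcontext rule.
expected_type_for() {
    case "$1" in
        /var/lib/nova/.ssh|/var/lib/nova/.ssh/*) echo ssh_home_t ;;
        /var/lib/nova|/var/lib/nova/*)           echo nova_var_lib_t ;;
        *)                                       echo unknown ;;
    esac
}

# Read "<context> <path>" lines from stdin (the layout of `ls -Z`) and
# print one line per mislabeled path. Exit status 0 means all correct.
find_mislabeled() {
    rc=0
    while read -r ctx path; do
        [ -n "$path" ] || continue
        have=$(selinux_type_of "$ctx")
        want=$(expected_type_for "$path")
        if [ "$have" != "$want" ]; then
            printf '%s has %s, expected %s\n' "$path" "$have" "$want"
            rc=1
        fi
    done
    return "$rc"
}

# Number of mislabeled paths in a block of `ls -Z` lines.
count_mislabeled() {
    printf '%s\n' "$1" | find_mislabeled | wc -l | tr -d ' '
}

# Constructed sample: an affected host before the fix (everything under
# /var/lib/nova inherited nova_var_lib_t) and the same host after it.
SAMPLE_BEFORE='system_u:object_r:nova_var_lib_t:s0 /var/lib/nova
system_u:object_r:nova_var_lib_t:s0 /var/lib/nova/.ssh
system_u:object_r:nova_var_lib_t:s0 /var/lib/nova/.ssh/authorized_keys
system_u:object_r:nova_var_lib_t:s0 /var/lib/nova/.ssh/id_rsa'

SAMPLE_AFTER='system_u:object_r:nova_var_lib_t:s0 /var/lib/nova
system_u:object_r:ssh_home_t:s0 /var/lib/nova/.ssh
system_u:object_r:ssh_home_t:s0 /var/lib/nova/.ssh/authorized_keys
system_u:object_r:ssh_home_t:s0 /var/lib/nova/.ssh/id_rsa'

# On a real host, feed live output instead of the sample:
#   ls -dZ /var/lib/nova /var/lib/nova/.ssh /var/lib/nova/.ssh/* | find_mislabeled
if ! printf '%s\n' "$SAMPLE_BEFORE" | find_mislabeled; then
    echo 'fix (as root): semanage fcontext -a -t ssh_home_t "/var/lib/nova/.ssh(/.*)?"'
    echo '               restorecon -Rvv /var/lib/nova/.ssh/'
fi
printf '%s\n' "$SAMPLE_AFTER" | find_mislabeled && echo 'after fix: labels correct'
```

The remediation is only echoed, never executed: changing file contexts is a root-only, host-level change, and the check is meant to be run after installation (or from a configuration tool, as later comments suggest) to confirm the restorecon actually happened.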
Resizing generally involves migration, and therefore ssh migration is against best practice (but I find it works well when not used in conjunction with selinux):
You could try resizing on the same host?
but I'd be inclined to configure Secure Libvirt with one of:
- TLS for encryption and X.509 client certificates for authentication
- GSSAPI/Kerberos for authentication and encryption
- TLS for encryption and Kerberos for authentication
Does this help?
That might be a workaround, but it would not fix the underlying problem.
There are some situations where I might prefer to resize on the same host, but in some circumstances I might not have enough resources on the local host and might prefer/need the instance to be migrated if that means the resize can succeed.
Creation of this directory should be done during installation/configuration, and 'restorecon' should occur at that time.
If we don't call 'restorecon' from installation scripts (puppet-nova, maybe), we can't be sure it will run at the right time if we put it in %post of openstack-selinux.
Christopher, that doc needs a 'restorecon -Rv /var/lib/nova/.ssh' in 'Step 2' and 'Step 4' on page 22.
(These need to be done as root)
Director manages nova ssh key setup since https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2637.
Any docs that refer to manual ssh key setup should have been removed.
NB: ssh between compute nodes as the nova user is not expected to succeed.