Bug 1463563 - Instance resizing is not working on a SELinux enforcing system because of wrong context on /var/lib/nova/.ssh
Instance resizing is not working on a SELinux enforcing system because of wro...
Status: CLOSED DUPLICATE of bug 1476016
Product: Red Hat OpenStack
Classification: Red Hat
Component: documentation (Show other bugs)
11.0 (Ocata)
x86_64 Linux
low Severity low
: ---
: ---
Assigned To: RHOS Documentation Team
RHOS Documentation Team
: Documentation, Triaged
Depends On:
  Show dependency treegraph
Reported: 2017-06-21 04:52 EDT by David Manchado
Modified: 2018-03-14 11:12 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2018-03-14 11:12:40 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description David Manchado 2017-06-21 04:52:58 EDT
Description of problem:

The default context for /var/lib/nova/.ssh is nova_var_lib_t inherited from /var/lib/nova(/.*)? instead of ssh_home_t. This is leading instance resizing to failure.

Version-Release number of selected component (if applicable):
Tested in RDO Newton, I guess it might apply to all.
Relevant RPMs:
kernel.x86_64                   3.10.0-514.6.1.el7
openstack-nova-common.noarch    1:14.0.6-0.20170421215600.52a75c7.el7.centos
openstack-nova-compute.noarch   1:14.0.6-0.20170421215600.52a75c7.el7.centos
openstack-selinux.noarch        0.8.6-0.20170419204626.312bdba.el7.centos
selinux-policy.noarch           3.13.1-102.el7_3.16
selinux-policy-targeted.noarch  3.13.1-102.el7_3.16

How reproducible:
On a CentOS system with selinux in enforcing mode try to do ssh among compute nodes with public key authentication enabled using the nova user.

Steps to Reproduce:
1. Generate, exchange and enable passwordless ssh using public keys for nova user. $HOME for nova is /var/lib/nova. Note that the shell for nova user has to be changed into /bin/bash as long as it requires an interactive shell.
2. As nova user in the source host, run ssh nova@_dst_host_ . It will prompt for password authentication
3. Set the proper context by running
semanage fcontext -a -t ssh_home_t "/var/lib/nova/.ssh(/.*)?"
4. Apply the context
restorecon -Rvv /var/lib/nova/.ssh/
5. Test again ssh nova@_dst_host_ and login will succeed without password authentication

Actual results:
SSH among compute nodes will fail leading instance resizing to failure.

Expected results:
SSH among compute nodes working with password-less auth allowing instances to be resized.

Additional info:
This issue was already stated [1] but seems it was never addressed

[1] https://bugzilla.redhat.com/show_bug.cgi?id=876452
Comment 3 Christopher Brown 2017-06-29 08:54:23 EDT
Hi David,

Resizing generally involves migration and therefore ssh migration is against best practice (but I find works well when not used in conjunction with selinux):


You could try resizing on the same host?


but I'd be inclined to configure Secure Libvirt with one of:

-TLS for encryption and X.509 client certificates for authentication
-GSSAPI/Kerberos for authentication and encryption
-TLS for encryption and Kerberos for authentication

Does this help?
Comment 4 David Manchado 2017-07-06 11:22:39 EDT

That might be a workaround but it would not fix the underlaying problem.

There are some situations I might prefer to resize in the same host but in some circumstances I might not have enough resources in the local host and I might prefer/need the instance to be migrated if that means the resize can succeed.

Comment 5 Lon Hohberger 2017-07-11 10:31:45 EDT
Creation of this directory should be done during installation/configuration, and 'restorecon' should occur at that time.

If we don't call 'restorecon' from installation scripts (puppet-nova, maybe), we can't be sure it will run at the right time if we put in %post of openstack-selinux.
Comment 6 Lon Hohberger 2017-07-11 10:57:27 EDT
Christopher, that doc needs a 'restorecon -Rv /var/lib/nova/.ssh' in 'Step 2' and 'Step 4' on page 22.
Comment 7 Lon Hohberger 2017-07-11 10:57:48 EDT
(These need to be done as root)
Comment 8 Ollie Walsh 2017-11-14 19:49:32 EST
Director manages nova ssh key setup since https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2637.

Any docs that refer to manual ssh key setup should have been removed.

NB ssh between compute node as the nova user is not expected to succeed.
Comment 9 Ollie Walsh 2018-03-14 11:12:40 EDT

*** This bug has been marked as a duplicate of bug 1476016 ***

Note You need to log in before you can comment on or make changes to this bug.