Bug 1463563 - Instance resizing is not working on a SELinux enforcing system because of wrong context on /var/lib/nova/.ssh
Instance resizing is not working on a SELinux enforcing system because of wro...
Status: NEW
Product: Red Hat OpenStack
Classification: Red Hat
Component: documentation (Show other bugs)
11.0 (Ocata)
x86_64 Linux
low Severity low
: ---
: ---
Assigned To: RHOS Documentation Team
RHOS Documentation Team
: Documentation, Triaged
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2017-06-21 04:52 EDT by David Manchado
Modified: 2017-11-14 19:49 EST (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description David Manchado 2017-06-21 04:52:58 EDT
Description of problem:

The default context for /var/lib/nova/.ssh is nova_var_lib_t inherited from /var/lib/nova(/.*)? instead of ssh_home_t. This is leading instance resizing to failure.


Version-Release number of selected component (if applicable):
Tested in RDO Newton, I guess it might apply to all.
Relevant RPMs:
kernel.x86_64                   3.10.0-514.6.1.el7
openstack-nova-common.noarch    1:14.0.6-0.20170421215600.52a75c7.el7.centos
openstack-nova-compute.noarch   1:14.0.6-0.20170421215600.52a75c7.el7.centos
openstack-selinux.noarch        0.8.6-0.20170419204626.312bdba.el7.centos
selinux-policy.noarch           3.13.1-102.el7_3.16
selinux-policy-targeted.noarch  3.13.1-102.el7_3.16


How reproducible:
On a CentOS system with selinux in enforcing mode try to do ssh among compute nodes with public key authentication enabled using the nova user.


Steps to Reproduce:
1. Generate, exchange and enable passwordless ssh using public keys for nova user. $HOME for nova is /var/lib/nova. Note that the shell for nova user has to be changed into /bin/bash as long as it requires an interactive shell.
2. As nova user in the source host, run ssh nova@_dst_host_ . It will prompt for password authentication
3. Set the proper context by running
semanage fcontext -a -t ssh_home_t "/var/lib/nova/.ssh(/.*)?"
4. Apply the context
restorecon -Rvv /var/lib/nova/.ssh/
5. Test again ssh nova@_dst_host_ and login will succeed without password authentication


Actual results:
SSH among compute nodes will fail leading instance resizing to failure.

Expected results:
SSH among compute nodes working with password-less auth allowing instances to be resized.

Additional info:
This issue was already stated [1] but seems it was never addressed

[1] https://bugzilla.redhat.com/show_bug.cgi?id=876452
Comment 3 Christopher Brown 2017-06-29 08:54:23 EDT
Hi David,

Resizing generally involves migration and therefore ssh migration is against best practice (but I find works well when not used in conjunction with selinux):

https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/10/pdf/migrating_instances/Red_Hat_OpenStack_Platform-10-Migrating_Instances-en-US.pdf

You could try resizing on the same host?

https://access.redhat.com/solutions/1326953

but I'd be inclined to configure Secure Libvirt with one of:

-TLS for encryption and X.509 client certificates for authentication
-GSSAPI/Kerberos for authentication and encryption
-TLS for encryption and Kerberos for authentication

Does this help?
Comment 4 David Manchado 2017-07-06 11:22:39 EDT
Christopher,

That might be a workaround but it would not fix the underlaying problem.

There are some situations I might prefer to resize in the same host but in some circumstances I might not have enough resources in the local host and I might prefer/need the instance to be migrated if that means the resize can succeed.

Cheers,
David
Comment 5 Lon Hohberger 2017-07-11 10:31:45 EDT
Creation of this directory should be done during installation/configuration, and 'restorecon' should occur at that time.

If we don't call 'restorecon' from installation scripts (puppet-nova, maybe), we can't be sure it will run at the right time if we put in %post of openstack-selinux.
Comment 6 Lon Hohberger 2017-07-11 10:57:27 EDT
Christopher, that doc needs a 'restorecon -Rv /var/lib/nova/.ssh' in 'Step 2' and 'Step 4' on page 22.
Comment 7 Lon Hohberger 2017-07-11 10:57:48 EDT
(These need to be done as root)
Comment 8 Ollie Walsh 2017-11-14 19:49:32 EST
Director manages nova ssh key setup since https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2637.

Any docs that refer to manual ssh key setup should have been removed.

NB ssh between compute node as the nova user is not expected to succeed.

Note You need to log in before you can comment on or make changes to this bug.