Bug 1463563 - Instance resizing is not working on a SELinux enforcing system because of wrong context on /var/lib/nova/.ssh
Status: NEW
Product: Red Hat OpenStack
Classification: Red Hat
Component: documentation
Version: 11.0 (Ocata)
Platform: x86_64 Linux
Priority: low
Severity: low
Assigned To: RHOS Documentation Team
Keywords: Documentation, Triaged
Reported: 2017-06-21 04:52 EDT by David Manchado
Modified: 2017-07-12 12:37 EDT (History)

Type: Bug
Attachments: None
Description David Manchado 2017-06-21 04:52:58 EDT
Description of problem:

The default context for /var/lib/nova/.ssh is nova_var_lib_t, inherited from /var/lib/nova(/.*)?, instead of ssh_home_t. This causes instance resizing to fail.


Version-Release number of selected component (if applicable):
Tested in RDO Newton; I guess it might apply to all.
Relevant RPMs:
kernel.x86_64                   3.10.0-514.6.1.el7
openstack-nova-common.noarch    1:14.0.6-0.20170421215600.52a75c7.el7.centos
openstack-nova-compute.noarch   1:14.0.6-0.20170421215600.52a75c7.el7.centos
openstack-selinux.noarch        0.8.6-0.20170419204626.312bdba.el7.centos
selinux-policy.noarch           3.13.1-102.el7_3.16
selinux-policy-targeted.noarch  3.13.1-102.el7_3.16


How reproducible:
On a CentOS system with SELinux in enforcing mode, try to ssh between compute nodes as the nova user with public key authentication enabled.


Steps to Reproduce:
1. Generate, exchange and enable passwordless ssh using public keys for the nova user. $HOME for nova is /var/lib/nova. Note that the shell for the nova user has to be changed to /bin/bash, as this requires an interactive shell.
2. As the nova user on the source host, run ssh nova@_dst_host_ . It will prompt for password authentication.
3. Set the proper context by running
   semanage fcontext -a -t ssh_home_t "/var/lib/nova/.ssh(/.*)?"
4. Apply the context
   restorecon -Rvv /var/lib/nova/.ssh/
5. Test ssh nova@_dst_host_ again; login will succeed without password authentication.


Actual results:
SSH between compute nodes fails, causing instance resizing to fail.

Expected results:
SSH between compute nodes works with password-less auth, allowing instances to be resized.

Additional info:
This issue was already reported [1], but it seems it was never addressed.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=876452
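The check-and-relabel sequence from the reproduction steps above, as an added shell example (not code from the bug report, from openstack-selinux or from puppet-nova). It splits the type field out of a full SELinux context string so the decision logic can be exercised offline, and only calls semanage/restorecon when asked to with --fix. Assumptions: an EL7-style host where GNU coreutils stat supports '%C', semanage and restorecon are installed, and the fix is run as root; the SSH_DIR path and the function names are this example's own.

```bash
#!/bin/bash
# Added example, not code from the bug report or from openstack-selinux/puppet-nova.
# Checks whether /var/lib/nova/.ssh carries the ssh_home_t type that the sshd
# policy expects for authorized_keys, and relabels it if not.
# Assumes an EL7-style host with 'stat -c %C', semanage and restorecon; run --fix as root.

SSH_DIR="${SSH_DIR:-/var/lib/nova/.ssh}"   # nova's $HOME is /var/lib/nova
WANT_TYPE="ssh_home_t"

# Pull the type field out of a full context such as
# "system_u:object_r:nova_var_lib_t:s0". The MLS field that follows the type
# may itself contain ':' (e.g. s0-s0:c0.c1023), so strip fields from the left.
context_type() {
    local rest="${1#*:}"          # strip SELinux user
    rest="${rest#*:}"              # strip role
    printf '%s\n' "${rest%%:*}"    # type is what remains before the next ':'
}

# Exit 0 if the context already carries the expected type, 1 otherwise.
context_ok() {
    [ "$(context_type "$1")" = "$WANT_TYPE" ]
}

# The fcontext regex semanage needs to cover the directory and everything below it.
fcontext_pattern() {
    printf '%s(/.*)?\n' "$1"
}

# Live check against the filesystem; needs an SELinux-enabled host.
check_live() {
    local ctx
    ctx="$(stat -c '%C' "$SSH_DIR")" || return 2
    if context_ok "$ctx"; then
        echo "OK: $SSH_DIR is $ctx"
    else
        echo "WRONG: $SSH_DIR is $ctx, expected type $WANT_TYPE"
        return 1
    fi
}

# Persist the rule first so later relabels (restorecon, autorelabel) keep it,
# then apply it now. 'semanage fcontext -a' exits non-zero when the rule is
# already defined, so fall back to '-m' (modify) in that case.
fix_live() {
    local pattern
    pattern="$(fcontext_pattern "$SSH_DIR")"
    semanage fcontext -a -t "$WANT_TYPE" "$pattern" 2>/dev/null \
        || semanage fcontext -m -t "$WANT_TYPE" "$pattern"
    restorecon -Rv "$SSH_DIR"
}

case "${1:-}" in
    --check) check_live ;;
    --fix)   check_live || fix_live ;;
esac
```

Run it with --check on each compute node before enabling key-based ssh for nova, and with --fix (as root) where it reports WRONG; the semanage step is what makes the label survive a later restorecon, which a bare chcon would not.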
Comment 3 Christopher Brown 2017-06-29 08:54:23 EDT
Hi David,

Resizing generally involves migration, and therefore ssh migration is against best practice (but I find it works well when not used in conjunction with SELinux):

https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/10/pdf/migrating_instances/Red_Hat_OpenStack_Platform-10-Migrating_Instances-en-US.pdf

You could try resizing on the same host?

https://access.redhat.com/solutions/1326953

but I'd be inclined to configure secure libvirt with one of:

- TLS for encryption and X.509 client certificates for authentication
- GSSAPI/Kerberos for authentication and encryption
- TLS for encryption and Kerberos for authentication

Does this help?
Comment 4 David Manchado 2017-07-06 11:22:39 EDT
Christopher,

That might be a workaround, but it would not fix the underlying problem.

There are some situations where I might prefer to resize on the same host, but in some circumstances I might not have enough resources on the local host and might prefer/need the instance to be migrated if that means the resize can succeed.

Cheers,
David
Comment 5 Lon Hohberger 2017-07-11 10:31:45 EDT
Creation of this directory should be done during installation/configuration, and 'restorecon' should occur at that time.

If we don't call 'restorecon' from installation scripts (puppet-nova, maybe), we can't be sure it will run at the right time if we put in %post of openstack-selinux.
Comment 6 Lon Hohberger 2017-07-11 10:57:27 EDT
Christopher, that doc needs a 'restorecon -Rv /var/lib/nova/.ssh' in 'Step 2' and 'Step 4' on page 22.
Comment 7 Lon Hohberger 2017-07-11 10:57:48 EDT
(These need to be done as root)