Created attachment 1305395 [details]
sysctl output

Description of problem:
With the rhel 7.4 overcloud images provided by the rhosp-director-images rpm a non-root user cannot use the ping command:

[heat-admin@controller-0 ~]$ ping 4.2.2.2
ping: socket: Operation not permitted

[heat-admin@controller-0 ~]$ stat /usr/bin/ping
  File: ‘/usr/bin/ping’
  Size: 66168      Blocks: 136        IO Block: 4096   regular file
Device: fc02h/64514d    Inode: 1866893     Links: 1
Access: (0755/-rwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Context: unconfined_u:object_r:ping_exec_t:s0
Access: 2017-07-27 12:10:35.932805586 +0000
Modify: 2017-05-22 08:13:45.000000000 +0000
Change: 2017-07-20 18:08:55.367770119 +0000
 Birth: -

[heat-admin@controller-0 ~]$ sudo grep denied /var/log/audit/audit.log
type=AVC msg=audit(1501157605.122:107): avc: denied { read } for pid=16164 comm="grep" name="kvm.conf" dev="vda2" ino=8409462 scontext=system_u:system_r:iptables_t:s0 tcontext=unconfined_u:object_r:modules_conf_t:s0 tclass=file
type=AVC msg=audit(1501157605.122:108): avc: denied { read } for pid=16164 comm="grep" name="lockd.conf" dev="vda2" ino=8409458 scontext=system_u:system_r:iptables_t:s0 tcontext=unconfined_u:object_r:modules_conf_t:s0 tclass=file
type=AVC msg=audit(1501157605.122:109): avc: denied { read } for pid=16164 comm="grep" name="mlx4.conf" dev="vda2" ino=8409460 scontext=system_u:system_r:iptables_t:s0 tcontext=unconfined_u:object_r:modules_conf_t:s0 tclass=file
type=AVC msg=audit(1501157605.122:110): avc: denied { read } for pid=16164 comm="grep" name="truescale.conf" dev="vda2" ino=8409459 scontext=system_u:system_r:iptables_t:s0 tcontext=unconfined_u:object_r:modules_conf_t:s0 tclass=file
type=AVC msg=audit(1501157605.122:111): avc: denied { read } for pid=16164 comm="grep" name="tuned.conf" dev="vda2" ino=8409463 scontext=system_u:system_r:iptables_t:s0 tcontext=unconfined_u:object_r:modules_conf_t:s0 tclass=file
type=AVC msg=audit(1501157605.122:112): avc: denied { read } for pid=16164 comm="grep" name="vhost.conf" dev="vda2" ino=8409461 scontext=system_u:system_r:iptables_t:s0 tcontext=unconfined_u:object_r:modules_conf_t:s0 tclass=file
type=AVC msg=audit(1501160462.303:4335): avc: denied { search } for pid=229548 comm="local" name="keystone" dev="vda2" ino=13710671 scontext=system_u:system_r:postfix_local_t:s0 tcontext=unconfined_u:object_r:keystone_var_lib_t:s0 tclass=dir
[heat-adm

Version-Release number of selected component (if applicable):
rhosp-director-images-12.0-20170726.1.el7ost.noarch
Linux controller-0 3.10.0-693.el7.x86_64 #1 SMP Thu Jul 6 19:56:57 EDT 2017 x86_64 x86_64 x86_64 GNU/Linux

How reproducible:
100%

Steps to Reproduce:
1. Deploy overcloud with rhel 7.4 overcloud images
2. SSH to one of the overcloud users as heat-admin users
3. ping an address/hostname

Actual results:
ping: socket: Operation not permitted

Expected results:
ping works

Additional info:
Please provide full audit.log from a permissive run. If the host is permissive, does ping work? Also, if you think this is selinux, why is it against rhosp-director and not openstack-selinux?
It's not selinux related. Using setcap seems to fix it.

$ sudo setcap 'cap_net_admin,cap_net_raw+ep' /usr/bin/ping
(In reply to Mike Burns from comment #1)

> Please provide full audit.log from a permissive run.

Attaching audit.log

> If the host is permissive, does ping work?

No, ping doesn't work in permissive mode.

> Also, if you think this is selinux, why is it against rhosp-director and not
> openstack-selinux?

I'm not sure that this is selinux related since I get the same result when switching to permissive. I reported it against rhosp-director because I'm seeing the issue on the images provided by the rhosp-director. Ping worked fine on a different rhel-7.4 machine, on the undercloud for example.
Created attachment 1305987 [details]
audit.log
As noted by Alex, running setcap fixes this. It appears to be any RHEL 7.4 based image. I've been able to reproduce with OSP 11 and 10 images as well. I checked our base images used to create the overcloud images and they have the right getcap values set on /bin/ping. The generated overcloud-full images do not. Another workaround for this is "yum reinstall iputils"
Also those AVCs are not related to ping.
Wow, this is a blast from the past. Previously the fix was to tell tar to maintain extended attributes on files: https://review.openstack.org/#/c/125428/ Maybe there's something new in 7.4 that needs to be kept?
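A check for the condition described above (the base image has the right getcap values on ping, the generated overcloud-full image does not), added here as an example and not part of the bug report or the project's tooling: it decodes the security.capability extended attribute that getcap reads, so a built image tree can be audited for binaries that lost their file capabilities. The sample xattr bytes are constructed to match the cap_net_admin,cap_net_raw+ep setting from the setcap workaround above; file_caps() is assumed to run on Linux, where os.getxattr exists.

```python
import errno
import os
import struct

# Capability numbers -> names, in kernel order (linux/capability.h).
CAP_NAMES = (
    "chown dac_override dac_read_search fowner fsetid kill setgid setuid "
    "setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw "
    "ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct "
    "sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod "
    "lease audit_write audit_control setfcap mac_override mac_admin syslog "
    "wake_alarm block_suspend audit_read"
).split()

# Constructed sample: the security.capability xattr a correct ping carries
# (revision 2, effective bit set, permitted = net_admin|net_raw = 0x3000).
PING_CAPS_XATTR = bytes.fromhex("01000002" "00300000" "00000000" "00000000" "00000000")

def _names(mask):
    return ["cap_" + CAP_NAMES[i] for i in range(len(CAP_NAMES)) if mask >> i & 1]

def decode_vfs_cap(data):
    """Decode a raw security.capability xattr into named permitted/inheritable sets."""
    magic = struct.unpack_from("<I", data, 0)[0]
    revision, effective = magic >> 24, bool(magic & 0x1)   # low bit = VFS_CAP_FLAGS_EFFECTIVE
    if revision == 1:                                      # single 32-bit masks
        perm, inh = struct.unpack_from("<II", data, 4)
    elif revision in (2, 3):                               # 64-bit masks stored as two halves
        plo, ilo, phi, ihi = struct.unpack_from("<IIII", data, 4)
        perm, inh = plo | phi << 32, ilo | ihi << 32
    else:
        raise ValueError("unknown VFS_CAP revision %d" % revision)
    return {"revision": revision, "effective": effective,
            "permitted": _names(perm), "inheritable": _names(inh)}

def as_getcap_text(caps):
    """Render like getcap ('cap_net_admin,cap_net_raw+ep'); simplified to the union of both sets."""
    names = sorted(set(caps["permitted"]) | set(caps["inheritable"]), key=lambda n: CAP_NAMES.index(n[4:]))
    flags = ("e" if caps["effective"] else "") + ("i" if caps["inheritable"] else "") + ("p" if caps["permitted"] else "")
    return ",".join(names) + "+" + flags if names else ""

def file_caps(path):
    """Decoded caps of a file, or None when the xattr is missing (what the broken images show)."""
    try:
        return decode_vfs_cap(os.getxattr(path, "security.capability"))
    except OSError as e:
        if e.errno == errno.ENODATA:
            return None
        raise
```

Run file_caps() against /usr/bin/ping inside a mounted or unpacked overcloud-full image: None means the capability xattr was dropped during image build, which is exactly the state that makes ping fail for non-root users.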
Ugh, sorry. Didn't mean to clear all the other fields.
Seen today in rdo phase1 job: https://ci.centos.org/artifacts/rdo/jenkins-tripleo-quickstart-promote-ocata-rdo_trunk-minimal-248/undercloud/home/stack/overcloud_validate.log.gz
This should already be fixed in OSP 12. Moving to ON_QA.
*** Bug 1484480 has been marked as a duplicate of this bug. ***
[heat-admin@controller-0 ~]$ ping 4.2.2.2
PING 4.2.2.2 (4.2.2.2) 56(84) bytes of data.
64 bytes from 4.2.2.2: icmp_seq=1 ttl=53 time=58.7 ms
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:3462