Bug 1491767 - Nova fails to open console.log file at repeated host evacuation
Keywords:
Status: CLOSED INSUFFICIENT_DATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-nova
Version: 10.0 (Newton)
Hardware: x86_64
OS: Linux
medium
medium
Target Milestone: z4
: 10.0 (Newton)
Assignee: Eoghan Glynn
QA Contact: Joe H. Rahme
URL:
Whiteboard:
Depends On: 1386420
Blocks: 1335596 1356451
 
Reported: 2017-09-14 15:29 UTC by Raoul Scarazzini
Modified: 2021-03-11 15:46 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1386420
Environment:
Last Closed: 2018-01-13 00:23:32 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Launchpad 1634282 0 None None None 2017-09-14 15:29:14 UTC
OpenStack gerrit 392643 0 None None None 2017-09-14 15:29:14 UTC
OpenStack gerrit 454593 0 None None None 2017-09-14 15:29:14 UTC
Red Hat Knowledge Base (Solution) 3175381 0 None None None 2017-10-26 12:51:46 UTC

Comment 1 Raoul Scarazzini 2017-09-14 15:31:40 UTC
I just encountered the same exact error in an environment with openstack-nova-14.0.8-2.el7ost.noarch.
I took the sosreports from all the nodes here [1]. The problem happened doing the same exact test Marian wrote in the bug description.

[1] http://file.rdu.redhat.com/~rscarazz/BZ1386420/

Comment 2 Matthew Booth 2017-09-18 10:15:24 UTC
Can you please check for an AVC denial in the audit logs? If you find one, can you also please confirm the version of your SELinux policy?

Comment 3 Raoul Scarazzini 2017-10-03 15:24:03 UTC
I posted the sosreports exactly to share this info.
In any case if I look inside the audit.log of the compute node I see AVC denials related to these components:

     11 "chronyd"
      4 "chrony-helper"
      4 "dhclient"
      2 "NetworkManager"
      1 "virtlogd"

So the one which may interest us is:

type=AVC msg=audit(1505232916.329:112): avc:  denied  { unlink } for  pid=3705 comm="virtlogd" name="console.log" dev="sda2" ino=96469187 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:svirt_image_t:s0:c292,c869 tclass=file

About the selinux policy these are the packages installed on the system:

selinux-policy-3.13.1-166.el7_4.4.noarch                    Thu Sep  7 17:48:18 2017
selinux-policy-targeted-3.13.1-166.el7_4.4.noarch           Thu Sep  7 17:51:03 2017
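
An added example, not part of the original comments: a small Python parser that builds the same kind of per-process tally of AVC denials from audit.log lines and pulls out any denial against console.log with its source and target SELinux types. Only the virtlogd record is taken from comment 3; the other sample lines and all function names are constructed for illustration.

```python
import re
from collections import Counter

AVC_RE = re.compile(r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): '
                    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    # Context layout is user:role:type:level; the type is the third field.
    parts = context.split(':')
    return parts[2] if len(parts) > 2 else None

def parse_avc(line):
    """Return a dict for an AVC denial record, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = m.group('perms').split()
    rec['timestamp'] = float(m.group('ts'))
    rec['source_type'] = selinux_type(rec.get('scontext', ''))
    rec['target_type'] = selinux_type(rec.get('tcontext', ''))
    return rec

def summarize(lines, filename='console.log'):
    """Count denials per process name and list those that hit `filename`."""
    recs = [r for r in map(parse_avc, lines) if r]
    counts = Counter(r.get('comm') for r in recs)
    hits = [r for r in recs if r.get('name') == filename]
    return counts, hits

SAMPLE = [
    # Constructed lines (not from the sosreports): two unrelated denials and a non-AVC record.
    'type=AVC msg=audit(1505232000.100:90): avc:  denied  { read } for  pid=900 comm="chronyd" name="example" dev="sda2" ino=1 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file',
    'type=AVC msg=audit(1505232001.200:91): avc:  denied  { read } for  pid=900 comm="chronyd" name="example" dev="sda2" ino=1 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1505232001.200:91): arch=c000003e syscall=2 success=no',
    # The record quoted in comment 3.
    'type=AVC msg=audit(1505232916.329:112): avc:  denied  { unlink } for  pid=3705 comm="virtlogd" name="console.log" dev="sda2" ino=96469187 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:svirt_image_t:s0:c292,c869 tclass=file',
]

if __name__ == '__main__':
    counts, hits = summarize(SAMPLE)
    for comm, n in counts.most_common():
        print(f'{n:7d} "{comm}"')
    for r in hits:
        print(r['comm'], r['perms'], r['source_type'], '->', r['target_type'], r['tclass'])
```
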

Comment 4 Mike Orazi 2017-10-06 02:34:47 UTC
Any progress updates?

Comment 7 Artom Lifshitz 2017-11-22 19:57:07 UTC
I think this might be an occurrence of [1], actually. Can we check the installed openstack-selinux version, and if it's earlier than openstack-selinux-0.8.11-1.el7ost, update to at least that?

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1499800

Comment 8 Raoul Scarazzini 2017-11-23 16:55:07 UTC
At the time I posted the sosreports (see #comment1) the version of the package in the installation was openstack-selinux-0.8.9-0.1.el7ost.noarch. There's no way at the moment to check an updated version because that installation is gone.
The only way we can test this is by trying to reproduce the problem again.

Comment 9 Artom Lifshitz 2017-11-23 19:43:03 UTC
> The only way we can test this is by trying to reproduce the problem again.

Is that something you're planning on doing? Just so I know what to do with this bz.

Cheers!

Comment 10 Artom Lifshitz 2018-01-13 00:23:32 UTC
Hi Raoul,

I'm going to close this bug for now. Feel free to reopen at any time if we get an answer to the question in comments 7 and 9.

Cheers!

