Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1491767

Summary: Nova fails to open console.log file at repeated host evacuation
Product: Red Hat OpenStack Reporter: Raoul Scarazzini <rscarazz>
Component: openstack-novaAssignee: Eoghan Glynn <eglynn>
Status: CLOSED INSUFFICIENT_DATA QA Contact: Joe H. Rahme <jhakimra>
Severity: medium Docs Contact:
Priority: medium    
Version: 10.0 (Newton)CC: acanan, arkady_kanevsky, awaugama, berrange, bhaubeck, cshastri, dasmith, eglynn, gpaterno, ipetrova, jhakimra, jjoyce, jschluet, j_t_williams, kchamart, mbooth, mbracho, mburns, mkrcmari, morazi, mschuppe, pablo.iranzo, rbergami, rscarazz, sbauza, sferdjao, sgordon, smerrow, srevivo, stephenfin, vromanso
Target Milestone: z4Keywords: Reopened, Triaged, ZStream
Target Release: 10.0 (Newton)   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1386420 Environment:
Last Closed: 2018-01-13 00:23:32 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1386420    
Bug Blocks: 1335596, 1356451    

Comment 1 Raoul Scarazzini 2017-09-14 15:31:40 UTC 
I just encountered the same exact error in an environment with openstack-nova-14.0.8-2.el7ost.noarch.
I took the sosreports from all the nodes here [1]. Problem happened doing the same exact test Marian wrote on the bug description.

[1] http://file.rdu.redhat.com/~rscarazz/BZ1386420/
Comment 2 Matthew Booth 2017-09-18 10:15:24 UTC 
Can you please check for an AVC denial in the audit logs? If you find one, can you also please confirm the version of your SELinux policy?
Comment 3 Raoul Scarazzini 2017-10-03 15:24:03 UTC 
I posted the sosreports exactly to share these info.
In any case if I look inside the audit.log of the compute node I see AVC denials related to these components:

     11 "chronyd"
      4 "chrony-helper"
      4 "dhclient"
      2 "NetworkManager"
      1 "virtlogd"

So the one which can may interest us is:

type=AVC msg=audit(1505232916.329:112): avc:  denied  { unlink } for  pid=3705 comm="virtlogd" name="console.log" dev="sda2" ino=96469187 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:svirt_image_t:s0:c292,c869 tclass=file

About the selinux policy these are the packages installed on the system:

selinux-policy-3.13.1-166.el7_4.4.noarch                    Thu Sep  7 17:48:18 2017
selinux-policy-targeted-3.13.1-166.el7_4.4.noarch           Thu Sep  7 17:51:03 2017
Comment 4 Mike Orazi 2017-10-06 02:34:47 UTC 
Any progress updates?
Comment 7 Artom Lifshitz 2017-11-22 19:57:07 UTC 
I think this might be an occurrence of [1], actually. Can we check the installed openstack-selinux version, and if it's earlier than openstack-selinux-0.8.11-1.el7ost, update to at least that?

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1499800
Comment 8 Raoul Scarazzini 2017-11-23 16:55:07 UTC 
At the time I posted the sosreports (see #comment1) the version of the package in the installation was openstack-selinux-0.8.9-0.1.el7ost.noarch. There's no way at the moment to check an updated version because that installation is gone.
The only way we can test this is by trying to reproduce the problem again.
Comment 9 Artom Lifshitz 2017-11-23 19:43:03 UTC 
> The only way we can test this is by trying to reproduce the problem again.

Is that something you're planning on doing? Just so I know what to do with this bz.

Cheers!
Comment 10 Artom Lifshitz 2018-01-13 00:23:32 UTC 
Hi Raoul,

I'm going to close this bug for now. Feel free to reopen at any time if we get an answer to the question in comments 7 and 9.

Cheers!