Bug 1532927 - [RFE] Add host SELinux check to analyzer
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-log-collector
Version: 4.1.8
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ovirt-4.2.2
Assignee: Douglas Schilling Landgraf
QA Contact: David Necpal
URL:
Whiteboard:
Depends On: 1541392
Blocks:
 
Reported: 2018-01-10 01:44 UTC by Germano Veit Michel
Modified: 2019-05-16 13:08 UTC (History)

Fixed In Version: ovirt-log-collector-4.2.3-1.el7ev
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-05-15 17:31:24 UTC
oVirt Team: Integration
Target Upstream Version:
pstehlik: testing_plan_complete-




Links
System | ID | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2018:1465 | None | None | None | 2018-05-15 17:32:08 UTC
oVirt gerrit | 86390 | master | MERGED | inventory: Add Selinux enforce mode to hosts tab | 2018-01-15 21:53:58 UTC
oVirt gerrit | 86394 | ovirt-log-collector-4.2 | MERGED | inventory: Add Selinux enforce mode to hosts tab | 2018-01-15 22:06:09 UTC
oVirt gerrit | 86450 | master | MERGED | inventory: Check for clusters with mixed selinux config | 2018-01-17 16:01:19 UTC
oVirt gerrit | 86484 | ovirt-log-collector-4.2 | MERGED | inventory: Check for clusters with mixed selinux config | 2018-01-17 16:02:59 UTC

Description Germano Veit Michel 2018-01-10 01:44:25 UTC
Hosts having selinux disabled may break the required vm migrations during upgrade. And it's also not recommended to have mixed on/off hosts in the same cluster.

Would be nice to check it in the log collector analyzer script.

# select selinux_enforce_mode from vds;

selinux_enforce_mode

Comment 1 Douglas Schilling Landgraf 2018-01-15 21:55:44 UTC
Hi Germano, 

I have sent a patch to gerrit that shows the current configuration of selinux per host in the Hosts tab. Should that be enough for your request?

When you say, mixing the configurations, is it about mixing disabled selinux hosts vs permissive/enforcing hosts or only disabled selinux hosts vs enforcing hosts?

If you are looking for a validation permissive/enforcing vs disabled, might be something like this:

SELECT
    vds_name,
    vds_group_name
FROM
    vds
WHERE vds_group_name IN (SELECT DISTINCT vds_group_name FROM vds WHERE selinux_enforce_mode=-1) AND selinux_enforce_mode IN (0,1);

Do you have a real scenario or sosreport to test the above query or showing the selinux status in the Host tab is enough?

Thanks!

Comment 2 Germano Veit Michel 2018-01-15 22:36:30 UTC
Hi Douglas,

Yes, that patch is enough (+1).

(In reply to Douglas Schilling Landgraf from comment #1)

> When you say, mixing the configurations, is it about mixing disabled selinux
> hosts vs permissive/enforcing hosts or only disabled selinux hosts vs
> enforcing hosts?

It's disabled vs permissive/enforcing that causes problems. A VM will fail to migrate from an enforcing/permissive to a disabled host. This is a known problem and hit several times by our customers.

> Do you have a real scenario or sosreport to test the above query or showing
> the selinux status in the Host tab is enough?

Yes, I did 2 arch reviews recently, both had one host with selinux disabled.

Showing the SELinux status is already good enough to visualize the data. Having a check to ensure enforcing/permissive are not mixed with disabled in the same cluster would be a bonus if you have time.

Thanks!

Comment 3 Douglas Schilling Landgraf 2018-01-16 22:15:12 UTC
Hi Germano, 

Would you mind giving us a hand and testing the following patch against good sosreports and the bad ones you mentioned?

inventory: Check for clusters with mixed selinux config
https://gerrit.ovirt.org/#/c/86450/

This will generate a warning in case we have a cluster with mixed selinux config for hosts.

thanks!
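
The mixed-cluster check discussed in comments 1 to 3, as an added example (not the ovirt-log-collector patch and not code from this report). It assumes a simplified `vds` table holding only the three columns used in the query above, an in-memory SQLite database standing in for the engine database, and constructed host rows; unlike the query in comment 1 it lists both the disabled and the enabled hosts of each affected cluster and skips hosts with no reported mode.

```python
import sqlite3

# Assumed value mapping: the thread only establishes -1 = disabled and
# 0/1 = permissive/enforcing; which of 0 and 1 is which is an assumption.
MODES = {-1: "disabled", 0: "permissive", 1: "enforcing"}

# Constructed sample rows (host, cluster, selinux_enforce_mode); not real data.
SAMPLE_HOSTS = [
    ("host-a1", "cluster-a", 1),
    ("host-a2", "cluster-a", -1),    # disabled next to an enforcing host
    ("host-a3", "cluster-a", 0),
    ("host-b1", "cluster-b", 1),
    ("host-b2", "cluster-b", 0),     # permissive + enforcing: not flagged
    ("host-c1", "cluster-c", -1),
    ("host-c2", "cluster-c", -1),    # uniformly disabled: not "mixed"
    ("host-d1", "cluster-d", -1),
    ("host-d2", "cluster-d", None),  # mode not reported: ignored, not guessed
]

# One row per host in any cluster that has both a disabled host and a
# permissive/enforcing host, so the report shows both sides of the mismatch.
MIXED_SQL = """
SELECT vds_group_name, vds_name, selinux_enforce_mode
FROM vds
WHERE selinux_enforce_mode IS NOT NULL
  AND vds_group_name IN (
        SELECT vds_group_name FROM vds GROUP BY vds_group_name
        HAVING SUM(CASE WHEN selinux_enforce_mode = -1 THEN 1 ELSE 0 END) > 0
           AND SUM(CASE WHEN selinux_enforce_mode IN (0, 1) THEN 1 ELSE 0 END) > 0)
ORDER BY vds_group_name, vds_name
"""

def mixed_selinux_clusters(hosts):
    """Return {cluster: [(host, mode_name), ...]} for mixed clusters only."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE vds (vds_name TEXT, vds_group_name TEXT,"
               " selinux_enforce_mode INTEGER)")
    db.executemany("INSERT INTO vds VALUES (?, ?, ?)", hosts)
    report = {}
    for cluster, host, mode in db.execute(MIXED_SQL):
        report.setdefault(cluster, []).append((host, MODES.get(mode, "unknown")))
    db.close()
    return report

if __name__ == "__main__":
    for cluster, members in mixed_selinux_clusters(SAMPLE_HOSTS).items():
        print(f"WARNING: {cluster} mixes SELinux disabled/enabled hosts: {members}")
```
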

Comment 4 Germano Veit Michel 2018-01-17 02:28:55 UTC
Hi Douglas,

Done. See attached example of the problem explained on gerrit. 
Compare the SELinux warning table to the hosts table.

I'll test again once you submit the next patch.

Thanks for working on this!

Comment 6 Douglas Schilling Landgraf 2018-01-17 05:15:03 UTC
(In reply to Germano Veit Michel from comment #4)
> Hi Douglas,
> 
> Done. See attached example of the problem explained on gerrit. 
> Compare the SELinux warning table to the hosts table.
> 
> I'll test again once you submit the next patch.
> 
> Thanks for working on this!

Thanks Germano, a new patch is available for testing. Would you mind testing again and attaching the sosreport you are using for the test to this bugzilla report? I have a local repo with several sosreports to test the scenarios we are adding.

Comment 8 David Necpal 2018-02-21 09:24:00 UTC
Verified on version: 

ovirt-log-collector-4.2.4-1.el7ev.noarch
ovirt-log-collector-analyzer-4.2.4-1.el7ev.noarch

Comment 13 errata-xmlrpc 2018-05-15 17:31:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:1465

Comment 14 Franta Kust 2019-05-16 13:08:34 UTC
BZ<2>Jira Resync

