My apologies in advance for not being quite sure under which part of oVirt / OVS to log this bug.

Description of problem:
Adding new hosts fails under oVirt 4.2.2-3. The web UI gives no information why the 'Install' fails - however when inspecting the install log on the engine it appears openvswitch fails to create its empty / initial database due to a SELinux denial.

Version-Release number of selected component (if applicable):
CentOS Minimal Install. Self-hosted engine.

openvswitch-ovn-host-2.9.0-3.el7.x86_64
ovirt-imageio-daemon-1.2.2-0.el7.centos.noarch
ovirt-host-4.2.2-2.el7.centos.x86_64
python-ovirt-engine-sdk4-4.2.4-2.el7.centos.x86_64
ovirt-host-deploy-1.7.3-1.el7.centos.noarch
python2-openvswitch-2.9.0-3.el7.noarch
ovirt-release42-4.2.2-3.el7.centos.noarch
ovirt-host-dependencies-4.2.2-2.el7.centos.x86_64
ovirt-vmconsole-host-1.0.4-1.el7.noarch
ovirt-engine-sdk-python-3.6.9.1-1.el7.noarch
ovirt-setup-lib-1.1.4-1.el7.centos.noarch
ovirt-vmconsole-1.0.4-1.el7.noarch
ovirt-hosted-engine-ha-2.2.10-1.el7.centos.noarch
cockpit-ovirt-dashboard-0.11.20-1.el7.centos.noarch
openvswitch-2.9.0-3.el7.x86_64
ovirt-hosted-engine-setup-2.2.16-1.el7.centos.noarch
openvswitch-ovn-common-2.9.0-3.el7.x86_64
ovirt-provider-ovn-driver-1.2.9-1.el7.centos.noarch
ovirt-engine-appliance-4.2-20180329.1.el7.centos.noarch
ovirt-imageio-common-1.2.2-0.el7.centos.noarch

How reproducible:
Every time

Steps to Reproduce:
1. CentOS minimal install
2. In UI of existing oVirt engine, add new host
3. New host will fail to install
4. Inspection of /var/log/audit/audit.log shows SELinux denials on openvswitch

Actual results:
Openvswitch should be able to start and allow the install to proceed.

Expected results:
Openvswitch cannot start and the install fails.

Additional info:

journalctl:

Journal:
-- The result is assert.
Apr 19 16:10:11 s1-b12.my.fqdn.com systemd[1]: ovsdb-server.service holdoff time over, scheduling restart.
Apr 19 16:10:11 s1-b12.my.fqdn.com systemd[1]: Cannot add dependency job for unit lvm2-lvmetad.socket, ignoring: Unit is masked.
Apr 19 16:10:11 s1-b12.my.fqdn.com systemd[1]: start request repeated too quickly for ovsdb-server.service
Apr 19 16:10:11 s1-b12.my.fqdn.com systemd[1]: Failed to start Open vSwitch Database Unit.
-- Subject: Unit ovsdb-server.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit ovsdb-server.service has failed.
--
-- The result is failed.
Apr 19 16:10:11 s1-b12.my.fqdn.com systemd[1]: Unit ovsdb-server.service entered failed state.
Apr 19 16:10:11 s1-b12.my.fqdn.com systemd[1]: ovsdb-server.service failed.
Apr 19 16:10:11 s1-b12.my.fqdn.com systemd[1]: Assertion failed for Open vSwitch Delete Transient Ports.
-- Subject: Unit ovs-delete-transient-ports.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit ovs-delete-transient-ports.service has failed.
--

audit.log:

type=AVC msg=audit(1524118211.426:2419): avc: denied { create } for pid=3238 comm="runuser" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_audit_socket permissive=0

audit2allow:

# echo "type=AVC msg=audit(1524118211.426:2419): avc: denied { create } for pid=3238 comm="runuser" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_audit_socket permissive=0" | audit2allow

#============= openvswitch_t ==============
allow openvswitch_t self:netlink_audit_socket create;

I bet that this is another dup of bug 1560436.
Please upgrade selinux-policy-targeted to 3.13.1-166.el7_4.9.

*** This bug has been marked as a duplicate of bug 1560436 ***

(In reply to Dan Kenigsberg from comment #1)
> I bet that this is another dup of bug 1560436.
> Please upgrade selinux-policy-targeted to 3.13.1-166.el7_4.9.
>
> *** This bug has been marked as a duplicate of bug 1560436 ***

Bingo! Looks like the updated package was only released (on CentOS) overnight:

# grep selinux-policy-targeted.noarch /var/log/yum.log
Apr 20 03:51:43 Updated: selinux-policy-targeted.noarch 3.13.1-166.el7_4.9

I can confirm that this fixes the issue. Thanks Dan.
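
Added example, not part of the original report and not oVirt or Open vSwitch code: a small Python triage script that extracts AVC denials from audit.log text and groups them per source domain in the rule form that audit2allow printed in the report, so a host can be checked for openvswitch_t denials before and after the policy upgrade. The function names and sample records 2 and 3 are constructed for illustration; record 1 is the denial quoted in the report.

```python
import re
from collections import defaultdict

# Constructed sample input. Record 1 is the denial quoted in the report;
# records 2 and 3 are made up to exercise filtering and multi-permission output.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1524118211.426:2419): avc: denied { create } for pid=3238 comm="runuser" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=netlink_audit_socket permissive=0
type=AVC msg=audit(1524118212.001:2420): avc:  denied  { read write } for  pid=4100 comm="example" scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
type=SERVICE_START msg=audit(1524118213.000:2421): pid=1 uid=0 msg='unit=ovsdb-server comm="systemd" res=failed'
"""

AVC_RE = re.compile(r'type=AVC .*?avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial record, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    if not {'scontext', 'tcontext', 'tclass'} <= f.keys():
        return None  # truncated record
    # A context is user:role:type:level; policy rules name the type (field 3).
    src, tgt = f['scontext'].split(':'), f['tcontext'].split(':')
    if len(src) < 3 or len(tgt) < 3:
        return None  # malformed context
    return {
        'source': src[2],
        'target': 'self' if tgt[2] == src[2] else tgt[2],
        'tclass': f['tclass'],
        'perms': m.group('perms').split(),
        'comm': f.get('comm'),
        'enforced': f.get('permissive') == '0',
    }

def summarize(log_text, domain=None):
    """Group denials by (source, target, class); return audit2allow-style lines."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and domain in (None, rec['source']):
            grouped[rec['source'], rec['target'], rec['tclass']].update(rec['perms'])
    out = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        out.append(f'allow {src} {tgt}:{cls} {perm_text};')
    return out
```

An empty result from `summarize(text, domain='openvswitch_t')` on records logged after the selinux-policy-targeted update matches the fix confirmed in the last comment.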