Bug 1601399 - [OSP14] selinux policy does not allow create instance on nfs /var/lib/nova/instances
Summary: [OSP14] selinux policy does not allow create instance on nfs /var/lib/nova/in...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo-heat-templates
Version: 14.0 (Rocky)
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: beta
Target Release: 14.0 (Rocky)
Assignee: Martin Schuppert
QA Contact: Archit Modi
URL:
Whiteboard:
Depends On: 1266963
Blocks:
Reported: 2018-07-16 10:34 UTC by Martin Schuppert
Modified: 2019-01-11 11:50 UTC (History)

Fixed In Version: openstack-tripleo-heat-templates-9.0.0-0.20180919080946.0rc1.0rc1.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1599289
Environment:
Last Closed: 2019-01-11 11:50:39 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Launchpad 1781894 0 None None None 2018-07-16 10:34:55 UTC
OpenStack gerrit 582913 0 None None None 2018-07-16 10:34:55 UTC
Red Hat Product Errata RHEA-2019:0045 0 None None None 2019-01-11 11:50:50 UTC

Description Martin Schuppert 2018-07-16 10:34:55 UTC
+++ This bug was initially created as a clone of Bug #1599289 +++

--- Additional comment from Martin Schuppert on 2018-07-06 08:02:50 EDT ---

With patches applied to an osp13 test env:

parameter_defaults:
    NovaNfsEnabled: True
    NovaNfsShare: '192.168.24.1:/var/nfs'

[root@compute-0 ~]# mount |grep nfs4
192.168.24.1:/var/nfs on /var/lib/nova/instances type nfs4 (rw,relatime,context=system_u:object_r:nova_var_lib_t:s0,vers=4.1,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=192.168.24.14,local_lock=none,addr=192.168.24.1,_netdev)

[root@compute-1 ~]# mount |grep nfs4
192.168.24.1:/var/nfs on /var/lib/nova/instances type nfs4 (rw,relatime,context=system_u:object_r:nova_var_lib_t:s0,vers=4.1,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=192.168.24.16,local_lock=none,addr=192.168.24.1,_netdev)


(overcloud) [stack@undercloud-0 ~]$ openstack server create --flavor m1.small --image cirros --nic net-id=ec392c10-f897-493b-941b-a3f6a0084122 test-nfs
(overcloud) [stack@undercloud-0 ~]$ openstack server list --long
+--------------------------------------+----------+--------+------------+-------------+---------------------+------------+--------------------------------------+-------------+--------------------------------------+-------------------+--------------------------------+------------+
| ID                                   | Name     | Status | Task State | Power State | Networks            | Image Name | Image ID                             | Flavor Name | Flavor ID                            | Availability Zone | Host                           | Properties |
+--------------------------------------+----------+--------+------------+-------------+---------------------+------------+--------------------------------------+-------------+--------------------------------------+-------------------+--------------------------------+------------+
| 22659aca-22ea-4e79-a761-a36e2953da28 | test-nfs | ACTIVE | None       | Running     | private=192.168.0.5 | cirros     | 4d956919-6e5d-4968-9040-1c0fc4b15401 | m1.small    | c681e5a6-23c9-4de0-bc99-3b21afb87c9a | nova              | compute-1.external.localdomain |            |
+--------------------------------------+----------+--------+------------+-------------+---------------------+------------+--------------------------------------+-------------+--------------------------------------+-------------------+--------------------------------+------------+

(overcloud) [stack@undercloud-0 ~]$ nova live-migration 22659aca-22ea-4e79-a761-a36e2953da28

(overcloud) [stack@undercloud-0 ~]$ openstack server list --long
+--------------------------------------+----------+--------+------------+-------------+---------------------+------------+--------------------------------------+-------------+--------------------------------------+-------------------+--------------------------------+------------+
| ID                                   | Name     | Status | Task State | Power State | Networks            | Image Name | Image ID                             | Flavor Name | Flavor ID                            | Availability Zone | Host                           | Properties |
+--------------------------------------+----------+--------+------------+-------------+---------------------+------------+--------------------------------------+-------------+--------------------------------------+-------------------+--------------------------------+------------+
| 22659aca-22ea-4e79-a761-a36e2953da28 | test-nfs | ACTIVE | None       | Running     | private=192.168.0.5 | cirros     | 4d956919-6e5d-4968-9040-1c0fc4b15401 | m1.small    | c681e5a6-23c9-4de0-bc99-3b21afb87c9a | nova              | compute-0.external.localdomain |            |
+--------------------------------------+----------+--------+------------+-------------+---------------------+------------+--------------------------------------+-------------+--------------------------------------+-------------------+--------------------------------+------------+


Note: I had to add the following selinux module as otherwise instance start failed with permission errors.

~~~
# my-nova-nfs.te: workaround module letting svirt_t read files labelled
# nova_var_lib_t, the label the NFS mount was given through context=
module my-nova-nfs 1.0;

require {
        type nova_var_lib_t;
        type svirt_t;
        class file { getattr ioctl lock open read };
}

#============= svirt_t ==============
allow svirt_t nova_var_lib_t:file { getattr ioctl lock open read };
~~~

~~~
[root@compute-0 ~]# checkmodule -M -m -o my-nova-nfs.mod my-nova-nfs.te
[root@compute-0 ~]# semodule_package -o my-nova-nfs.pp -m my-nova-nfs.mod
[root@compute-0 ~]# semodule -i my-nova-nfs.pp
~~~

--- Additional comment from Martin Schuppert on 2018-07-09 08:23:41 EDT ---

With patches applied to an osp13 test env:

parameter_defaults:
    NovaNfsEnabled: True
    NovaNfsShare: '192.168.24.1:/var/nfs'

[root@compute-0 ~]# mount |grep nfs4
192.168.24.1:/var/nfs on /var/lib/nova/instances type nfs4 (rw,relatime,context=system_u:object_r:nova_var_lib_t:s0,vers=4.1,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=192.168.24.14,local_lock=none,addr=192.168.24.1,_netdev)

[root@compute-1 ~]# mount |grep nfs4
192.168.24.1:/var/nfs on /var/lib/nova/instances type nfs4 (rw,relatime,context=system_u:object_r:nova_var_lib_t:s0,vers=4.1,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=192.168.24.16,local_lock=none,addr=192.168.24.1,_netdev)


(overcloud) [stack@undercloud-0 ~]$ openstack server create --flavor m1.small --image cirros --nic net-id=ec392c10-f897-493b-941b-a3f6a0084122 test-nfs
(overcloud) [stack@undercloud-0 ~]$ openstack server list --long
+--------------------------------------+----------+--------+------------+-------------+---------------------+------------+--------------------------------------+-------------+--------------------------------------+-------------------+--------------------------------+------------+
| ID                                   | Name     | Status | Task State | Power State | Networks            | Image Name | Image ID                             | Flavor Name | Flavor ID                            | Availability Zone | Host                           | Properties |
+--------------------------------------+----------+--------+------------+-------------+---------------------+------------+--------------------------------------+-------------+--------------------------------------+-------------------+--------------------------------+------------+
| 22659aca-22ea-4e79-a761-a36e2953da28 | test-nfs | ACTIVE | None       | Running     | private=192.168.0.5 | cirros     | 4d956919-6e5d-4968-9040-1c0fc4b15401 | m1.small    | c681e5a6-23c9-4de0-bc99-3b21afb87c9a | nova              | compute-1.external.localdomain |            |
+--------------------------------------+----------+--------+------------+-------------+---------------------+------------+--------------------------------------+-------------+--------------------------------------+-------------------+--------------------------------+------------+

(overcloud) [stack@undercloud-0 ~]$ nova live-migration 22659aca-22ea-4e79-a761-a36e2953da28

(overcloud) [stack@undercloud-0 ~]$ openstack server list --long
+--------------------------------------+----------+--------+------------+-------------+---------------------+------------+--------------------------------------+-------------+--------------------------------------+-------------------+--------------------------------+------------+
| ID                                   | Name     | Status | Task State | Power State | Networks            | Image Name | Image ID                             | Flavor Name | Flavor ID                            | Availability Zone | Host                           | Properties |
+--------------------------------------+----------+--------+------------+-------------+---------------------+------------+--------------------------------------+-------------+--------------------------------------+-------------------+--------------------------------+------------+
| 22659aca-22ea-4e79-a761-a36e2953da28 | test-nfs | ACTIVE | None       | Running     | private=192.168.0.5 | cirros     | 4d956919-6e5d-4968-9040-1c0fc4b15401 | m1.small    | c681e5a6-23c9-4de0-bc99-3b21afb87c9a | nova              | compute-0.external.localdomain |            |
+--------------------------------------+----------+--------+------------+-------------+---------------------+------------+--------------------------------------+-------------+--------------------------------------+-------------------+--------------------------------+------------+


Note: I had to add the following selinux module as otherwise instance start failed with permission errors.

~~~
# my-nova-nfs.te: workaround module letting svirt_t read files labelled
# nova_var_lib_t, the label the NFS mount was given through context=
module my-nova-nfs 1.0;

require {
        type nova_var_lib_t;
        type svirt_t;
        class file { getattr ioctl lock open read };
}

#============= svirt_t ==============
allow svirt_t nova_var_lib_t:file { getattr ioctl lock open read };
~~~

~~~
[root@compute-0 ~]# checkmodule -M -m -o my-nova-nfs.mod my-nova-nfs.te
[root@compute-0 ~]# semodule_package -o my-nova-nfs.pp -m my-nova-nfs.mod
[root@compute-0 ~]# semodule -i my-nova-nfs.pp
~~~


=> affects OSP13 (openstack-selinux-0.8.14-12.el7ost.noarch) + OSP14 (openstack-selinux-0.8.15-0.20180524134826.b63283a.el7ost.noarch)

--- Additional comment from Lon Hohberger on 2018-07-13 15:21:00 EDT ---

It sounds like the wrong label is being used for the NFS mount:

system_u:object_r:nfs_t:s0 should have access. My guess is that the mountpoint is mounted with a -ocontext=... that breaks things.

So, the virt_use_nfs boolean, which is turned on by openstack-selinux, should cover this use case. Granting svirt_t generic access to write over nova_var_lib_t isn't ideal.

--- Additional comment from Martin Schuppert on 2018-07-16 06:00:37 EDT ---

(In reply to Lon Hohberger from comment #2)
> It sounds like the wrong label is being used for the NFS mount:
> 
> system_u:object_r:nfs_t:s0 should have access. My guess is that the
> mountpoint is mounted with a -ocontext=... that breaks things.
> 
> So, the virt_use_nfs boolean, which is turned on by openstack-selinux,
> should cover this use case. Granting svirt_t generic access to write over
> nova_var_lib_t isn't ideal.

Yes, right, the default in THT is set to nova_var_lib_t in [1]. I'll move this to THT and submit a patch to have nfs_t as the default.


[1] https://github.com/openstack/tripleo-heat-templates/blob/master/puppet/services/nova-compute.yaml#L68
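Added check, not part of the bug report or of tripleo-heat-templates: a small script that classifies the SELinux label carried by the NFS mount of /var/lib/nova/instances, following the reasoning in the comments above (a context= of nfs_t is covered by the virt_use_nfs boolean, while nova_var_lib_t is the mislabel that made svirt_t fail). The sample mount lines are constructed from the output quoted in the report; audit_live assumes it runs on a compute node with getsebool available.

```shell
#!/bin/sh
# Added example, not from the bug report: classify the SELinux label on an NFS
# mount of /var/lib/nova/instances. A context= of nfs_t is covered by the
# virt_use_nfs boolean; nova_var_lib_t is the mislabel that made svirt_t fail.

# Print the SELinux type from the context= option of one `mount` output line,
# or "none" when the mount carries no context= option.
mount_context_type() {
    ctx=$(printf '%s\n' "$1" | sed -n 's/.*[(,]context=\([^,)]*\).*/\1/p')
    if [ -z "$ctx" ]; then
        echo none
        return 0
    fi
    # A context is user:role:type:level; the type is the third field.
    printf '%s\n' "$ctx" | cut -d: -f3
}

# Verdict for one mount line: ok (nfs_t), unlabeled (no context=), or
# mislabeled:<type> for any other type such as nova_var_lib_t.
check_nova_nfs_mount() {
    t=$(mount_context_type "$1")
    case "$t" in
        nfs_t) echo ok ;;
        none)  echo unlabeled ;;
        *)     echo "mislabeled:$t" ;;
    esac
}

# Constructed sample lines, modelled on the mount output quoted in the report
# (options shortened); BAD is the failing case, GOOD is the intended default.
BAD='192.168.24.1:/var/nfs on /var/lib/nova/instances type nfs4 (rw,relatime,context=system_u:object_r:nova_var_lib_t:s0,vers=4.1,_netdev)'
GOOD='192.168.24.1:/var/nfs on /var/lib/nova/instances type nfs4 (rw,relatime,context=system_u:object_r:nfs_t:s0,vers=4.1,_netdev)'

# Audit the running compute node: every NFS mount of the instances directory
# plus the state of the virt_use_nfs boolean (getsebool is from policycoreutils).
audit_live() {
    mount | grep ' on /var/lib/nova/instances type nfs' | while read -r l; do
        printf '%s -> %s\n' "${l%% *}" "$(check_nova_nfs_mount "$l")"
    done
    if command -v getsebool >/dev/null 2>&1; then
        getsebool virt_use_nfs
    fi
}

# Uncomment to run on a compute node:
# audit_live
```

A "mislabeled:" verdict means the NovaNfsOptions context should be corrected rather than the svirt_t policy widened, as Lon's comment recommends.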

Comment 7 errata-xmlrpc 2019-01-11 11:50:39 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2019:0045

