2103969 – [RHOSP 17.0] Ceilometer can't read /run/libvirt resulting in no 'cpu' metrics

Bug 2103969 - [RHOSP 17.0] Ceilometer can't read /run/libvirt resulting in no 'cpu' metrics

Summary: [RHOSP 17.0] Ceilometer can't read /run/libvirt resulting in no 'cpu' metrics

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	openstack-tripleo-heat-templates
Sub Component:
Version:	17.0 (Wallaby)
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	high
Target Milestone:	z1
Target Release:	17.0
Assignee:	Leif Madsen
QA Contact:	Leonid Natapov
Docs Contact:	mgeary
URL:
Whiteboard:
Depends On:	2103964 2122656
Blocks:	2103970 2103971
TreeView+	depends on / blocked

Reported:	2022-07-05 12:41 UTC by Leif Madsen
Modified:	2023-01-25 12:29 UTC (History)
CC List:	3 users (show)
Fixed In Version:	openstack-tripleo-heat-templates-14.3.1-0.20221102130639.feca772.el9ost
Doc Type:	Bug Fix
Doc Text:	Cause: Improper volume mount to /run/libvirt in the ceilometer-agent-compute container. Consequence: The ceilometer-agent-compute can not read the /run/libvirt directory resulting in an inability to poll for CPU metrics on compute nodes. Fix: The appropriate global permissions have been applied to /run/libvirt directory. Result: It is now possible to poll for CPU telemetry with ceilometer-agent-compute container on the compute nodes, resulting in CPU telemetry data via the compute service (nova).
Clone Of:	2103964
Clones:	2103970 (view as bug list)
Environment:
Last Closed:	2023-01-25 12:28:50 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
OpenStack gerrit	857476	None	MERGED	Correct label for /run/libvirt	2022-09-22 02:33:39 UTC
Red Hat Issue Tracker	OSP-16241	None	None	None	2022-07-05 12:46:50 UTC
Red Hat Product Errata	RHBA-2023:0271	None	None	None	2023-01-25 12:29:35 UTC

Comment 5 Leonid Natapov 2022-08-24 12:55:19 UTC

I am moving this bug back to assign because we found out that selinux prevents reading /run/libvirt. See the log bellow.
A new fix would add "z" option to the original "ro".


type=AVC msg=audit(1661320143.727:562520): avc:  denied  { write } for  pid=669402 comm="ceilometer-poll" name="virtqemud-sock-ro" dev="tmpfs" ino=93846 scontext=system_u:system_r:container_t:s0:c526,c1012 tcontext=system_u:object_r:virt_var_run_t:s0 tclass=sock_file permissive=0

Comment 6 Leif Madsen 2022-08-24 14:28:55 UTC

Upstream change after further testing by Yadnesh, Leonid, and myself has been proposed at https://review.opendev.org/c/openstack/tripleo-heat-templates/+/854421

Once merged, will begin the backport process for both upstream and downstream. New target to have this resolved is now RHOSP 17.0 z1 with a Known Issue release note being added here to inform others of this issue. Once merged to master upstream is completed, I will begin the process of backporting the fix to 17.0, 16.2, and 16.1 for their next respective releases.

Comment 8 Leif Madsen 2022-08-30 14:37:18 UTC

Per discussion on IRC with Takashi and others, it looks like there is some work that would happen outside of ceilometer-agent-compute itself to allow the proper SELinux permissions and access to the files required without triggering a full relabel of the path via the 'z' flag for the bind mount of the containers volume. Tracking dependency for this issue is now at https://bugzilla.redhat.com/show_bug.cgi?id=2122656 and I will likely abandon my change request. I will likely want to revert the change upstream from 'shared' to 'ro' but I will check with others before proposing.

Comment 13 Leonid Natapov 2023-01-17 20:01:33 UTC

No permission denied errors.

from ceilometer-agent-compute-container-puppet.yaml 

- /run/libvirt:/run/libvirt:shared,z

Comment 18 errata-xmlrpc 2023-01-25 12:28:50 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Red Hat OpenStack Platform 17.0.1 bug fix and enhancement advisory), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:0271

Note You need to log in before you can comment on or make changes to this bug.