Description of problem:
If the compute node is a VM, instances will fail to launch because SELinux blocks access to the image file.

Version-Release number of selected component (if applicable):
On the VM (not working):
selinux-policy-3.7.19-195.el6_4.3.noarch
openstack-selinux-0.1.2-10.el6ost.noarch

On the physical machine (working):
selinux-policy-3.7.19-195.el6.noarch
package openstack-selinux is not installed

How reproducible:
Always

Steps to Reproduce:
1. Install RHEL physical machine with RHEL VM.
2. Use packstack --gen-answer-file/--answer-file to install RHOS on the RHEL VM. I changed the NTP server, SSH keys, floating IPs and Horizon SSL. All other options were left at their defaults.
3. Manually add the physical machine as a nova compute node.
4. Add QCOW2 image and launch instances.

Actual results:
The physical machine works fine; instances can be created. The VM fails to generate working instances (the status shows error). I get these errors in the audit.log:

type=AVC msg=audit(1366998480.516:23372): avc: denied { read } for pid=32383 comm="qemu-kvm" name="64b951fc68d1c11fe1abf1c06e8e4198745135a7" dev=dm-1 ino=393831 scontext=unconfined_u:system_r:svirt_t:s0:c356,c996 tcontext=unconfined_u:object_r:nova_var_lib_t:s0 tclass=file
type=AVC msg=audit(1366998480.516:23373): avc: denied { getattr } for pid=32383 comm="qemu-kvm" path="/var/lib/nova/instances/_base/64b951fc68d1c11fe1abf1c06e8e4198745135a7" dev=dm-1 ino=393831 scontext=unconfined_u:system_r:svirt_t:s0:c356,c996 tcontext=unconfined_u:object_r:nova_var_lib_t:s0 tclass=file
type=AVC msg=audit(1366998480.516:23374): avc: denied { read } for pid=32383 comm="qemu-kvm" name="64b951fc68d1c11fe1abf1c06e8e4198745135a7" dev=dm-1 ino=393831 scontext=unconfined_u:system_r:svirt_t:s0:c356,c996 tcontext=unconfined_u:object_r:nova_var_lib_t:s0 tclass=file

Expected results:
I should be able to instantiate instances on the VM compute node.

Additional info:
Listing of the directory mentioned above on both machines. Notice the different permissions (user and SELinux):

VM (not working):
# ls -Z /var/lib/nova/instances/_base/
-rw-r--r--. nova nova unconfined_u:object_r:nova_var_lib_t:s0 64b951fc68d1c11fe1abf1c06e8e4198745135a7

Physical (working):
# ls -Z /var/lib/nova/instances/_base/
-rw-r--r--. qemu qemu system_u:object_r:virt_content_t:s0 64b951fc68d1c11fe1abf1c06e8e4198745135a7

Workarounds:
1. setenforce 0
2. chcon -t virt_content_t /var/lib/nova/instances/_base/*

Running either of these on the VM allows an instance to be created properly.
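A triage sketch for the denials quoted in the report above, added here as an example and not part of the original bug report: it parses the three AVC records, groups them by source type, target type and class, and lists the files svirt_t was denied on because they do not carry the expected label. The function names are hypothetical, and the expected type virt_content_t is an assumption taken from the working host's listing in this report.

```python
import re
from collections import defaultdict

# The three AVC records quoted in the report above, copied verbatim.
AUDIT_SAMPLE = '''\
type=AVC msg=audit(1366998480.516:23372): avc: denied { read } for pid=32383 comm="qemu-kvm" name="64b951fc68d1c11fe1abf1c06e8e4198745135a7" dev=dm-1 ino=393831 scontext=unconfined_u:system_r:svirt_t:s0:c356,c996 tcontext=unconfined_u:object_r:nova_var_lib_t:s0 tclass=file
type=AVC msg=audit(1366998480.516:23373): avc: denied { getattr } for pid=32383 comm="qemu-kvm" path="/var/lib/nova/instances/_base/64b951fc68d1c11fe1abf1c06e8e4198745135a7" dev=dm-1 ino=393831 scontext=unconfined_u:system_r:svirt_t:s0:c356,c996 tcontext=unconfined_u:object_r:nova_var_lib_t:s0 tclass=file
type=AVC msg=audit(1366998480.516:23374): avc: denied { read } for pid=32383 comm="qemu-kvm" name="64b951fc68d1c11fe1abf1c06e8e4198745135a7" dev=dm-1 ino=393831 scontext=unconfined_u:system_r:svirt_t:s0:c356,c996 tcontext=unconfined_u:object_r:nova_var_lib_t:s0 tclass=file
'''

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the key=value fields of one AVC denial, or None for other lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    return rec

def se_type(context):
    """user:role:type:level[:categories] -> the type field."""
    return context.split(":")[2]

def summarize(log_text):
    """Group denials by (source type, target type, class), merging permissions."""
    groups = defaultdict(set)
    for rec in filter(None, map(parse_avc, log_text.splitlines())):
        key = (se_type(rec["scontext"]), se_type(rec["tcontext"]), rec["tclass"])
        groups[key].update(rec["perms"])
    return {key: sorted(perms) for key, perms in groups.items()}

def mislabeled_files(log_text, domain="svirt_t", expected="virt_content_t"):
    """Map (dev, ino) -> best-known path of files `domain` was denied on whose
    type is not `expected` (assumed default: the working host's label)."""
    found = {}
    for rec in filter(None, map(parse_avc, log_text.splitlines())):
        src, tgt = se_type(rec["scontext"]), se_type(rec["tcontext"])
        if rec["tclass"] != "file" or src != domain or tgt == expected:
            continue
        key = (rec.get("dev"), rec.get("ino"))
        if "path" in rec or key not in found:  # a path= record beats name= only
            found[key] = rec.get("path", rec.get("name", "?"))
    return found

if __name__ == "__main__":
    print(summarize(AUDIT_SAMPLE), mislabeled_files(AUDIT_SAMPLE), sep="\n")
```

Grouping by type rather than by raw context collapses the three records into one finding, and keying on device and inode lets the getattr record's full path stand in for the read records that only carry a file name.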
This looks like a 6.4.z libvirt update is somehow missing. Can you check 'rpm -q libvirt' in the physical host?
libvirt is supposed to transition things to the right contexts; a bug was fixed in 6.4.z which was preventing this from occurring.

# rpm -q libvirt
libvirt-0.10.2-18.el6_4.4.x86_64
Ah, I should have mentioned that this was on RHEL 6.4 GA except for the SELinux policy updates required by RHOS. I'll grab libvirt and test again.
Updating libvirt to the version mentioned above does fix the issue.
*** This bug has been marked as a duplicate of bug 915349 ***