Bug 969483 - Live block-migration
Status: CLOSED DUPLICATE of bug 1100356
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-puppet-modules
Version: 3.0
Hardware: x86_64 Linux
Priority: high
Severity: high
Target Milestone: ---
Target Release: 5.0 (RHEL 7)
Assigned To: Lukas Bezdicka
QA Contact: Jaroslav Henner
Keywords: FutureFeature
Depends On: 958057 1180600 1180602
Blocks:
Reported: 2013-05-31 10:06 EDT by Jaroslav Henner
Modified: 2016-04-26 13:28 EDT
CC: 8 users

Doc Type: Enhancement
Last Closed: 2014-06-25 08:47:47 EDT
Type: Bug

Attachments
libvirtd.conf.patch (859 bytes, patch)
2013-05-31 10:06 EDT, Jaroslav Henner
sysconfig.libvirtd.patch (378 bytes, patch)
2013-05-31 10:07 EDT, Jaroslav Henner


External Trackers
Tracker ID Priority Status Summary Last Updated
OpenStack gerrit 100234 None None None Never

Description Jaroslav Henner 2013-05-31 10:06:22 EDT
Description of problem:
Live block migration doesn't need images on shared storage; packstack should configure libvirt and iptables to support it.

In order to enable it, we should change libvirtd.conf, libvirtd in sysconfig, and enable the libvirt ports:
iptables -I INPUT 1 -p tcp -m multiport --dports 16509,49152:49261 -m comment --comment "Libvirt migration" -j ACCEPT

Note that I think the patches I am sending should be modified to make secure connections.
Comment 1 Jaroslav Henner 2013-05-31 10:06:55 EDT
Created attachment 755302 [details]
libvirtd.conf.patch
Comment 2 Jaroslav Henner 2013-05-31 10:07:31 EDT
Created attachment 755303 [details]
sysconfig.libvirtd.patch
Comment 4 Jaroslav Henner 2013-09-27 09:17:34 EDT
There is at least one more thing that I had to do to make live block migration work: semanage permissive -a sshd_t, to enable nova to ssh. But this brings quite a large security risk.
Comment 5 Attila Darazs 2013-09-27 09:22:02 EDT
Without the change Jaroslav mentioned in comment 4, we got the following denials, which need to be fixed in the policy:

[root@xxxx ~]# aureport -a

AVC Report
========================================================
# date time comm subj syscall class permission obj event
========================================================
1. 09/27/2013 16:03:34 sshd unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 2 dir search system_u:object_r:nova_var_lib_t:s0 denied 534511
2. 09/27/2013 16:03:34 sshd unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 2 dir search unconfined_u:object_r:nova_var_lib_t:s0 denied 534511
3. 09/27/2013 16:03:34 sshd unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 2 file read unconfined_u:object_r:nova_var_lib_t:s0 denied 534511
4. 09/27/2013 16:03:34 sshd unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 2 file open unconfined_u:object_r:nova_var_lib_t:s0 denied 534511
5. 09/27/2013 16:03:34 sshd unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 5 file getattr unconfined_u:object_r:nova_var_lib_t:s0 denied 534512
6. 09/27/2013 16:03:34 sshd unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 6 dir getattr system_u:object_r:nova_var_lib_t:s0 denied 534513
7. 09/27/2013 16:03:34 sshd unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 6 dir getattr unconfined_u:object_r:nova_var_lib_t:s0 denied 534514
8. 09/27/2013 16:10:52 sshd unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 2 dir search system_u:object_r:nova_var_lib_t:s0 denied 538184
9. 09/27/2013 16:10:52 sshd unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 2 dir search system_u:object_r:nova_var_lib_t:s0 denied 538185
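As an added example that is not part of the bug report: a small Python parser for aureport -a rows of the shape shown above, collapsing the denials into the allow rules they imply (the kind of output audit2allow gives in comment 12) so the policy change can be reviewed instead of making sshd_t permissive; the sample text is copied from this comment plus one constructed "granted" row.

```python
import re
from collections import defaultdict

# Constructed sample: four aureport -a rows copied from comment 5 above, plus
# one made-up "granted" row to show that only denials are collected.
SAMPLE_AVC_REPORT = """\
========================================================
# date time comm subj syscall class permission obj event
========================================================
1. 09/27/2013 16:03:34 sshd unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 2 dir search system_u:object_r:nova_var_lib_t:s0 denied 534511
3. 09/27/2013 16:03:34 sshd unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 2 file read unconfined_u:object_r:nova_var_lib_t:s0 denied 534511
5. 09/27/2013 16:03:34 sshd unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 5 file getattr unconfined_u:object_r:nova_var_lib_t:s0 denied 534512
6. 09/27/2013 16:03:34 sshd unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 6 dir getattr system_u:object_r:nova_var_lib_t:s0 denied 534513
8. 09/27/2013 16:10:52 sshd unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 2 dir search system_u:object_r:etc_t:s0 granted 538184
"""

# Columns as aureport prints them: index, date, time, comm, subject context,
# syscall, class, permission, object context, result, event id.
AVC_ROW = re.compile(
    r"^\d+\.\s+\S+\s+\S+\s+(?P<comm>\S+)\s+(?P<subj>\S+)\s+\d+\s+(?P<cls>\S+)\s+"
    r"(?P<perm>\S+)\s+(?P<obj>\S+)\s+(?P<result>denied|granted)\s+(?P<event>\d+)$"
)

def selinux_type(context):
    """user:role:type[:range] -> type, the field policy rules name."""
    return context.split(":")[2]

def parse_denials(report):
    """(source type, target type, class, permission) for each denied row."""
    denials = []
    for line in report.splitlines():
        m = AVC_ROW.match(line)
        if m and m.group("result") == "denied":
            denials.append((selinux_type(m.group("subj")), selinux_type(m.group("obj")),
                            m.group("cls"), m.group("perm")))
    return denials

def summarize(denials):
    """Collapse rows into audit2allow-style allow rules, one per (source, target, class)."""
    perms = defaultdict(set)
    for stype, ttype, cls, perm in denials:
        perms[(stype, ttype, cls)].add(perm)
    rules = []
    for (stype, ttype, cls), ps in sorted(perms.items()):
        body = " ".join(sorted(ps))
        if len(ps) > 1:
            body = "{ " + body + " }"
        rules.append(f"allow {stype} {ttype}:{cls} {body};")
    return rules
```

Each emitted rule names one (source, target, class) triple, so a reviewer can decide per line whether the access is legitimate (here, per comment 9, it was not needed for live migration at all).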
Comment 6 Attila Darazs 2013-09-27 10:08:00 EDT
One more addition:

packstack sets up nova for vnc listening on the machine's default IP, instead of listening on all interfaces (see bug 912744).

Set this in /etc/nova/nova.conf on all compute instances to make it work:
vncserver_listen=0.0.0.0
Comment 7 Alan Pevec 2013-09-30 08:54:42 EDT
Re. Nova live migration doing SSH - it should be removed, see thread:
 http://lists.openstack.org/pipermail/openstack-dev/2013-September/015757.html
Comment 8 Nikola Dipanov 2013-09-30 09:04:51 EDT
Alan, the email you link is about migration/resize operation which is a different operation in nova than live-migration, which this bug is about.
Comment 9 Attila Darazs 2013-10-17 07:39:59 EDT
Nikola, and others: ignore Comment 5. I was not doing live migration. So indeed no SSH is needed for that. :)
Comment 10 Perry Myers 2013-11-16 00:34:06 EST
@berrange: Is there any Nova impact here, or is it just a matter of configuring our puppet modules to configure libvirt correctly?  It's not clear to me what component this should go on or who should own it.
Comment 11 Daniel Berrange 2013-11-16 05:16:06 EST
Probably just config work for packstack, though I've not tested this functionality in nova myself.
Comment 12 Lukas Bezdicka 2014-06-18 12:14:11 EDT
without openstack-selinux
rhel7:
#============= nagios_t ==============
allow nagios_t ping_exec_t:file { read execute open execute_no_trans };
allow nagios_t self:capability net_raw;
allow nagios_t self:process setcap;
allow nagios_t self:rawip_socket { getopt create setopt };

#============= neutron_t ==============
allow neutron_t tmp_t:dir create;

#============= nova_scheduler_t ==============

#!!!! This avc is allowed in the current policy
allow nova_scheduler_t passwd_file_t:file { read getattr open };

#============= rsync_t ==============

#!!!! This avc is allowed in the current policy
allow rsync_t var_lock_t:dir { write add_name };

#!!!! This avc can be allowed using the boolean 'rsync_full_access'
allow rsync_t var_lock_t:file { write create };

#============= swift_t ==============

#!!!! This avc is allowed in the current policy
allow swift_t tmpfs_t:dir { write remove_name add_name };
allow swift_t tmpfs_t:file { write getattr link read create unlink open };

#!!!! This avc is allowed in the current policy
allow swift_t tmpfs_t:filesystem getattr;

#!!!! This avc is allowed in the current policy
allow swift_t xserver_port_t:tcp_socket name_bind;
Comment 13 Lukas Bezdicka 2014-06-25 08:47:47 EDT

*** This bug has been marked as a duplicate of bug 1100356 ***