Bug 1599289 - [OSP13] selinux policy does not allow create instance on nfs /var/lib/nova/instances
Summary: [OSP13] selinux policy does not allow create instance on nfs /var/lib/nova/in...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo-heat-templates
Version: 13.0 (Queens)
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: z3
Target Release: 13.0 (Queens)
Assignee: Martin Schuppert
QA Contact: Archit Modi
URL:
Whiteboard:
Duplicates: 1625539
Depends On:
Blocks: 1598396
Reported: 2018-07-09 12:18 UTC by Martin Schuppert
Modified: 2018-11-13 22:27 UTC (History)

Fixed In Version: openstack-tripleo-heat-templates-8.0.4-23.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1598396
Clones: 1601399
Environment:
Last Closed: 2018-11-13 22:27:09 UTC
Target Upstream Version:




Links
System ID Priority Status Summary Last Updated
Launchpad 1781894 None None None 2018-07-16 10:21:11 UTC
OpenStack gerrit 582949 None stable/queens: MERGED tripleo-heat-templates: Instance create fails due to wrong default secontext with NFS (I2a28462b6f6bc9f8a41a81ea8c65471f... 2018-10-10 10:46:29 UTC
Red Hat Product Errata RHBA-2018:3587 None None None 2018-11-13 22:27:46 UTC

Internal Links: 1598396

Comment 1 Martin Schuppert 2018-07-09 12:23:41 UTC
With patches applied to an osp13 test env:

parameter_defaults:
    NovaNfsEnabled: True
    NovaNfsShare: '192.168.24.1:/var/nfs'

[root@compute-0 ~]# mount |grep nfs4
192.168.24.1:/var/nfs on /var/lib/nova/instances type nfs4 (rw,relatime,context=system_u:object_r:nova_var_lib_t:s0,vers=4.1,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=192.168.24.14,local_lock=none,addr=192.168.24.1,_netdev)

[root@compute-1 ~]# mount |grep nfs4
192.168.24.1:/var/nfs on /var/lib/nova/instances type nfs4 (rw,relatime,context=system_u:object_r:nova_var_lib_t:s0,vers=4.1,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=192.168.24.16,local_lock=none,addr=192.168.24.1,_netdev)


(overcloud) [stack@undercloud-0 ~]$ openstack server create --flavor m1.small --image cirros --nic net-id=ec392c10-f897-493b-941b-a3f6a0084122 test-nfs
(overcloud) [stack@undercloud-0 ~]$ openstack server list --long
+--------------------------------------+----------+--------+------------+-------------+---------------------+------------+--------------------------------------+-------------+--------------------------------------+-------------------+--------------------------------+------------+
| ID                                   | Name     | Status | Task State | Power State | Networks            | Image Name | Image ID                             | Flavor Name | Flavor ID                            | Availability Zone | Host                           | Properties |
+--------------------------------------+----------+--------+------------+-------------+---------------------+------------+--------------------------------------+-------------+--------------------------------------+-------------------+--------------------------------+------------+
| 22659aca-22ea-4e79-a761-a36e2953da28 | test-nfs | ACTIVE | None       | Running     | private=192.168.0.5 | cirros     | 4d956919-6e5d-4968-9040-1c0fc4b15401 | m1.small    | c681e5a6-23c9-4de0-bc99-3b21afb87c9a | nova              | compute-1.external.localdomain |            |
+--------------------------------------+----------+--------+------------+-------------+---------------------+------------+--------------------------------------+-------------+--------------------------------------+-------------------+--------------------------------+------------+

(overcloud) [stack@undercloud-0 ~]$ nova live-migration 22659aca-22ea-4e79-a761-a36e2953da28

(overcloud) [stack@undercloud-0 ~]$ openstack server list --long
+--------------------------------------+----------+--------+------------+-------------+---------------------+------------+--------------------------------------+-------------+--------------------------------------+-------------------+--------------------------------+------------+
| ID                                   | Name     | Status | Task State | Power State | Networks            | Image Name | Image ID                             | Flavor Name | Flavor ID                            | Availability Zone | Host                           | Properties |
+--------------------------------------+----------+--------+------------+-------------+---------------------+------------+--------------------------------------+-------------+--------------------------------------+-------------------+--------------------------------+------------+
| 22659aca-22ea-4e79-a761-a36e2953da28 | test-nfs | ACTIVE | None       | Running     | private=192.168.0.5 | cirros     | 4d956919-6e5d-4968-9040-1c0fc4b15401 | m1.small    | c681e5a6-23c9-4de0-bc99-3b21afb87c9a | nova              | compute-0.external.localdomain |            |
+--------------------------------------+----------+--------+------------+-------------+---------------------+------------+--------------------------------------+-------------+--------------------------------------+-------------------+--------------------------------+------------+


Note: I had to add the following selinux module as otherwise instance start failed with permission errors.

~~~
module my-nova-nfs 1.0;

require {
        type nova_var_lib_t;
        type svirt_t;
        class file { getattr ioctl lock open read };
}

#============= svirt_t ==============
allow svirt_t nova_var_lib_t:file { getattr ioctl lock open read };
~~~
[root@compute-0 ~]# checkmodule -M -m -o my-nova-nfs.mod my-nova-nfs.te 
[root@compute-0 ~]# semodule_package -o my-nova-nfs.pp -m my-nova-nfs.mod 
[root@compute-0 ~]# semodule -i my-nova-nfs.pp


=> affects OSP13 (openstack-selinux-0.8.14-12.el7ost.noarch) + OSP14 (openstack-selinux-0.8.15-0.20180524134826.b63283a.el7ost.noarch)

Comment 2 Lon Hohberger 2018-07-13 19:21:00 UTC
It sounds like the wrong label is being used for the NFS mount:

system_u:object_r:nfs_t:s0 should have access. My guess is that the mountpoint is mounted with a -ocontext=... that breaks things.

So, the virt_use_nfs boolean, which is turned on by openstack-selinux, should cover this use case. Granting svirt_t generic access to write over nova_var_lib_t isn't ideal.

Comment 3 Martin Schuppert 2018-07-16 10:00:37 UTC
(In reply to Lon Hohberger from comment #2)
> It sounds like the wrong label is being used for the NFS mount:
> 
> system_u:object_r:nfs_t:s0 should have access. My guess is that the
> mountpoint is mounted with a -ocontext=... that breaks things.
> 
> So, the virt_use_nfs boolean, which is turned on by openstack-selinux,
> should cover this use case. Granting svirt_t generic access to write over
> nova_var_lib_t isn't ideal.

Yes, right, the default in THT is set to nova_var_lib_t in [1]. I'll move this to THT and submit a patch to have nfs_t as the default.


[1] https://github.com/openstack/tripleo-heat-templates/blob/master/puppet/services/nova-compute.yaml#L68
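To make the cause discussed in comments 2 and 3 checkable on a compute node, here is an added example; it is my own code, not part of the bug report, openstack-selinux or tripleo-heat-templates. It parses `mount` output and flags an NFS mount of /var/lib/nova/instances whose context= option forces a type other than nfs_t, since the virt_use_nfs boolean only grants svirt_t access to nfs_t files. The sample mount lines are constructed from the output in comment 1 (the first line carries the nova_var_lib_t label from the bug, the second the corrected nfs_t label); the mount path and the expected type come from the report, and the fact that an NFS mount without a context= option defaults to nfs_t comes from the base policy's genfscon rule.

```python
"""Audit SELinux mount contexts on nova's NFS instance store.

Added example (not from the bug report). It parses `mount` output lines and
flags NFS mounts of /var/lib/nova/instances whose context= option labels the
share with something other than nfs_t. The virt_use_nfs boolean only lets
svirt_t reach nfs_t files, so any other forced label (nova_var_lib_t in this
bug) leaves guests unable to open their disk images.
"""
import re
from typing import Dict, List, Optional

# Constructed sample input, modelled on the `mount | grep nfs4` output in
# comment 1. Line 1 is the buggy label, line 2 the corrected one, line 3 an
# NFS mount with no forced context, line 4 an unrelated local filesystem.
SAMPLE_MOUNTS = """\
192.168.24.1:/var/nfs on /var/lib/nova/instances type nfs4 (rw,relatime,context=system_u:object_r:nova_var_lib_t:s0,vers=4.1,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=192.168.24.14,local_lock=none,addr=192.168.24.1,_netdev)
192.168.24.1:/var/nfs on /var/lib/nova/instances type nfs4 (rw,relatime,context=system_u:object_r:nfs_t:s0,vers=4.1,hard,proto=tcp,addr=192.168.24.1,_netdev)
192.168.24.1:/var/nfs on /var/lib/nova/instances type nfs4 (rw,relatime,vers=4.1,hard,proto=tcp,addr=192.168.24.1,_netdev)
/dev/vda2 on / type xfs (rw,relatime,attr2,inode64,noquota)
"""

NOVA_INSTANCES = "/var/lib/nova/instances"
EXPECTED_TYPE = "nfs_t"  # the type that virt_use_nfs lets svirt_t read/write

# "<source> on <target> type <fstype> (<comma-separated options>)"
MOUNT_RE = re.compile(
    r"^(?P<source>\S+) on (?P<target>\S+) type (?P<fstype>\S+) \((?P<opts>[^)]*)\)$"
)


def parse_mount_line(line: str) -> Optional[Dict[str, str]]:
    """Split one `mount` line into source, target, fstype and raw options."""
    m = MOUNT_RE.match(line.strip())
    return m.groupdict() if m else None


def context_type(opts: str) -> Optional[str]:
    """Return the type field of a context=user:role:type:level option, or None."""
    for opt in opts.split(","):
        if opt.startswith("context="):
            fields = opt[len("context="):].split(":")
            if len(fields) >= 3:
                return fields[2]
    return None


def audit_nova_nfs_mounts(mount_output: str) -> List[Dict[str, str]]:
    """Classify every NFS mount of the nova instance store.

    verdict is "ok" when the share is labelled nfs_t (explicitly or by the
    kernel default for NFS) and "wrong_label" when a context= option forces
    any other type.
    """
    findings: List[Dict[str, str]] = []
    for line in mount_output.splitlines():
        ent = parse_mount_line(line)
        if not ent or not ent["fstype"].startswith("nfs"):
            continue
        if ent["target"] != NOVA_INSTANCES:
            continue
        ctype = context_type(ent["opts"])
        if ctype is None:
            # No forced label: NFS mounts get nfs_t from the policy's genfscon rule.
            findings.append({**ent, "selinux_type": EXPECTED_TYPE, "verdict": "ok"})
        elif ctype == EXPECTED_TYPE:
            findings.append({**ent, "selinux_type": ctype, "verdict": "ok"})
        else:
            findings.append({**ent, "selinux_type": ctype, "verdict": "wrong_label"})
    return findings


if __name__ == "__main__":
    for f in audit_nova_nfs_mounts(SAMPLE_MOUNTS):
        print(f"{f['target']} {f['selinux_type']:<16} {f['verdict']}")
```

On a real compute node, feed `audit_nova_nfs_mounts` the output of `mount` instead of the constructed sample; a `wrong_label` verdict means the share was mounted with a context= option that virt_use_nfs does not cover, and the fix the thread settles on is to mount it with context=system_u:object_r:nfs_t:s0 rather than to widen svirt_t's access to nova_var_lib_t.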

Comment 5 Matthew Booth 2018-09-06 16:58:26 UTC
*** Bug 1625539 has been marked as a duplicate of this bug. ***

Comment 13 errata-xmlrpc 2018-11-13 22:27:09 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3587

