Ubuntu
nova-compute-lxd package

juju openstack charm - nova-compute-proxy - neutron-openvswitch-agent fails to start due to missing SELinux policy

Bug #1641893 reported by bugproxy
12
This bug affects 2 people
Affects Status Importance Assigned to Milestone
OpenStack Nova Compute Proxy Charm
Invalid
Medium
Unassigned
nova-compute-lxd (Ubuntu)
Invalid
Undecided
Skipper Bug Screeners

Bug Description

After installing and configuring openstack services on a z/KVM compute node via the juju nova-compute-proxy charm, trying to start neutron-openvswitch-agent is successful, but any attempts to connect to the rootwrap daemon cause SELinux policy violations.

In the latest version of z/KVM, there exists an RPM openstack-selinux.noarch that needs to be installed along with the neutron rpm.

---uname output---
Linux zs93k24 4.4.0-40.60.el7_2.kvmibm1_1_3.2.s390x #1 SMP Tue Oct 18 14:41:51 EDT 2016 s390x s390x s390x GNU/Linux

Machine Type = IBM/S390, s390x

---Steps to Reproduce---
1. Install clean z/KVM 1.1.3
2. Juju deploy nova-compute-proxy targeting z/KVM
3. Observe selinux failures

Likely there should be an addition to the PACKAGES list in the proxy charm to install this openstack-selinux RPM. Alternatively there may be some zkvm metapackage that handles this sort of issue.

Revision history for this message
bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2016-11-15 04:46 EDT-------
Canonical , please assign to correct LP-component -> nova-compute-proxy charm

tags: added: architecture-s39064 bugnameltc-148623 severity-high targetmilestone-inin---
Changed in ubuntu:
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
affects: ubuntu → nova-compute-lxd (Ubuntu)
Ryan Beisner (1chb1n)
Changed in nova-compute-lxd (Ubuntu):
status: New → Invalid
Revision history for this message
bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2016-11-22 08:38 EDT-------
*** Bug 148280 has been marked as a duplicate of this bug. ***

Revision history for this message
Frank Heimes (fheimes) wrote :

comment #5 refers to a duplicate bugzilla bug rather than a duplicate LP bug

bugproxy (bugproxy)
tags: added: targetmilestone-inin16041
removed: targetmilestone-inin---
Frank Heimes (fheimes)
tags: added: openstack-ibm
Ryan Beisner (1chb1n)
tags: added: s390x uosci
James Page (james-page)
Changed in charm-nova-compute-proxy:
status: New → Triaged
importance: Undecided → Medium
Revision history for this message
bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2017-02-03 05:22 EDT-------
The next version of KVM Compute Node will contain an openstack metapackage that includes a reference to openstack-selinux, too.
Please update the proxy charm to install this metapackage, instead of individual rpms. The metapackage name (version independent) will be "kvmibm-openstack-compute".

Revision history for this message
bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2017-02-07 05:20 EDT-------
for reference:
this is the patch review: https://review.openstack.org/#/c/428742

Revision history for this message
Vance Morris (vmorris) wrote :

I can confirm that the new metapackage will install the appropriate packages:

[root@zs93kf yum.repos.d]# yum deplist kvmibm-openstack-compute.noarch
Loaded plugins: aliases, fastestmirror, priorities
Loading mirror speeds from cached hostfile
package: kvmibm-openstack-compute.noarch 1:13.1.2-1.el7_2.kvmibm1_1_3.2
  dependency: openstack-ceilometer-compute
   provider: openstack-ceilometer-compute.noarch 1:6.1.4-2.el7_2.kvmibm1_1_3.1
  dependency: openstack-neutron-fwaas
   provider: openstack-neutron-fwaas.noarch 1:8.4.0-1.el7_2.kvmibm1_1_3.1
  dependency: openstack-neutron-metering-agent
   provider: openstack-neutron-metering-agent.noarch 1:8.4.0-1.el7_2.kvmibm1_1_3.1
  dependency: openstack-neutron-openvswitch
   provider: openstack-neutron-openvswitch.noarch 1:8.4.0-1.el7_2.kvmibm1_1_3.1
  dependency: openstack-nova-compute
   provider: openstack-nova-compute.noarch 1:13.1.2-1.el7_2.kvmibm1_1_3.2
  dependency: openstack-selinux
   provider: openstack-selinux.noarch 0.7.2-1.el7_2.kvmibm1_1_3.1

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on charm-nova-compute-proxy (master)

Change abandoned by James Page (<email address hidden>) on branch: master
Review: https://review.openstack.org/428742
Reason: No updates > 6 months

Revision history for this message
bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2017-09-27 05:25 EDT-------
IBM Bugzilla status- > closed. not required anymore

Andrew Cloke (andrew-cloke)
Changed in charm-nova-compute-proxy:
status: Triaged → Invalid
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.