Live-migration fails when selinux is enforcing

Bug #1729405 reported by Oliver Walsh
This bug affects 1 person
Affects: tripleo
Status: Fix Released
Importance: Critical
Assigned to: Oliver Walsh

Bug Description

The nova_migration_target sshd daemon refuses connections when selinux is enforcing.

Related bugzilla https://bugzilla.redhat.com/show_bug.cgi?id=1495599

OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (stable/pike)

Fix proposed to branch: stable/pike
Review: https://review.openstack.org/517125

OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (master)

Reviewed: https://review.openstack.org/515966
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=7c8127cf96a281dd5cee96e1a68bc0508b9ba4e7
Submitter: Zuul
Branch: master

commit 7c8127cf96a281dd5cee96e1a68bc0508b9ba4e7
Author: Oliver Walsh <email address hidden>
Date: Sat Oct 28 00:06:46 2017 +0100

    Only mount selinux sysfs in nova_libvirt container

    https://review.openstack.org/500952 initially just did this. Then we assumed
    every container should have the selinux sysfs.
    This causes issues with the sshd container used for live-migration.

    The advice from the selinux experts is that it should not be enabled within
    containers, so reverting back to the original fix that enables it only in the
    nova-libvirt container.

    Closes-bug: 1729405
    Change-Id: I80bf38d7d64ab99510574af5c57423fde9b84eca

Changed in tripleo:
status: In Progress → Fix Released

OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (stable/pike)

Reviewed: https://review.openstack.org/517125
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=b3277ed2ca4df1fb1bf23565a9104d6b047e1ac1
Submitter: Zuul
Branch: stable/pike

commit b3277ed2ca4df1fb1bf23565a9104d6b047e1ac1
Author: Oliver Walsh <email address hidden>
Date: Sat Oct 28 00:06:46 2017 +0100

    Only mount selinux sysfs in nova_libvirt container

    https://review.openstack.org/500952 initially just did this. Then we assumed
    every container should have the selinux sysfs.
    This causes issues with the sshd container used for live-migration.

    The advice from the selinux experts is that it should not be enabled within
    containers, so reverting back to the original fix that enables it only in the
    nova-libvirt container.

    Closes-bug: 1729405
    Change-Id: I80bf38d7d64ab99510574af5c57423fde9b84eca
    (cherry picked from commit 7c8127cf96a281dd5cee96e1a68bc0508b9ba4e7)

tags: added: in-stable-pike

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 7.0.4

This issue was fixed in the openstack/tripleo-heat-templates 7.0.4 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 8.0.0.0b2

This issue was fixed in the openstack/tripleo-heat-templates 8.0.0.0b2 development milestone.
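
Added example (not part of the bug report or of the tripleo-heat-templates change): a Python check over `docker inspect` JSON that lists containers other than nova_libvirt with /sys/fs/selinux mounted, the condition the fix removes. The sample input is constructed; the nova_compute entry and the /etc/ssh bind are assumptions for illustration.

```python
import json
import posixpath

SELINUX_SYSFS = "/sys/fs/selinux"
# Per the commit message, only the libvirt container should get this mount.
ALLOWED = {"nova_libvirt"}

# Constructed sample in the shape of `docker inspect` output (not from a real host).
SAMPLE_INSPECT = json.dumps([
    {"Name": "/nova_libvirt",
     "Mounts": [{"Type": "bind", "Source": "/sys/fs/selinux",
                 "Destination": "/sys/fs/selinux", "RW": True}]},
    {"Name": "/nova_migration_target",
     "Mounts": [{"Type": "bind", "Source": "/etc/ssh",
                 "Destination": "/host-ssh", "RW": False},
                {"Type": "bind", "Source": "/sys/fs/selinux/",
                 "Destination": "/sys/fs/selinux", "RW": True}]},
    {"Name": "/nova_compute", "Mounts": None},
])


def _is_selinuxfs(path):
    """True if path, once normalised, is the selinux sysfs mount point."""
    return bool(path) and posixpath.normpath(path) == SELINUX_SYSFS


def find_unexpected(inspect_json, allowed=ALLOWED):
    """Return sorted names of containers outside `allowed` that bind selinuxfs.

    Only direct binds of /sys/fs/selinux are matched; binds of a parent
    directory such as /sys are out of scope for this check.
    """
    offenders = set()
    for container in json.loads(inspect_json):
        name = container.get("Name", "").lstrip("/")
        if name in allowed:
            continue
        # "Mounts" can be missing or null for containers without volumes.
        for mount in container.get("Mounts") or []:
            if _is_selinuxfs(mount.get("Source")) or _is_selinuxfs(mount.get("Destination")):
                offenders.add(name)
    return sorted(offenders)


if __name__ == "__main__":
    for name in find_unexpected(SAMPLE_INSPECT):
        print(f"{name}: unexpected {SELINUX_SYSFS} mount")
```

On a compute node the same function can be fed the output of `docker inspect $(docker ps -q)` in place of the sample.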
