Virtlogd recreates console.log file as root:root after live migration

Bug #1746188 reported by Daniel Russell
Affects: OpenStack Compute (nova)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned

Bug Description

Hi,

Description / Steps to reproduce
================================

When instances are launched, they get the following console/serial configuration:

    <serial type="pty">
      <log file="/var/lib/nova/instances/e53cf7b4-e11a-445f-b4e3-006120e8d800/console.log" append="off"/>
      <target type="isa-serial" port="0"/>
    </serial>
    <console type="pty">
      <log file="/var/lib/nova/instances/e53cf7b4-e11a-445f-b4e3-006120e8d800/console.log" append="off"/>
      <target type="serial" port="0"/>
    </console>

If I look at the permissions for the console.log I see:

[root@<snip> nova]# ls -l /var/lib/nova/instances/e53cf7b4-e11a-445f-b4e3-006120e8d800/console.log
-rw-------. 1 nova openstack 0 Jan 30 11:09 /var/lib/nova/instances/e53cf7b4-e11a-445f-b4e3-006120e8d800/console.log
[root@<snip> nova]#

If I then live migrate the instance to another host (or complete a resize operation), virtlogd deletes the console.log and then recreates it as root:root.

[root@<snip> nova]# ls -l /var/lib/nova/instances/e53cf7b4-e11a-445f-b4e3-006120e8d800/console.log
-rw-------. 1 root root 0 Jan 30 11:14 /var/lib/nova/instances/e53cf7b4-e11a-445f-b4e3-006120e8d800/console.log
[root@<snip> nova]#

This looks to be because when the instance is configured with append="off", it ends up setting trunc to True in https://github.com/libvirt/libvirt/blob/93575f345116fe1413f6fe3109227b8be2f416da/src/util/virrotatingfile.c#L260-L265 and deletes the console log before recreating. As virtlogd is running as root and it doesn't seem to chown anything, it becomes root:root.

The first migration completes successfully but subsequent ones fail due to permissions errors trying to access the console.log.

If I change virt/libvirt/config.py to set append="on", the log isn't recreated (but I now have a problem with an ever growing log file).

Expected result
===============
Console.log still has nova:openstack ownership

Actual result
=============
Console.log has root:root ownership

Environment
===========
This is a libvirt + KVM environment on CentOS 7.

nova - 16.0.3
libvirt - 3.2.0-14.el7_4.7
qemu - 2.9.0-16.el7_4.13.1

In /etc/libvirt/qemu.conf, I have the following configured:
user = "nova"
group = "openstack"
dynamic_ownership = 0

SELinux is enabled, and if I set it to permissive and make it error for that folder, I get records like:

(virtlogd attempting delete)
time->Tue Jan 30 12:43:27 2018
type=PROCTITLE msg=audit(1517276607.013:90227): proctitle="/usr/sbin/virtlogd"
type=PATH msg=audit(1517276607.013:90227): item=1 name="/var/lib/nova/instances/e53cf7b4-e11a-445f-b4e3-006120e8d800/console.log" inode=1898807 dev=00:27 mode=0100600 ouid=162 ogid=1100 rdev=00:00 obj=system_u:object_r:nfs_t:s0 objtype=DELETE
type=PATH msg=audit(1517276607.013:90227): item=0 name="/var/lib/nova/instances/e53cf7b4-e11a-445f-b4e3-006120e8d800/" inode=1898806 dev=00:27 mode=040755 ouid=162 ogid=1100 rdev=00:00 obj=system_u:object_r:nfs_t:s0 objtype=PARENT
type=CWD msg=audit(1517276607.013:90227): cwd="/"
type=SYSCALL msg=audit(1517276607.013:90227): arch=c000003e syscall=87 success=yes exit=0 a0=7f406c000d30 a1=7f406c000cd9 a2=0 a3=6e6f632f36353935 items=2 ppid=1 pid=25859 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="virtlogd" exe="/usr/sbin/virtlogd" subj=system_u:system_r:virtlogd_t:s0-s0:c0.c1023
type=AVC msg=audit(1517276607.013:90227): avc: denied { unlink } for pid=25859 comm="virtlogd" name="console.log" dev="0:39" ino=1898807 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=file
type=AVC msg=audit(1517276607.013:90227): avc: denied { remove_name } for pid=25859 comm="virtlogd" name="console.log" dev="0:39" ino=1898807 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=AVC msg=audit(1517276607.013:90227): avc: denied { write } for pid=25859 comm="virtlogd" name="e53cf7b4-e11a-445f-b4e3-006120e8d8006" dev="0:39" ino=1898806 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=dir

(virtlogd attempting create)
time->Tue Jan 30 12:43:27 2018
type=PROCTITLE msg=audit(1517276607.018:90231): proctitle="/usr/sbin/virtlogd"
type=PATH msg=audit(1517276607.018:90231): item=1 name="/var/lib/nova/instances/e53cf7b4-e11a-445f-b4e3-006120e8d800/console.log" inode=1898807 dev=00:27 mode=0100600 ouid=0 ogid=99 rdev=00:00 obj=system_u:object_r:nfs_t:s0 objtype=NORMAL
type=PATH msg=audit(1517276607.018:90231): item=0 name="/var/lib/nova/instances/e53cf7b4-e11a-445f-b4e3-006120e8d800/" inode=1898806 dev=00:27 mode=040755 ouid=162 ogid=1100 rdev=00:00 obj=system_u:object_r:nfs_t:s0 objtype=PARENT
type=CWD msg=audit(1517276607.018:90231): cwd="/"
type=SYSCALL msg=audit(1517276607.018:90231): arch=c000003e syscall=2 success=yes exit=15 a0=7f406c000d30 a1=80441 a2=180 a3=7f406c000d90 items=2 ppid=1 pid=25859 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="virtlogd" exe="/usr/sbin/virtlogd" subj=system_u:system_r:virtlogd_t:s0-s0:c0.c1023
type=AVC msg=audit(1517276607.018:90231): avc: denied { create } for pid=25859 comm="virtlogd" name="console.log" scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=file
type=AVC msg=audit(1517276607.018:90231): avc: denied { add_name } for pid=25859 comm="virtlogd" name="console.log" scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=dir

tags: added: console libvirt openstack-version.pike
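The ownership flip the reporter found in the audit records can be picked out from the PATH and SYSCALL records alone: a file whose PATH record carries objtype=DELETE and which then reappears in a later event under a different ouid/ogid. The following detector is an added example, not code from the report or from nova/libvirt; its sample records are a constructed, trimmed copy of the ones quoted above.

```python
import re

# Constructed sample modelled on the auditd records quoted in the report:
# an unlink (syscall 87) of console.log owned 162:1100, then an open/create
# (syscall 2) of the same path by virtlogd running as uid 0, now owned 0:99.
SAMPLE_AUDIT = """\
type=PATH msg=audit(1517276607.013:90227): item=1 name="/var/lib/nova/instances/e53cf7b4-e11a-445f-b4e3-006120e8d800/console.log" inode=1898807 mode=0100600 ouid=162 ogid=1100 objtype=DELETE
type=SYSCALL msg=audit(1517276607.013:90227): arch=c000003e syscall=87 success=yes exit=0 pid=25859 uid=0 gid=0 euid=0 comm="virtlogd" exe="/usr/sbin/virtlogd"
type=PATH msg=audit(1517276607.018:90231): item=1 name="/var/lib/nova/instances/e53cf7b4-e11a-445f-b4e3-006120e8d800/console.log" inode=1898807 mode=0100600 ouid=0 ogid=99 objtype=NORMAL
type=SYSCALL msg=audit(1517276607.018:90231): arch=c000003e syscall=2 success=yes exit=15 pid=25859 uid=0 gid=0 euid=0 comm="virtlogd" exe="/usr/sbin/virtlogd"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_RE = re.compile(r'msg=audit\(([\d.]+:\d+)\)')

def parse_record(line):
    """Split one audit record into a dict of fields, quotes stripped."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    m = EVENT_RE.search(line)
    fields["event"] = m.group(1) if m else None
    return fields

def group_events(text):
    """Group records by audit event id (timestamp:serial), in first-seen order."""
    events = {}
    for line in text.splitlines():
        if line.startswith("type="):
            rec = parse_record(line)
            events.setdefault(rec["event"], []).append(rec)
    return events

def find_ownership_flips(text):
    """Return files that were unlinked and later recreated with a different ouid/ogid."""
    deleted = {}   # path -> (ouid, ogid) as recorded at unlink time
    findings = []
    for recs in group_events(text).values():
        syscall = next((r for r in recs if r["type"] == "SYSCALL"), {})
        for r in recs:
            if r["type"] != "PATH" or "ouid" not in r:
                continue
            owner = (int(r["ouid"]), int(r["ogid"]))
            if r.get("objtype") == "DELETE":
                deleted[r["name"]] = owner
            elif r["name"] in deleted and owner != deleted[r["name"]]:
                findings.append({"path": r["name"], "old": deleted.pop(r["name"]),
                                 "new": owner, "comm": syscall.get("comm"),
                                 "uid": int(syscall.get("uid", -1))})
    return findings
```

Run against a real `ausearch -m PATH,SYSCALL` dump the same way; the PARENT records for the instance directory are skipped because their name is never seen as a DELETE target.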
Sylvain Bauza (sylvain-bauza) wrote :

Looks related to https://bugs.launchpad.net/nova/+bug/1634282 where we just accept a permission issue.

Sylvain Bauza (sylvain-bauza) wrote :

Also related to https://bugs.launchpad.net/nova/+bug/1609298, which is still open.

Sylvain Bauza (sylvain-bauza) wrote :

Honestly, trying to get some context on console permissions issues is very difficult. But given that we merged https://review.openstack.org/#/c/349541/3 and later with https://review.openstack.org/454593 and https://review.openstack.org/#/c/466088/ we are now in a position where we say "please use dynamic_ownership=1, it should work"

Also, as it was stated by https://bugs.launchpad.net/nova/+bug/1597644/comments/22 Nova shouldn't support dynamic_ownership=0.

So, could you please try to modify qemu.conf by changing that option to 1 and see if that fixes your problem?

Putting the bug as Invalid, but feel free to ping me on IRC and reopen the bug if you consider that outcome not valid.

Changed in nova:
status: New → Invalid