container-puppet.sh fails if SElinux is enforced and Paunch disabled

Bug #1864501 reported by Emilien Macchi
Affects: tripleo
Status: Fix Released
Importance: High
Assigned to: Emilien Macchi

Bug Description

When disabling Paunch & enabling SElinux, the container-puppet.sh script (entrypoint of all Puppet containers) fails to read content from /tmp/puppet-tmp:
http://paste.openstack.org/show/789937/

We need to update the OpenStack SElinux podman policy to allow that.

Changed in tripleo:
milestone: none → ussuri-3
importance: Undecided → High
status: New → Triaged
tags: added: train-backport-potential
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-ansible (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/709562

Cédric Jeanneret (cjeanner) wrote :

Patch for openstack-selinux is proposed:
https://github.com/redhat-openstack/openstack-selinux/pull/58

Changed in tripleo:
assignee: nobody → Cédric Jeanneret (cjeanner)
Changed in tripleo:
assignee: Cédric Jeanneret (cjeanner) → Emilien Macchi (emilienm)
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-ansible (stable/train)

Related fix proposed to branch: stable/train
Review: https://review.opendev.org/709646

OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-ansible (master)

Reviewed: https://review.opendev.org/709562
Committed: https://git.openstack.org/cgit/openstack/tripleo-ansible/commit/?id=99448e20feabf141a49d6953d980c2de6a7c4b07
Submitter: Zuul
Branch: master

commit 99448e20feabf141a49d6953d980c2de6a7c4b07
Author: Emilien Macchi <email address hidden>
Date: Mon Feb 24 10:58:53 2020 -0500

    container_puppet_config: disable SElinux labelling

    This is a leftover from container-puppet.py that was missed in the
    migration to Ansible. If we don't do that, SElinux will report alerts
    because the entrypoint (container-puppet.sh) tries to copy (and
    therefore read) the content of /tmp/puppet-tmp which isn't readable per
    current OpenStack SElinux podman policies.

    While this is done in the policy, let's port the configuration that was
    done before in container-puppet.py and this patch will be reverted once
    the policy is less restrictive.

    Change-Id: I5baefe16f313cc17d369c9f16529516fc8d6f6e5
    Related-Bug: #1864501
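
To triage this class of failure from the host's audit log, here is an added example (not from the bug report or from tripleo-ansible) that flags AVC denials where a process in the container_t domain is refused access to a bind-mounted path that still carries its host label, which is what happens to /tmp/puppet-tmp when the container is run without relabelling or with labelling left enabled. The audit lines are constructed, and the file names and contexts in them are assumed.

```python
import re
from typing import Optional

# Kernel audit AVC record: "avc:  denied  { read } for  pid=... comm="cp" ... scontext=... tcontext=..."
_AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<fields>.*)$')
_KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_avc(line: str) -> Optional[dict]:
    """Return the denied permissions and key=value fields of one AVC line, or None."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, raw, quoted in _KV_RE.findall(m.group("fields")):
        rec[key] = quoted if raw.startswith('"') else raw
    return rec


def selinux_type(context: str) -> str:
    """user:role:type:level -> the type field."""
    return context.split(":")[2]


def is_unrelabelled_mount_denial(rec: Optional[dict]) -> bool:
    """True for an enforced denial of a container_t process on an object that is
    not container_file_t, i.e. a host path mounted in without relabelling."""
    if rec is None or "scontext" not in rec or "tcontext" not in rec:
        return False
    return (selinux_type(rec["scontext"]) == "container_t"
            and selinux_type(rec["tcontext"]) != "container_file_t"
            and rec.get("permissive", "0") == "0")


def find_mount_label_denials(lines) -> list:
    return [rec for rec in map(parse_avc, lines) if is_unrelabelled_mount_denial(rec)]


# Constructed sample records (assumed values, not the paste attached to the bug).
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1582560000.123:4567): avc:  denied  { read } for  pid=2345 comm="cp" '
    'name="puppet-tmp" dev="vda1" ino=1234 scontext=system_u:system_r:container_t:s0:c12,c345 '
    'tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir permissive=0',
    'type=AVC msg=audit(1582560001.456:4568): avc:  denied  { read } for  pid=987 comm="httpd" '
    'name="index.html" dev="vda1" ino=5678 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0',
    'type=SYSCALL msg=audit(1582560000.123:4567): arch=c000003e syscall=257 success=no',
]

if __name__ == "__main__":
    for hit in find_mount_label_denials(SAMPLE_AUDIT_LINES):
        print(hit["comm"], hit["name"], hit["tcontext"])
```

A hit like the first sample points at a mount that needs either a relabel of the volume or, as the workaround merged here, labelling disabled on the container; the latter lifts SELinux confinement of that container's file access, so the policy change is the fix to keep.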

OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-ansible (stable/train)

Reviewed: https://review.opendev.org/709646
Committed: https://git.openstack.org/cgit/openstack/tripleo-ansible/commit/?id=888f6d72cbc97c6f41a8101b75485fa9a0590449
Submitter: Zuul
Branch: stable/train

commit 888f6d72cbc97c6f41a8101b75485fa9a0590449
Author: Emilien Macchi <email address hidden>
Date: Mon Feb 24 10:58:53 2020 -0500

    container_puppet_config: disable SElinux labelling

    This is a leftover from container-puppet.py that was missed in the
    migration to Ansible. If we don't do that, SElinux will report alerts
    because the entrypoint (container-puppet.sh) tries to copy (and
    therefore read) the content of /tmp/puppet-tmp which isn't readable per
    current OpenStack SElinux podman policies.

    While this is done in the policy, let's port the configuration that was
    done before in container-puppet.py and this patch will be reverted once
    the policy is less restrictive.

    Change-Id: I5baefe16f313cc17d369c9f16529516fc8d6f6e5
    Related-Bug: #1864501
    (cherry picked from commit 99448e20feabf141a49d6953d980c2de6a7c4b07)

tags: added: in-stable-train
Changed in tripleo:
status: Triaged → Fix Released