OpenStack-Ansible

Live Migration failure under centos - SELinux AVC: can't use nova's ssh keys

Bug #1742732 reported by Major Hayden on 2018-01-11

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack-Ansible	Fix Released	Medium	Major Hayden

Bug Description

When nova tries to ssh to another host to do a live migration on CentOS 7, the receiving host will have an SELinux AVC when it tries to read /var/lib/nova/.ssh/.authorized_keys. The SELinux equivalency that was set up in the past for /var/lib/nova may need to be removed and replaced with something else.

Tags:

Jean-Philippe Evrard (jean-philippe-evrard) on 2018-01-16

Changed in openstack-ansible:
status:	New → Confirmed
importance:	Low → Medium
summary:	- SELinnux AVC: can't use nova's ssh keys + Live Migration failure under centos - SELinux AVC: can't use nova's ssh + keys

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-01-17: Fix proposed to openstack-ansible-os_nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/534891

Changed in openstack-ansible:
status:	Confirmed → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-02-01: Fix merged to openstack-ansible-os_nova (master)

Reviewed: https://review.openstack.org/534891
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-os_nova/commit/?id=1a483db8d0fd629dc792c6160c182def57ee3ad3
Submitter: Zuul
Branch: master

commit 1a483db8d0fd629dc792c6160c182def57ee3ad3
Author: Major Hayden <email address hidden>
Date: Wed Jan 31 09:16:14 2018 -0600

Fix SELinux file contexts for nova's ssh keys

The original SELinux file context equivalance that was added for
/var/lib/nova was too broad and needs to be made more specific.

    This patch removes the old equivalence record and replaces it with
    a specific file context rule. This allows live migrations to work
    with CentOS 7 systems that have SELinux in enforcing mode.

    Closes-Bug: 1742732
    Depends-On: I52901ac48f9a95d0fe6b010f5940b5c39fce1aba
    Change-Id: I8f7c750edc1c7b354343f07230eb17d1357001de

Changed in openstack-ansible:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-02-01: Fix proposed to openstack-ansible-os_nova (stable/pike)

Fix proposed to branch: stable/pike
Review: https://review.openstack.org/539948

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-02-02: Change abandoned on openstack-ansible-os_nova (stable/pike)

Change abandoned by Major Hayden (<email address hidden>) on branch: stable/pike
Review: https://review.openstack.org/539948
Reason: Nevermind. I don't think we need this in Pike.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-02-14: Fix included in openstack/openstack-ansible-os_nova 17.0.0.0rc1

This issue was fixed in the openstack/openstack-ansible-os_nova 17.0.0.0rc1 release candidate.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-04-07: Related fix proposed to openstack-ansible-os_nova (stable/queens)

Related fix proposed to branch: stable/queens
Review: https://review.openstack.org/559490

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-04-25: Related fix proposed to openstack-ansible-os_nova (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/564228

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-04-30: Related fix merged to openstack-ansible-os_nova (master)

Reviewed: https://review.openstack.org/564228
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-os_nova/commit/?id=6d4568f59c78acad6843bef3d458e2867aa81e4b
Submitter: Zuul
Branch: master

commit 6d4568f59c78acad6843bef3d458e2867aa81e4b
Author: Vadim Kuznetsov <email address hidden>
Date: Sat Apr 7 09:22:31 2018 -0400

Fix removal of SELinux fcontext

Delete fcontext when equivalence is in the context

Change-Id: I7f3b2c4b5b53c6152d73343af1906ed8fa46640b
Related-Bug: 1742732

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-06-04: Related fix merged to openstack-ansible-os_nova (stable/queens)

Reviewed: https://review.openstack.org/559490
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-os_nova/commit/?id=511060612640b71025b633c18885b31bafcbbcdc
Submitter: Zuul
Branch: stable/queens

commit 511060612640b71025b633c18885b31bafcbbcdc
Author: Vadim Kuznetsov <email address hidden>
Date: Sat Apr 7 09:22:31 2018 -0400

Fix removal of SELinux fcontext

Delete fcontext when equivalence is in the context

    Change-Id: I7f3b2c4b5b53c6152d73343af1906ed8fa46640b
    Related-Bug: 1742732
    (cherry picked from commit 6d4568f59c78acad6843bef3d458e2867aa81e4b)

tags:

added: in-stable-queens

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.