Comment 3 for bug 1799484

Cédric Jeanneret (cjeanner) wrote :

OK, the "real" issue is apparently here:

2018-10-23 17:07:49.342 58988 DEBUG neutron.agent.linux.utils [-] Running command (rootwrap daemon): ['ip', 'netns', 'exec', 'qdhcp-3c92f030-45b4-4927-a83f-b2141a18877f', 'dnsmasq', '--no-hosts', '--no-resolv', '--except-interface=lo', '--pid-file=/var/lib/neutron/dhcp/3c92f030-45b4-4927-a83f-b2141a18877f/pid', '--dhcp-hostsfile=/var/lib/neutron/dhcp/3c92f030-45b4-4927-a83f-b2141a18877f/host', '--addn-hosts=/var/lib/neutron/dhcp/3c92f030-45b4-4927-a83f-b2141a18877f/addn_hosts', '--dhcp-optsfile=/var/lib/neutron/dhcp/3c92f030-45b4-4927-a83f-b2141a18877f/opts', '--dhcp-leasefile=/var/lib/neutron/dhcp/3c92f030-45b4-4927-a83f-b2141a18877f/leases', '--dhcp-match=set:ipxe,175', '--bind-interfaces', '--interface=tape2d00740-20', '--dhcp-range=set:tag0,192.168.24.0,static,255.255.255.0,86400s', '--dhcp-option-force=option:mtu,1500', '--dhcp-lease-max=256', '--conf-file=', '--domain=localdomain'] execute_rootwrap_daemon /usr/lib/python2.7/site-packages/neutron/agent/linux/utils.py:103

The dhcp-agent container wants to spawn that command through another container, the very one that exits with a non-0 status.

A "podman inspect <said container>" shows that, apparently, no SELinux tags are added to the volumes, and this can be the root cause of the issue, especially for those ones:

            {
                "destination": "/run/netns",
                "type": "bind",
                "source": "/run/netns",
                "options": [
                    "shared",
                    "rbind",
                    "rw"
                ]
            },
            {
                "destination": "/var/lib/neutron",
                "type": "bind",
                "source": "/var/lib/neutron",
                "options": [
                    "rbind",
                    "rw",
                    "rprivate"
                ]
            },

The /var/lib/neutron should be "shared,z", as well as the "/run/netns", as those two are shared with different containers, hence with different SELinux contexts/namespace.
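A small check for the situation described in this comment, added here as an illustration and not part of the bug report or of TripleO/podman: it walks `podman inspect` output and reports bind mounts that carry neither the `z` nor the `Z` relabel option, optionally restricted to paths known to be shared between containers. The sample JSON is constructed to mirror the excerpt above (same lowercase key names, plus one invented mount that already carries `z`); `podman inspect <container>` on a real host would be fed in instead.

```python
import json

# Constructed sample modelled on the `podman inspect` excerpt in this comment;
# not output captured from the affected system. The third mount is invented
# to show a volume that already carries the relabel option.
SAMPLE_INSPECT = json.dumps([{
    "Mounts": [
        {"destination": "/run/netns", "type": "bind",
         "source": "/run/netns", "options": ["shared", "rbind", "rw"]},
        {"destination": "/var/lib/neutron", "type": "bind",
         "source": "/var/lib/neutron", "options": ["rbind", "rw", "rprivate"]},
        {"destination": "/etc/neutron", "type": "bind",
         "source": "/srv/neutron-config", "options": ["rbind", "ro", "z"]},
    ]
}])

# Either option asks the runtime to relabel the host path for the container:
# 'z' for a label shared across containers, 'Z' for a private one.
RELABEL_OPTIONS = {"z", "Z"}


def unlabeled_bind_mounts(inspect_json, shared_paths=None):
    """Return (destination, sorted options) for each bind mount lacking z/Z.

    If shared_paths is given, only those destinations are checked: a path
    handed to several containers is where a missing relabel causes the
    SELinux denials this comment suspects.
    """
    findings = []
    for container in json.loads(inspect_json):
        for mount in container.get("Mounts", []):
            if mount.get("type") != "bind":
                continue
            dest = mount.get("destination")
            if shared_paths and dest not in shared_paths:
                continue
            opts = set(mount.get("options", []))
            if not opts & RELABEL_OPTIONS:
                findings.append((dest, sorted(opts)))
    return findings


if __name__ == "__main__":
    shared = {"/run/netns", "/var/lib/neutron"}
    for dest, opts in unlabeled_bind_mounts(SAMPLE_INSPECT, shared):
        print(f"{dest}: options={opts} -> expected 'z' (e.g. -v {dest}:{dest}:shared,z)")
```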