Allow to run docker-puppet.py with SELinux enabled

Bug #1807680 reported by Mike Fedosin
Affects: tripleo
Status: Fix Released
Importance: Undecided
Assigned to: Mike Fedosin
Milestone: (none)

Bug Description

docker-puppet.py for keepalived and haproxy fails after specifying --selinux-enabled in /etc/sysconfig/docker:

We can see that the failure is caused by:

        "+ /usr/bin/puppet apply --summarize --detailed-exitcodes --color=false --logdest syslog --logdest console --modulepath=/etc/puppet/modules:/usr/share/openstack-puppet/modules --tags file,file_line,concat,augeas,cron,haproxy_config /etc/config.pp",
        "Error: Could not create resources for managing Puppet's files and directories in sections [:main, :agent, :ssl]: Permission denied - /usr/share/openstack-puppet/modules",
        "Error: Could not prepare for execution: Could not create resources for managing Puppet's files and directories in sections [:main, :agent, :ssl]: Permission denied - /usr/share/openstack-puppet/modules",
        "Permission denied - /usr/share/openstack-puppet/modules",

We can also notice the following SELinux denials which appear to be related:

# grep denied /var/log/audit/audit.log
type=AVC msg=audit(1544149222.195:19193): avc: denied { read } for pid=64980 comm="puppet" name="79c0a0162fb2c129196dc9f9fde2b44b3195b73a80485d05bd48a4772cca5e27" dev="tmpfs" ino=1356607 scontext=system_u:system_r:container_t:s0:c22,c364 tcontext=system_u:object_r:container_var_run_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1544149222.246:19196): avc: denied { read } for pid=64986 comm="puppet" name="521e31f211a50e0e665da6c251613a7abaa3a65f34b7800aa6a90b760cb82804" dev="tmpfs" ino=1358896 scontext=system_u:system_r:container_t:s0:c737,c943 tcontext=system_u:object_r:container_var_run_t:s0 tclass=dir permissive=0

Revision history for this message
Mike Fedosin (mfedosin) wrote :
Changed in tripleo:
assignee: nobody → Mike Fedosin (mfedosin)
status: New → Confirmed
Changed in tripleo:
status: Confirmed → In Progress
Mike Fedosin (mfedosin)
summary: - Allow to deploy containerized overcloud with SELinux
+ Allow to run docker-puppet.py with SELinux enabled
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (stable/rocky)

Fix proposed to branch: stable/rocky
Review: https://review.openstack.org/624069

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (master)

Reviewed: https://review.openstack.org/623649
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=dcdf75b94f7a46a1095da5a9b2afc1dbcd14ac56
Submitter: Zuul
Branch: master

commit dcdf75b94f7a46a1095da5a9b2afc1dbcd14ac56
Author: Mike Fedosin <email address hidden>
Date: Sat Dec 8 15:43:21 2018 +0100

    Allow to run docker-puppet.py with SELinux enabled

    In docker-puppet.py script we try to relabel
    /usr/share/openstack-puppet/modules by adding ":z" suffix
    in the end.

    Unfortunately this operation is not allowed in docker with
    enabled SELinux. Docker's error message is:

    Error response from daemon: error setting label on mount source
    '/usr/share/openstack-puppet/modules': SELinux relabeling of
    /usr/share/openstack-puppet/modules is not allowed:
    "Relabeling content in /usr is not allowed.".

    It leads to the fact that during the configuration the job fails
    with "Permission denied - /usr/share/openstack-puppet/modules".

    There is no need to relabel that folder since it's read-only.
    After removing ":z" it is possible to deploy the overcloud with
    enabled SELinux.

    Closes-Bug: #1807680

    Change-Id: I11c7c5e9594fe0cdb2a114f81033651e411c9e3c
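
The mechanism behind the fix above, as an added example that is not docker-puppet.py's own code: a small model of the `src:dst:opts` bind-mount specs the script hands to `docker run --volume`, a check that flags a `:z`/`:Z` relabel request on a source under /usr (which SELinux-enabled Docker refuses, per the daemon error quoted in the commit), and the fix of dropping the relabel flag. The prefix list, function names and sample mount list are assumptions for illustration.

```python
# Added example, not the project's docker-puppet.py: model the bind-mount specs that
# docker-puppet.py hands to "docker run --volume" and flag the one that Docker with
# SELinux enabled refuses, a ":z"/":Z" relabel request on a source under /usr.

# Docker rejects relabeling of content under these prefixes (the daemon error on the
# page says "Relabeling content in /usr is not allowed"). /usr is the only prefix the
# page documents; keeping a tuple here is an assumption that allows extension.
NO_RELABEL_PREFIXES = ("/usr",)

def parse_volume(spec):
    """Split 'src:dst[:opt1,opt2]' into (src, dst, [opts])."""
    parts = spec.split(":")
    if len(parts) < 2:
        raise ValueError("volume spec needs at least src:dst: %r" % spec)
    src, dst = parts[0], parts[1]
    opts = [o for o in ":".join(parts[2:]).split(",") if o]
    return src, dst, opts

def relabel_problem(spec):
    """Return why Docker would refuse this spec under SELinux, or None if it is fine."""
    src, _dst, opts = parse_volume(spec)
    if not {"z", "Z"} & set(opts):
        return None  # no relabel requested, nothing for Docker to refuse
    for prefix in NO_RELABEL_PREFIXES:
        if src == prefix or src.startswith(prefix + "/"):
            return "SELinux relabeling of %s is not allowed (under %s)" % (src, prefix)
    return None

def fix_volume(spec):
    """Apply the fix from the bug: drop z/Z on a source Docker refuses to relabel,
    leaving every other option (ro, rw, ...) untouched."""
    if relabel_problem(spec) is None:
        return spec
    src, dst, opts = parse_volume(spec)
    kept = [o for o in opts if o not in ("z", "Z")]
    return ":".join([src, dst] + ([",".join(kept)] if kept else []))

# Constructed sample in the style of docker-puppet.py's mounts (not the script's real list).
SAMPLE_VOLUMES = [
    "/etc/puppet:/tmp/puppet-etc:ro",
    "/usr/share/openstack-puppet/modules:/usr/share/openstack-puppet/modules:z",
    "/var/lib/config-data:/var/lib/config-data:rw,z",
]

def check_volumes(volumes):
    """Return {spec: reason} for every spec that Docker would reject."""
    return {v: relabel_problem(v) for v in volumes if relabel_problem(v)}

if __name__ == "__main__":
    for spec, reason in check_volumes(SAMPLE_VOLUMES).items():
        print("%s\n  -> %s\n  fixed: %s" % (spec, reason, fix_volume(spec)))
```

Relabeling /var/lib/config-data is left alone on purpose: the mount under /usr is the only one Docker refuses, and it is read-only content, so no relabel is needed there.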

Changed in tripleo:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (stable/rocky)

Fix proposed to branch: stable/rocky
Review: https://review.openstack.org/624236

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.openstack.org/624238

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (stable/queens)

Reviewed: https://review.openstack.org/624238
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=621b9d91d8c069b1e560bad8e130c12f2fb30ad3
Submitter: Zuul
Branch: stable/queens

commit 621b9d91d8c069b1e560bad8e130c12f2fb30ad3
Author: Mike Fedosin <email address hidden>
Date: Sat Dec 8 15:43:21 2018 +0100

    Allow to run docker-puppet.py with SELinux enabled

    In docker-puppet.py script we try to relabel
    /usr/share/openstack-puppet/modules by adding ":z" suffix
    in the end.

    Unfortunately this operation is not allowed in docker with
    enabled SELinux. Docker's error message is:

    Error response from daemon: error setting label on mount source
    '/usr/share/openstack-puppet/modules': SELinux relabeling of
    /usr/share/openstack-puppet/modules is not allowed:
    "Relabeling content in /usr is not allowed.".

    It leads to the fact that during the configuration the job fails
    with "Permission denied - /usr/share/openstack-puppet/modules".

    There is no need to relabel that folder since it's read-only.
    After removing ":z" it is possible to deploy the overcloud with
    enabled SELinux.

    Closes-Bug: #1807680

    Change-Id: I11c7c5e9594fe0cdb2a114f81033651e411c9e3c
    (cherry picked from commit dcdf75b94f7a46a1095da5a9b2afc1dbcd14ac56)

tags: added: in-stable-queens
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (stable/rocky)

Reviewed: https://review.openstack.org/624236
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=df0c4f3fb96cad200f811e09a63958e7f2cd765e
Submitter: Zuul
Branch: stable/rocky

commit df0c4f3fb96cad200f811e09a63958e7f2cd765e
Author: Mike Fedosin <email address hidden>
Date: Sat Dec 8 15:43:21 2018 +0100

    Allow to run docker-puppet.py with SELinux enabled

    In docker-puppet.py script we try to relabel
    /usr/share/openstack-puppet/modules by adding ":z" suffix
    in the end.

    Unfortunately this operation is not allowed in docker with
    enabled SELinux. Docker's error message is:

    Error response from daemon: error setting label on mount source
    '/usr/share/openstack-puppet/modules': SELinux relabeling of
    /usr/share/openstack-puppet/modules is not allowed:
    "Relabeling content in /usr is not allowed.".

    It leads to the fact that during the configuration the job fails
    with "Permission denied - /usr/share/openstack-puppet/modules".

    There is no need to relabel that folder since it's read-only.
    After removing ":z" it is possible to deploy the overcloud with
    enabled SELinux.

    Closes-Bug: #1807680

    Change-Id: I11c7c5e9594fe0cdb2a114f81033651e411c9e3c
    (cherry picked from commit dcdf75b94f7a46a1095da5a9b2afc1dbcd14ac56)

tags: added: in-stable-rocky
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on tripleo-heat-templates (stable/rocky)

Change abandoned by Martin André (<email address hidden>) on branch: stable/rocky
Review: https://review.openstack.org/624069
Reason: Already merged in https://review.openstack.org/#/c/624236/

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 9.2.0

This issue was fixed in the openstack/tripleo-heat-templates 9.2.0 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 10.3.0

This issue was fixed in the openstack/tripleo-heat-templates 10.3.0 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 8.3.0

This issue was fixed in the openstack/tripleo-heat-templates 8.3.0 release.
