And we have the following denial:
/var/log/audit/audit.log.1:type=AVC msg=audit(1599582437.978:2102): avc: denied { net_broadcast } for pid=5066 comm="ovs-vswitchd" capability=11 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=0
So we have a change where it passed in check but not in gate (https://review.opendev.org/#/c/750071/). The difference in the packages consisted of:
pass:
openstack-selinux-0.8.23-0.20200821105100.f05f4b2.el7.noarch
openstack-tripleo-heat-templates-10.6.3-0.20200905130014.2026fa4.el7.noarch
puppet-neutron-14.4.1-0.20200404011627.4aae155.el7.noarch
fail:
openstack-selinux-0.8.24-0.20200826121419.53b8b2e.el7.noarch
openstack-tripleo-heat-templates-10.6.3-0.20200908173018.2026fa4.el7.noarch
puppet-neutron-14.4.1-0.20200908161637.080fd53.el7.noarch
Given that this was a change to THT, it leaves openstack-selinux or puppet-neutron as the culprit.
The only change in puppet-neutron is https://review.opendev.org/#/c/749969/ which lowered the number of workers.
Alternatively I did notice that selinux is enabled on the stein job upstream (this should be permissive)
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: permissive
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 31
https://b711d185688da3b864bc-5593d50c131879f6a486eeedbad80e3c.ssl.cf2.rackcdn.com/750071/1/gate/tripleo-ci-centos-7-standalone-upgrade-stein/91e3191/logs/undercloud/var/log/extra/selinux.txt
And we have the following denial:
/var/log/audit/audit.log.1:type=AVC msg=audit(1599582437.978:2102): avc: denied { net_broadcast } for pid=5066 comm="ovs-vswitchd" capability=11 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=0
https://b711d185688da3b864bc-5593d50c131879f6a486eeedbad80e3c.ssl.cf2.rackcdn.com/750071/1/gate/tripleo-ci-centos-7-standalone-upgrade-stein/91e3191/logs/undercloud/var/log/extra/denials.txt
However we had the same denial on the passing job. So if this is code related, it likely is the number of workers change in puppet-neutron.
/var/log/audit/audit.log.1:type=AVC msg=audit(1599307009.320:2793): avc: denied { net_broadcast } for pid=5013 comm="ovs-vswitchd" capability=11 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=0
https://storage.gra.cloud.ovh.net/v1/AUTH_dcaab5e32b234d56b626f72581e3644c/zuul_opendev_logs_a9d/750071/1/check/tripleo-ci-centos-7-standalone-upgrade-stein/a9d2f90/logs/undercloud/var/log/extra/denials.txt
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: permissive
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 31
https://storage.gra.cloud.ovh.net/v1/AUTH_dcaab5e32b234d56b626f72581e3644c/zuul_opendev_logs_a9d/750071/1/check/tripleo-ci-centos-7-standalone-upgrade-stein/a9d2f90/logs/undercloud/var/log/extra/selinux.txt
The openstack-selinux changes are likely:
https://github.com/redhat-openstack/openstack-selinux/commit/f6ad869bb125b8a1834f62bfa1aeffe2a10ef504
https://github.com/redhat-openstack/openstack-selinux/pull/67
Since the denial is the same between each version, I'm thinking it's the lowering of ovn metadata workers.
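
The denial comparison made by eye in the comment above can be scripted when the logs hold more than one record. This is an added example, not code from the bug report or from TripleO: it reduces each AVC record to the fields that do not change between runs and diffs the two sets. The function names and the choice to ignore only the pid and the audit timestamp are assumptions; the two sample records are the ones quoted in the comment.

```python
import re

# The two AVC records quoted in the comment (passing check job, failing gate job).
PASS_LOG = ('type=AVC msg=audit(1599307009.320:2793): avc: denied { net_broadcast } '
            'for pid=5013 comm="ovs-vswitchd" capability=11 '
            'scontext=system_u:system_r:openvswitch_t:s0 '
            'tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=0')
FAIL_LOG = ('type=AVC msg=audit(1599582437.978:2102): avc: denied { net_broadcast } '
            'for pid=5066 comm="ovs-vswitchd" capability=11 '
            'scontext=system_u:system_r:openvswitch_t:s0 '
            'tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=0')

# Matching from "avc:" onward skips the msg=audit(timestamp:serial) prefix
# and any "file:" prefix that grep adds.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
VOLATILE = {"pid"}  # assumption: the only per-run field inside the record body


def signatures(log_text):
    """Return the set of run-independent signatures of all AVC denials in log_text."""
    sigs = set()
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        perms = tuple(sorted(m.group("perms").split()))
        fields = tuple(sorted((k, v.strip('"'))
                              for k, v in FIELD_RE.findall(m.group("fields"))
                              if k not in VOLATILE))
        sigs.add((perms, fields))
    return sigs


def compare(pass_log, fail_log):
    """Split denial signatures into those unique to each job and those shared."""
    p, f = signatures(pass_log), signatures(fail_log)
    return {"only_in_pass": p - f, "only_in_fail": f - p, "common": p & f}


if __name__ == "__main__":
    for bucket, sigs in compare(PASS_LOG, FAIL_LOG).items():
        print(bucket, len(sigs))
```

An empty `only_in_fail` set means the failing job logged no denial that the passing job did not also log.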