Live-migration fails from baremetal to containerized compute, selinux disabled in nova_libvirt container

Bug #1715171 reported by Oliver Walsh
Affects: tripleo
Status: Fix Released
Importance: High
Assigned to: Oliver Walsh

Bug Description

Live migration from a baremetal compute to a containerized compute fails with "libvirtError: unsupported configuration: Unable to find security driver for label selinux"

Migration from a host with selinux enabled to a host with selinux disabled is not supported.

Also reported in https://bugzilla.redhat.com/show_bug.cgi?id=1488503

Oliver Walsh (owalsh)
Changed in tripleo:
assignee: nobody → Oliver Walsh (owalsh)
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-common (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/500951

Changed in tripleo:
importance: Critical → High
tags: added: pike-backport-potential
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (master)

Fix proposed to branch: master
Review: https://review.openstack.org/500952

Changed in tripleo:
status: Triaged → In Progress
Changed in tripleo:
milestone: pike-rc2 → queens-1
Oliver Walsh (owalsh) wrote :

NB overlayfs2 isn't fully supported until RHEL/CentOS 7.4 (https://bugzilla.redhat.com/show_bug.cgi?id=1297929) however we appear to avoid the known issues.

OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-common (master)

Reviewed: https://review.openstack.org/500951
Committed: https://git.openstack.org/cgit/openstack/tripleo-common/commit/?id=978c6485f69f13e6fcc5d44e55baf294707dd8c0
Submitter: Jenkins
Branch: master

commit 978c6485f69f13e6fcc5d44e55baf294707dd8c0
Author: Oliver Walsh <email address hidden>
Date: Tue Sep 5 19:15:46 2017 +0100

    Add selinux policy rpms to base container image

    Required to enable selinux within containers.

    Change-Id: I521c5351ad6020911106464bf712cf92e6fb0fca
    Related-bug: #1715171

Changed in tripleo:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (master)

Reviewed: https://review.openstack.org/500952
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=520f889a31f1ea6ee2bad86d1dbb3c0435604d10
Submitter: Jenkins
Branch: master

commit 520f889a31f1ea6ee2bad86d1dbb3c0435604d10
Author: Oliver Walsh <email address hidden>
Date: Tue Sep 5 19:19:17 2017 +0100

    Enable selinux in containers

    We cannot use the --selinux-enabled docker daemon option on CentOS/RHEL 7.3.
    It will fail if security_inode_copy_up is not found in the kernel symbols:
    https://github.com/projectatomic/docker/blob/docker-1.12.6/daemon/daemon_unix.go#L661
    NB this has been reduced to a warning upstream:
    https://github.com/moby/moby/commit/885b29df096db1d6746ece4b3a298a1ffe85716d

    Instead this just bind mounts /sys/fs/selinux in containers-common.yaml.

    Everything appears to work at initial glance. Pingtest succeeds, and
    live-migration between baremetal and containerized computes works.

    Change-Id: I018221bf7ae9ab9ece193b55f1ce31eb1591046c
    Depends-On: I521c5351ad6020911106464bf712cf92e6fb0fca
    Closes-bug: #1715171

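The failure the commit above fixes is detectable before a migration is attempted: the source domain's XML carries a seclabel model that the destination libvirtd must advertise in its capabilities. The following pre-flight check is an added example, not code from tripleo or nova; the capabilities, domain XML and kallsyms text are constructed samples standing in for `virsh capabilities`, `virsh dumpxml` and `/proc/kallsyms` output.

```python
"""Pre-flight checks for this bug: does the destination libvirt know the
security driver the domain was started with, and does the kernel expose the
symbol docker 1.12.6 wants before it honours --selinux-enabled?"""
import xml.etree.ElementTree as ET

# Constructed sample: capabilities on a baremetal compute with SELinux ...
CAPS_WITH_SELINUX = """<capabilities><host>
  <secmodel><model>selinux</model><doi>0</doi></secmodel>
  <secmodel><model>dac</model><doi>0</doi></secmodel>
</host></capabilities>"""

# ... and on a nova_libvirt container where /sys/fs/selinux is not visible.
CAPS_WITHOUT_SELINUX = """<capabilities><host>
  <secmodel><model>dac</model><doi>0</doi></secmodel>
</host></capabilities>"""

# Constructed sample of the labels a domain started under SELinux carries.
DOMAIN_XML = """<domain type='kvm'>
  <name>instance-00000001</name>
  <seclabel type='dynamic' model='selinux' relabel='yes'/>
  <seclabel type='dynamic' model='dac' relabel='yes'/>
</domain>"""


def host_security_models(capabilities_xml):
    """Security drivers a libvirtd advertises (virsh capabilities output)."""
    root = ET.fromstring(capabilities_xml)
    return {m.text for m in root.findall("./host/secmodel/model")}


def domain_security_models(domain_xml):
    """Security label models the domain XML requires on the destination."""
    root = ET.fromstring(domain_xml)
    return {s.get("model") for s in root.findall("./seclabel")}


def missing_security_drivers(domain_xml, dest_capabilities_xml):
    """Models the destination lacks. A non-empty result is the condition that
    produces 'Unable to find security driver for label <model>'."""
    return domain_security_models(domain_xml) - host_security_models(dest_capabilities_xml)


def kernel_has_symbol(kallsyms_text, symbol="security_inode_copy_up"):
    """True if /proc/kallsyms content lists the symbol; each line is
    '<address> <type> <name> [module]'."""
    for line in kallsyms_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[2] == symbol:
            return True
    return False
```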
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-common (stable/pike)

Related fix proposed to branch: stable/pike
Review: https://review.openstack.org/502656

OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (stable/pike)

Fix proposed to branch: stable/pike
Review: https://review.openstack.org/502681

OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (stable/pike)

Reviewed: https://review.openstack.org/502681
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=185071236718ca1bfbb46a857cef1a8e0a5c14c0
Submitter: Jenkins
Branch: stable/pike

commit 185071236718ca1bfbb46a857cef1a8e0a5c14c0
Author: Oliver Walsh <email address hidden>
Date: Tue Sep 5 19:19:17 2017 +0100

    Enable selinux in containers

    We cannot use the --selinux-enabled docker daemon option on CentOS/RHEL 7.3.
    It will fail if security_inode_copy_up is not found in the kernel symbols:
    https://github.com/projectatomic/docker/blob/docker-1.12.6/daemon/daemon_unix.go#L661
    NB this has been reduced to a warning upstream:
    https://github.com/moby/moby/commit/885b29df096db1d6746ece4b3a298a1ffe85716d

    Instead this just bind mounts /sys/fs/selinux in containers-common.yaml.

    Everything appears to work at initial glance. Pingtest succeeds, and
    live-migration between baremetal and containerized computes works.

    Change-Id: I018221bf7ae9ab9ece193b55f1ce31eb1591046c
    Closes-bug: #1715171
    (cherry picked from commit 520f889a31f1ea6ee2bad86d1dbb3c0435604d10)

tags: added: in-stable-pike
OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-common (stable/pike)

Reviewed: https://review.openstack.org/502656
Committed: https://git.openstack.org/cgit/openstack/tripleo-common/commit/?id=d15286afd8375a78760505f338cfdf0b9383868c
Submitter: Jenkins
Branch: stable/pike

commit d15286afd8375a78760505f338cfdf0b9383868c
Author: Oliver Walsh <email address hidden>
Date: Tue Sep 5 19:15:46 2017 +0100

    Add selinux policy rpms to base container image

    Required to enable selinux within containers.

    Change-Id: I521c5351ad6020911106464bf712cf92e6fb0fca
    Related-bug: #1715171
    (cherry picked from commit 978c6485f69f13e6fcc5d44e55baf294707dd8c0)

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 7.0.1

This issue was fixed in the openstack/tripleo-heat-templates 7.0.1 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 8.0.0.0b1

This issue was fixed in the openstack/tripleo-heat-templates 8.0.0.0b1 development milestone.
