Bug
Resolution: Done
Major
rhel-net-ovs-dpdk
ssg_networking
Our bare-metal OCP 4.15.5 worker nodes rebooted after we installed a MachineConfig to enable a bond interface. The MachineConfig contains no changes other than installing three nmconnection profiles in /etc/NetworkManager/system-connections (one for the bond, and one for each of the member interfaces).
After rebooting, OpenShift failed to start up. The bond interface was configured correctly, but ovsdb-server was failing to start:
Feb 07 21:59:09 wrk-1 ovs-ctl[1947]: ovsdb-server: failed to create temporary file (Permission denied)
This was due to an AVC denial:
type=AVC msg=audit(1707343149.248:61): avc: denied { read write open } for pid=1947 comm="ovsdb-server" path=2F746D702F233137202864656C6574656429 dev="tmpfs" ino=17 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
type=AVC msg=audit(1707343149.249:62): avc: denied { create } for pid=1947 comm="ovsdb-server" name="tmpfUnu7dX" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
In order to resolve this problem, we had to install the following local policy:
module local 1.0;

require {
    type openvswitch_t;
    type tmpfs_t;
    class file { create open read write };
}

#============= openvswitch_t ==============
allow openvswitch_t tmpfs_t:file { create open read write };
With this policy in place, ovsdb-server was able to start up, which unblocked the rest of the system.
The nodes are all running CoreOS 414.92.202311281318-0.
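The following script is an added example, not part of the bug report and not code from Open vSwitch or OpenShift. It shows the workaround above as a repeatable procedure: parse the AVC records into an allow rule (the same thing audit2allow does for the simple case), wrap it in a module with the require block, and build and load it with checkmodule, semodule_package and semodule. The function names (avc_to_allow, te_from_rules, build_and_load) and the sample records are mine; the records are constructed from the two denials quoted in the report. The build step only runs when the SELinux tools are present and otherwise prints the commands to run on the node.

```shell
#!/usr/bin/env bash
# Added example: AVC denials -> local SELinux policy module -> load.
# Requires checkmodule/semodule_package/semodule (policycoreutils, checkpolicy)
# for the build/load step only; parsing and .te generation run anywhere.
set -eu

# Constructed sample records, modelled on the two denials in the report.
SAMPLE_AVC='type=AVC msg=audit(1707343149.248:61): avc:  denied  { read write open } for  pid=1947 comm="ovsdb-server" path=2F746D702F233137202864656C6574656429 dev="tmpfs" ino=17 scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
type=AVC msg=audit(1707343149.249:62): avc:  denied  { create } for  pid=1947 comm="ovsdb-server" name="tmpfUnu7dX" scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0'

# avc_to_allow: read AVC records on stdin, emit one merged
# "allow <src> <tgt>:<class> { perms };" per (src, tgt, class).
# The type is the third field of the context (user:role:type:level).
avc_to_allow() {
  awk '/type=AVC/ && /denied/ {
      s = $0; sub(/.*denied[ ]*[{][ ]*/, "", s); sub(/[ ]*[}].*/, "", s)
      n = split(s, perms, " ")
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); st = a[3] }
        if ($i ~ /^tcontext=/) { split(substr($i, 10), a, ":"); tt = a[3] }
        if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
      }
      for (i = 1; i <= n; i++) print st, tt, cls, perms[i]
    }' |
  sort -u |
  awk '{ key = $1 " " $2 ":" $3
         if (key != prev) {
           if (prev != "") print "allow " prev " { " p " };"
           prev = key; p = $4
         } else p = p " " $4 }
       END { if (prev != "") print "allow " prev " { " p " };" }'
}

# te_from_rules NAME: read allow rules on stdin, emit a complete .te with the
# module header and a require block listing every type and class/perm used.
te_from_rules() {
  awk -v name="$1" '
    /^allow / {
      rules[++nr] = $0
      split($3, tc, ":")                      # "tmpfs_t:file" -> tmpfs_t, file
      if (!($2 in seen_t))    { seen_t[$2] = 1;    tlist[++nt] = $2 }
      if (!(tc[1] in seen_t)) { seen_t[tc[1]] = 1; tlist[++nt] = tc[1] }
      if (!(tc[2] in seen_c)) { seen_c[tc[2]] = 1; clist[++nc] = tc[2]; cperm[tc[2]] = "" }
      s = $0; sub(/.*[{][ ]*/, "", s); sub(/[ ]*[}].*/, "", s)
      n = split(s, perms, " ")
      for (i = 1; i <= n; i++)
        if (!((tc[2], perms[i]) in seen_p)) {
          seen_p[tc[2], perms[i]] = 1
          cperm[tc[2]] = cperm[tc[2]] " " perms[i]
        }
    }
    END {
      printf "module %s 1.0;\n\nrequire {\n", name
      for (i = 1; i <= nt; i++) printf "    type %s;\n", tlist[i]
      for (i = 1; i <= nc; i++) printf "    class %s {%s };\n", clist[i], cperm[clist[i]]
      printf "}\n\n"
      for (i = 1; i <= nr; i++) print rules[i]
    }'
}

# build_and_load NAME DIR: compile DIR/NAME.te into NAME.pp and load it.
# Skips (with instructions) when the toolchain is absent; loading needs root.
build_and_load() {
  local name="$1" dir="$2"
  if ! command -v checkmodule >/dev/null 2>&1 || ! command -v semodule_package >/dev/null 2>&1; then
    echo "checkmodule/semodule_package not found; on the node run:" >&2
    echo "  checkmodule -M -m -o $name.mod $name.te && semodule_package -o $name.pp -m $name.mod && semodule -i $name.pp" >&2
    return 0
  fi
  checkmodule -M -m -o "$dir/$name.mod" "$dir/$name.te"
  semodule_package -o "$dir/$name.pp" -m "$dir/$name.mod"
  if [ "$(id -u)" -eq 0 ]; then
    semodule -i "$dir/$name.pp"
  else
    echo "not root; load with: semodule -i $dir/$name.pp" >&2
  fi
}

workdir=$(mktemp -d)
printf '%s\n' "$SAMPLE_AVC" | avc_to_allow | te_from_rules local > "$workdir/local.te"
cat "$workdir/local.te"          # review the rule before loading it
build_and_load local "$workdir"
```

Review the generated rule before loading it: it is exactly as broad as the denials, so here it lets openvswitch_t read, write and create any tmpfs_t file, not just its own temporary files. After loading, `semodule -l | grep '^local'` confirms the module is present and `ausearch -m avc -ts recent` should show no further openvswitch_t denials once ovsdb-server has been restarted.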