Bug
Resolution: Unresolved
Moderate
This was earlier reported in https://bugzilla.redhat.com/show_bug.cgi?id=2255412, but I'm creating this ticket since RDO migrated from Bugzilla to Jira.
Description of problem:
When glance is deployed with the cinder backend, glance needs sudo to connect a cinder volume
to access image data stored in the volume.
However, the volume connection fails because the glance-rootwrap command is rejected.
```
2023-12-20 15:06:46.909 69794 DEBUG glance_store._drivers.cinder.store [None req-20588aa5-8aa7-4d2c-ba60-2daa8275a455 496fefb1e73845f491bf9e4042000c60 dcd5ba4cd13e4fefb00108de7346c19b - - default default] Creating a new volume: image_size=117440512 size_gb=1 type=None add /usr/lib/python3.9/site-packages/glance_store/_drivers/cinder/store.py:1015
2023-12-20 15:06:51.849 69794 DEBUG os_brick.utils [None req-20588aa5-8aa7-4d2c-ba60-2daa8275a455 496fefb1e73845f491bf9e4042000c60 dcd5ba4cd13e4fefb00108de7346c19b - - default default] ==> get_connector_properties: call "{'root_helper': 'sudo glance-rootwrap /etc/glance/rootwrap.conf', 'my_ip': '2607:5300:201:2000::260', 'multipath': False, 'enforce_multipath': False, 'host': 'np0036213121', 'execute': None}" trace_logging_wrapper /usr/lib/python3.9/site-packages/os_brick/utils.py:176
2023-12-20 15:06:51.856 69794 INFO oslo.privsep.daemon [None req-20588aa5-8aa7-4d2c-ba60-2daa8275a455 496fefb1e73845f491bf9e4042000c60 dcd5ba4cd13e4fefb00108de7346c19b - - default default] Running privsep helper: ['sudo', 'glance-rootwrap', '/etc/glance/rootwrap.conf', 'privsep-helper', '--config-file', '/etc/glance/glance-api.conf', '--privsep_context', 'os_brick.privileged.default', '--privsep_sock_path', '/tmp/tmppu33kea2/privsep.sock']
2023-12-20 15:06:51.888 69794 WARNING oslo.privsep.daemon [-] privsep log: sudo: PAM account management error: Authentication service cannot retrieve authentication info
2023-12-20 15:06:51.906 69794 WARNING oslo.privsep.daemon [-] privsep log: sudo: a password is required
2023-12-20 15:06:51.906 69794 CRITICAL oslo.privsep.daemon [None req-20588aa5-8aa7-4d2c-ba60-2daa8275a455 496fefb1e73845f491bf9e4042000c60 dcd5ba4cd13e4fefb00108de7346c19b - - default default] privsep helper command exited non-zero (1)
2023-12-20 15:06:51.907 69794 DEBUG os_brick.utils [None req-20588aa5-8aa7-4d2c-ba60-2daa8275a455 496fefb1e73845f491bf9e4042000c60 dcd5ba4cd13e4fefb00108de7346c19b - - default default] <== get_connector_properties: exception (56ms) FailedToDropPrivileges('privsep helper command exited non-zero (1)') trace_logging_wrapper /usr/lib/python3.9/site-packages/os_brick/utils.py:189
2023-12-20 15:06:51.907 69794 ERROR glance_store._drivers.cinder.store [None req-20588aa5-8aa7-4d2c-ba60-2daa8275a455 496fefb1e73845f491bf9e4042000c60 dcd5ba4cd13e4fefb00108de7346c19b - - default default] Failed to write to volume 0c38f81f-a52a-4dd2-ad73-3c28b67b97e5.: oslo_privsep.daemon.FailedToDropPrivileges: privsep helper command exited non-zero (1)
2023-12-20 15:06:52.107 69794 ERROR glance.api.v2.image_data [None req-20588aa5-8aa7-4d2c-ba60-2daa8275a455 496fefb1e73845f491bf9e4042000c60 dcd5ba4cd13e4fefb00108de7346c19b - - default default] Failed to upload image data due to internal error: oslo_privsep.daemon.FailedToDropPrivileges: privsep helper command exited non-zero (1)
2023-12-20 15:06:52.161 69794 ERROR glance.common.wsgi [None req-20588aa5-8aa7-4d2c-ba60-2daa8275a455 496fefb1e73845f491bf9e4042000c60 dcd5ba4cd13e4fefb00108de7346c19b - - default default] Caught error: privsep helper command exited non-zero (1): oslo_privsep.daemon.FailedToDropPrivileges: privsep helper command exited non-zero (1)
2023-12-20 15:06:52.161 69794 ERROR glance.common.wsgi Traceback (most recent call last):
2023-12-20 15:06:52.161 69794 ERROR glance.common.wsgi File "/usr/lib/python3.9/site-packages/glance/common/wsgi.py", line 1297, in __call__
2023-12-20 15:06:52.161 69794 ERROR glance.common.wsgi action_result = self.dispatch(self.controller, action,
...
2023-12-20 15:06:52.161 69794 ERROR glance.common.wsgi File "/usr/lib/python3.9/site-packages/oslo_privsep/daemon.py", line 358, in __init__
2023-12-20 15:06:52.161 69794 ERROR glance.common.wsgi raise FailedToDropPrivileges(msg)
2023-12-20 15:06:52.161 69794 ERROR glance.common.wsgi oslo_privsep.daemon.FailedToDropPrivileges: privsep helper command exited non-zero (1)
2023-12-20 15:06:52.161 69794 ERROR glance.common.wsgi
2023-12-20 15:06:52.780 69794 INFO eventlet.wsgi.server [None req-20588aa5-8aa7-4d2c-ba60-2daa8275a455 496fefb1e73845f491bf9e4042000c60 dcd5ba4cd13e4fefb00108de7346c19b - - default default] ::1 - - [20/Dec/2023 15:06:52] "PUT /v2/images/6d9ed391-5f53-451c-945a-9764b38af604/file HTTP/1.1" 500 341 6.043561
```
It seems the following SELinux denial is causing the problem.
```
type=AVC msg=audit(1703084811.884:6481): avc: denied { execute } for pid=72459 comm="sudo" name="unix_chkpwd" dev="vda1" ino=4700890 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1703084818.067:6524): avc: denied { execute } for pid=72505 comm="sudo" name="unix_chkpwd" dev="vda1" ino=4700890 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file permissive=0
```
The issue is not resolved even if we enable the os_glance_use_sudo boolean.
```
os_enable_vtpm (off , off) Allow os to enable vtpm
os_glance_dac_override (on , on) Allow os to glance dac override
os_glance_use_nfs (on , on) Allow os to glance use nfs
os_glance_use_sudo (on , on) Allow os to glance use sudo
os_gnocchi_use_nfs (on , on) Allow os to gnocchi use nfs
os_haproxy_dac_override (on , on) Allow os to haproxy dac override
```
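To turn the two AVC records and the boolean listing above into a diagnosis, here is an added example in Python (the language glance and os-brick are written in). It is not code from this ticket, from glance or from openstack-selinux. Its only inputs are the audit.log lines and the `semanage boolean -l` style listing quoted above, embedded as constants; the policy interface named in the `te_rule` docstring is an assumption about how a proper fix would be written, not something the ticket states.

```python
"""Parse the AVC denials and boolean listing from this report and explain why sudo fails.
Added example for this ticket; not glance, os-brick or openstack-selinux code."""
from __future__ import annotations

import re
from dataclasses import dataclass

# AVC records copied from the report above (audit.log format).
AVC_LINES = """\
type=AVC msg=audit(1703084811.884:6481): avc: denied { execute } for pid=72459 comm="sudo" name="unix_chkpwd" dev="vda1" ino=4700890 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1703084818.067:6524): avc: denied { execute } for pid=72505 comm="sudo" name="unix_chkpwd" dev="vda1" ino=4700890 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file permissive=0
"""

# Boolean listing copied from the report: name (current , persistent) description.
BOOLEAN_LINES = """\
os_enable_vtpm (off , off) Allow os to enable vtpm
os_glance_dac_override (on , on) Allow os to glance dac override
os_glance_use_nfs (on , on) Allow os to glance use nfs
os_glance_use_sudo (on , on) Allow os to glance use sudo
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class AvcDenial:
    perms: tuple[str, ...]
    comm: str
    name: str
    source_type: str   # type field of scontext, e.g. glance_api_t
    target_type: str   # type field of tcontext, e.g. chkpwd_exec_t
    tclass: str
    permissive: bool


def _selinux_type(context: str) -> str:
    # user:role:type:level -> type
    return context.split(":")[2]


def parse_avc(line: str) -> AvcDenial | None:
    """Structured denial for one audit.log AVC line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return AvcDenial(
        perms=tuple(m.group("perms").split()),
        comm=fields.get("comm", ""),
        name=fields.get("name", ""),
        source_type=_selinux_type(fields["scontext"]),
        target_type=_selinux_type(fields["tcontext"]),
        tclass=fields["tclass"],
        permissive=fields.get("permissive") == "1",
    )


def parse_booleans(text: str) -> dict[str, tuple[bool, bool]]:
    """Map boolean name -> (current, persistent) from `semanage boolean -l` style output."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\S+)\s+\((\w+)\s*,\s*(\w+)\)", line)
        if m:
            out[m.group(1)] = (m.group(2) == "on", m.group(3) == "on")
    return out


def te_rule(d: AvcDenial) -> str:
    """The raw allow rule audit2allow would derive from this denial. Diagnostic only:
    a policy fix would normally use the authlogin interface that lets a domain run
    unix_chkpwd (assumed: auth_domtrans_chk_passwd) instead of a bare allow."""
    return f"allow {d.source_type} {d.target_type}:{d.tclass} {{ {' '.join(d.perms)} }};"


def explains_sudo_pam_failure(d: AvcDenial) -> bool:
    """sudo was refused execute on unix_chkpwd, the helper pam_unix runs for the
    account phase; that is the 'PAM account management error' in the glance log."""
    return (d.comm == "sudo" and d.target_type == "chkpwd_exec_t"
            and "execute" in d.perms and not d.permissive)


def diagnose(avc_text: str, bool_text: str) -> dict:
    denials = [d for d in map(parse_avc, avc_text.splitlines()) if d is not None]
    culprits = [d for d in denials if explains_sudo_pam_failure(d)]
    bools = parse_booleans(bool_text)
    findings = []
    if culprits:
        c = culprits[0]
        findings.append(f"{c.source_type} is denied execute on {c.name} ({c.target_type}); "
                        "sudo's PAM account check cannot run, so sudo fails closed")
    if bools.get("os_glance_use_sudo") == (True, True):
        findings.append("os_glance_use_sudo is already on (current and persistent); "
                        "the boolean does not grant this access")
    return {
        "denials": len(denials),
        "culprits": len(culprits),
        "rules": sorted({te_rule(d) for d in denials}),
        "findings": findings,
    }


if __name__ == "__main__":
    for finding in diagnose(AVC_LINES, BOOLEAN_LINES)["findings"]:
        print(finding)
```

On an affected host, `ausearch -m AVC -c sudo` retrieves the records this parser consumes, and `sesearch -A -s glance_api_t -t chkpwd_exec_t -c file -p execute` should print nothing while the bug is present, which confirms that no rule behind the boolean covers the access. The allow rule the example derives is what `audit2allow` would print; loading it as a local module proves the diagnosis, but the durable fix belongs in openstack-selinux, and switching to permissive mode is not a fix.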
Example logs can be found in https://zuul.opendev.org/t/openstack/build/c344c5f044f1404782e0acbca93260fd
Version-Release number of selected component (if applicable):
openstack-selinux-0.8.38-0.20231218093307.f1d5b34.el9.noarch
selinux-policy-38.1.27-1.el9.noarch
How reproducible:
Always
Steps to Reproduce:
1. Make SELinux enforcing
2. Deploy cinder with the LVM backend
3. Deploy glance with the cinder backend
4. Create an image
Actual results:
Image creation fails with 500 error
Expected results:
Image creation should succeed
Additional info: