RDO Project
RDO-267

sudo by glance-api is rejected by selinux

    • Bug
    • Resolution: Unresolved
    • openstack-selinux
    • Moderate

      This was earlier reported in https://bugzilla.redhat.com/show_bug.cgi?id=2255412 , but I'm creating this ticket since RDO migrated from bugzilla to jira.

      Description of problem:

      When glance is deployed with the cinder backend, glance needs sudo to connect a cinder volume
      to access image data stored in the volume.

      However, the volume connection fails because the glance-rootwrap command is rejected.
      ```
      2023-12-20 15:06:46.909 69794 DEBUG glance_store._drivers.cinder.store [None req-20588aa5-8aa7-4d2c-ba60-2daa8275a455 496fefb1e73845f491bf9e4042000c60 dcd5ba4cd13e4fefb00108de7346c19b - - default default] Creating a new volume: image_size=117440512 size_gb=1 type=None add /usr/lib/python3.9/site-packages/glance_store/_drivers/cinder/store.py:1015
      2023-12-20 15:06:51.849 69794 DEBUG os_brick.utils [None req-20588aa5-8aa7-4d2c-ba60-2daa8275a455 496fefb1e73845f491bf9e4042000c60 dcd5ba4cd13e4fefb00108de7346c19b - - default default] ==> get_connector_properties: call "{'root_helper': 'sudo glance-rootwrap /etc/glance/rootwrap.conf', 'my_ip': '2607:5300:201:2000::260', 'multipath': False, 'enforce_multipath': False, 'host': 'np0036213121', 'execute': None}" trace_logging_wrapper /usr/lib/python3.9/site-packages/os_brick/utils.py:176
      2023-12-20 15:06:51.856 69794 INFO oslo.privsep.daemon [None req-20588aa5-8aa7-4d2c-ba60-2daa8275a455 496fefb1e73845f491bf9e4042000c60 dcd5ba4cd13e4fefb00108de7346c19b - - default default] Running privsep helper: ['sudo', 'glance-rootwrap', '/etc/glance/rootwrap.conf', 'privsep-helper', '--config-file', '/etc/glance/glance-api.conf', '--privsep_context', 'os_brick.privileged.default', '--privsep_sock_path', '/tmp/tmppu33kea2/privsep.sock']
      2023-12-20 15:06:51.888 69794 WARNING oslo.privsep.daemon [-] privsep log: sudo: PAM account management error: Authentication service cannot retrieve authentication info
      2023-12-20 15:06:51.906 69794 WARNING oslo.privsep.daemon [-] privsep log: sudo: a password is required
      2023-12-20 15:06:51.906 69794 CRITICAL oslo.privsep.daemon [None req-20588aa5-8aa7-4d2c-ba60-2daa8275a455 496fefb1e73845f491bf9e4042000c60 dcd5ba4cd13e4fefb00108de7346c19b - - default default] privsep helper command exited non-zero (1)
      2023-12-20 15:06:51.907 69794 DEBUG os_brick.utils [None req-20588aa5-8aa7-4d2c-ba60-2daa8275a455 496fefb1e73845f491bf9e4042000c60 dcd5ba4cd13e4fefb00108de7346c19b - - default default] <== get_connector_properties: exception (56ms) FailedToDropPrivileges('privsep helper command exited non-zero (1)') trace_logging_wrapper /usr/lib/python3.9/site-packages/os_brick/utils.py:189
      2023-12-20 15:06:51.907 69794 ERROR glance_store._drivers.cinder.store [None req-20588aa5-8aa7-4d2c-ba60-2daa8275a455 496fefb1e73845f491bf9e4042000c60 dcd5ba4cd13e4fefb00108de7346c19b - - default default] Failed to write to volume 0c38f81f-a52a-4dd2-ad73-3c28b67b97e5.: oslo_privsep.daemon.FailedToDropPrivileges: privsep helper command exited non-zero (1)
      2023-12-20 15:06:52.107 69794 ERROR glance.api.v2.image_data [None req-20588aa5-8aa7-4d2c-ba60-2daa8275a455 496fefb1e73845f491bf9e4042000c60 dcd5ba4cd13e4fefb00108de7346c19b - - default default] Failed to upload image data due to internal error: oslo_privsep.daemon.FailedToDropPrivileges: privsep helper command exited non-zero (1)
      2023-12-20 15:06:52.161 69794 ERROR glance.common.wsgi [None req-20588aa5-8aa7-4d2c-ba60-2daa8275a455 496fefb1e73845f491bf9e4042000c60 dcd5ba4cd13e4fefb00108de7346c19b - - default default] Caught error: privsep helper command exited non-zero (1): oslo_privsep.daemon.FailedToDropPrivileges: privsep helper command exited non-zero (1)
      2023-12-20 15:06:52.161 69794 ERROR glance.common.wsgi Traceback (most recent call last):
      2023-12-20 15:06:52.161 69794 ERROR glance.common.wsgi   File "/usr/lib/python3.9/site-packages/glance/common/wsgi.py", line 1297, in _call_
      2023-12-20 15:06:52.161 69794 ERROR glance.common.wsgi     action_result = self.dispatch(self.controller, action,
      ...
      2023-12-20 15:06:52.161 69794 ERROR glance.common.wsgi   File "/usr/lib/python3.9/site-packages/oslo_privsep/daemon.py", line 358, in _init_
      2023-12-20 15:06:52.161 69794 ERROR glance.common.wsgi     raise FailedToDropPrivileges(msg)
      2023-12-20 15:06:52.161 69794 ERROR glance.common.wsgi oslo_privsep.daemon.FailedToDropPrivileges: privsep helper command exited non-zero (1)
      2023-12-20 15:06:52.161 69794 ERROR glance.common.wsgi 
      2023-12-20 15:06:52.780 69794 INFO eventlet.wsgi.server [None req-20588aa5-8aa7-4d2c-ba60-2daa8275a455 496fefb1e73845f491bf9e4042000c60 dcd5ba4cd13e4fefb00108de7346c19b - - default default] ::1 - - [20/Dec/2023 15:06:52] "PUT /v2/images/6d9ed391-5f53-451c-945a-9764b38af604/file HTTP/1.1" 500 341 6.043561

      ```

      It seems the following SELinux denial is causing the problem.
      ```
      type=AVC msg=audit(1703084811.884:6481): avc:  denied  { execute } for  pid=72459 comm="sudo" name="unix_chkpwd" dev="vda1" ino=4700890 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file permissive=0
      type=AVC msg=audit(1703084818.067:6524): avc:  denied  { execute } for  pid=72505 comm="sudo" name="unix_chkpwd" dev="vda1" ino=4700890 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file permissive=0
      ```

      The issue is not resolved even if we enable the os_glance_use_sudo boolean.

      ```
      os_enable_vtpm                 (off  ,  off)  Allow os to enable vtpm
      os_glance_dac_override         (on   ,   on)  Allow os to glance dac override
      os_glance_use_nfs              (on   ,   on)  Allow os to glance use nfs
      os_glance_use_sudo             (on   ,   on)  Allow os to glance use sudo
      os_gnocchi_use_nfs             (on   ,   on)  Allow os to gnocchi use nfs
      os_haproxy_dac_override        (on   ,   on)  Allow os to haproxy dac override
      ```
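To make the denials above easier to triage, here is an added example (not part of the ticket or of openstack-selinux) that parses AVC records, extracts the source and target SELinux types, and collapses repeated denials into the distinct allow rules the policy currently lacks, in the same shape audit2allow would print. The two AVC lines are copied from this ticket; the function and regex names are my own.

```python
import re

# Constructed sample input: the two AVC records quoted in this ticket.
AVC_LINES = """\
type=AVC msg=audit(1703084811.884:6481): avc:  denied  { execute } for  pid=72459 comm="sudo" name="unix_chkpwd" dev="vda1" ino=4700890 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1703084818.067:6524): avc:  denied  { execute } for  pid=72505 comm="sudo" name="unix_chkpwd" dev="vda1" ino=4700890 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file permissive=0
"""

# "avc:  denied  { perm perm } for  key=value key="value" ..."
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {
        'result': m.group('result'),
        'perms': sorted(m.group('perms').split()),
        'comm': fields.get('comm'),
        'name': fields.get('name'),
        # A context is user:role:type:level; the type is what policy rules use.
        'stype': fields['scontext'].split(':')[2],
        'ttype': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
        'permissive': fields.get('permissive') == '1',
    }


def missing_rules(text):
    """Collapse denials into distinct 'allow src tgt:class { perms };' lines."""
    rules = {}
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec['result'] != 'denied':
            continue
        key = (rec['stype'], rec['ttype'], rec['tclass'])
        rules.setdefault(key, set()).update(rec['perms'])
    return ['allow %s %s:%s { %s };' % (s, t, c, ' '.join(sorted(p)))
            for (s, t, c), p in sorted(rules.items())]
```

The output only states what the recorded denials require; whether such a rule belongs in the base policy or behind a boolean like os_glance_use_sudo is a policy decision for the maintainers.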

      Example logs can be found in https://zuul.opendev.org/t/openstack/build/c344c5f044f1404782e0acbca93260fd

      Version-Release number of selected component (if applicable):
      openstack-selinux-0.8.38-0.20231218093307.f1d5b34.el9.noarch
      selinux-policy-38.1.27-1.el9.noarch

      How reproducible:
      Always

      Steps to Reproduce:
      1. Make selinux enforcing
      2. Deploy cinder with lvm backend
      3. Deploy glance with cinder backend
      4. Create an image

      Actual results:
      Image creation fails with 500 error

      Expected results:
      Image creation should succeed

      Additional info:

      rhn-engineering-jpichon Julie Pichon
      tkajinami Takashi Kajinami