Uploaded image for project: 'RDO Project'
  1. RDO Project
  2. RDO-268

octavia-api can't access agent socket when run by httpd + mod_wsgi

    XMLWordPrintable

Details

    • Bug
    • Resolution: Unresolved
    • Undefined
    • None
    • None
    • openstack-selinux
    • None
    • False
    • Hide

      None

      Show
      None
    • False
    • Moderate

    Description

      I found that octavia-api doesn't repond when selinux is enforced.

      This issue is not reproduced when selinux is permissive and I suspect the following denial, which is recorded in audit.log, is causing the problem.

      type=AVC msg=audit(1711009582.771:8426): avc:  denied  { getattr } for  pid=72482 comm="httpd" path="/run/octavia/status.sock" dev="tmpfs" ino=4820 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0 

      Example log can be found in https://zuul.opendev.org/t/openstack/build/d857ddcfdfff436f89ac53ba3d104283 .

      Version-Release number of selected component (if applicable):

      openstack-selinux-0.8.39-0.20240219140649.f618d90.el9.noarch

      How reproducible:
      Always

      Steps to Reproduce:
      1. Make selinux enforcing
      2. Run octavia-api by httpd + mod_wsgi
      2. Attempt to create a load balancer

       

      Actual results:
      API is stuck and does not respond

       

      Expected results:
      API responds to the request

      Additional info:

      Attachments

        Activity

          People

            rhn-engineering-jpichon Julie Pichon
            tkajinami Takashi Kajinami
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

              Created:
              Updated: