While selinux on KVM host was reconfigured from `enforcing' to `disabled', rpower failed to power previously created KVM guest on. #3284

Closed
neo954 opened this issue Jun 19, 2017 · 5 comments

Comments


neo954 commented Jun 19, 2017

Software environment

  • xCAT management node runs xCAT 2.13.4 GA edition on ppc64le or x86-64 architecture
  • KVM host with RHEL 7.3 + RHV 4.1 on ppc64le or x86-64 architecture

Recreation steps

On the KVM host, enable selinux. Make sure it is in the enforcing state.

[root@kvmhost ~] # getenforce
Enforcing

On the xCAT management node, create one KVM guest on the KVM host with command mkvm.

[root@xcatmn ~] # mkvm kvmguest

And then, power the newly created KVM guest on, and off.

[root@xcatmn ~] # rpower kvmguest on
[root@xcatmn ~] # rpower kvmguest off

Back to the KVM host, edit configuration file /etc/sysconfig/selinux and disable the selinux setting. Reboot the KVM host. After rebooting, make sure selinux is in the disabled state.

[root@kvmhost ~] # getenforce
Disabled

Switch to the xCAT management node, and try to power the KVM guest on with xCAT command rpower. It will get the following error message.

[root@xcatmn ~] # rpower kvmguest on
kvmguest: Error: unsupported configuration: Unable to find security driver for model selinux

neo954 commented Jun 19, 2017

When a KVM guest was created while selinux was set to enforcing, a seclabel section similar to the following was added to the definition XML of the KVM guest.

<seclabel type='dynamic' model='selinux' relabel='yes'>
  <label>system_u:system_r:svirt_t:s0:c408,c616</label>
  <imagelabel>system_u:object_r:svirt_image_t:s0:c408,c616</imagelabel>
</seclabel>

And xCAT saved this XML to its database, in the kvm_nodedata table. When a KVM guest needs to be powered on, this saved XML copy will be used to redefine the KVM guest on the KVM host.

Actually, the seclabel section above asks for the selinux security model on the KVM host. When it is lacking, the KVM guest simply refuses to boot.
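
The mismatch described in the comment above can be checked before a power-on attempt. The following is an added example, not part of the issue thread or of xCAT: it compares the security models named in a saved guest definition with the `<secmodel>` entries a host reports in `virsh capabilities`. The function names and both capabilities samples are constructed for illustration; only the seclabel block is taken from the comment.

```python
import xml.etree.ElementTree as ET

# Constructed sample: minimal guest definition carrying the seclabel
# quoted in the issue (saved while the host was enforcing).
SAVED_DOMAIN_XML = """<domain type='kvm'>
  <name>kvmguest</name>
  <seclabel type='dynamic' model='selinux' relabel='yes'>
    <label>system_u:system_r:svirt_t:s0:c408,c616</label>
    <imagelabel>system_u:object_r:svirt_image_t:s0:c408,c616</imagelabel>
  </seclabel>
</domain>"""

# Constructed samples of `virsh capabilities`, reduced to the secmodel part.
CAPS_ENFORCING = """<capabilities><host>
  <secmodel><model>selinux</model><doi>0</doi></secmodel>
  <secmodel><model>dac</model><doi>0</doi></secmodel>
</host></capabilities>"""
CAPS_DISABLED = """<capabilities><host>
  <secmodel><model>none</model><doi>0</doi></secmodel>
  <secmodel><model>dac</model><doi>0</doi></secmodel>
</host></capabilities>"""


def host_security_models(capabilities_xml):
    """Return the set of security driver models the host offers."""
    root = ET.fromstring(capabilities_xml)
    return {m.text.strip() for m in root.findall("./host/secmodel/model") if m.text}


def unsupported_seclabels(domain_xml, capabilities_xml):
    """List seclabel models in the saved guest XML that the host lacks."""
    available = host_security_models(capabilities_xml)
    missing = []
    for label in ET.fromstring(domain_xml).iter("seclabel"):
        model = label.get("model")
        # A seclabel with no model attribute names no driver, so it
        # cannot cause this particular mismatch.
        if model and model not in available and model not in missing:
            missing.append(model)
    return missing


if __name__ == "__main__":
    for state, caps in (("enforcing", CAPS_ENFORCING), ("disabled", CAPS_DISABLED)):
        print(state, unsupported_seclabels(SAVED_DOMAIN_XML, caps))
```

A non-empty result for a host marks the saved definitions that would hit the "Unable to find security driver" error there.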

@immarvin immarvin added this to the 2.13.6 milestone Jun 19, 2017

neo954 commented Jun 19, 2017

A simple workaround for this issue is to run rmvm and then mkvm against the affected KVM guest. This will remove the XML copy saved in the xCAT database, and recreate the KVM guest while selinux is disabled on the KVM host. After the KVM guest re-creation, it can be powered on straightforwardly.

@daniceexi

@neo954 What caused this While selinux on KVM host was reconfigured from `enforcing' to `disabled'?


zet809 commented Aug 30, 2017

Remove the milestone since we didn't plan to fix it.

@zet809 zet809 removed this from the 2.13.6 milestone Aug 30, 2017

neo954 commented Sep 28, 2017

I will close this one.

@neo954 neo954 closed this as completed Sep 28, 2017
@whowutwut whowutwut added this to the 2.13.8 milestone Jan 5, 2018