What happened: After performing a dnf update -y to RHEL 8.7 and associated packages, Ceph no longer successfully deploys due to an AVC denial with keyrings for ceph-mgr. I don't think this is an 8.7 issue, but rather some other system packages that were updated which cause this. Setting SELinux to permissive allows a deploy. An exact deployment on a host on 8.6 (with enforcing), last fully patched ~1 month ago, is successful; updating to 8.7 plus a month's worth of updates to all other packages appears to cause this issue. No changes in the working repository from the deployment admin node.
What you expected to happen: Successful deployment with SELinux enforcing
How to reproduce it (minimal and precise):
Attempt to run a deployment on fully updated RHEL 8.7 and associated packages
The deployment will fail. Investigating a failing node, it was noted the Ceph manager container was not running. Attempting to start ceph-mgr@service will cause the podman container to immediately crash due to permission denial on keyrings. A restorecon on /etc/ceph and /var/lib/ceph with systemctl restart ceph-mgr@service did not seem to resolve the issue. The following denials are present in audit. Setting to permissive allows a deploy and will generate these messages:
When enforcing, this causes the container to exit on startup
-- Unit ceph-mgr@cs-csp-io2-5a01.service has finished starting up.
--
-- The start-up result is done.
Jan 14 02:44:11 cs-csp-io2-5a01 ceph-mgr-csp-io2-5a01[50295]: find: '/var/lib/ceph/mgr/ceph-csp-io2-5a01/keyring': Permission denied
Jan 14 02:44:11 cs-csp-io2-5a01 ceph-mgr-csp-io2-5a01[50295]: chown: cannot access '/var/lib/ceph/mgr/ceph-csp-io2-5a01/keyring': Permission denied
This will in turn cause deployment to fail when it expects ceph-mgr
TASK [ceph-mgr : wait for all mgr to be up] *******************************************************************************************************************************************************************
Saturday 14 January 2023 14:52:11 -0700 (0:00:00.131) 0:04:07.554 ******
FAILED - RETRYING: wait for all mgr to be up (30 retries left).
FAILED - RETRYING: wait for all mgr to be up (29 retries left).
<...>
FAILED - RETRYING: wait for all mgr to be up (1 retries left).
fatal: [dev-csp-sc1-303 -> dev-csp-sc1-301]: FAILED! => changed=false
attempts: 30
Setting all nodes to permissive or adding a catchall local policy module appears to allow deployment but both cases are less than ideal.
Environment:
OS (e.g. from /etc/os-release): PRETTY_NAME="Red Hat Enterprise Linux 8.7 (Ootpa)"
Kernel (e.g. uname -a): 4.18.0-425.10.1.el8_7.x86_64 SMP Wed Dec 14 16:00:01 EST 2022 x86_64 x86_64 x86_64 GNU/Linux
Docker version if applicable (e.g. docker version): podman 4.2.0
Ansible version (e.g. ansible-playbook --version): ansible-playbook 2.10.17
ceph-ansible version (e.g. git head or tag or stable branch): tag v6.0.28 d7bf53a
Ceph version (e.g. ceph -v): 16.2.10 via quay.io/ceph/daemon:v6.0.9-stable-6.0-pacific-centos-stream8-x86_64
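An added example, not part of the original issue or of ceph-ansible: a small triage script that groups AVC denials by source type, target type and object class, so that a narrowly scoped local module can be reviewed instead of the catch-all one mentioned above. The audit records are constructed, because the issue's own AVC lines are not shown on this page; the host name, inode and SELinux types in them are assumptions.

```python
import re
from collections import defaultdict

# Constructed audit records: the issue's own AVC lines are not on the page,
# so the host name, inode and SELinux types below are assumptions.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1673664251.101:901): avc:  denied  { getattr } for  pid=50295 comm="find" path="/var/lib/ceph/mgr/ceph-node1/keyring" dev="dm-0" ino=1234 scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1673664251.105:902): avc:  denied  { getattr } for  pid=50296 comm="chown" path="/var/lib/ceph/mgr/ceph-node1/keyring" dev="dm-0" ino=1234 scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1673664300.000:910): avc:  denied  { read } for  pid=50400 comm="ceph-mgr" name="keyring" dev="dm-0" ino=1234 scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1673664300.000:910): arch=c000003e syscall=257 success=yes
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)


def se_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]


def summarize(audit_text):
    """Group denials by (source type, target type, class)."""
    rules = defaultdict(lambda: {"perms": set(), "enforced": 0, "permissive": 0})
    for line in audit_text.splitlines():
        m = AVC_RE.search(line) if line.startswith("type=AVC") else None
        if m is None:
            continue
        entry = rules[(se_type(m["scon"]), se_type(m["tcon"]), m["tclass"])]
        entry["perms"].update(m["perms"].split())
        # permissive=1 means the access was logged but allowed.
        entry["permissive" if m["permissive"] == "1" else "enforced"] += 1
    return dict(rules)


def render(rules):
    """Candidate allow rules for review, one per type pair and class."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(e['perms']))} }};"
        for (src, tgt, cls), e in sorted(rules.items())
    ]


if __name__ == "__main__":
    for rule in render(summarize(SAMPLE_AUDIT)):
        print(rule)
```

On a real host the input would be the output of `ausearch -m avc` rather than the embedded sample. The summary shows which type pair and permissions a scoped module would have to cover, and the enforced/permissive counts separate denials that blocked the container from ones that were only logged.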
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in a week if no further activity occurs. Thank you for your contributions.