[ovs-discuss] systemd issue

Ansis Atteka aatteka at nicira.com
Tue Jan 24 15:06:59 UTC 2017

On Mon, Jan 23, 2017 at 9:22 PM, Muminul Islam Russell <misla011 at fiu.edu> wrote:
> Hi Ansis,
> Thanks. I am a newbie to this technology. Could you please tell me how
> I can use the wrong unconfined type while creating the directory
> manually.

I would recommend that you think about Mandatory Access Control
(SELinux) in a way analogous to how you already think about Discretionary
Access Control (i.e. directory and file ownership by Linux users) - the same
caveats apply to both of them.

My guess would be that you got into this non-working state by starting
ovs-* processes directly from the command line (e.g. something like
./ovs-vswitchd ...). This caused the ovs-* processes to start under the
unconfined type and hence all the unix domain sockets and files
created by them were also created under the unconfined type. And now,
later on, you are attempting to start ovs-vswitchd correctly via
systemd, where this time these processes bootstrap under the SELinux
openvswitch type and hence they can no longer clean up remnants
created by previous ovs-* process instances that were running under
the unconfined type. To confirm this theory, can you copy and paste the
output of the "ps -AZf | egrep ovs" command?

To get out of this situation you need to relabel these files back to
the openvswitch_* type by running the restorecon command.

> Here is the output that you requested.
> [root@localhost ~]# ls -Z /var/run/openvswitch/
> srwx------. root root unconfined_u:object_r:var_run_t:s0 br0.mgmt
> srwx------. root root unconfined_u:object_r:var_run_t:s0 br0.snoop
> srwx------. root root unconfined_u:object_r:var_run_t:s0 db.sock
> srwx------. root root unconfined_u:object_r:var_run_t:s0 ovsdb-server.2593.ctl
> -rw-r--r--. root root unconfined_u:object_r:var_run_t:s0 ovsdb-server.pid
> srwx------. root root unconfined_u:object_r:var_run_t:s0 ovs-vswitchd.2605.ctl
> -rw-r--r--. root root unconfined_u:object_r:var_run_t:s0 ovs-vswitchd.pid
> [root@localhost ~]#
> Thanks,
> Muminul
> On Mon, Jan 23, 2017 at 10:46 AM, Ansis Atteka <aatteka at nicira.com> wrote:
>> On Fri, Jan 20, 2017 at 3:48 PM, Muminul Islam Russell <misla011 at fiu.edu> wrote:
>>> Thanks for the clarification.
>>> When I change selinux mode to permissive it goes through. I am
>>> wondering if there is a way
>>> to resolve this issue while selinux is in enforcing mode.
>> This could be something as trivial as:
>> 1. deleting the /var/run/openvswitch directory and/or all its contents
>> that were properly tagged with one of the openvswitch types
>> 2. manually recreating this directory under the wrong unconfined type.
>> Can you post the output of the `ls -Z` command for the /var/run/openvswitch
>> directory and also all its contents to prove or disprove the theory
>> I have above?
>>> Thanks,
>>> Muminul
>>> On Fri, Jan 20, 2017 at 3:35 PM, Ben Pfaff <blp at ovn.org> wrote:
>>>> On Fri, Jan 20, 2017 at 03:08:39PM -0800, Muminul Islam Russell wrote:
>>>>> Hi,
>>>>> I am using the 2.3.1 version and having an issue with starting the openvswitch
>>>>> service with systemd.
>>>>> [root@localhost ~]# systemctl status openvswitch
>>>>> Jan 20 15:00:54 localhost systemd[1]: Starting LSB: Open vSwitch switch...
>>>>> Jan 20 15:00:54 localhost openvswitch[3196]: Starting ovsdb-server
>>>>> ovsdb-server: /var/run/openvswitch/ovsdb-server.pid: pidfile check
>>>>> failed (Permission denied), aborting
>>>> ovsdb-server tried to check whether it was already running, by reading
>>>> its own pidfile, but it couldn't read it due to a "permission denied"
>>>> error.
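
The label check discussed in this thread, as an added example that is not part of the original messages: it reads `ls -Z` and `ps -AZf` output and reports files and ovs-* daemons whose SELinux type is not an openvswitch_* type. The function names are hypothetical, the "openvswitch_" prefix test is an assumption based on the message above, and the sample lines are partly copied from the thread and partly constructed, as marked.

```shell
# Added example, not from the thread. Assumption: correctly labelled Open
# vSwitch files and processes carry a type that starts with "openvswitch_".

# Read `ls -Z` output on stdin; print "<type> <name>" for each entry whose
# SELinux type is not openvswitch_*. The context is found by its shape
# (user:role:type:level), so old and new `ls -Z` column layouts both work.
mislabeled_entries() {
    awk '{
        for (i = 1; i < NF; i++)
            if (split($i, ctx, ":") >= 4) {
                if (ctx[3] !~ /^openvswitch_/) print ctx[3], $NF
                break
            }
    }'
}

# Read `ps -AZf` output on stdin (LABEL UID PID PPID C STIME TTY TIME CMD);
# print "<type> <pid> <cmd>" for ovs-*/ovsdb-* daemons outside openvswitch_*.
unconfined_daemons() {
    awk '$9 ~ /(^|\/)ovs(db)?-/ {
        split($1, ctx, ":")
        if (ctx[3] !~ /^openvswitch_/) print ctx[3], $3, $9
    }'
}

# Two lines copied from the thread plus one constructed, correctly labelled line.
sample_ls() {
    cat <<'EOF'
srwx------. root root unconfined_u:object_r:var_run_t:s0 db.sock
-rw-r--r--. root root unconfined_u:object_r:var_run_t:s0 ovsdb-server.pid
-rw-r--r--. root root system_u:object_r:openvswitch_var_run_t:s0 ovs-vswitchd.pid
EOF
}

# Constructed `ps -AZf` lines: one daemon started from a shell, one by systemd.
sample_ps() {
    cat <<'EOF'
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 2605 1 0 14:58 ? 00:00:03 ./ovs-vswitchd --pidfile --detach
system_u:system_r:openvswitch_t:s0 root 3201 1 0 15:00 ? 00:00:00 ovsdb-server --pidfile --detach
EOF
}

# With --live, audit this host; otherwise run against the samples above.
if [ "${1:-}" = "--live" ]; then
    ls -Z /var/run/openvswitch | mislabeled_entries
    ps -AZf | unconfined_daemons
else
    sample_ls | mislabeled_entries
    sample_ps | unconfined_daemons
fi
```

Entries reported by the first function are the ones the message says to relabel with restorecon; a daemon reported by the second was started outside systemd and will keep creating mislabelled files until it is stopped.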