[ovs-discuss] systemd issue

Muminul Islam Russell misla011 at fiu.edu
Tue Jan 24 18:06:59 UTC 2017


Thanks a lot for the detailed information.


[root@localhost ~]# ps -AZf | egrep ovs
system_u:system_r:openvswitch_t:s0 root   3079     1  0 10:07 ?
00:00:00 ovsdb-server: monitoring pid 3080 (healthy)
system_u:system_r:openvswitch_t:s0 root   3080  3079  0 10:07 ?
00:00:00 ovsdb-server /etc/openvswitch/conf.db -vconsole:emer
-vsyslog:err -vfile:info --remote=punix:/var/run/openvswitch/db.sock
--private-key=db:Open_vSwitch,SSL,private_key
--certificate=db:Open_vSwitch,SSL,certificate
--bootstrap-ca-cert=db:Open_vSwitch,SSL,ca_cert --no-chdir
--log-file=/var/log/openvswitch/ovsdb-server.log
--pidfile=/var/run/openvswitch/ovsdb-server.pid --detach --monitor
system_u:system_r:openvswitch_t:s0 root   3089     1  0 10:07 ?
00:00:00 ovs-vswitchd: monitoring pid 3090 (healthy)
system_u:system_r:openvswitch_t:s0 root   3090  3089  0 10:07 ?
00:00:00 ovs-vswitchd unix:/var/run/openvswitch/db.sock -vconsole:emer
-vsyslog:err -vfile:info --mlockall --no-chdir
--log-file=/var/log/openvswitch/ovs-vswitchd.log
--pidfile=/var/run/openvswitch/ovs-vswitchd.pid --detach --monitor
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 3104 2492
0 10:08 pts/0 00:00:00 grep -E --color=auto ovs

---
Muminul

On Tue, Jan 24, 2017 at 7:06 AM, Ansis Atteka <aatteka at nicira.com> wrote:
> On Mon, Jan 23, 2017 at 9:22 PM, Muminul Islam Russell <misla011 at fiu.edu> wrote:
>> Hi Ansis,
>>
>> Thanks. I am a newbie to this technology. Could you please tell me how
>> I can use the wrong unconfined type while creating the directory
>> manually?
>
> I would recommend that you think about Mandatory Access Control
> (SELinux) in a way analogous to how you already think about Discretionary
> Access Control (i.e. directory and file ownership by Linux users) - the same
> caveats apply to both of them.
>
> My guess would be that you got into this non-working state by starting
> ovs-* processes directly from the command line (e.g. something like
> ./ovs-vswitchd ...). This caused the ovs-* processes to start under the
> unconfined type and hence all the unix domain sockets and files
> created by them were also created under the unconfined type. And now,
> later on, you are attempting to start ovs-vswitchd correctly via
> systemd, where this time these processes bootstrap under the SELinux
> openvswitch type and hence they can no longer clean up remnants
> created by previous ovs-* process instances that were running under
> the unconfined type. To confirm this theory, can you copy and paste the output of the
> "ps -AZf | egrep ovs" command?
>
> To get out of this situation you need to relabel these files back to
> the openvswitch_* type by running the restorecon command.
>
>
>
>>
>> Here is the output that you requested.
>> [root@localhost ~]# ls -Z /var/run/openvswitch/
>> srwx------. root root unconfined_u:object_r:var_run_t:s0 br0.mgmt
>> srwx------. root root unconfined_u:object_r:var_run_t:s0 br0.snoop
>> srwx------. root root unconfined_u:object_r:var_run_t:s0 db.sock
>> srwx------. root root unconfined_u:object_r:var_run_t:s0 ovsdb-server.2593.ctl
>> -rw-r--r--. root root unconfined_u:object_r:var_run_t:s0 ovsdb-server.pid
>> srwx------. root root unconfined_u:object_r:var_run_t:s0 ovs-vswitchd.2605.ctl
>> -rw-r--r--. root root unconfined_u:object_r:var_run_t:s0 ovs-vswitchd.pid
>> [root@localhost ~]#
>>
>> Thanks,
>> Muminul
>>
>> On Mon, Jan 23, 2017 at 10:46 AM, Ansis Atteka <aatteka at nicira.com> wrote:
>>> On Fri, Jan 20, 2017 at 3:48 PM, Muminul Islam Russell <misla011 at fiu.edu> wrote:
>>>> Thanks for the clarification.
>>>>
>>>> When I change the SELinux mode to permissive it goes through. I am
>>>> wondering if there is a way
>>>> to resolve this issue while SELinux is in enforcing mode.
>>>
>>> This could be something as trivial as:
>>> 1. deleting the /var/run/openvswitch directory and/or all its contents
>>> that were properly tagged with one of the openvswitch types
>>> 2. manually recreating this directory under the wrong unconfined type.
>>>
>>>
>>> Can you post the output of the `ls -Z` command for the /var/run/openvswitch
>>> directory and also all its contents to prove or disprove the theory
>>> I have above?
>>>
>>>>
>>>> Thanks,
>>>> Muminul
>>>>
>>>> On Fri, Jan 20, 2017 at 3:35 PM, Ben Pfaff <blp at ovn.org> wrote:
>>>>> On Fri, Jan 20, 2017 at 03:08:39PM -0800, Muminul Islam Russell wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I am using version 2.3.1 and having an issue with starting the openvswitch
>>>>>> service with systemd.
>>>>>>
>>>>>> [root@localhost ~]# systemctl status openvswitch
>>>>>>
>>>>>> Jan 20 15:00:54 localhost systemd[1]: Starting LSB: Open vSwitch switch...
>>>>>> Jan 20 15:00:54 localhost openvswitch[3196]: Starting ovsdb-server
>>>>>> ovsdb-server: /var/run/openvswitch/ovsdb-server.pid: pidfile check
>>>>>> failed (Permission denied), aborting
>>>>>
>>>>> ovsdb-server tried to check whether it was already running, by reading
>>>>> its own pidfile, but it couldn't read it due to a "permission denied"
>>>>> error.
>>>> _______________________________________________
>>>> discuss mailing list
>>>> discuss at openvswitch.org
>>>> https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
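
Added example, not part of the thread or of Open vSwitch: a small check that reads `ls -Z` output and lists entries whose SELinux type is outside `openvswitch_*`, followed by a dry-run `restorecon` on a live host. The function name `mislabeled` and the `openvswitch_var_run_t` type in the constructed sample line are assumptions.

```shell
#!/bin/sh
# Added example: list entries in `ls -Z` output whose SELinux type is not openvswitch_*.

# Reads `ls -Z` output on stdin and prints "<type> <name>" per mislabeled entry.
# The context field is found by its user:role:type:level shape, so both the
# older "perms user group context name" layout and "context name" layout work.
mislabeled() {
    awk '{
        for (i = 1; i <= NF; i++) {
            if (split($i, c, ":") >= 4 && c[2] ~ /_r$/) {
                if (c[3] !~ /^openvswitch_/) print c[3], $NF
                next
            }
        }
    }'
}

# First two lines are from the listing in the thread; the third is a constructed
# line showing a correctly labeled file (openvswitch_var_run_t is assumed here).
SAMPLE='srwx------. root root unconfined_u:object_r:var_run_t:s0 db.sock
-rw-r--r--. root root unconfined_u:object_r:var_run_t:s0 ovsdb-server.pid
-rw-r--r--. root root system_u:object_r:openvswitch_var_run_t:s0 ovs-vswitchd.pid'

printf '%s\n' "$SAMPLE" | mislabeled

# On a live host: check the real directory, then preview what restorecon would
# change (-n makes no changes). Drop -n to apply the relabel.
RUNDIR=/var/run/openvswitch
if [ -d "$RUNDIR" ] && command -v restorecon >/dev/null 2>&1; then
    ls -Z "$RUNDIR" | mislabeled
    restorecon -Rnv "$RUNDIR" || true
fi
```

Stop the Open vSwitch services before relabeling so that no process started from the command line recreates the sockets under the unconfined type.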
