[ovs-discuss] systemd issue

Ansis Atteka aatteka at nicira.com
Tue Jan 24 20:06:24 UTC 2017


On Tue, Jan 24, 2017 at 8:06 PM,
Muminul Islam Russell <misla011 at fiu.edu> wrote:
> Thanks a lot for detailed information.
>
>
> [root at localhost ~]# ps -AZf | egrep ovs
> system_u:system_r:openvswitch_t:s0 root   3079     1  0 10:07 ?
> 00:00:00 ovsdb-server: monitoring pid 3080 (healthy)
> system_u:system_r:openvswitch_t:s0 root   3080  3079  0 10:07 ?
> 00:00:00 ovsdb-server /etc/openvswitch/conf.db -vconsole:emer
> -vsyslog:err -vfile:info --remote=punix:/var/run/openvswitch/db.sock
> --private-key=db:Open_vSwitch,SSL,private_key
> --certificate=db:Open_vSwitch,SSL,certificate
> --bootstrap-ca-cert=db:Open_vSwitch,SSL,ca_cert --no-chdir
> --log-file=/var/log/openvswitch/ovsdb-server.log
> --pidfile=/var/run/openvswitch/ovsdb-server.pid --detach --monitor
> system_u:system_r:openvswitch_t:s0 root   3089     1  0 10:07 ?
> 00:00:00 ovs-vswitchd: monitoring pid 3090 (healthy)
> system_u:system_r:openvswitch_t:s0 root   3090  3089  0 10:07 ?
> 00:00:00 ovs-vswitchd unix:/var/run/openvswitch/db.sock -vconsole:emer
> -vsyslog:err -vfile:info --mlockall --no-chdir
> --log-file=/var/log/openvswitch/ovs-vswitchd.log
> --pidfile=/var/run/openvswitch/ovs-vswitchd.pid --detach --monitor

As can be seen from the above `ps -Z` output, both the ovs-vswitchd and
ovsdb-server processes are running under the expected openvswitch_t
type; it is also apparent that there are no extra ovs-* processes
running under the unconfined type that would prevent these ones from
starting properly. So the pid file with the wrong SELinux label must be
a remnant from one of the previous times you started openvswitch.

Do you have a reason to suspect that in the past there was at least a
single time when you started openvswitch in any other way than via
systemctl? If yes, then that is probably the problem, and just change the
SELinux context for /var/run/openvswitch via the restorecon command to fix
the issue.


> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 3104 2492
> 0 10:08 pts/0 00:00:00 grep -E --color=auto ovs
>
> ---
> Muminul
>
> On Tue, Jan 24, 2017 at 7:06 AM, Ansis Atteka <aatteka at nicira.com> wrote:
>> On Mon, Jan 23, 2017 at 9:22 PM, Muminul Islam Russell <misla011 at fiu.edu> wrote:
>>> Hi Ansis,
>>>
>>> Thanks. I am a newbie to this technology. Could you please tell me how
>>> I can use the wrong unconfined type while creating the directory
>>> manually.
>>
>> I would recommend you to think about Mandatory Access Control
>> (SELinux) in an analogous way to how you already think about Discretionary
>> Access Control (i.e. directory and file ownership by Linux users); the same
>> caveats apply to both of them.
>>
>> My guess would be that you got into this non-working state by starting
>> ovs-* processes directly from the command line (e.g. something like
>> ./ovs-vswitchd ...). This caused the ovs-* processes to start under the
>> unconfined type and hence all the unix domain sockets and files
>> created by them were also created under the unconfined type. And now,
>> later on, you are attempting to start ovs-vswitchd correctly via
>> systemd, where this time these processes bootstrap under the SELinux
>> openvswitch type and hence they can no longer clean up the remnants
>> created by the previous ovs-* process instances that were running under
>> the unconfined type. To confirm this theory, can you copy-paste the output of
>> the "ps -AZf | egrep ovs" command?
>>
>> To get out of this situation you need to relabel these files back to
>> the openvswitch_* type by running the restorecon command.
>>
>>
>>
>>>
>>> Here is the output that you requested.
>>> [root at localhost ~]# ls -Z /var/run/openvswitch/
>>> srwx------. root root unconfined_u:object_r:var_run_t:s0 br0.mgmt
>>> srwx------. root root unconfined_u:object_r:var_run_t:s0 br0.snoop
>>> srwx------. root root unconfined_u:object_r:var_run_t:s0 db.sock
>>> srwx------. root root unconfined_u:object_r:var_run_t:s0 ovsdb-server.2593.ctl
>>> -rw-r--r--. root root unconfined_u:object_r:var_run_t:s0 ovsdb-server.pid
>>> srwx------. root root unconfined_u:object_r:var_run_t:s0 ovs-vswitchd.2605.ctl
>>> -rw-r--r--. root root unconfined_u:object_r:var_run_t:s0 ovs-vswitchd.pid
>>> [root at localhost ~]#
>>>
>>> Thanks,
>>> Muminul
>>>
>>> On Mon, Jan 23, 2017 at 10:46 AM, Ansis Atteka <aatteka at nicira.com> wrote:
>>>> On Fri, Jan 20, 2017 at 3:48 PM, Muminul Islam Russell <misla011 at fiu.edu> wrote:
>>>>> Thanks for the clarification.
>>>>>
>>>>> When I change selinux mode to permissive it goes through. I am
>>>>> wondering if there is a way
>>>>> to resolve this issue while selinux in enforcing mode.
>>>>
>>>> This could be something as trivial as:
>>>> 1. deleting the /var/run/openvswitch directory and/or all its contents
>>>> that were properly tagged with one of the openvswitch types
>>>> 2. manually recreating this directory under the wrong unconfined type.
>>>>
>>>>
>>>> Can you post the output of the `ls -Z` command for the /var/run/openvswitch
>>>> directory and also all its contents to prove or disprove the theory
>>>> I have above?
>>>>
>>>>>
>>>>> Thanks,
>>>>> Muminul
>>>>>
>>>>> On Fri, Jan 20, 2017 at 3:35 PM, Ben Pfaff <blp at ovn.org> wrote:
>>>>>> On Fri, Jan 20, 2017 at 03:08:39PM -0800, Muminul Islam Russell wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> I am using 2.3.1 version and having issue with starting openvswitch
>>>>>>> service with systemd.
>>>>>>>
>>>>>>> [root at localhost ~]# systemctl status openvswitch
>>>>>>>
>>>>>>> Jan 20 15:00:54 localhost systemd[1]: Starting LSB: Open vSwitch switch...
>>>>>>> Jan 20 15:00:54 localhost openvswitch[3196]: Starting ovsdb-server
>>>>>>> ovsdb-server: /var/run/openvswitch/ovsdb-server.pid: pidfile check
>>>>>>> failed (Permission denied), aborting
>>>>>>
>>>>>> ovsdb-server tried to check whether it was already running, by reading
>>>>>> its own pidfile, but it couldn't read it due to a "permission denied"
>>>>>> error.
>>>>> _______________________________________________
>>>>> discuss mailing list
>>>>> discuss at openvswitch.org
>>>>> https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
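The triage that Ansis walks Muminul through above (compare the SELinux type of the running ovs-* daemons with the labels on /var/run/openvswitch, then relabel with restorecon) as an added Python example; this is not code from the thread or from the Open vSwitch project. It parses the text of `ps -AZf` and `ls -Z`, using the thread's own output as embedded sample data (command lines joined and abbreviated). The expected process type `openvswitch_t`, the `openvswitch_` prefix for file types, and `restorecon -Rv` as the remediation are assumptions taken from the discussion, not verified against a particular policy version.

```python
"""Added example (not from the thread): triage an SELinux label mismatch
between running Open vSwitch daemons and /var/run/openvswitch, from the
text of `ps -AZf` and `ls -Z`.

Assumptions (not verified against a specific SELinux policy version):
  - daemons started by systemd run under the openvswitch_t type;
  - files under /var/run/openvswitch should carry an openvswitch_* type;
  - `restorecon -Rv <dir>` restores the policy's default labels.
"""
import os
from dataclasses import dataclass

EXPECTED_PROCESS_TYPE = "openvswitch_t"
EXPECTED_FILE_TYPE_PREFIX = "openvswitch_"

# Sample data copied from the thread, wrapped command lines joined and
# abbreviated. The grep line is kept on purpose: a triage script must
# ignore it rather than report it as an unconfined ovs process.
SAMPLE_PS = """\
LABEL UID PID PPID C STIME TTY TIME CMD
system_u:system_r:openvswitch_t:s0 root 3079 1 0 10:07 ? 00:00:00 ovsdb-server: monitoring pid 3080 (healthy)
system_u:system_r:openvswitch_t:s0 root 3080 3079 0 10:07 ? 00:00:00 ovsdb-server /etc/openvswitch/conf.db --remote=punix:/var/run/openvswitch/db.sock --pidfile=/var/run/openvswitch/ovsdb-server.pid --detach --monitor
system_u:system_r:openvswitch_t:s0 root 3089 1 0 10:07 ? 00:00:00 ovs-vswitchd: monitoring pid 3090 (healthy)
system_u:system_r:openvswitch_t:s0 root 3090 3089 0 10:07 ? 00:00:00 ovs-vswitchd unix:/var/run/openvswitch/db.sock --mlockall --pidfile=/var/run/openvswitch/ovs-vswitchd.pid --detach --monitor
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 3104 2492 0 10:08 pts/0 00:00:00 grep -E --color=auto ovs
"""

SAMPLE_LS = """\
srwx------. root root unconfined_u:object_r:var_run_t:s0 br0.mgmt
srwx------. root root unconfined_u:object_r:var_run_t:s0 br0.snoop
srwx------. root root unconfined_u:object_r:var_run_t:s0 db.sock
srwx------. root root unconfined_u:object_r:var_run_t:s0 ovsdb-server.2593.ctl
-rw-r--r--. root root unconfined_u:object_r:var_run_t:s0 ovsdb-server.pid
srwx------. root root unconfined_u:object_r:var_run_t:s0 ovs-vswitchd.2605.ctl
-rw-r--r--. root root unconfined_u:object_r:var_run_t:s0 ovs-vswitchd.pid
"""


@dataclass
class Proc:
    context: str
    pid: int
    ppid: int
    cmd: str

    @property
    def setype(self) -> str:
        return self.context.split(":")[2]  # user:role:TYPE:level


@dataclass
class Entry:
    mode: str
    context: str
    name: str

    @property
    def setype(self) -> str:
        return self.context.split(":")[2]


def parse_ps_z(text):
    """Parse `ps -AZf` lines into Proc records; the header has no context."""
    procs = []
    for line in text.splitlines():
        parts = line.split(None, 8)  # context uid pid ppid c stime tty time cmd
        if len(parts) < 9 or parts[0].count(":") < 3:
            continue
        procs.append(Proc(parts[0], int(parts[2]), int(parts[3]), parts[8]))
    return procs


def parse_ls_z(text):
    """Parse `ls -Z` lines (mode user group context name) into Entry records."""
    entries = []
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) < 5 or parts[3].count(":") < 3:
            continue
        entries.append(Entry(parts[0], parts[3], parts[4]))
    return entries


def is_ovs_command(cmd):
    """True for ovs-vswitchd/ovsdb-server and their monitor parents, not grep."""
    first = os.path.basename(cmd.split()[0]).rstrip(":")
    return first.startswith("ovs")


def diagnose(ps_text, ls_text, rundir="/var/run/openvswitch"):
    """Classify processes and files and return a verdict plus remediation."""
    ovs = [p for p in parse_ps_z(ps_text) if is_ovs_command(p.cmd)]
    confined = [p for p in ovs if p.setype == EXPECTED_PROCESS_TYPE]
    unconfined = [p for p in ovs if p.setype != EXPECTED_PROCESS_TYPE]
    mislabeled = [e for e in parse_ls_z(ls_text)
                  if not e.setype.startswith(EXPECTED_FILE_TYPE_PREFIX)]
    if unconfined:
        verdict = ("ovs processes are running outside %s (started by hand?); "
                   "stop them first, then relabel" % EXPECTED_PROCESS_TYPE)
    elif mislabeled:
        verdict = ("daemons are confined but %d file(s) carry a non-openvswitch "
                   "type: stale labels from an earlier manual start" % len(mislabeled))
    else:
        verdict = "labels are consistent; the pidfile failure lies elsewhere"
    needs_relabel = bool(mislabeled or unconfined)
    return {"confined": confined, "unconfined": unconfined,
            "mislabeled": mislabeled, "verdict": verdict,
            "remediation": "restorecon -Rv %s" % rundir if needs_relabel else None}


if __name__ == "__main__":
    report = diagnose(SAMPLE_PS, SAMPLE_LS)
    print(report["verdict"])
    for e in report["mislabeled"]:
        print("  %-25s %s" % (e.name, e.context))
    print("fix:", report["remediation"])
```

On a live host the two inputs would come from `ps -AZf` and `ls -Z /var/run/openvswitch`; with the thread's data the script reports four confined daemons, no unconfined ovs processes and seven var_run_t entries, which is exactly the "remnant from an earlier manual start" situation Ansis describes.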

