[ovs-discuss] systemd issue

Muminul Islam Russell misla011 at fiu.edu
Tue Jan 24 21:01:55 UTC 2017


Thanks a lot. I got the full context.

Best,
Muminul

On Tue, Jan 24, 2017 at 12:06 PM, Ansis Atteka <aatteka at nicira.com> wrote:
> On Tue, Jan 24, 2017 at 8:06 PM,
> Muminul Islam Russell <misla011 at fiu.edu> wrote:
>> Thanks a lot for detailed information.
>>
>>
>> [root at localhost ~]# ps -AZf | egrep ovs
>> system_u:system_r:openvswitch_t:s0 root   3079     1  0 10:07 ?
>> 00:00:00 ovsdb-server: monitoring pid 3080 (healthy)
>
>> system_u:system_r:openvswitch_t:s0 root   3080  3079  0 10:07 ?
>> 00:00:00 ovsdb-server /etc/openvswitch/conf.db -vconsole:emer
>> -vsyslog:err -vfile:info --remote=punix:/var/run/openvswitch/db.sock
>> --private-key=db:Open_vSwitch,SSL,private_key
>> --certificate=db:Open_vSwitch,SSL,certificate
>> --bootstrap-ca-cert=db:Open_vSwitch,SSL,ca_cert --no-chdir
>> --log-file=/var/log/openvswitch/ovsdb-server.log
>> --pidfile=/var/run/openvswitch/ovsdb-server.pid --detach --monitor
>
>> system_u:system_r:openvswitch_t:s0 root   3089     1  0 10:07 ?
>> 00:00:00 ovs-vswitchd: monitoring pid 3090 (healthy)
>
>> system_u:system_r:openvswitch_t:s0 root   3090  3089  0 10:07 ?
>> 00:00:00 ovs-vswitchd unix:/var/run/openvswitch/db.sock -vconsole:emer
>> -vsyslog:err -vfile:info --mlockall --no-chdir
>> --log-file=/var/log/openvswitch/ovs-vswitchd.log
>> --pidfile=/var/run/openvswitch/ovs-vswitchd.pid --detach --monitor
>
>
> As can be seen from the above `ps -Z` output both ovs-vswitchd and
> ovsdb-server processes are running under the expected openvswitch_t
> type; also it is apparent that there are no extra ovs-* processes
> running under the unconfined type preventing these ones from starting properly.
> So the pid file with the wrong SELinux label must be a remnant from one
> of the previous times you started openvswitch.
>
> Do you have a reason to suspect that in the past there was at least a
> single time where you started openvswitch in any other way than via
> systemctl? If yes, then that is probably the problem, and just change the
> SELinux context for /var/run/openvswitch via the restorecon command to fix
> the issue.
>
>
>> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 3104 2492
>> 0 10:08 pts/0 00:00:00 grep -E --color=auto ovs
>>
>> ---
>> Muminul
>>
>> On Tue, Jan 24, 2017 at 7:06 AM, Ansis Atteka <aatteka at nicira.com> wrote:
>>> On Mon, Jan 23, 2017 at 9:22 PM, Muminul Islam Russell <misla011 at fiu.edu> wrote:
>>>> Hi Ansis,
>>>>
>>>> Thanks. I am a newbie to this technology. Could you please tell me how
>>>> can I use the wrong unconfined type while creating the directory
>>>> manually.
>>>
>>> I would recommend you to think about Mandatory Access Control
>>> (SELinux) in an analogous way as you already think about Discretionary
>>> Access Control (i.e. directory and file ownership by Linux users) - the same
>>> caveats apply to both of them.
>>>
>>> My guess would be that you got into this non-working state by starting
>>> ovs-* processes directly from the command line (e.g. something like
>>> ./ovs-vswitchd ...). This caused ovs-* processes to start under the
>>> unconfined type and hence all the unix domain sockets and files
>>> created by them were also created under the unconfined type. And now,
>>> later on, you are attempting to start ovs-vswitchd correctly via
>>> systemd where this time these processes bootstrap under the SELinux
>>> openvswitch type and hence they can no longer clean up remnants
>>> created by previous ovs-* process instances that were running under the
>>> unconfined type. To confirm this theory can you copy-paste the output of
>>> the "ps -AZf | egrep ovs" command?
>>>
>>> To get out of this situation you need to relabel these files back to
>>> the openvswitch_* type by running the restorecon command.
>>>
>>>
>>>
>>>>
>>>> Here is the output that you requested.
>>>> [root at localhost ~]# ls -Z /var/run/openvswitch/
>>>> srwx------. root root unconfined_u:object_r:var_run_t:s0 br0.mgmt
>>>> srwx------. root root unconfined_u:object_r:var_run_t:s0 br0.snoop
>>>> srwx------. root root unconfined_u:object_r:var_run_t:s0 db.sock
>>>> srwx------. root root unconfined_u:object_r:var_run_t:s0 ovsdb-server.2593.ctl
>>>> -rw-r--r--. root root unconfined_u:object_r:var_run_t:s0 ovsdb-server.pid
>>>> srwx------. root root unconfined_u:object_r:var_run_t:s0 ovs-vswitchd.2605.ctl
>>>> -rw-r--r--. root root unconfined_u:object_r:var_run_t:s0 ovs-vswitchd.pid
>>>> [root at localhost ~]#
>>>>
>>>> Thanks,
>>>> Muminul
>>>>
>>>> On Mon, Jan 23, 2017 at 10:46 AM, Ansis Atteka <aatteka at nicira.com> wrote:
>>>>> On Fri, Jan 20, 2017 at 3:48 PM, Muminul Islam Russell <misla011 at fiu.edu> wrote:
>>>>>> Thanks for the clarification.
>>>>>>
>>>>>> When I change the SELinux mode to permissive it goes through. I am
>>>>>> wondering if there is a way
>>>>>> to resolve this issue while SELinux is in enforcing mode.
>>>>>
>>>>> This could be something as trivial as:
>>>>> 1. deleting the /var/run/openvswitch directory and/or all its contents
>>>>> that were properly tagged with one of the openvswitch types
>>>>> 2. manually recreating this directory under the wrong unconfined type.
>>>>>
>>>>>
>>>>> Can you post the output of the `ls -Z` command for the /var/run/openvswitch
>>>>> directory and also all its contents to prove or disprove the theory
>>>>> I have above?
>>>>>
>>>>>>
>>>>>> Thanks,
>>>>>> Muminul
>>>>>>
>>>>>> On Fri, Jan 20, 2017 at 3:35 PM, Ben Pfaff <blp at ovn.org> wrote:
>>>>>>> On Fri, Jan 20, 2017 at 03:08:39PM -0800, Muminul Islam Russell wrote:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> I am using version 2.3.1 and having an issue with starting the openvswitch
>>>>>>>> service with systemd.
>>>>>>>>
>>>>>>>> [root at localhost ~]# systemctl status openvswitch
>>>>>>>>
>>>>>>>> Jan 20 15:00:54 localhost systemd[1]: Starting LSB: Open vSwitch switch...
>>>>>>>> Jan 20 15:00:54 localhost openvswitch[3196]: Starting ovsdb-server
>>>>>>>> ovsdb-server: /var/run/openvswitch/ovsdb-server.pid: pidfile check
>>>>>>>> failed (Permission denied), aborting
>>>>>>>
>>>>>>> ovsdb-server tried to check whether it was already running, by reading
>>>>>>> its own pidfile, but it couldn't read it due to a "permission denied"
>>>>>>> error.
>>>>>> _______________________________________________
>>>>>> discuss mailing list
>>>>>> discuss at openvswitch.org
>>>>>> https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
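The checks Ansis walks through above (`ls -Z` on /var/run/openvswitch, `ps -AZf | egrep ovs`, then `restorecon`) can be scripted so the label mismatch is caught before ovsdb-server aborts on its pidfile. The script below is an added example, not code from the thread or from the Open vSwitch project. It parses sample `ls -Z` and `ps -AZf` output constructed from the listings posted in the thread (plus one constructed line for a manually started, unconfined ovs-vswitchd, which the thread's real output did not contain), and reports entries whose SELinux type is not the one the confined daemons expect. The expected file type `openvswitch_var_run_t` is an assumption taken from the SELinux reference policy; confirm it on a real host with `matchpathcon /var/run/openvswitch` before relying on it.

```shell
#!/bin/sh
# Added example (not from the ovs-discuss thread): find SELinux label
# remnants of the kind diagnosed above, i.e. sockets and pidfiles under
# /var/run/openvswitch labelled var_run_t by an unconfined ovs-* process,
# which a confined openvswitch_t daemon can then no longer read or remove.

# Assumption: the policy's file type for this directory is
# openvswitch_var_run_t. Verify with:  matchpathcon /var/run/openvswitch
EXPECTED_TYPE=${EXPECTED_TYPE:-openvswitch_var_run_t}

# Constructed sample: the `ls -Z /var/run/openvswitch` listing from the thread.
SAMPLE_LS_Z='srwx------. root root unconfined_u:object_r:var_run_t:s0 br0.mgmt
srwx------. root root unconfined_u:object_r:var_run_t:s0 br0.snoop
srwx------. root root unconfined_u:object_r:var_run_t:s0 db.sock
srwx------. root root unconfined_u:object_r:var_run_t:s0 ovsdb-server.2593.ctl
-rw-r--r--. root root unconfined_u:object_r:var_run_t:s0 ovsdb-server.pid
srwx------. root root unconfined_u:object_r:var_run_t:s0 ovs-vswitchd.2605.ctl
-rw-r--r--. root root unconfined_u:object_r:var_run_t:s0 ovs-vswitchd.pid'

# Constructed sample: `ps -AZf | egrep ovs` lines, unwrapped, with one added
# hypothetical line (pid 2605) for a daemon started by hand as unconfined_t.
SAMPLE_PS_AZF='system_u:system_r:openvswitch_t:s0 root 3079 1 0 10:07 ? 00:00:00 ovsdb-server: monitoring pid 3080 (healthy)
system_u:system_r:openvswitch_t:s0 root 3080 3079 0 10:07 ? 00:00:00 ovsdb-server /etc/openvswitch/conf.db --pidfile=/var/run/openvswitch/ovsdb-server.pid --detach --monitor
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 2605 2492 0 09:50 pts/0 00:00:00 ovs-vswitchd unix:/var/run/openvswitch/db.sock --pidfile=/var/run/openvswitch/ovs-vswitchd.pid
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 3104 2492 0 10:08 pts/0 00:00:00 grep -E --color=auto ovs'

# Read `ls -Z` lines on stdin; print "<type> <name>" for every entry whose
# SELinux type differs from $1. The context is the second-to-last field and
# the name the last, so both the older "mode user group ctx name" layout in
# the thread and newer coreutils' "ctx name" layout parse the same way.
find_mislabeled() {
    awk -v want="$1" 'NF >= 2 {
        n = split($(NF-1), ctx, ":")
        if (n >= 3 && ctx[3] != want) print ctx[3], $NF
    }'
}

# Read `ps -AZf` lines on stdin; print "<type> <pid> <cmd>" for ovsdb-server
# or ovs-vswitchd processes whose domain is not openvswitch_t. Field 1 is
# the label, 3 the pid, 9 the start of the command.
find_unconfined_daemons() {
    awk '$1 !~ /:openvswitch_t:/ && $9 ~ /^(ovsdb-server|ovs-vswitchd)/ {
        split($1, c, ":")
        print c[3], $3, $9
    }'
}

# Run the same two checks against the live host.
check_live() {
    dir=${1:-/var/run/openvswitch}
    echo "== entries under $dir not labelled $EXPECTED_TYPE =="
    ls -Z "$dir" | find_mislabeled "$EXPECTED_TYPE"
    echo "== ovs daemons not running as openvswitch_t =="
    ps -AZf | find_unconfined_daemons
    echo "Remediation from the thread: stop any unconfined ovs-* processes, then"
    echo "  restorecon -Rv $dir"
}

# With --live, inspect this host; otherwise walk through the constructed samples.
case "${1:-}" in
    --live) check_live "${2:-/var/run/openvswitch}" ;;
    *)
        echo "== sample ls -Z: entries not labelled $EXPECTED_TYPE =="
        printf '%s\n' "$SAMPLE_LS_Z" | find_mislabeled "$EXPECTED_TYPE"
        echo "== sample ps -AZf: ovs daemons not running as openvswitch_t =="
        printf '%s\n' "$SAMPLE_PS_AZF" | find_unconfined_daemons
        ;;
esac
```

On the thread's listing every one of the seven entries is reported as `var_run_t`, which is exactly the state in which a systemd-started, openvswitch_t-confined ovsdb-server gets "pidfile check failed (Permission denied)". The process check matters because `restorecon` alone does not help while a stray unconfined daemon is still holding the sockets; it will simply recreate them with the wrong label.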