[Yahoo-eng-team] [Bug 1774402] [NEW] Glance scrubber SELinux denials
Public bug reported:

Glance scrubber on RHEL7 from RDO with SELinux enabled gets denied connecting to cinder & swift:

  type=AVC msg=audit(1527765224.059:149655): avc: denied { name_connect } for pid=1283 comm="glance-scrubber" dest=8776 scontext=system_u:system_r:glance_scrubber_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
  type=AVC msg=audit(1527765228.066:149656): avc: denied { name_connect } for pid=1283 comm="glance-scrubber" dest=8776 scontext=system_u:system_r:glance_scrubber_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
  type=AVC msg=audit(1527765228.690:149657): avc: denied { name_connect } for pid=1283 comm="glance-scrubber" dest=8080 scontext=system_u:system_r:glance_scrubber_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket

Enabling the nis_enabled seboolean allows connections to cinder; swift looks to need

  allow glance_scrubber_t http_cache_port_t:tcp_socket name_connect;

** Affects: glance
   Importance: Undecided
   Status: New

-- 
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1774402

Title: Glance scrubber SELinux denials
Status in Glance: New

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1774402/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
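As an added example (not the reporter's code, and not from the Glance or selinux-policy projects), here is a small Python triage script for denials like the ones quoted above. It parses each AVC line into the source type, target type, object class and permission set that an allow rule is built from, counts how often each combination occurs, and attaches the remediation the report observed: the nis_enabled boolean for the unreserved_port_t (cinder, port 8776) denials and a local policy module for the http_cache_port_t (swift, port 8080) one. The BOOLEAN_HINTS mapping is taken from the report rather than derived from the policy sources, and the "setsebool -P" / "audit2allow -M" remediation strings are the standard tools an operator would reach for, not anything the report prescribes.

```python
import re
from collections import Counter

# The three AVC denial lines from the report above (the original has a space
# after "tcontext=", which the field regex tolerates).
AVC_LINES = [
    'type=AVC msg=audit(1527765224.059:149655): avc: denied { name_connect } for pid=1283 '
    'comm="glance-scrubber" dest=8776 scontext=system_u:system_r:glance_scrubber_t:s0 '
    'tcontext= system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket',
    'type=AVC msg=audit(1527765228.066:149656): avc: denied { name_connect } for pid=1283 '
    'comm="glance-scrubber" dest=8776 scontext=system_u:system_r:glance_scrubber_t:s0 '
    'tcontext= system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket',
    'type=AVC msg=audit(1527765228.690:149657): avc: denied { name_connect } for pid=1283 '
    'comm="glance-scrubber" dest=8080 scontext=system_u:system_r:glance_scrubber_t:s0 '
    'tcontext= system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket',
]

# Booleans the report found sufficient for a given target type. Only
# nis_enabled -> unreserved_port_t is stated in the report; anything else
# falls through to a local policy module.
BOOLEAN_HINTS = {'unreserved_port_t': 'nis_enabled'}

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=\s*("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC denial that matter for a policy rule,
    or None if the line is not a denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    try:
        return {
            'perms': tuple(sorted(m.group('perms').split())),
            'comm': fields.get('comm'),
            'dest': int(fields['dest']) if 'dest' in fields else None,
            # a context is user:role:type:level; rules are written on the type
            'source_type': fields['scontext'].split(':')[2],
            'target_type': fields['tcontext'].split(':')[2],
            'tclass': fields['tclass'],
        }
    except (KeyError, IndexError, ValueError):
        return None


def summarize(lines):
    """Collapse denials into candidate allow rules, each with a hit count and
    the narrowest remediation known for its target type."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            counts[(rec['source_type'], rec['target_type'], rec['tclass'], rec['perms'])] += 1
    out = []
    for (src, tgt, cls, perms), n in sorted(counts.items()):
        rule = 'allow %s %s:%s %s;' % (src, tgt, cls, ' '.join(perms))
        boolean = BOOLEAN_HINTS.get(tgt)
        fix = ('setsebool -P %s 1' % boolean) if boolean else 'local policy module (audit2allow -M)'
        out.append({'rule': rule, 'count': n, 'fix': fix})
    return out


if __name__ == '__main__':
    for entry in summarize(AVC_LINES):
        print('%(count)d x %(rule)s  -> %(fix)s' % entry)
```

Reading the output side by side is the point: the rule for http_cache_port_t is scoped to one port type and one permission, whereas a boolean grants a whole class of connections, so when both routes are available the scoped rule is the one that keeps the scrubber domain closest to least privilege.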
[Yahoo-eng-team] [Bug 1764200] [NEW] Glance Cinder backed images & multiple regions
Public bug reported:

When using the cinder backed images as per https://docs.openstack.org/cinder/latest/admin/blockstorage-volume-backed-image.html

We have multiple locations, glance configured as /etc/glance/glance-api.conf

  [glance_store]
  stores = swift, cinder
  default_store = swift
  -snip-
  cinder_store_auth_address = https://hostname:5000/v3
  cinder_os_region_name = Region
  cinder_store_user_name = glance
  cinder_store_password = Password
  cinder_store_project_name = cinder-images
  cinder_catalog_info = volume:cinder:internalURL

cinder clones the volume correctly, then talks to glance to add the location of cinder://

glance then talks to cinder to validate the volume id; however, this step uses the wrong cinder endpoint and checks the other region.

From /usr/lib/python2.7/site-packages/glance_store/_drivers/cinder.py it appears the region name is only used when not passing in the project/user/password.

Passing the os_region_name to the cinderclient.Client call on line 351 appears to fix this, i.e.

  c = cinderclient.Client(username, password, project, auth_url=url,
                          region_name=glance_store.cinder_os_region_name,
                          insecure=glance_store.cinder_api_insecure,
                          retries=glance_store.cinder_http_retries,
                          cacert=glance_store.cinder_ca_certificates_file)

** Affects: glance
   Importance: Undecided
   Status: New

https://bugs.launchpad.net/bugs/1764200

Title: Glance Cinder backed images & multiple regions
Status in Glance: New

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1764200/+subscriptions
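As an added example (not the reporter's patch and not glance_store or cinderclient code), the script below models why omitting region_name sends the validation call to the other region. It parses the cinder_catalog_info triple from the report's configuration, then looks the service up in a constructed two-region catalog laid out the way Keystone v3 returns it. With no region filter the first region listed wins, which is exactly the "checks the other region" symptom; with the filter, the endpoint for the configured region is returned. The catalog contents, hostnames and the region name "RegionTwo" are made up for the example, and the lookup is a simplified model of catalog filtering rather than keystoneauth's own implementation.

```python
# Constructed two-region service catalog in the shape Keystone v3 returns
# (service type/name with per-region, per-interface endpoints). Hostnames are
# invented; RegionOne is listed first on purpose.
CATALOG = [
    {'type': 'volume', 'name': 'cinder', 'endpoints': [
        {'region': 'RegionOne', 'interface': 'public',   'url': 'https://cinder.one.example:8776/v1'},
        {'region': 'RegionOne', 'interface': 'internal', 'url': 'https://cinder-int.one.example:8776/v1'},
        {'region': 'RegionTwo', 'interface': 'public',   'url': 'https://cinder.two.example:8776/v1'},
        {'region': 'RegionTwo', 'interface': 'internal', 'url': 'https://cinder-int.two.example:8776/v1'},
    ]},
    {'type': 'image', 'name': 'glance', 'endpoints': [
        {'region': 'RegionTwo', 'interface': 'internal', 'url': 'https://glance-int.two.example:9292'},
    ]},
]

# The [glance_store] options from the report that matter here. The report only
# says "Region"; "RegionTwo" is a constructed value for this example.
GLANCE_STORE = {
    'cinder_catalog_info': 'volume:cinder:internalURL',
    'cinder_os_region_name': 'RegionTwo',
}


def parse_catalog_info(value):
    """Split the 'service_type:service_name:endpoint_type' triple used by
    cinder_catalog_info into (type, name, interface)."""
    service_type, service_name, endpoint_type = value.split(':')
    # 'internalURL' (Keystone v2 naming) -> 'internal' (v3 interface name)
    interface = endpoint_type[:-3] if endpoint_type.endswith('URL') else endpoint_type
    return service_type, service_name, interface.lower()


def find_endpoint(catalog, service_type, service_name, interface, region_name=None):
    """First endpoint URL matching the filters. region_name=None means
    'any region', so whichever region the catalog lists first wins."""
    for service in catalog:
        if service['type'] != service_type or service['name'] != service_name:
            continue
        for ep in service['endpoints']:
            if ep['interface'] != interface:
                continue
            if region_name is not None and ep['region'] != region_name:
                continue
            return ep['url']
    return None


def cinder_endpoint(conf, catalog, pass_region):
    """Resolve the cinder endpoint a glance_store-style client would use.
    pass_region=False models building the client without region_name, which
    is what the report describes."""
    service_type, service_name, interface = parse_catalog_info(conf['cinder_catalog_info'])
    region = conf['cinder_os_region_name'] if pass_region else None
    return find_endpoint(catalog, service_type, service_name, interface, region)


if __name__ == '__main__':
    print('without region_name:', cinder_endpoint(GLANCE_STORE, CATALOG, False))
    print('with region_name:   ', cinder_endpoint(GLANCE_STORE, CATALOG, True))
```

Besides hitting the wrong region's cinder, a client that ignores cinder_os_region_name also ignores the operator's choice of internal vs. public interface only if the interface filter is dropped too; the example keeps the interface filter so that the region is the single variable being demonstrated.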
[Yahoo-eng-team] [Bug 1790446] [NEW] Glance policy and image owner
Public bug reported:

Trying to restrict glance to only allow editing/deleting a tenant's own images. According to the docs, this should work:

  "is_owner": "tenant:%(owner)s",
  "modify_image": "rule:is_owner",
  "delete_image": "rule:is_owner",

However, with this set, no user can then delete/modify images, as if the 'is_owner' rule never matches!

With the default policy, a normal user is able to edit/delete public images that they don't own. If the public image is set as 'protected' they can't delete it.

How are you meant to restrict actions to the owner of an image?

** Affects: glance
   Importance: Undecided
   Status: New

https://bugs.launchpad.net/bugs/1790446

Title: Glance policy and image owner
Status in Glance: New

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1790446/+subscriptions
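As an added example (not the reporter's configuration beyond the three rules quoted, and not oslo.policy or Glance code), here is a minimal evaluator for the rule language those rules are written in. It implements the pieces the report touches: "rule:<name>" references, "role:<name>" checks, the generic "<credential key>:%(target attribute)s" comparison behind "tenant:%(owner)s", and the empty rule string, which oslo.policy treats as always-true. The evaluator makes the two silent failure modes of a generic check explicit: the target dict lacking the named attribute, or the credentials dict lacking the named key. Either one makes the rule "never match"; which of them, if any, applies in the reporter's deployment is not established by the report. The extra actions get_image and admin_or_owner, and the credential and target dicts, are constructed for the example; parentheses and "not" are not modelled.

```python
# Policy rules: the three from the report plus two constructed ones.
POLICY = {
    "is_owner": "tenant:%(owner)s",
    "modify_image": "rule:is_owner",
    "delete_image": "rule:is_owner",
    "get_image": "",                                 # empty rule: always allowed
    "admin_or_owner": "role:admin or rule:is_owner",  # constructed, shows 'or'
}


def _atom(expr, target, creds, rules, depth):
    """Evaluate one check: '', '@', '!', 'rule:<name>', 'role:<name>' or the
    generic '<cred key>:<value>' form, where <value> may reference target
    attributes as %(attr)s."""
    if depth > 10:
        raise ValueError('rule recursion too deep: %s' % expr)
    if expr in ('', '@'):
        return True
    if expr == '!':
        return False
    kind, _, match = expr.partition(':')
    if kind == 'rule':
        return _expr(rules.get(match, '!'), target, creds, rules, depth + 1)
    if kind == 'role':
        return match.lower() in [r.lower() for r in creds.get('roles', [])]
    try:
        expected = match % target       # '%(owner)s' -> target['owner']
    except KeyError:
        return False                    # target lacks the attribute the rule names
    if kind not in creds:
        return False                    # credentials lack the key: can never match
    return str(creds[kind]) == str(expected)


def _expr(expr, target, creds, rules, depth):
    """'and' binds tighter than 'or', as in oslo.policy; no parentheses/not."""
    return any(
        all(_atom(atom.strip(), target, creds, rules, depth) for atom in conj.split(' and '))
        for conj in expr.split(' or ')
    )


def enforce(rules, action, target, creds):
    """True if creds may perform action on target under rules. An action with
    no rule defined is denied."""
    return _expr(rules.get(action, '!'), target, creds, rules, 0)


if __name__ == '__main__':
    image = {'owner': 'tenant-a', 'visibility': 'public'}   # constructed target
    for creds in ({'tenant': 'tenant-a', 'roles': ['member']},
                  {'tenant': 'tenant-b', 'roles': ['member']},
                  {'project_id': 'tenant-a', 'roles': ['member']}):
        print(creds, '->', enforce(POLICY, 'delete_image', image, creds))
```

The third credential set in the usage block is the diagnostic worth running first when an ownership rule appears dead: it carries the right project but under a different key name than the rule expects, and the evaluator denies it for that reason alone. Feeding the evaluator the exact credential and target dicts the service passes at enforcement time shows which side of the comparison is missing.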