[CentOS-devel] Problem creating CentOS cloud image, selinux bug with cloud-init?

Sebastiaan Glazenborg sebastiaan at acore.nl
Fri Sep 11 20:29:01 UTC 2015


Hello,

I am trying to build my own CentOS cloud image, one reason being to better
understand this process and learn from it, but I am having trouble
completing a fully functional image.

I have read various how-tos and other documentation but I keep running
into the same issue; maybe a bug?
I am very interested in how the CentOS cloud images were created and whether the
people building these ran into the same issue.

I am following these few steps:

 1. create a new CentOS 7 installation using virt-install and a kickstart
    to create base_image.
    Nothing special is done, just using the CentOS 7 iso contents to do
    a minimal install + cloud-init

 2. run virt-sysprep on this created base_image

 3. create new kvm vm using a copy of the sysprepped disk file

Because I do this all locally on my laptop I am using a config-drive iso
that cloud-init is using to read meta-data and user-data files.

The newly created vm is booted up, console connected, and it arrives at
the prompt without having completed the various cloud-init steps.

<snip boot messages>
[    6.683676] ip_tables: (C) 2000-2006 Netfilter Core Team
[    6.823284] nf_conntrack version 0.5.0 (7947 buckets, 31788 max)
[    6.885987] ip6_tables: (C) 2000-2006 Netfilter Core Team
[    7.076775] Ebtables v2.0 registered
[    7.099351] Bridge firewalling registered
cloud-init[576]: Cloud-init v. 0.7.5 running 'init-local' at Fri, 11 Sep 2015 20:02:31 +0000. Up 7.13 seconds.

CentOS Linux 7 (Core)
Kernel 3.10.0-229.el7.x86_64 on an x86_64

localhost login:


And then nothing...

Investigating:


[root@localhost ~]# systemctl status cloud-init-local.service -l

cloud-init-local.service - Initial cloud-init job (pre-networking)
   Loaded: loaded (/usr/lib/systemd/system/cloud-init-local.service; enabled)
   Active: activating (start) since Fri 2015-09-11 22:18:45 CEST; 41s ago
 Main PID: 583 (cloud-init)
   CGroup: /system.slice/cloud-init-local.service
           ├─ 583 /usr/bin/python /usr/bin/cloud-init init --local
           ├─ 879 tee -a /var/log/cloud-init-output.log
           ├─1114 /bin/bash /etc/sysconfig/network-scripts/ifup-eth ifcfg-eth0
           └─4433 /usr/bin/python -Es /usr/bin/firewall-cmd --zone= --change-interface=eth0

Sep 11 22:18:47 localhost.localdomain cloud-init[583]: [CLOUDINIT] util.py[DEBUG]: Writing to /etc/sysconfig/network-scripts/ifcfg-eth0 - wb: [420] 253 bytes
Sep 11 22:18:47 localhost.localdomain cloud-init[583]: [CLOUDINIT] util.py[DEBUG]: Restoring selinux mode for /etc/sysconfig/network-scripts/ifcfg-eth0 (recursive=False)
Sep 11 22:18:47 localhost.localdomain cloud-init[583]: [CLOUDINIT] util.py[DEBUG]: Restoring selinux mode for /etc/sysconfig/network-scripts/ifcfg-eth0 (recursive=False)
Sep 11 22:18:47 localhost.localdomain cloud-init[583]: [CLOUDINIT] util.py[DEBUG]: Reading from /etc/sysconfig/network (quiet=False)
Sep 11 22:18:47 localhost.localdomain cloud-init[583]: [CLOUDINIT] util.py[DEBUG]: Read 37 bytes from /etc/sysconfig/network
Sep 11 22:18:47 localhost.localdomain cloud-init[583]: [CLOUDINIT] util.py[DEBUG]: Writing to /etc/sysconfig/network - wb: [420] 52 bytes
Sep 11 22:18:47 localhost.localdomain cloud-init[583]: [CLOUDINIT] util.py[DEBUG]: Restoring selinux mode for /etc/sysconfig/network (recursive=False)
Sep 11 22:18:47 localhost.localdomain cloud-init[583]: [CLOUDINIT] util.py[DEBUG]: Restoring selinux mode for /etc/sysconfig/network (recursive=False)
Sep 11 22:18:47 localhost.localdomain cloud-init[583]: [CLOUDINIT] __init__.py[DEBUG]: Attempting to run bring up interface eth0 using command ['ifup', 'eth0']
Sep 11 22:18:47 localhost.localdomain cloud-init[583]: [CLOUDINIT] util.py[DEBUG]: Running command ['ifup', 'eth0'] with allowed return codes [0] (shell=False, capture=True)

[root@localhost ~]# grep denied /var/log/audit/audit.log

type=USER_AVC msg=audit(1442002754.912:331): pid=589 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.4 spid=578 tpid=4433 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

[root@localhost ~]# audit2allow -a -M test

module test 1.0;

require {
	type cloud_init_t;
	type firewalld_t;
	class dbus send_msg;
}

#============= firewalld_t ==============
allow firewalld_t cloud_init_t:dbus send_msg;

Now with SELinux disabled everything works fine; but that's not really
something I prefer to do outside of initial testing.

Googling: 'Running command ['ifup', 'eth0'] with allowed return codes
[0] (shell=False, capture=True)' returned this:
https://bugzilla.redhat.com/show_bug.cgi?id=1126096

But that bug report is now 1 year old...

Either I am doing something wrong or other people have run into this
same issue, no?
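As an added example (not code from the original post, from cloud-init or from audit2allow), here is a small Python parser for the audit.log records shown above. It extracts each AVC/USER_AVC denial, renders the allow rule audit2allow would produce for it (the same `allow firewalld_t cloud_init_t:dbus send_msg;` as in the post) and assembles a module skeleton in the same layout, so the exact scope of what a custom policy module would grant can be reviewed before choosing between a narrow module and the much wider step of disabling SELinux. The sample log is constructed: the USER_AVC line from the post rejoined onto one line, plus a made-up SYSCALL record and a made-up kernel AVC record so both record shapes are exercised.

```python
import re
from dataclasses import dataclass

# Constructed sample for this example: the USER_AVC record from the post above, rejoined
# onto one line (the list archive wrapped it), followed by a made-up SYSCALL record and a
# made-up kernel AVC record. Only the first line is real data from the post.
SAMPLE_AUDIT_LOG = """\
type=USER_AVC msg=audit(1442002754.912:331): pid=589 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.4 spid=578 tpid=4433 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=SYSCALL msg=audit(1442002754.913:332): arch=c000003e syscall=2 success=yes exit=3
type=AVC msg=audit(1442002760.100:340): avc:  denied  { read } for  pid=700 comm="example" name="example.conf" dev="vda1" ino=1234 scontext=system_u:system_r:cloud_init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

RECORD_TYPE_RE = re.compile(r"^type=(\S+)")
# The denial body is the same for kernel AVC records and for USER_AVC records
# (where it sits inside msg='...' because a userspace object manager such as
# dbus-daemon reported it): permissions in braces, then scontext/tcontext/tclass.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def _perm_text(perms) -> str:
    perms = sorted(set(perms))
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def _type_of(context: str) -> str:
    # A security context is user:role:type[:range]; the third field is the type.
    return context.split(":")[2]


@dataclass(frozen=True)
class Denial:
    record_type: str   # "AVC" (kernel) or "USER_AVC" (userspace object manager)
    perms: tuple       # permissions listed in the braces, e.g. ("send_msg",)
    source_type: str   # type of the subject, from scontext (e.g. firewalld_t)
    target_type: str   # type of the target, from tcontext (e.g. cloud_init_t)
    tclass: str        # object class, e.g. "dbus" or "file"

    def allow_rule(self) -> str:
        """Render this denial as the allow rule audit2allow would emit for it."""
        return f"allow {self.source_type} {self.target_type}:{self.tclass} {_perm_text(self.perms)};"


def parse_audit_log(text: str) -> list:
    """Extract every AVC/USER_AVC denial from raw audit.log text; other records are skipped."""
    denials = []
    for line in text.splitlines():
        if "avc:" not in line or "denied" not in line:
            continue
        rec = RECORD_TYPE_RE.match(line)
        avc = AVC_RE.search(line)
        if not rec or not avc:
            continue  # malformed or truncated record: ignore rather than guess
        denials.append(Denial(
            record_type=rec.group(1),
            perms=tuple(avc.group("perms").split()),
            source_type=_type_of(avc.group("scontext")),
            target_type=_type_of(avc.group("tcontext")),
            tclass=avc.group("tclass"),
        ))
    return denials


def generate_module(denials, name: str, version: str = "1.0") -> str:
    """Build a policy-module source (.te) in the same layout audit2allow -M prints."""
    types = sorted({t for d in denials for t in (d.source_type, d.target_type)})
    classes = {}
    for d in denials:
        classes.setdefault(d.tclass, set()).update(d.perms)
    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {cls} {_perm_text(classes[cls])};" for cls in sorted(classes)]
    lines += ["}", ""]
    by_source = {}
    for d in denials:
        by_source.setdefault(d.source_type, set()).add(d.allow_rule())
    for src in sorted(by_source):
        lines.append(f"#============= {src} ==============")
        lines += sorted(by_source[src])
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    found = parse_audit_log(SAMPLE_AUDIT_LOG)
    for d in found:
        print(f"{d.record_type}: {d.allow_rule()}")
    print()
    print(generate_module(found, "test"))
```

Running it against a real `/var/log/audit/audit.log` (read the file instead of `SAMPLE_AUDIT_LOG`) lists every distinct source/target/class triple the module would open up; for the post's case that is a single dbus `send_msg` from `firewalld_t` to `cloud_init_t`, which is what makes a targeted module preferable to turning enforcement off.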