[CentOS-devel] Problem creating CentOS cloud image, selinux bug with cloud-init?
Sebastiaan Glazenborg
sebastiaan at acore.nl
Fri Sep 11 20:29:01 UTC 2015
Hello,
I am trying to build my own CentOS cloud image (one reason is to better
understand this process and learn from it), but am having trouble
completing a fully functional image.
I have read various how-tos and other documentation but I keep running
into the same issue, maybe a bug?
I am very interested in how the CentOS cloud images were created and
whether the people building these ran into the same issue.
I am following these few steps:
1. create new CentOS 7 installation using virt-install and a kickstart
to create base_image.
nothing special is done, just using the CentOS 7 iso contents to do
a minimal install + cloud-init
2. run virt-sysprep on this created base_image
3. create new kvm vm using a copy of the sysprepped disk file
Because I do this all locally on my laptop I am using a config-drive iso
that cloud-init is using to read meta-data and user-data files.
The newly created VM is booted up, console connected, and it arrives at
the prompt without having completed the various cloud-init steps.
<snip boot messages>
[ 6.683676] ip_tables: (C) 2000-2006 Netfilter Core Team
[ 6.823284] nf_conntrack version 0.5.0 (7947 buckets, 31788 max)
[ 6.885987] ip6_tables: (C) 2000-2006 Netfilter Core Team
[ 7.076775] Ebtables v2.0 registered
[ 7.099351] Bridge firewalling registered
cloud-init[576]: Cloud-init v. 0.7.5 running 'init-local' at Fri, 11 Sep 2015 20:02:31 +0000. Up 7.13 seconds.
CentOS Linux 7 (Core)
Kernel 3.10.0-229.el7.x86_64 on an x86_64
localhost login:
And then nothing...
Investigating:
[root at localhost ~]# systemctl status cloud-init-local.service -l
cloud-init-local.service - Initial cloud-init job (pre-networking)
   Loaded: loaded (/usr/lib/systemd/system/cloud-init-local.service; enabled)
   Active: activating (start) since Fri 2015-09-11 22:18:45 CEST; 41s ago
 Main PID: 583 (cloud-init)
   CGroup: /system.slice/cloud-init-local.service
           ├─ 583 /usr/bin/python /usr/bin/cloud-init init --local
           ├─ 879 tee -a /var/log/cloud-init-output.log
           ├─1114 /bin/bash /etc/sysconfig/network-scripts/ifup-eth ifcfg-eth0
           └─4433 /usr/bin/python -Es /usr/bin/firewall-cmd --zone= --change-interface=eth0
Sep 11 22:18:47 localhost.localdomain cloud-init[583]: [CLOUDINIT] util.py[DEBUG]: Writing to /etc/sysconfig/network-scripts/ifcfg-eth0 - wb: [420] 253 bytes
Sep 11 22:18:47 localhost.localdomain cloud-init[583]: [CLOUDINIT] util.py[DEBUG]: Restoring selinux mode for /etc/sysconfig/network-scripts/ifcfg-eth0 (recursive=False)
Sep 11 22:18:47 localhost.localdomain cloud-init[583]: [CLOUDINIT] util.py[DEBUG]: Restoring selinux mode for /etc/sysconfig/network-scripts/ifcfg-eth0 (recursive=False)
Sep 11 22:18:47 localhost.localdomain cloud-init[583]: [CLOUDINIT] util.py[DEBUG]: Reading from /etc/sysconfig/network (quiet=False)
Sep 11 22:18:47 localhost.localdomain cloud-init[583]: [CLOUDINIT] util.py[DEBUG]: Read 37 bytes from /etc/sysconfig/network
Sep 11 22:18:47 localhost.localdomain cloud-init[583]: [CLOUDINIT] util.py[DEBUG]: Writing to /etc/sysconfig/network - wb: [420] 52 bytes
Sep 11 22:18:47 localhost.localdomain cloud-init[583]: [CLOUDINIT] util.py[DEBUG]: Restoring selinux mode for /etc/sysconfig/network (recursive=False)
Sep 11 22:18:47 localhost.localdomain cloud-init[583]: [CLOUDINIT] util.py[DEBUG]: Restoring selinux mode for /etc/sysconfig/network (recursive=False)
Sep 11 22:18:47 localhost.localdomain cloud-init[583]: [CLOUDINIT] __init__.py[DEBUG]: Attempting to run bring up interface eth0 using command ['ifup', 'eth0']
Sep 11 22:18:47 localhost.localdomain cloud-init[583]: [CLOUDINIT] util.py[DEBUG]: Running command ['ifup', 'eth0'] with allowed return codes [0] (shell=False, capture=True)
[root at localhost ~]# grep denied /var/log/audit/audit.log
type=USER_AVC msg=audit(1442002754.912:331): pid=589 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.4 spid=578 tpid=4433 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
[root at localhost ~]# audit2allow -a -M test
module test 1.0;
require {
type cloud_init_t;
type firewalld_t;
class dbus send_msg;
}
#============= firewalld_t ==============
allow firewalld_t cloud_init_t:dbus send_msg;
Now with SELinux disabled everything works fine; but that's not really
something I prefer to do outside of initial testing.
Googling: 'Running command ['ifup', 'eth0'] with allowed return codes
[0] (shell=False, capture=True)' returned this:
https://bugzilla.redhat.com/show_bug.cgi?id=1126096
But that bug report is now 1 year old...
Either I am doing something wrong or other people have run into this
same issue, no?
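As an added example (not from the post, cloud-init or audit2allow), a small Python parser that pulls the source type, target type, object class and permissions out of audit.log denial records like the USER_AVC one above and merges them into the same allow statement audit2allow printed. The USER_AVC record in the sample is the one from the post; the two type=AVC records are constructed to show that kernel AVC records parse the same way and that repeated denials on one type pair collapse into a single rule.

```python
import re
from collections import defaultdict

# Sample audit.log excerpt: the first record is the USER_AVC quoted in the post;
# the two type=AVC records are constructed for this example, not taken from the post.
SAMPLE_AUDIT_LOG = """\
type=USER_AVC msg=audit(1442002754.912:331): pid=589 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.4 spid=578 tpid=4433 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=AVC msg=audit(1442002756.120:333): avc:  denied  { read } for  pid=700 comm="cloud-init" name="user-data" dev="sr0" ino=42 scontext=system_u:system_r:cloud_init_t:s0 tcontext=system_u:object_r:iso9660_t:s0 tclass=file
type=AVC msg=audit(1442002756.121:334): avc:  denied  { open } for  pid=700 comm="cloud-init" name="user-data" dev="sr0" ino=42 scontext=system_u:system_r:cloud_init_t:s0 tcontext=system_u:object_r:iso9660_t:s0 tclass=file
"""

# 'avc: denied { perm... } for key=value...' is shared by kernel AVC and dbus USER_AVC
# records; USER_AVC wraps it in msg='...', so the key/value run stops at a single quote.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>[^']*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    """Third field of user:role:type:level, e.g. 'firewalld_t'."""
    return context.split(":")[2]

def parse_denials(text):
    """Yield one dict per denial record (kernel AVC or dbus USER_AVC) in audit.log text."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
        yield {
            "record": line.split(maxsplit=1)[0].split("=")[1],  # 'AVC' or 'USER_AVC'
            "perms": set(m.group("perms").split()),
            "source": selinux_type(kv["scontext"]),
            "target": selinux_type(kv["tcontext"]),
            "tclass": kv["tclass"],
        }

def allow_rules(text):
    """Merge denials per (source, target, class) into audit2allow-style allow rules."""
    merged = defaultdict(set)
    for d in parse_denials(text):
        merged[(d["source"], d["target"], d["tclass"])] |= d["perms"]
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = " ".join(sorted(perms))
        if len(perms) > 1:
            p = "{ " + p + " }"   # policy syntax braces a set of permissions
        rules.append(f"allow {src} {tgt}:{cls} {p};")
    return rules

if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE_AUDIT_LOG)))
```

The parsed (source, target, class) triples are what to review: a generated allow rule widens the policy for exactly that type pair, so it should be kept that narrow and treated as a workaround until the policy fix from the linked bug report lands.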