Comment 0 for bug 1967956

Alexander Balderson (asbalderson) wrote :

On a deployment of Focal Ussuri which was CIS hardened, SQA had two tempest tests which failed to resize a server, and then revert the resize.

The two tests which failed were:
tempest.api.compute.servers.test_server_actions.ServerActionsTestJSON.test_resize_server_confirm
and
tempest.api.compute.servers.test_server_actions.ServerActionsTestJSON.test_resize_server_revert

The nova compute logs show:
: libvirt.libvirtError: Cannot access storage file '/var/lib/nova/instances/b3247fa2-fdef-4608-b661-0677fd68f96a/disk' (as uid:64055, gid:108): Permission denied
2022-04-03 03:18:09.648 653208 ERROR nova.virt.libvirt.driver [req-b7c2648b-b61c-47b0-b965-015a39eb60a2 da22df534509496fba235127688ca2af c35da82188de4fba8f79f2d59119c4fa - f23c501bf80845fda352e6ca6e0e5bbe f23c501bf80845fda352e6ca6e0e5bbe] [instance: b3247fa2-fdef-4608-b661-0677fd68f96a] Failed to start libvirt guest: libvirt.libvirtError: Cannot access storage file '/var/lib/nova/instances/b3247fa2-fdef-4608-b661-0677fd68f96a/disk' (as uid:64055, gid:108): Permission denied
2022-04-03 03:18:09.697 653208 INFO os_vif [req-b7c2648b-b61c-47b0-b965-015a39eb60a2 da22df534509496fba235127688ca2af c35da82188de4fba8f79f2d59119c4fa - f23c501bf80845fda352e6ca6e0e5bbe f23c501bf80845fda352e6ca6e0e5bbe] Successfully unplugged vif VIFOpenVSwitch(active=False,address=fa:16:3e:14:5f:7c,bridge_name='br-int',has_traffic_filtering=True,id=c6c15dff-9201-49e9-9d86-4ce684138f53,network=Network(611f2961-05f5-4361-a30f-bcf384865f6f),plugin='ovs',port_profile=VIFPortProfileOpenVSwitch,preserve_on_delete=False,vif_name='tapc6c15dff-92')
2022-04-03 03:18:09.700 653208 ERROR nova.compute.manager [req-b7c2648b-b61c-47b0-b965-015a39eb60a2 da22df534509496fba235127688ca2af c35da82188de4fba8f79f2d59119c4fa - f23c501bf80845fda352e6ca6e0e5bbe f23c501bf80845fda352e6ca6e0e5bbe] [instance: b3247fa2-fdef-4608-b661-0677fd68f96a] Setting instance vm_state to ERROR: libvirt.libvirtError: Cannot access storage file '/var/lib/nova/instances/b3247fa2-fdef-4608-b661-0677fd68f96a/disk' (as uid:64055, gid:108): Permission denied
2022-04-03 03:18:09.700 653208 ERROR nova.compute.manager [instance: b3247fa2-fdef-4608-b661-0677fd68f96a] Traceback (most recent call last):
2022-04-03 03:18:09.700 653208 ERROR nova.compute.manager [instance: b3247fa2-fdef-4608-b661-0677fd68f96a] File "/usr/lib/python3/dist-packages/nova/compute/manager.py", line 10047, in _error_out_instance_on_exception
2022-04-03 03:18:09.700 653208 ERROR nova.compute.manager [instance: b3247fa2-fdef-4608-b661-0677fd68f96a] yield
2022-04-03 03:18:09.700 653208 ERROR nova.compute.manager [instance: b3247fa2-fdef-4608-b661-0677fd68f96a] File "/usr/lib/python3/dist-packages/nova/compute/manager.py", line 5904, in _finish_resize_helper
2022-04-03 03:18:09.700 653208 ERROR nova.compute.manager [instance: b3247fa2-fdef-4608-b661-0677fd68f96a] network_info = self._finish_resize(context, instance, migration,
2022-04-03 03:18:09.700 653208 ERROR nova.compute.manager [instance: b3247fa2-fdef-4608-b661-0677fd68f96a] File "/usr/lib/python3/dist-packages/nova/compute/manager.py", line 5842, in _finish_resize
2022-04-03 03:18:09.700 653208 ERROR nova.compute.manager [instance: b3247fa2-fdef-4608-b661-0677fd68f96a] self._set_instance_info(instance, old_flavor)
2022-04-03 03:18:09.700 653208 ERROR nova.compute.manager [instance: b3247fa2-fdef-4608-b661-0677fd68f96a] File "/usr/lib/python3/dist-packages/oslo_utils/excutils.py", line 220, in __exit__
2022-04-03 03:18:09.700 653208 ERROR nova.compute.manager [instance: b3247fa2-fdef-4608-b661-0677fd68f96a] self.force_reraise()
2022-04-03 03:18:09.700 653208 ERROR nova.compute.manager [instance: b3247fa2-fdef-4608-b661-0677fd68f96a] File "/usr/lib/python3/dist-packages/oslo_utils/excutils.py", line 196, in force_reraise
2022-04-03 03:18:09.700 653208 ERROR nova.compute.manager [instance: b3247fa2-fdef-4608-b661-0677fd68f96a] six.reraise(self.type_, self.value, self.tb)
2022-04-03 03:18:09.700 653208 ERROR nova.compute.manager [instance: b3247fa2-fdef-4608-b661-0677fd68f96a] File "/usr/lib/python3/dist-packages/six.py", line 703, in reraise
2022-04-03 03:18:09.700 653208 ERROR nova.compute.manager [instance: b3247fa2-fdef-4608-b661-0677fd68f96a] raise value
2022-04-03 03:18:09.700 653208 ERROR nova.compute.manager [instance: b3247fa2-fdef-4608-b661-0677fd68f96a] File "/usr/lib/python3/dist-packages/nova/compute/manager.py", line 5825, in _finish_resize
2022-04-03 03:18:09.700 653208 ERROR nova.compute.manager [instance: b3247fa2-fdef-4608-b661-0677fd68f96a] self.driver.finish_migration(context, migration, instance,
2022-04-03 03:18:09.700 653208 ERROR nova.compute.manager [instance: b3247fa2-fdef-4608-b661-0677fd68f96a] File "/usr/lib/python3/dist-packages/nova/virt/libvirt/driver.py", line 10410, in finish_migration
2022-04-03 03:18:09.700 653208 ERROR nova.compute.manager [instance: b3247fa2-fdef-4608-b661-0677fd68f96a] guest = self._create_domain_and_network(context, xml, instance,
...
2022-04-03 03:18:09.700 653208 ERROR nova.compute.manager [instance: b3247fa2-fdef-4608-b661-0677fd68f96a] libvirt.libvirtError: Cannot access storage file '/var/lib/nova/instances/b3247fa2-fdef-4608-b661-0677fd68f96a/disk' (as uid:64055, gid:108): Permission denied
2022-04-03 03:18:09.700 653208 ERROR nova.compute.manager [instance: b3247fa2-fdef-4608-b661-0677fd68f96a]

for both tests.

Our CIS rule set is:

RULESET1="1.1.1.1 1.1.1.2 1.1.1.3 1.1.1.4 1.1.1.5 1.1.1.6 1.1.2 1.1.3 1.1.4 1.1.5 1.1.6 1.1.7 1.1.8 1.1.9 1.1.12 1.1.13 1.1.14 1.1.18 1.1.19 1.1.20 1.1.21 1.1.22 1.1.23 1.1.24 1.2.1 1.2.2 1.3.1 1.3.2 1.3.3 1.4.1 1.4.2 1.5.1 1.5.2 1.5.3 1.6.1 1.6.2 1.6.3 1.6.4 1.7.1.1 1.7.1.2 1.7.1.3 1.8.1.1 1.8.1.2 1.8.1.3 1.8.1.4 1.8.1.5 1.8.1.6 1.9 1.10"
RULESET2="2.1.1 2.1.2 2.2.1.1 2.2.1.2 2.2.1.3 2.2.1.4 2.2.2 2.2.3 2.2.4 2.2.5 2.2.6 2.2.7 2.2.8 2.2.9 2.2.10 2.2.11 2.2.12 2.2.13 2.2.14 2.2.15 2.2.17 2.3.1 2.3.2 2.3.3 2.3.4 2.3.5 2.3.6 2.4"
RULESET3="3.1.2 3.2.1 3.2.2 3.3.1 3.3.2 3.3.3 3.3.4 3.3.5 3.3.6 3.3.7 3.3.8 3.3.9 3.5.1.1 3.5.1.2 3.5.1.3 3.5.1.4 3.5.1.5 3.5.1.6 3.5.1.7 3.5.2.1 3.5.2.2 3.5.2.3 3.5.2.4 3.5.2.5 3.5.2.6 3.5.2.7 3.5.2.8 3.5.2.9 3.5.2.10 3.5.3.1.1 3.5.3.1.2 3.5.3.2.1 3.5.3.2.2 3.5.3.2.3 3.5.3.2.4 3.5.3.3.1 3.5.3.3.2 3.5.3.3.3 3.5.3.3.4"
RULESET4="4.2.1.1 4.2.1.2 4.2.1.3 4.2.1.4 4.2.1.5 4.2.1.6 4.2.2.1 4.2.2.2 4.2.2.3 4.2.3 4.3 4.4"
RULESET5="5.1.1 5.1.2 5.1.3 5.1.4 5.1.5 5.1.6 5.1.7 5.1.8 5.1.9 5.2.1 5.2.2 5.2.3 5.2.4 5.2.6 5.2.7 5.2.8 5.2.9 5.2.10 5.2.11 5.2.12 5.2.13 5.2.14 5.2.15 5.2.16 5.2.17 5.2.18 5.2.19 5.2.21 5.2.22 5.3.1 5.3.2 5.3.3 5.3.4 5.4.1.1 5.4.1.2 5.4.1.3 5.4.1.4 5.4.1.5 5.4.2 5.4.3 5.4.4 5.4.5 5.5 5.6"
RULESET6="6.1.2 6.1.3 6.1.4 6.1.5 6.1.6 6.1.7 6.1.8 6.1.9 6.1.10 6.1.11 6.1.126.1.13 6.1.14 6.2.1 6.2.2 6.2.3 6.2.4 6.2.5 6.2.6 6.2.7 6.2.8 6.2.9 6.2.10 6.2.11 6.2.12 6.2.13 6.2.14 6.2.15 6.2.16 6.2.17"

Metal systems get the additional rules:
"4.1.1.1 4.1.1.2 4.1.1.3 4.1.1.4 4.1.2.1 4.1.2.2 4.1.2.3 4.1.3 4.1.4 4.1.5 4.1.6 4.1.7 4.1.8 4.1.6 4.1.7 4.1.8 4.1.9 4.1.10 4.1.11 4.1.12 4.1.13 4.1.14 4.1.15 4.1.16 4.1.17
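
One way to triage the denial logged above, as an added example that is not part of the original report: parse the path, uid and gid out of the libvirt message, then walk each path component's mode bits to find the first one that uid/gid cannot search or read. The ownership and mode values in SAMPLE are constructed for illustration (not taken from the affected host), the helper names are hypothetical, and ACLs, AppArmor and supplementary groups are ignored.

```python
import re
import stat

# Message format as it appears in the nova-compute log above.
DENIAL_RE = re.compile(
    r"Cannot access storage file '(?P<path>[^']+)' "
    r"\(as uid:(?P<uid>\d+), gid:(?P<gid>\d+)\): Permission denied")

LINE = ("libvirt.libvirtError: Cannot access storage file "
        "'/var/lib/nova/instances/b3247fa2-fdef-4608-b661-0677fd68f96a/disk' "
        "(as uid:64055, gid:108): Permission denied")

INSTANCE = "/var/lib/nova/instances/b3247fa2-fdef-4608-b661-0677fd68f96a"
# Constructed (mode, owner uid, owner gid) values, NOT read from the affected
# host; uid/gid 1000 is a hypothetical owner.
SAMPLE = {
    "/var": (0o755, 0, 0),
    "/var/lib": (0o755, 0, 0),
    "/var/lib/nova": (0o750, 1000, 1000),
    "/var/lib/nova/instances": (0o755, 1000, 1000),
    INSTANCE: (0o755, 1000, 1000),
    INSTANCE + "/disk": (0o644, 64055, 108),
}

def parse_denial(line):
    """Return (path, uid, gid) from a libvirt denial line, or None."""
    m = DENIAL_RE.search(line)
    return (m["path"], int(m["uid"]), int(m["gid"])) if m else None

def allowed(mode, owner, group, uid, gid, want):
    """Classic owner/group/other check; want is 'r' (read) or 'x' (search)."""
    usr, grp, oth = {"r": (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH),
                     "x": (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)}[want]
    if uid == owner:
        return bool(mode & usr)
    return bool(mode & (grp if gid == group else oth))

def first_blocker(path, uid, gid, lookup):
    """Walk path top-down; return (component, needed_bit) that denies, or None.

    lookup(p) returns (mode, owner_uid, owner_gid); on a real host wrap os.stat.
    """
    parts = [p for p in path.split("/") if p]
    current = ""
    for i, part in enumerate(parts):
        current += "/" + part
        want = "r" if i == len(parts) - 1 else "x"
        if not allowed(*lookup(current), uid, gid, want):
            return current, want
    return None

if __name__ == "__main__":
    print(first_blocker(*parse_denial(LINE), SAMPLE.__getitem__))
```

On a compute node, replace the SAMPLE lookup with a function that returns `(st.st_mode, st.st_uid, st.st_gid)` from `os.stat`, and compare the result before and after the hardening run.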