Verifying the Image Service Installation in OpenStack Installation Guide for Red Hat Enterprise Linux, CentOS, and Fedora - havana

Bug #1245668 reported by Ed Balduf
This bug affects 3 people
Affects | Status | Importance | Assigned to | Milestone
openstack-manuals | Fix Released | High | Unassigned |

Bug Description

I've been working through this guide and when you get to this step, it doesn't work. The problem being that selinux is not letting qpidd operate properly. This is a clean install of Fedora 19 (Infrastructure server, virtualization) and then following all of the instructions step by step in this guide. I simply just changed enforcing to permissive and all works, and I'm fine with that, but the guide should be updated somewhere to reflect configuring selinux, and probably not at this page, but this is where I found it.

-----------------------------------
Built: 2013-10-28T14:43:24 00:00
git SHA: 1d83a5b51bdcb5b22c8e0a5429f8da7d616ba62b
URL: http://docs.openstack.org/trunk/install-guide/install/yum/content/glance-verify.html
source File: file:/home/jenkins/workspace/openstack-install-deploy-guide-fedora/doc/install-guide/section_glance-verify.xml
xml:id: glance-verify

Revision history for this message
Tom Fifield (fifieldt) wrote :

Thanks for taking the time to report, Edward! We'll get on this.

Changed in openstack-manuals:
status: New → Confirmed
importance: Undecided → High
milestone: none → havana
tags: added: install-guide
Revision history for this message
Stephen Gordon (sgordon) wrote :

Is there any audit.log information to assist with debugging the root cause? The only SELinux configuration expected that is specific to OpenStack is installation of the openstack-selinux package that includes the policy files.

I notice installation of this package is only mentioned in the context of Cinder in the guide as it stands today.

Revision history for this message
Ed Balduf (ebalduf) wrote :

Here is the interpreted audit log before and after the setenforce=0. RAW data below that.

638. 10/28/2013 20:31:24 connect 8488 glance-api unset 364
639. 10/28/2013 20:31:24 connect 8488 glance-api unset 363
640. 10/28/2013 20:32:24 write 8763 setenforce root 365
641. 10/28/2013 20:32:33 connect 8488 glance-api unset 366

type=SYSCALL msg=audit(1382992234.909:360): arch=c000003e syscall=42 success=no exit=-13 a0=13 a1=7fff0d155e10 a2=10 a3=1 items=0 ppid=8483 pid=8488 auid=4294967295 uid=161 gid=161 euid=161 suid=161 fsuid=161 egid=161 sgid=161 fsgid=161 ses=4294967295 tty=(none) comm="glance-api" exe="/usr/bin/python2.7" subj=system_u:system_r:glance_api_t:s0 key=(null)
type=AVC msg=audit(1382992250.535:361): avc: denied { name_connect } for pid=8488 comm="glance-api" dest=5672 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:amqp_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1382992250.535:361): arch=c000003e syscall=42 success=no exit=-13 a0=13 a1=7fff0d155e10 a2=1c a3=0 items=0 ppid=8483 pid=8488 auid=4294967295 uid=161 gid=161 euid=161 suid=161 fsuid=161 egid=161 sgid=161 fsgid=161 ses=4294967295 tty=(none) comm="glance-api" exe="/usr/bin/python2.7" subj=system_u:system_r:glance_api_t:s0 key=(null)
type=AVC msg=audit(1382992250.536:362): avc: denied { name_connect } for pid=8488 comm="glance-api" dest=5672 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:amqp_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1382992250.536:362): arch=c000003e syscall=42 success=no exit=-13 a0=13 a1=7fff0d155e10 a2=10 a3=1 items=0 ppid=8483 pid=8488 auid=4294967295 uid=161 gid=161 euid=161 suid=161 fsuid=161 egid=161 sgid=161 fsgid=161 ses=4294967295 tty=(none) comm="glance-api" exe="/usr/bin/python2.7" subj=system_u:system_r:glance_api_t:s0 key=(null)
type=AVC msg=audit(1382992284.305:363): avc: denied { name_connect } for pid=8488 comm="glance-api" dest=5672 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:amqp_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1382992284.305:363): arch=c000003e syscall=42 success=no exit=-13 a0=13 a1=7fff0d155e10 a2=1c a3=0 items=0 ppid=8483 pid=8488 auid=4294967295 uid=161 gid=161 euid=161 suid=161 fsuid=161 egid=161 sgid=161 fsgid=161 ses=4294967295 tty=(none) comm="glance-api" exe="/usr/bin/python2.7" subj=system_u:system_r:glance_api_t:s0 key=(null)
type=AVC msg=audit(1382992284.305:364): avc: denied { name_connect } for pid=8488 comm="glance-api" dest=5672 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:amqp_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1382992284.305:364): arch=c000003e syscall=42 success=no exit=-13 a0=13 a1=7fff0d155e10 a2=10 a3=1 items=0 ppid=8483 pid=8488 auid=4294967295 uid=161 gid=161 euid=161 suid=161 fsuid=161 egid=161 sgid=161 fsgid=161 ses=4294967295 tty=(none) comm="glance-api" exe="/usr/bin/python2.7" subj=system_u:system_r:glance_api_t:s0 key=(null)
type=MAC_STATUS msg=audit(1382992344.693:365): enforcing=0 old_enforcing=1 auid=0 ses=1
type=SYSCALL msg=audit(1382992344.693:365): arch=c000003e syscall=1 success=yes exit=1 a0=3 a1=7fff1484a370 a2=1 a3=0 items=0 ppid=1152 pid=...


Changed in openstack-manuals:
assignee: nobody → chandankumar (chandankumar-093047)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-manuals (master)

Fix proposed to branch: master
Review: https://review.openstack.org/63538

Changed in openstack-manuals:
status: Confirmed → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-manuals (stable/havana)

Fix proposed to branch: stable/havana
Review: https://review.openstack.org/64681

Changed in openstack-manuals:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-manuals (master)

Reviewed: https://review.openstack.org/63538
Committed: https://git.openstack.org/cgit/openstack/openstack-manuals/commit/?id=f07a1ff75a7e4c157fa0dbb7654bb9ca7a7fd16b
Submitter: Jenkins
Branch: master

commit f07a1ff75a7e4c157fa0dbb7654bb9ca7a7fd16b
Author: Chandan Kumar <email address hidden>
Date: Sat Dec 21 03:55:06 2013 +0530

    Added openstack-selinux to openstack-packages

    Closes-Bug:#1245668

    Change-Id: I24613b5f0f67277fb0062f385fdf0bddb4d1a69e
    backport: havana

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-manuals (stable/havana)

Reviewed: https://review.openstack.org/64681
Committed: https://git.openstack.org/cgit/openstack/openstack-manuals/commit/?id=eb358c6cf66db08baaecd67acde11adec7188583
Submitter: Jenkins
Branch: stable/havana

commit eb358c6cf66db08baaecd67acde11adec7188583
Author: Chandan Kumar <email address hidden>
Date: Sat Dec 21 03:55:06 2013 +0530

    Added openstack-selinux to openstack-packages

    Closes-Bug:#1245668

    Change-Id: I24613b5f0f67277fb0062f385fdf0bddb4d1a69e
    backport: havana
    (cherry picked from commit f07a1ff75a7e4c157fa0dbb7654bb9ca7a7fd16b)

tags: added: in-stable-havana
Revision history for this message
Tom Fifield (fifieldt) wrote :

The bug with selinux is still present:

type=AVC msg=audit(1388999124.442:109): avc: denied { name_connect } for pid=1954 comm="httpd" dest=5000 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:commplex_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1388999124.442:109): arch=c000003e syscall=42 success=no exit=-13 a0=e a1=7f129482d770 a2=10 a3=f items=0 ppid=1927 pid=1954 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

This is the dashboard being prevented from accessing keystone.

Changed in openstack-manuals:
status: Fix Released → Confirmed
assignee: chandankumar (chandankumar-093047) → nobody
Revision history for this message
Andreas Jaeger (jaegerandi) wrote :

Tom, is the openstack-selinux package installed?

Revision history for this message
Tom Fifield (fifieldt) wrote :

yes, of course :)

Revision history for this message
Tom Fifield (fifieldt) wrote :

(for proof: Package openstack-selinux-0.1.3-2.el6ost.noarch already installed and latest version)

Revision history for this message
Stephen Gordon (sgordon) wrote :

Looks like a separate bug to the one originally reported here (completely different audit trace presented), should be raised as an RDO bug.

Changed in openstack-manuals:
status: Confirmed → Fix Released
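
Added example (not part of the bug thread and not OpenStack project code): a small Python parser that groups the AVC denials quoted in this report by source domain, permission, target type and port, and lists enforcing-mode switches. Run over records copied from the comments above, it shows the glance-api and httpd traces are two distinct denials; the function names are chosen for this illustration.

```python
import re
from collections import Counter

# Records copied from the audit traces quoted in this bug report.
SAMPLE = """\
type=AVC msg=audit(1382992250.535:361): avc: denied { name_connect } for pid=8488 comm="glance-api" dest=5672 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:amqp_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1382992250.536:362): avc: denied { name_connect } for pid=8488 comm="glance-api" dest=5672 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:amqp_port_t:s0 tclass=tcp_socket
type=MAC_STATUS msg=audit(1382992344.693:365): enforcing=0 old_enforcing=1 auid=0 ses=1
type=AVC msg=audit(1388999124.442:109): avc: denied { name_connect } for pid=1954 comm="httpd" dest=5000 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:commplex_port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\):\s+avc:\s+denied\s+"
    r"\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MAC_RE = re.compile(r"type=MAC_STATUS msg=audit\([\d.]+:(\d+)\): "
                    r"enforcing=(\d) old_enforcing=(\d)")


def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    return {
        "serial": int(m.group("serial")),
        "perms": tuple(m.group("perms").split()),
        "comm": kv.get("comm"),
        "dest": int(kv["dest"]) if "dest" in kv else None,
        # An SELinux context is user:role:type:level; the type is field 3.
        "source_type": kv["scontext"].split(":")[2],
        "target_type": kv["tcontext"].split(":")[2],
        "tclass": kv.get("tclass"),
    }


def summarize(text):
    """Count denials per (source type, perms, target type, class, port)."""
    counts = Counter()
    for rec in filter(None, map(parse_avc, text.splitlines())):
        counts[(rec["source_type"], rec["perms"], rec["target_type"],
                rec["tclass"], rec["dest"])] += 1
    return counts


def enforcing_changes(text):
    """List (audit serial, old_enforcing, new_enforcing) for mode switches."""
    return [(int(s), int(old), int(new)) for s, new, old in MAC_RE.findall(text)]


if __name__ == "__main__":
    for key, n in summarize(SAMPLE).items():
        print(n, key)
    print("enforcing changes:", enforcing_changes(SAMPLE))
```

On a live host the same functions can be fed the contents of /var/log/audit/audit.log.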
Revision history for this message
Tom Fifield (fifieldt) wrote :
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/openstack-manuals 15.0.0

This issue was fixed in the openstack/openstack-manuals 15.0.0 release.
