Bug #1979093 “Intermittent failure adding user 'ceph-admin', exi...” : Bugs : tripleo

John Fulton (jfulton-org) on 2022-06-17

summary:

- failed adding user 'ceph-admin', exit code: 9
+ Intermittent failure adding user 'ceph-admin', exit code: 9

Revision history for this message

John Fulton (jfulton-org) wrote on 2022-06-19:

#1

Download full text (7.1 KiB)

Another intermittent failure was observed in CI once but not again. Perhaps when this bug is patched an extra task could be added to ensure authorized keys have the correct selinux context.

https://review.rdoproject.org/r/c/testproject/+/36256

001 standalone testing periodic. New failure:

First time I've seen this timeout:

fatal: [undercloud]: FAILED! => {"attempts": 12, "changed": true, "cmd": "ssh -i /home/zuul/.ssh/ceph-admin-id_rsa -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null ceph-admin@192.168.42.1 'echo good'", "delta": "0:00:00.063750", "end": "2022-06-18 22:10:39.793079", "msg": "non-zero return code", "rc": 255, "start": "2022-06-18 22:10:39.729329", "stderr": "Warning: Permanently added '192.168.42.1' (ED25519) to the list of known hosts.\r\nceph-admin@192.168.42.1: Permission denied (publickey).", "stderr_lines": ["Warning: Permanently added '192.168.42.1' (ED25519) to the list of known hosts.", "ceph-admin@192.168.42.1: Permission denied (publickey)."], "stdout": "", "stdout_lines": []}

The failed task [1] confirms the ceph-admin user account is unable to support ssh entry.
The account was created [2].
The journal [3] showed that selinux denied sshd from read access on the file authorized_keys.
I could add an extra task after creating the the authorized_keys key [5] which ensures the SELinux context is correct.

[1] https://github.com/openstack/tripleo-quickstart-extras/blob/master/roles/standalone/tasks/ceph-install.yml#L95

[2] https://logserver.rdoproject.org/56/36256/98/check/periodic-tripleo-ci-centos-9-scenario001-standalone-master/a453b28/logs/undercloud/etc/passwd.txt.gz

[3] https://logserver.rdoproject.org/56/36256/98/check/periodic-tripleo-ci-centos-9-scenario001-standalone-master/a453b28/logs/undercloud/var/log/extra/journal.txt.gz

[4]
Jun 18 22:10:41 standalone.localdomain setroubleshoot[86399]: SELinux is preventing /usr/sbin/sshd from read access on the file authorized_keys. For complete SELinux messages run: sealert -l fa5095ff-f00d-4445-bacf-6c7ddf9e24d5
Jun 18 22:10:41 standalone.localdomain setroubleshoot[86399]: SELinux is preventing /usr/sbin/sshd from read access on the file authorized_keys.

***** Plugin catchall (100. confidence) suggests **************************

                                                              If you believe that sshd should be allowed read access on the authorized_keys file by default.
                                                              Then you should report this as a bug.
                                                              You can generate a local policy module to allow this access.
                                                              Do
                                                              allow this access for now by executing:
                                                              # ausearch -c 'sshd' --raw | audit2allow -M my-sshd
                                                              # semodule -X 300 -i my-...

Another intermittent failure was observed in CI once but not again. Perhaps when this bug is patched an extra task could be added to ensure authorized keys have the correct selinux context.

https://review.rdoproject.org/r/c/testproject/+/36256

001 standalone testing periodic. New failure:

First time I've seen this timeout:

fatal: [undercloud]: FAILED! => {"attempts": 12, "changed": true, "cmd": "ssh -i /home/zuul/.ssh/ceph-admin-id_rsa -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null ceph-admin@192.168.42.1 'echo good'", "delta": "0:00:00.063750", "end": "2022-06-18 22:10:39.793079", "msg": "non-zero return code", "rc": 255, "start": "2022-06-18 22:10:39.729329", "stderr": "Warning: Permanently added '192.168.42.1' (ED25519) to the list of known hosts.\r\nceph-admin@192.168.42.1: Permission denied (publickey).", "stderr_lines": ["Warning: Permanently added '192.168.42.1' (ED25519) to the list of known hosts.", "ceph-admin@192.168.42.1: Permission denied (publickey)."], "stdout": "", "stdout_lines": []}

The failed task [1] confirms the ceph-admin user account is unable to support ssh entry.
The account was created [2].
The journal [3] showed that selinux denied sshd from read access on the file authorized_keys.
I could add an extra task after creating the the authorized_keys key [5] which ensures the SELinux context is correct.

[1] https://github.com/openstack/tripleo-quickstart-extras/blob/master/roles/standalone/tasks/ceph-install.yml#L95

[2] https://logserver.rdoproject.org/56/36256/98/check/periodic-tripleo-ci-centos-9-scenario001-standalone-master/a453b28/logs/undercloud/etc/passwd.txt.gz

[3] https://logserver.rdoproject.org/56/36256/98/check/periodic-tripleo-ci-centos-9-scenario001-standalone-master/a453b28/logs/undercloud/var/log/extra/journal.txt.gz

[4]
Jun 18 22:10:41 standalone.localdomain setroubleshoot[86399]: SELinux is preventing /usr/sbin/sshd from read access on the file authorized_keys. For complete SELinux messages run: sealert -l fa5095ff-f00d-4445-bacf-6c7ddf9e24d5
Jun 18 22:10:41 standalone.localdomain setroubleshoot[86399]: SELinux is preventing /usr/sbin/sshd from read access on the file authorized_keys.
                                                              
                                                              *****  Plugin catchall (100. confidence) suggests   **************************
                                                              
                                                              If you believe that sshd should be allowed read access on the authorized_keys file by default.
                                                              Then you should report this as a bug.
                                                              You can generate a local policy module to allow this access.
                                                              Do
                                                              allow this access for now by executing:
                                                              # ausearch -c 'sshd' --raw | audit2allow -M my-sshd
                                                              # semodule -X 300 -i my-sshd.pp
                                                              
Jun 18 22:10:41 standalone.localdomain setroubleshoot[86399]: AnalyzeThread.run(): Set alarm timeout to 10
Jun 18 22:10:43 standalone.localdomain python3[86462]: ansible-command Invoked with chdir=/home/zuul/workspace _raw_params=source /home/zuul/workspace/hash_info.sh
                                                       export LOG_PATH="56/36256/98/check/periodic-tripleo-ci-centos-9-scenario001-standalone-master/a453b28"
                                                       export LOG_HOST_URL="https://logserver.rdoproject.org"
                                                       export SUCCESS="False"
                                                       export TOCI_JOBTYPE="periodic-tripleo-ci-centos-9-scenario001-standalone-master"
                                                       export SSL_CA_BUNDLE="/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt"
                                                       bash -xe /home/zuul/src/review.rdoproject.org/config/ci-scripts/tripleo-upstream/dlrnapi_report.sh
                                                        _uses_shell=True zuul_log_id=fa163e35-56ca-7734-6b4c-000000000009-primary warn=False argv=None executable=None creates=None removes=None stdin=None
Jun 18 22:10:49 standalone.localdomain python3[86493]: ansible-file Invoked with path=/home/zuul/workspace/logs state=directory recurse=True force=False follow=True modification_time_format=%Y%m%d%H%M.%S access_time_format=%Y%m%d%H%M.%S _original_basename=None _diff_peek=None src=None modification_time=None access_time=None mode=None owner=None group=None seuser=None serole=None selevel=None setype=None attributes=None content=NOT_LOGGING_PARAMETER backup=None remote_src=None regexp=None delimiter=None directory_mode=None unsafe_writes=None
Jun 18 22:10:49 standalone.localdomain python3[86515]: ansible-stat Invoked with path=/home/zuul/workspace/logs/report.html follow=False get_checksum=True get_mime=True get_attributes=True checksum_algorithm=sha1 get_md5=None
Jun 18 22:10:50 standalone.localdomain systemd[1]: dbus-:1.1-org.fedoraproject.SetroubleshootPrivileged@13.service: Main process exited, code=killed, status=14/ALRM
Jun 18 22:10:50 standalone.localdomain systemd[1]: dbus-:1.1-org.fedoraproject.SetroubleshootPrivileged@13.service: Failed with result 'signal'.
Jun 18 22:10:50 standalone.localdomain python3[86584]: ansible-stat Invoked with path=/home/zuul/workspace/logs/zuul_console.json follow=False get_checksum=True checksum_algorithm=sha1 get_mime=True get_attributes=True get_md5=None
Jun 18 22:10:51 standalone.localdomain python3[86649]: ansible-copy Invoked with dest=/home/zuul/workspace/logs/zuul_console.json src=/home/zuul/.ansible/tmp/ansible-tmp-1655604650.4069228-28-169704872561974/source _original_basename=tmpkqaytlv4 follow=False checksum=aa53301d06abc755e726e9efdc2c4e6d83e048e8 backup=False force=True content=NOT_LOGGING_PARAMETER validate=None directory_mode=None remote_src=None local_follow=None mode=None owner=None group=None seuser=None serole=None selevel=None setype=None attributes=None regexp=None delimiter=None unsafe_writes=None
Jun 18 22:10:51 standalone.localdomain systemd[1]: dbus-:1.1-org.fedoraproject.Setroubleshootd@12.service: Main process exited, code=killed, status=14/ALRM
Jun 18 22:10:51 standalone.localdomain systemd[1]: dbus-:1.1-org.fedoraproject.Setroubleshootd@12.service: Failed with result 'signal'.
Jun 18 22:10:51 standalone.localdomain python3[86693]: ansible-stat Invoked with path=/home/zuul/workspace/logs/undercloud follow=False get_checksum=True get_mime=True get_attributes=True checksum_algorithm=sha1 get_md5=None
Jun 18 22:10:51 standalone.localdomain sshd[86694]: error: kex_exchange_identification: Connection closed by remote host
Jun 18 22:10:51 standalone.localdomain sshd[86694]: Connection closed by 103.203.57.11 port 49662

[5] https://github.com/openstack/tripleo-ansible/blob/master/tripleo_ansible/roles/tripleo_create_admin/tasks/create_user.yml#L49-L55

Revision history for this message

John Fulton (jfulton-org) wrote on 2022-06-19:

#2

https://review.opendev.org/c/openstack/tripleo-ansible/+/846530

Ronelle Landy (rlandy) on 2022-06-24

Changed in tripleo:
importance:	Medium → Critical
tags:	added: promotion promotion-blocker

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2022-06-27: Fix proposed to python-tripleoclient (master)

#3

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/python-tripleoclient/+/847844

Changed in tripleo:
status:	Triaged → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2022-06-27: Change abandoned on tripleo-ansible (master)

#4

Change abandoned by "John Fulton <email address hidden>" on branch: master
Review: https://review.opendev.org/c/openstack/tripleo-ansible/+/846530
Reason: https://review.opendev.org/c/openstack/python-tripleoclient/+/847844

Revision history for this message

John Fulton (jfulton-org) wrote on 2022-06-27:

#5

This patch is tested in standalone 001/004/010 by https://review.opendev.org/c/openstack/tripleo-heat-templates/+/834354

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2022-06-28: Fix proposed to python-tripleoclient (stable/wallaby)

#6

Fix proposed to branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/python-tripleoclient/+/847980

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2022-06-28: Change abandoned on python-tripleoclient (stable/wallaby)

#7

Change abandoned by "John Fulton <email address hidden>" on branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/python-tripleoclient/+/847980
Reason: Created new patch by accident, instead wanted to update https://review.opendev.org/c/openstack/python-tripleoclient/+/845482

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2022-06-28: Fix merged to python-tripleoclient (master)

#8

Reviewed: https://review.opendev.org/c/openstack/python-tripleoclient/+/847844
Committed: https://opendev.org/openstack/python-tripleoclient/commit/5ee23cf83def70b541858958659dc33a6bb5b0b6
Submitter: "Zuul (22348)"
Branch: master

commit 5ee23cf83def70b541858958659dc33a6bb5b0b6
Author: John Fulton <email address hidden>
Date: Mon Jun 27 14:45:35 2022 -0400

Limit standalone ceph-admin user creation to a single host

When 'openstack overcloud ceph user enable --standalone' is
run, call Ansible with '--limit undercloud'.

    Bug #1979093 happened because Ansible was running the user
    module on the same host as if it were two hosts. The module
    is idempotent but not race safe. E.g. when user execution A
    and user execution B are run on the same host, A's check that
    the user does not exist might be true but before A goes on to
    create the user, B could have created it first depending on
    scheduling.

    The python-tripleoclient uses Ansible --limit when creating
    the ceph-admin user so only _admin nodes get the private key.
    This works for multinode but standalone only has one node, so
    for that condition redefine the limit list to that single node.

Change-Id: I2f62cdfcb88edb5552cbd7351b6240f78376c93d
Closes-Bug: #1979093

Changed in tripleo:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2022-07-01: Fix merged to python-tripleoclient (stable/wallaby)

#9

Reviewed: https://review.opendev.org/c/openstack/python-tripleoclient/+/847980
Committed: https://opendev.org/openstack/python-tripleoclient/commit/186d7f4e4cd1b931918bbb375f62b4fb9d48375e
Submitter: "Zuul (22348)"
Branch: stable/wallaby

commit 186d7f4e4cd1b931918bbb375f62b4fb9d48375e
Author: John Fulton <email address hidden>
Date: Mon Jun 27 14:45:35 2022 -0400

Limit standalone ceph-admin user creation to a single host

When 'openstack overcloud ceph user enable --standalone' is
run, call Ansible with '--limit undercloud'.

    Bug #1979093 happened because Ansible was running the user
    module on the same host as if it were two hosts. The module
    is idempotent but not race safe. E.g. when user execution A
    and user execution B are run on the same host, A's check that
    the user does not exist might be true but before A goes on to
    create the user, B could have created it first depending on
    scheduling.

    The python-tripleoclient uses Ansible --limit when creating
    the ceph-admin user so only _admin nodes get the private key.
    This works for multinode but standalone only has one node, so
    for that condition redefine the limit list to that single node.

    Change-Id: I2f62cdfcb88edb5552cbd7351b6240f78376c93d
    Closes-Bug: #1979093
    (cherry picked from commit 5ee23cf83def70b541858958659dc33a6bb5b0b6)

tags:

added: in-stable-wallaby

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2022-11-02: Fix included in openstack/python-tripleoclient 19.0.0

#10

This issue was fixed in the openstack/python-tripleoclient 19.0.0 release.

tripleo

Intermittent failure adding user 'ceph-admin', exit code: 9

Bug Description

Other bug subscribers

Remote bug watches