AIO Build Fails on SELinux File Context Tasks
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack-Ansible | Fix Released | Medium | Unassigned | | |
Bug Description
Environment:
* OS: CentOS 7.5
* OpenStack-Ansible stable/queens branch (commit d38e190e43dfb73
* Ansible: 2.4.4.0
* All-in-one scenario: aio_basekit
* This is a fresh all-in-one install inside a VM with nested virtualization enabled.
Setting the file context appears to fail on all related tasks for the service logs. I first ran into an error with Nova (details shown below). I commented out this task from the nova_selinux role and was able to continue on until the same issue occurred with Neutron logs and changing their SELinux file context. This issue probably affects all services for CentOS deployments.
```
# openstack-ansible setup-openstack.yml
<TRUNCATED>
TASK [os_nova : Set SELinux file contexts for nova's log directory] *******
Friday 20 July 2018 15:24:18 +0000 (0:00:00.056) 0:05:34.972 ***********
fatal: [aio1]: FAILED! => {"changed": false, "failed": true, "msg": "ValueError: File spec /openstack/
PLAY RECAP *******
aio1 : ok=102 changed=7 unreachable=0 failed=1
aio1_cinder_
aio1_glance_
aio1_keystone_
aio1_nova_
```
Here are the relevant task arguments used in /etc/ansible/
```
- name: Set SELinux file contexts for nova's log directory
  sefcontext:
    target: "{{ (nova_log_
    setype: nova_log_t
    state: present
  register: selinux_
```
I also added some additional debug modules to see what variables are being used here.
```
TASK [os_nova : debug] *******
Friday 20 July 2018 15:24:18 +0000 (0:00:00.218) 0:05:34.855 ***********
ok: [aio1] => {
"nova_log_dir": "/var/log/nova"
}
TASK [os_nova : debug] *******
Friday 20 July 2018 15:24:18 +0000 (0:00:00.059) 0:05:34.915 ***********
ok: [aio1] => {
"nova_
"changed": false,
"failed": false,
"stat": {
"dev": 64768,
"gid": 989,
"mode": "0777",
"path": "/var/log/nova",
"rgrp": true,
"roth": true,
"rusr": true,
"size": 24,
"uid": 992,
"wgrp": true,
"woth": true,
"wusr": true,
"xgrp": true,
"xoth": true,
"xusr": true
}
}
}
```
We've lost the only maintainer of SELinux inside OSA, so please either try to deploy without SELinux (setenforce 0) .. or patches welcome! :)