tripleo

Undercloud installation fails with RHEL-7.3 on selinux

Bug #1635030 reported by James Slagle
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
tripleo
Fix Released
High
Unassigned

Bug Description

Description of problem:
$ cat undercloud_install.log
...
+ '[' -x /usr/sbin/semanage ']'
10:08:16 + mkdir -p /opt/stack/selinux-policy
10:08:16 ++ dirname /tmp/tmpoAwezY/post-install.d/86-selinux
10:08:16 + checkmodule -M -m -o /tmp/ipxe.mod /tmp/tmpoAwezY/post-install.d/../selinux/ipxe.te
10:08:16 checkmodule: Module name ironic-ipxe is different than the output base filename ipxe
10:08:16 checkmodule: loading policy configuration from /tmp/tmpoAwezY/post-install.d/../selinux/ipxe.te
10:08:16 INFO: 2016-10-17 06:08:11,747 -- ############### End stdout/stderr logging ###############
10:08:16 ERROR: 2016-10-17 06:08:11,747 -- Hook FAILED.
10:08:16 ERROR: 2016-10-17 06:08:11,747 -- Failed running command ['dib-run-parts', u'/tmp/tmpoAwezY/post-install.d']
10:08:16 File "/usr/lib/python2.7/site-packages/instack/main.py", line 163, in main
10:08:16 em.run()
10:08:16 File "/usr/lib/python2.7/site-packages/instack/runner.py", line 79, in run
10:08:16 self.run_hook(hook)
10:08:16 File "/usr/lib/python2.7/site-packages/instack/runner.py", line 174, in run_hook
10:08:16 raise Exception("Failed running command %s" % command)
10:08:16 ERROR: 2016-10-17 06:08:11,747 -- None
10:08:16 Traceback (most recent call last):
10:08:16 File "<string>", line 1, in <module>
10:08:16 File "/usr/lib/python2.7/site-packages/instack_undercloud/undercloud.py", line 519, in install
10:08:16 _run_instack(instack_env)
10:08:16 File "/usr/lib/python2.7/site-packages/instack_undercloud/undercloud.py", line 454, in _run_instack
10:08:16 _run_live_command(args, instack_env, 'instack')
10:08:16 File "/usr/lib/python2.7/site-packages/instack_undercloud/undercloud.py", line 297, in _run_live_command
10:08:16 raise RuntimeError('%s failed. See log for details.', name)
10:08:16 RuntimeError: ('%s failed. See log for details.', 'instack')
10:08:16 ERROR: openstack Command 'instack-install-undercloud' returned non-zero exit status 1
10:08:16 Traceback (most recent call last):
10:08:16 File "/usr/lib/python2.7/site-packages/cliff/app.py", line 295, in run_subcommand
10:08:16 result = cmd.run(parsed_args)
10:08:16 File "/usr/lib/python2.7/site-packages/cliff/command.py", line 53, in run
10:08:16 self.take_action(parsed_args)
10:08:16 File "/usr/lib/python2.7/site-packages/rdomanager_oscplugin/v1/undercloud.py", line 33, in take_action
10:08:16 subprocess.check_call("instack-install-undercloud")
10:08:16 File "/usr/lib64/python2.7/subprocess.py", line 542, in check_call
10:08:16 raise CalledProcessError(retcode, cmd)
10:08:16 CalledProcessError: Command 'instack-install-undercloud' returned non-zero exit status 1
10:08:16 DEBUG: openstackclient.shell clean_up InstallPlugin
10:08:16 DEBUG: openstackclient.shell got an error: Command 'instack-install-undercloud' returned non-zero exit status 1
10:08:16 ERROR: openstackclient.shell Traceback (most recent call last):
10:08:16 File "/usr/lib/python2.7/site-packages/openstackclient/shell.py", line 176, in run
10:08:16 return super(OpenStackShell, self).run(argv)
10:08:16 File "/usr/lib/python2.7/site-packages/cliff/app.py", line 230, in run
10:08:16 result = self.run_subcommand(remainder)
10:08:16 File "/usr/lib/python2.7/site-packages/cliff/app.py", line 295, in run_subcommand
10:08:16 result = cmd.run(parsed_args)
10:08:16 File "/usr/lib/python2.7/site-packages/cliff/command.py", line 53, in run
10:08:16 self.take_action(parsed_args)
10:08:16 File "/usr/lib/python2.7/site-packages/rdomanager_oscplugin/v1/undercloud.py", line 33, in take_action
10:08:16 subprocess.check_call("instack-install-undercloud")
10:08:16 File "/usr/lib64/python2.7/subprocess.py", line 542, in check_call
10:08:16 raise CalledProcessError(retcode, cmd)
10:08:16 CalledProcessError: Command 'instack-install-undercloud' returned non-zero exit status 1

Version-Release number of selected component (if applicable):
OSPd7-9

Steps to reproduce:
1) Download RHEL-7.3 (unreleased bits)

2) $ cat undercloud.conf
[DEFAULT]
# Network interface on the Undercloud that will be handling the PXE
# boots and DHCP for Overcloud instances. (string value)
local_interface = eth0

3)$ cat undercloud_deploy.sh
#!/bin/bash
openstack undercloud install --debug &> undercloud_install.log

4)$ sh undercloud_deploy.sh
# Fails with error above and return value "1"

Expected results:
installation will pass

Additional info:
It seems the problem is related to selinux policies, related files:

$ cat /tmp/tmpoAwezY/post-install.d/86-selinux
#!/bin/bash
set -eux
set -o pipefail

# Install the selinux policy
[ -x /usr/sbin/semanage ] || exit 0

mkdir -p /opt/stack/selinux-policy

# Compile the selinux policy
checkmodule -M -m -o /tmp/ipxe.mod $(dirname $0)/../selinux/ipxe.te
sudo semodule_package -m /tmp/ipxe.mod -o /opt/stack/selinux-policy/ipxe.pp

See original description
Revision history for this message
James Slagle (james-slagle) wrote :

Lon Hohberger says:

the new checkmodule contains a CLI change which causes it to error out if the module name and file name differ.

description: updated
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to instack-undercloud (stable/mitaka)

Fix proposed to branch: stable/mitaka
Review: https://review.openstack.org/388889

Revision history for this message
Brent Eagles (beagles) wrote :

Duplicate of https://bugs.launchpad.net/tripleo/+bug/1630740 ?

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to instack-undercloud (stable/mitaka)

Reviewed: https://review.openstack.org/388889
Committed: https://git.openstack.org/cgit/openstack/instack-undercloud/commit/?id=d0b205c489cb66b50146889e617cabc728dd8952
Submitter: Jenkins
Branch: stable/mitaka

commit d0b205c489cb66b50146889e617cabc728dd8952
Author: James Slagle <email address hidden>
Date: Wed Oct 19 16:08:48 2016 -0400

    Make module name and file name equivalent

    Newer checkmodule commands have a requirement that the selinux module
    name and file name are equivalent. This patch updates the ipxe element
    to match that requirement.

    This patch is applied directly to mitaka since the ipxe element was
    removed in newton. Upon merging the plan is to apply to liberty as well.

    Change-Id: Id01e8084a238d939bbef2c82e1baa82812dc64b3
    Closes-Bug: #1635030

tags: added: in-stable-mitaka
Revision history for this message
Rachappa B Goni (grachapp) wrote :

Further to this issue we got two more errors related to selinux policy compilation

1.
+ make -f /usr/share/selinux/devel/Makefile tripleo-selinux-mariadb.pp
Compiling targeted tripleo-selinux-mariadb module
/usr/bin/checkmodule: Module name tripleo_selinux_mariadb is different than the output base filename tripleo-selinux-mariadb
/usr/bin/checkmodule: loading policy configuration from tmp/tripleo-selinux-mariadb.tmp
make: *** [tmp/tripleo-selinux-mariadb.mod] Error 1
[2016-11-03 04:14:06,473] (os-refresh-config) [ERROR] during configure phase. [Command '['dib-run-parts', '/usr/libexec/os-refresh-config/configure.d']' returned non-zero exit status 2]

2.
+ make -f /usr/share/selinux/devel/Makefile tripleo-selinux-mariadb.pp
Compiling targeted tripleo-selinux-mariadb module
/usr/bin/checkmodule: Module name tripleo_selinux_mariadb is different than the output base filename tripleo-selinux-mariadb
/usr/bin/checkmodule: loading policy configuration from tmp/tripleo-selinux-mariadb.tmp
make: *** [tmp/tripleo-selinux-mariadb.mod] Error 1
[2016-11-03 04:14:06,473] (os-refresh-config) [ERROR] during configure phase. [Command '['dib-run-parts', '/usr/libexec/os-refresh-config/configure.d']' returned non-zero exit status 2]

Corrections:

1.
--- tripleo-selinux-mariadb.te.org 2016-11-03 05:02:04.031000000 -0400
+++ /usr/share/tripleo-image-elements/selinux/custom-policies/tripleo-selinux-mariadb.te 2016-11-03 04:31:26.818000000 -0400
@@ -1,5 +1,5 @@

-module tripleo_selinux_mariadb 1.0;
+module tripleo-selinux-mariadb 1.0;

 require {
        type haproxy_t;

2.
--- tripleo-selinux-rabbitmq.te.org 2016-11-03 05:01:48.939000000 -0400
+++ /usr/share/tripleo-image-elements/selinux/custom-policies/tripleo-selinux-rabbitmq.te 2016-11-03 04:36:43.327000000 -0400
@@ -1,5 +1,5 @@

-module tripleo_selinux_rabbitmq 1.0;
+module tripleo-selinux-rabbitmq 1.0;

 require {
         type rabbitmq_var_lib_t;

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/instack-undercloud 4.2.1

This issue was fixed in the openstack/instack-undercloud 4.2.1 release.

Alex Schultz (alex-schultz)
Changed in tripleo:
status: New → Fix Released
importance: Undecided → High
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.