Deploying openshift fails on RHEL8 due to selinux issues

Bug #1821437 reported by Martin André on 2019-03-23
This bug affects 1 person
Affects: tripleo
Importance: Undecided
Assigned to: Martin André

Bug Description

Originally reported by Marius Cornea at https://bugzilla.redhat.com/show_bug.cgi?id=1691879

Deployment on RHEL8 fails while running /usr/bin/tripleo-deploy-openshift:

 [root@undercloud-0 stack]# cat /var/lib/mistral/openshift/openshift/playbook.log
--config-download-dir is deprecated, use --plan instead
Trying to pull 192.168.24.1:8787/openshift3/ose-ansible:v3.11...Getting image source signatures
Copying blob 2cb1196a3b27: 72.31 MiB / 72.31 MiB 5s
Copying blob c9c433594a59: 1.21 KiB / 1.21 KiB 5s
Copying blob b9bf6fa9627f: 128.46 MiB / 128.46 MiB 5s
Copying config 0498430e0cc8: 5.57 KiB / 5.57 KiB 0s
Writing manifest to image destination
Storing signatures
cp: cannot stat '/var/lib/mistral/openshift/openshift/inventory/OpenShiftInfra_groups.yml': Permission denied
cp: cannot stat '/var/lib/mistral/openshift/openshift/inventory/OpenShiftInfra_hosts.yml': Permission denied
cp: cannot stat '/var/lib/mistral/openshift/openshift/inventory/OpenShiftInfra_openshift_glusterfs.yml': Permission denied
cp: cannot stat '/var/lib/mistral/openshift/openshift/inventory/OpenShiftMaster_groups.yml': Permission denied
cp: cannot stat '/var/lib/mistral/openshift/openshift/inventory/OpenShiftMaster_hosts.yml': Permission denied
cp: cannot stat '/var/lib/mistral/openshift/openshift/inventory/OpenShiftMaster_openshift_master.yml': Permission denied
cp: cannot stat '/var/lib/mistral/openshift/openshift/inventory/OpenShiftWorker_groups.yml': Permission denied
cp: cannot stat '/var/lib/mistral/openshift/openshift/inventory/OpenShiftWorker_hosts.yml': Permission denied
cp: cannot stat '/var/lib/mistral/openshift/openshift/inventory/OpenShiftWorker_openshift_glusterfs.yml': Permission denied
cp: cannot stat '/var/lib/mistral/openshift/openshift/inventory/groups.yml': Permission denied

Additional debugging shows we need to add the 'z' option when mounting /var/lib/mistral/openshift:

(undercloud) [stack@undercloud-0 ~]$ ls -l /var/lib/mistral/openshift/openshift
total 20
-rw-rw-r--. 1 tripleo-admin tripleo-admin 383 Mar 22 16:00 global_gluster_vars.yml
-rw-rw-r--. 1 tripleo-admin tripleo-admin 3206 Mar 22 16:01 global_vars.yml
drwxr-xr-x. 2 tripleo-admin root 4096 Mar 22 16:01 inventory
-rw-rw-r--. 1 tripleo-admin tripleo-admin 1190 Mar 22 16:01 playbook.log
-rw-rw-r--. 1 tripleo-admin tripleo-admin 1262 Mar 22 16:01 playbook.yml

(undercloud) [stack@undercloud-0 ~]$ sudo podman run --net=host -u 0 -v /var/lib/mistral/openshift:/var/lib/mistral/openshift -t 192.168.24.1:8787/openshift3/ose-ansible:v3.11 ls -l /var/lib/mistral/openshift/openshift/
ls: cannot access /var/lib/mistral/openshift/openshift/global_gluster_vars.yml: Permission denied
ls: cannot access /var/lib/mistral/openshift/openshift/global_vars.yml: Permission denied
ls: cannot access /var/lib/mistral/openshift/openshift/playbook.yml: Permission denied
total 8
-?????????? ? ? ? ? ? global_gluster_vars.yml
-?????????? ? ? ? ? ? global_vars.yml
drwxr-xr-x. 2 1002 root 4096 Mar 22 20:01 inventory
-rw-rw-r--. 1 1002 1003 1190 Mar 22 20:01 playbook.log
-?????????? ? ? ? ? ? playbook.yml

(undercloud) [stack@undercloud-0 ~]$ sudo podman run --net=host -u 0 -v /var/lib/mistral/openshift:/var/lib/mistral/openshift:z -t 192.168.24.1:8787/openshift3/ose-ansible:v3.11 ls -l /var/lib/mistral/openshift/openshift/
total 20
-rw-rw-r--. 1 1002 1003 383 Mar 22 20:00 global_gluster_vars.yml
-rw-rw-r--. 1 1002 1003 3206 Mar 22 20:01 global_vars.yml
drwxr-xr-x. 2 1002 root 4096 Mar 22 20:01 inventory
-rw-rw-r--. 1 1002 1003 1190 Mar 22 20:01 playbook.log
-rw-rw-r--. 1 1002 1003 1262 Mar 22 20:01 playbook.yml

Fix proposed to branch: master
Review: https://review.openstack.org/645979

Changed in tripleo:
status: Confirmed → In Progress

Reviewed: https://review.openstack.org/645979
Committed: https://git.openstack.org/cgit/openstack/tripleo-common/commit/?id=e732fff8fd5533eeb0d8b714c53ce6174c215ed6
Submitter: Zuul
Branch: master

commit e732fff8fd5533eeb0d8b714c53ce6174c215ed6
Author: Martin André <email address hidden>
Date: Sat Mar 23 08:28:44 2019 +0100

    Mount openshift-ansible working dir with 'z' option

    On RHEL8, deployment fails with a bunch of permission issues while the
    openshift-ansible container image tries to read files from /var/lib/mistral/openshift/openshift/inventory/.

    We need to add 'z' option while mounting the
    /var/lib/mistral/openshift volume.

    Change-Id: I24067f97eb36e475f873e3a3ea06a488fef95d90
    Closes-Bug: #1821437

Changed in tripleo:
status: In Progress → Fix Released

This issue was fixed in the openstack/tripleo-common 10.6.1 release.
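
A pre-flight check for the failure mode in this bug, as an added example that is not part of the bug report or of tripleo-common: it scans a `podman run` argument list and prints every host-path bind mount that has no `z`/`Z` relabel option. The function names are hypothetical, and it assumes the arguments are already split the way the shell would pass them.

```shell
#!/bin/sh
# Added example (not tripleo-common code): print the bind mounts in a
# `podman run` argument list that carry no SELinux relabel option.

# has_relabel SPEC: succeed if SPEC (src:dst[:opt,opt...]) includes z or Z.
has_relabel() {
    rest=${1#*:}                      # strip "src:"  -> dst[:opts]
    case $rest in
        *:*) opts=${rest#*:} ;;       # strip "dst:"  -> opts
        *)   opts= ;;
    esac
    case ",$opts," in
        *,z,*|*,Z,*) return 0 ;;      # z = shared label, Z = private label
    esac
    return 1
}

# unlabeled_bind_mounts ARGS...: print each -v/--volume spec whose source is
# an absolute host path and whose options lack z/Z. Named volumes are
# skipped; only host paths are checked.
unlabeled_bind_mounts() {
    prev=
    for arg in "$@"; do
        spec=
        case $prev in
            -v|--volume) spec=$arg ;;             # "-v SPEC" form
        esac
        case $arg in
            --volume=*) spec=${arg#--volume=} ;;  # "--volume=SPEC" form
        esac
        prev=$arg
        case $spec in
            /*:*) has_relabel "$spec" || printf '%s\n' "$spec" ;;
        esac
    done
    return 0
}

# The two commands from the bug description: the first prints its mount,
# the second (with :z) prints nothing.
unlabeled_bind_mounts podman run --net=host -u 0 \
    -v /var/lib/mistral/openshift:/var/lib/mistral/openshift \
    -t 192.168.24.1:8787/openshift3/ose-ansible:v3.11 ls -l /var/lib/mistral/openshift/openshift/
unlabeled_bind_mounts podman run --net=host -u 0 \
    -v /var/lib/mistral/openshift:/var/lib/mistral/openshift:z \
    -t 192.168.24.1:8787/openshift3/ose-ansible:v3.11 ls -l /var/lib/mistral/openshift/openshift/
```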
