tripleo_bootstrap task fails to check openstack-selinux package due to the lack of the privilege

Bug #1981353 reported by Yusuke Okada
This bug affects 2 people
Affects: tripleo
Status: Fix Released
Importance: Critical
Assigned to: Yusuke Okada

Bug Description

Description
===========
Overcloud deployment fails in the tripleo_bootstrap task.
The `rpm -V openstack-selinux` command must be executed as root, but the current task is run as a non-root user.

Steps to reproduce
==================
Deploy overcloud with the latest tripleo-ansible repository.

Expected result
===============
Overcloud deployed successfully

Actual result
=============
The following error occurred and the deployment failed.

Environment
===========
Zed release, running on VM.
Latest tripleo-ansible and openstack-tripleo-heat-templates from git repository.

Logs & Configs
==============
Error message
https://paste.opendev.org/show/bzFAf8k7Uf6jq8cSP3S5/

Yusuke Okada (yusokada)
Changed in tripleo:
assignee: nobody → Yusuke Okada (yusokada)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-ansible (master)
Changed in tripleo:
status: New → In Progress
Takashi Kajinami (kajinamit) wrote :

Thanks for catching this. I confirm the rpm command fails without root.

[vagrant@localhost ~]$ rpm -V openstack-selinux
ValueError: SELinux policy is not managed or store cannot be accessed.
libsemanage.semanage_create_store: Could not read from module store, active subdirectory at /var/lib/selinux/targeted/active. (Permission denied).
libsemanage.semanage_direct_connect: could not establish direct connection (Permission denied).
semodule: Could not connect to policy handler
error: %verify(openstack-selinux-0.8.32-0.20220615144412.d53c3f0.el9.noarch) scriptlet failed, exit status 1
[vagrant@localhost ~]$ sudo rpm -V openstack-selinux
[vagrant@localhost ~]$
[vagrant@localhost ~]$ sudo rpm -V openstack-selinux
[vagrant@localhost ~]$ cat /etc/redhat-release
CentOS Stream release 9
[vagrant@localhost ~]$ rpm -q openstack-selinux
openstack-selinux-0.8.32-0.20220615144412.d53c3f0.el9.noarch
[vagrant@localhost ~]$

Changed in tripleo:
importance: Undecided → Critical
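
The failure in the session above is a privilege problem rather than an integrity mismatch, and a caller that only looks at the exit status of `rpm -V` cannot tell the two apart. The following is an added example (not tripleo-ansible code; the function names are hypothetical) that classifies `rpm -V` output, using two lines quoted from that session plus constructed sample lines:

```shell
#!/bin/sh
# Added example, not tripleo-ansible code; function names are hypothetical.

# Two lines quoted from the unprivileged session above.
SAMPLE_UNPRIV='libsemanage.semanage_direct_connect: could not establish direct connection (Permission denied).
error: %verify(openstack-selinux-0.8.32-0.20220615144412.d53c3f0.el9.noarch) scriptlet failed, exit status 1'
# Constructed lines: a changed config file, and a digest rpm could not read.
SAMPLE_MODIFIED='S.5....T.  c /etc/selinux/config'
SAMPLE_UNREADABLE='..?......    /etc/example.conf'

# classify_rpm_verify RC OUTPUT
# Prints: ok | needs-root | modified | not-installed | error
classify_rpm_verify() {
    rc=$1
    out=$2
    if [ "$rc" -eq 0 ] && [ -z "$out" ]; then
        echo ok
        return 0
    fi
    case $out in
        *"is not installed"*) echo not-installed; return 0 ;;
    esac
    # Per-file result column: nine characters from SM5DLUGTP, "." or "?".
    flags=$(printf '%s\n' "$out" | grep -E '^[SM5DLUGTP.?]{9} ' | cut -c1-9)
    # "?" means a test could not be performed; "Permission denied" is what the
    # %verify scriptlet printed in the sample. Either way the run is incomplete,
    # so report that first and re-run as root before trusting anything else.
    case $flags in
        *\?*) echo needs-root; return 0 ;;
    esac
    case $out in
        *"Permission denied"*) echo needs-root; return 0 ;;
    esac
    # Any attribute letter set, or a "missing" line, is a real mismatch.
    case $flags in
        *[SM5DLUGTP]*) echo modified; return 0 ;;
    esac
    if printf '%s\n' "$out" | grep -q '^missing '; then
        echo modified
        return 0
    fi
    echo error
}

# verify_pkg NAME: run the check and classify it (needs rpm on the host).
verify_pkg() {
    v_out=$(rpm -V "$1" 2>&1) && v_rc=0 || v_rc=$?
    classify_rpm_verify "$v_rc" "$v_out"
}
```
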
Cédric Jeanneret (cjeanner) wrote :

I'm a bit surprised it fails the deploy itself: all is launched as root afaik, and the CI didn't catch it at any level, not even promotion pipe. IMHO, it's more for when we're using this as a standalone role - still, the patch is valid, of course :). We'll need to backport it to wallaby.

tags: added: wallaby-backport-potential
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-ansible (stable/wallaby)

Fix proposed to branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/tripleo-ansible/+/849496

OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-ansible (master)

Reviewed: https://review.opendev.org/c/openstack/tripleo-ansible/+/849438
Committed: https://opendev.org/openstack/tripleo-ansible/commit/a89edcd010c321d4e05aa068a8fb31cb8cded344
Submitter: "Zuul (22348)"
Branch: master

commit a89edcd010c321d4e05aa068a8fb31cb8cded344
Author: Yusuke Okada <email address hidden>
Date: Mon Jul 11 15:41:49 2022 -0400

    Run package check for openstack-selinux in privileged mode

    rpm -V command needs to be run as root for some packages.
    The current script fails with openstack-selinux package, which is included in tripleo_bootstrap_packages_bootstrap.

    Closes-Bug: #1981353
    Change-Id: I278f1a99b8a7dfb2e4fbd74718cb23791002e5d4

Changed in tripleo:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-ansible (stable/wallaby)

Reviewed: https://review.opendev.org/c/openstack/tripleo-ansible/+/849496
Committed: https://opendev.org/openstack/tripleo-ansible/commit/e5cb152f4c7cd74e8d36fcee638a91a967ee1b63
Submitter: "Zuul (22348)"
Branch: stable/wallaby

commit e5cb152f4c7cd74e8d36fcee638a91a967ee1b63
Author: Yusuke Okada <email address hidden>
Date: Mon Jul 11 15:41:49 2022 -0400

    Run package check for openstack-selinux in privileged mode

    rpm -V command needs to be run as root for some packages.
    The current script fails with openstack-selinux package, which is included in tripleo_bootstrap_packages_bootstrap.

    Closes-Bug: #1981353
    Change-Id: I278f1a99b8a7dfb2e4fbd74718cb23791002e5d4
    (cherry picked from commit a89edcd010c321d4e05aa068a8fb31cb8cded344)

tags: added: in-stable-wallaby
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-ansible 5.0.0

This issue was fixed in the openstack/tripleo-ansible 5.0.0 release.
