SELinux boolean os_enable_vtpm does not exist

Bug #1998348 reported by Ananya Banerjee
Affects | Status | Importance | Assigned to | Milestone
tripleo | Invalid | Critical | Unassigned |

Bug Description

CentOS 9 component standalone jobs are failing standalone deploy with:
FATAL | Enable os_enable_vtpm SELinux boolean for vTPM | standalone | error={"changed": false, "msg": "SELinux boolean os_enable_vtpm does not exist."}

https://logserver.rdoproject.org/04/46304/2/check/periodic-tripleo-ci-centos-9-standalone-baremetal-master/320a653/logs/undercloud/home/zuul/standalone_deploy.log.txt.gz

https://logserver.rdoproject.org/04/46304/2/check/periodic-tripleo-ci-centos-9-scenario001-standalone-common-master/ebc455e/job-output.txt

This is because whenever SELinux is permissive, `rpm -V openstack-selinux` doesn't work (from what Tengu found out - logs below in comment).

For now the workaround is to downgrade selinux-policy package.

GitHub issue: https://github.com/containers/container-selinux/issues/198

Ananya Banerjee (frenzyfriday) wrote :

This is what Tengu found out:

[zuul@standalone ~]$ sudo rpm -Vv openstack-selinux
......... /usr/share/licenses/openstack-selinux
......... l /usr/share/licenses/openstack-selinux/COPYING
......... /usr/share/openstack-selinux
......... /usr/share/openstack-selinux/0.8.36
......... /usr/share/openstack-selinux/0.8.36/local_settings.sh
......... /usr/share/selinux/packages/os-barbican.pp.bz2
......... /usr/share/selinux/packages/os-certmonger.pp.bz2
......... /usr/share/selinux/packages/os-cinder.pp.bz2
......... /usr/share/selinux/packages/os-collectd.pp.bz2
......... /usr/share/selinux/packages/os-dnsmasq.pp.bz2
......... /usr/share/selinux/packages/os-glance.pp.bz2
......... /usr/share/selinux/packages/os-gnocchi.pp.bz2
......... /usr/share/selinux/packages/os-haproxy.pp.bz2
......... /usr/share/selinux/packages/os-httpd.pp.bz2
......... /usr/share/selinux/packages/os-ipxe.pp.bz2
......... /usr/share/selinux/packages/os-keepalived.pp.bz2
......... /usr/share/selinux/packages/os-keystone.pp.bz2
......... /usr/share/selinux/packages/os-logrotate.pp.bz2
......... /usr/share/selinux/packages/os-mongodb.pp.bz2
......... /usr/share/selinux/packages/os-mysql.pp.bz2
......... /usr/share/selinux/packages/os-neutron.pp.bz2
......... /usr/share/selinux/packages/os-nova.pp.bz2
......... /usr/share/selinux/packages/os-octavia.pp.bz2
......... /usr/share/selinux/packages/os-ovs-el9.pp.bz2
......... /usr/share/selinux/packages/os-ovs.pp.bz2
......... /usr/share/selinux/packages/os-pbis.pp.bz2
......... /usr/share/selinux/packages/os-podman.pp.bz2
......... /usr/share/selinux/packages/os-rabbitmq.pp.bz2
......... /usr/share/selinux/packages/os-redis.pp.bz2
......... /usr/share/selinux/packages/os-rsync.pp.bz2
......... /usr/share/selinux/packages/os-rsyslog.pp.bz2
......... /usr/share/selinux/packages/os-swift.pp.bz2
......... /usr/share/selinux/packages/os-timemaster.pp.bz2
......... /usr/share/selinux/packages/os-virt.pp.bz2
SELinux is permissive
[zuul@standalone ~]$ sudo setenforce 1
[zuul@standalone ~]$ sudo rpm -Vv openstack-selinux
......... /usr/share/licenses/openstack-selinux
......... l /usr/share/licenses/openstack-selinux/COPYING
......... /usr/share/openstack-selinux
......... /usr/share/openstack-selinux/0.8.36
......... /usr/share/openstack-selinux/0.8.36/local_settings.sh
......... /usr/share/selinux/packages/os-barbican.pp.bz2
......... /usr/share/selinux/packages/os-certmonger.pp.bz2
......... /usr/share/selinux/packages/os-cinder.pp.bz2
......... /usr/share/selinux/packages/os-collect...


Changed in tripleo:
status: New → Triaged
importance: Undecided → Critical
milestone: none → antelope-1
tags: added: ci promotion-blocker
description: updated
Julie Pichon (jpichon) wrote :

The title is a generic error, adding a link to the troubleshooting doc here as well in case it helps someone else coming across this bug in the future: https://github.com/redhat-openstack/openstack-selinux/blob/master/doc/TROUBLESHOOTING.md#how-to-resolve-selinux-boolean-os_enable_vtpm-does-not-exist

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-quickstart (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/tripleo-quickstart/+/866180

Marios Andreou (marios-b) wrote :

Seems to be gone; we have the latest two runs in build history as green today @ https://review.rdoproject.org/zuul/builds?job_name=periodic-tripleo-ci-centos-9-scenario001-standalone-common-master

2022-12-02 06:07:05 SUCCESS
2022-12-01 06:06:54 SUCCESS

marking invalid, please move back to triaged with a comment if you disagree

Changed in tripleo:
status: Triaged → Invalid
OpenStack Infra (hudson-openstack) wrote : Change abandoned on tripleo-quickstart (master)

Change abandoned by "Ghanshyam <email address hidden>" on branch: master
Review: https://review.opendev.org/c/openstack/tripleo-quickstart/+/866180
Reason: TripleO project is retiring now, for details, please see https://review.opendev.org/c/openstack/governance/+/905145 or reach out to OpenStack TC.
