Bug 1028855

Summary: packstack fails to install on minimum Fedora 19 install with selinux enabled
Product: [Community] RDO Reporter: Joe Julian <joe>
Component: openstack-packstackAssignee: Martin Magr <mmagr>
Status: CLOSED WONTFIX QA Contact: Ami Jeain <ajeain>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: unspecifiedCC: aortega, derekh, gdubreui, joe, yeylon
Target Milestone: ---   
Target Release: Havana   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-03-19 05:42:17 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Joe Julian 2013-11-11 04:17:06 UTC 
Description of problem:
I tried to install using the instructions at http://openstack.redhat.com/Quickstart on a freshly installed "minimum install" of Fedora 19. The installation failed twice.

I disabled selinux, "setenforce 0", and tried again with success.

Checking the audit log after the successful completion, I see that most of the denials claim that they're now allowed. This looks like it might be a puppet resource ordering problem.

Version-Release number of selected component (if applicable):
openstack-packstack-2013.2.1-0.12.dev806.fc20.noarch

Actual results:
connect: No such file or directory
Please make sure that the zfs-fuse daemon is running.
internal error: failed to initialize ZFS library
connect: No such file or directory
Please make sure that the zfs-fuse daemon is running.
internal error: failed to initialize ZFS library
Error: Could not start Service[openvswitch]: Execution of '/sbin/service openvswitch start' returned 1:
Error: /Stage[main]/Vswitch::Ovs/Service[openvswitch]/ensure: change from stopped to running failed: Could not start Service[openvswitch]: Execution of '/sbin/service openvswitch start' returned 1:


# audit2allow < /var/log/audit/audit.log


#============= glance_api_t ==============

#!!!! This avc is allowed in the current policy
allow glance_api_t amqp_port_t:tcp_socket name_connect;

#============= nagios_t ==============

#!!!! This avc is allowed in the current policy
allow nagios_t nagios_log_t:dir { read remove_name };

#!!!! This avc is allowed in the current policy
allow nagios_t nagios_log_t:file { read write rename unlink };

#============= nrpe_t ==============

#!!!! This avc is allowed in the current policy
allow nrpe_t proc_t:file { read getattr open };

#!!!! This avc is allowed in the current policy
allow nrpe_t var_t:dir read;

#============= swift_t ==============
allow swift_t file_t:dir { read getattr open };

#!!!! This avc is allowed in the current policy
allow swift_t self:tcp_socket accept;

#!!!! This avc is allowed in the current policy
allow swift_t var_t:dir { write remove_name add_name };
allow swift_t var_t:file { rename read lock create write getattr unlink open };
Comment 2 Alvaro Lopez Ortega 2013-11-15 13:21:08 UTC 
I'll have to check whether openstack-selinux is correctly installed. If it were, this wouldn't be a packstack bug.
Comment 3 Alvaro Lopez Ortega 2013-11-15 13:22:10 UTC 
Actually, this isn't a RHOS issue but RDO. Moving it to the right product.
Comment 4 Martin Magr 2014-01-22 12:12:02 UTC 
By any chance do you still have installation logs? Please check /var/tmp/packstack/<timestamp>-<hash>/manifests and attach any file named <IP>_<failed-manifest>.pp.log to this bug.
Comment 5 Gilles Dubreuil 2014-03-19 05:42:17 UTC 
(In reply to Joe Julian from comment #0)
> Description of problem:
> I tried to install using the instructions at
> http://openstack.redhat.com/Quickstart on a freshly installed "minimum
> install" of Fedora 19. The installation failed twice.
> 
> I disabled selinux, "setenforce 0", and tried again with success.
> 
> Checking the audit log after the successful completion, I see that most of
> the denials claim that they're now allowed. This looks like it might be a
> puppet resource ordering problem.
> 
> Version-Release number of selected component (if applicable):
> openstack-packstack-2013.2.1-0.12.dev806.fc20.noarch
> 

Hi Julian, 

The package you're using is targeting Fedora 20.

This isn't an issue anymore with Fedora 20 which is the currently supported Fedora version for current RDO.

Besides workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1066112 - The issing log file issue for mariadb.

Regards,
Gilles

PS: Note workaround for mariabdb
Comment 6 Joe Julian 2015-05-18 15:20:45 UTC 
I gave up and installed by hand.