Bug 1039020

Summary: openshift-broker refuses to start: (13)Permission denied: AH02291: Cannot access directory '/var/log/openshift/broker/httpd/' for main error log
Product: [Fedora] Fedora
Reporter: Marek Goldmann <mgoldman>
Component: openshift-origin-broker
Assignee: Troy Dawson <tdawson>
Status: CLOSED WONTFIX
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 20
CC: admiller, bleanhar, oorigin, tdawson
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-10-03 17:58:54 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description Marek Goldmann 2013-12-06 11:33:25 UTC
Description of problem:

After doing https://bugzilla.redhat.com/show_bug.cgi?id=1039010#c2 I now got this:

Job for openshift-broker.service failed. See 'systemctl status openshift-broker.service' and 'journalctl -xn' for details.
[root@localhost /]# systemctl status openshift-broker.service
openshift-broker.service - The OpenShift Origin Broker
   Loaded: loaded (/usr/lib/systemd/system/openshift-broker.service; disabled)
   Active: failed (Result: exit-code) since pią 2013-12-06 12:07:11 CET; 1s ago
  Process: 3662 ExecStart=/usr/sbin/httpd $OPTIONS -k start (code=exited, status=1/FAILURE)

gru 06 12:07:11 localhost.localdomain systemd[1]: Starting The OpenShift Origin Broker...
gru 06 12:07:11 localhost.localdomain httpd[3662]: WARNING: The 'PassengerUseGlobalQueue' option is obsolete: global queueing is now always turned on. Please remove this option from your configuration file.
gru 06 12:07:11 localhost.localdomain httpd[3662]: AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using localhost.localdomain. Set the 'ServerName' directive globally to suppress this message
gru 06 12:07:11 localhost.localdomain httpd[3662]: (13)Permission denied: AH02291: Cannot access directory '/var/log/openshift/broker/httpd/' for main error log
gru 06 12:07:11 localhost.localdomain httpd[3662]: AH00014: Configuration check failed
gru 06 12:07:11 localhost.localdomain systemd[1]: openshift-broker.service: control process exited, code=exited status=1
gru 06 12:07:11 localhost.localdomain systemd[1]: Failed to start The OpenShift Origin Broker.
gru 06 12:07:11 localhost.localdomain systemd[1]: Unit openshift-broker.service entered failed state.

Version-Release number of selected component (if applicable):

openshift-origin-broker-1.10.2.1-1.fc20.noarch

How reproducible:
Always

Comment 1 Marek Goldmann 2013-12-06 11:35:00 UTC
$ ls -hall /var/log/openshift/broker/httpd/
total 8,0K
drwxr-x---. 2 apache apache 4,0K 08-06 22:58 .
drwxr-x---. 3 apache apache 4,0K 12-06 11:09 ..

Comment 2 Arash S. 2014-06-24 16:45:56 UTC
(In reply to Marek Goldmann from comment #1)
> $ ls -hall /var/log/openshift/broker/httpd/
> total 8,0K
> drwxr-x---. 2 apache apache 4,0K 08-06 22:58 .
> drwxr-x---. 3 apache apache 4,0K 12-06 11:09 ..

Hi there, I had the same problem, so I changed the security level, now it looks like this:
$ namei -m /var/log/openshift/broker/httpd/
f: /var/log/openshift/broker/httpd/
 dr-xr-xr-x /
 drwxr-xr-x var
 drwxr-xr-x log
 drwxr-xr-x openshift
 drwxr-x--- broker
 drwxr-x--- httpd

More than that, I found out in the journal entries that there is something not quite right with SELinux policies:
*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that httpd should be allowed search access on the  directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# 
# semodule -i mypol.pp

Doing exactly that:
$ grep httpd /var/log/audit/audit.log | audit2allow -M mypol
$ semodule -i mypol.pp
solved all my problems.

Cheers,
A.
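
To see what a module built from `grep httpd /var/log/audit/audit.log | audit2allow -M mypol` would permit before it is loaded, the sketch below groups AVC denials into approximate allow rules. It is an added example, not part of the thread and not audit2allow's own code; the log lines and the `example_*` type names are constructed.

```python
import re
from collections import defaultdict

# Constructed audit.log lines; the example_* type names are made up.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1386328031.101:201): avc:  denied  { search } for  pid=3662 comm="httpd" name="broker" dev="dm-1" ino=1311 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:example_log_t:s0 tclass=dir
type=AVC msg=audit(1386328031.102:202): avc:  denied  { getattr } for  pid=3662 comm="httpd" path="/var/log/openshift/broker/httpd" dev="dm-1" ino=1312 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:example_log_t:s0 tclass=dir
type=AVC msg=audit(1386328090.400:240): avc:  denied  { name_connect } for  pid=3700 comm="httpd" dest=9999 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:example_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1386328093.000:243): avc:  denied  { read } for  pid=3900 comm="logrotate" path="/var/log/openshift/broker/httpd" dev="dm-1" ino=1312 scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:example_log_t:s0 tclass=dir
type=AVC msg=audit(1386328095.000:245): avc:  denied  { read } for  pid=4100 comm="cupsd" name="spool" dev="dm-1" ino=99 scontext=system_u:system_r:cupsd_t:s0 tcontext=system_u:object_r:example_log_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def rules_from_log(text, needle="httpd"):
    """Keep lines containing `needle` (as `grep httpd` does) and merge
    their denials into {(source type, target type, class): perms}."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line) if needle in line else None
        if m:
            key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
            rules[key].update(m["perms"].split())
    return dict(rules)

def render(rules):
    """Format the merged denials as allow statements for review."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        p = sorted(perms)
        perm_txt = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {src} {tgt}:{cls} {perm_txt};")
    return out

if __name__ == "__main__":
    print("\n".join(render(rules_from_log(SAMPLE_AUDIT_LOG))))
```

On the constructed log, the bare `httpd` match also pulls in a network denial and a `logrotate_t` denial whose path merely contains "httpd"; passing `needle='comm="httpd"'` drops the latter. `audit2allow -M mypol` also writes `mypol.te`, which lists the real rules and can be read before `semodule -i mypol.pp`.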

Comment 3 Troy Dawson 2014-10-03 17:58:54 UTC
The openshift origin broker is retired and no longer supported on Fedora 20+.  Because of that, this bug won't be fixed.
It is suggested to migrate your openshift project to RHEL/Scientific Linux/CentOS.