Bug 1172122

Summary: ceilometer-api has no permission to open its log file
Product: Red Hat OpenStack Reporter: Amit Ugol <augol>
Component: openstack-selinuxAssignee: Ryan Hallisey <rhallise>
Status: CLOSED CURRENTRELEASE QA Contact: Ami Jeain <ajeain>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.0 (Juno)CC: lhh, mgrepl, yeylon
Target Milestone: ---Keywords: ZStream
Target Release: 6.0 (Juno)   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-04-15 13:56:18 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Amit Ugol 2014-12-09 12:44:32 UTC 
Description of problem:
ceilometer-api has no permission to open its log file (/var
Though later the file is being written to, on boot there is no permission to do so.
There wasn't anything worth while in the logs (because ceilometer cannot write to the log at the time) but ABRT did notice it and have created a report from it.
The only helpful file in it was 'reason' which contains this single line:
__init__.py:925:_open:IOError: [Errno 13] Permission denied: '/var/log/ceilometer/api.log'

This was reproduced on each reboot.

switching selinux from enforcing to permissive seems to have negated this issue.

Version-Release number of selected component (if applicable):
openstack-selinux-0.6.1-2.el7ost.noarch

How reproducible:
100%

Steps to Reproduce:
1. install latest puddle (2014-12-05.2) + ceilometer while selinux is enforcing
2. reboot

Actual results:
ABRT has detected 1 problem(s). For more info run: abrt-cli list --since 1418124790
[root@puma38 ~]# abrt-cli list --since 1418124790
id 3c6c84f6ea6ca4cfe93c5156385fd3650649c4da
Directory:      /var/tmp/abrt/Python-2014-12-09-13:29:30-1513
count:          2
executable:     /usr/bin/ceilometer-api
package:        openstack-ceilometer-api-2014.2-2.el7ost
time:           Tue 09 Dec 2014 01:29:30 PM IST
uid:            166
Run 'abrt-cli report /var/tmp/abrt/Python-2014-12-09-13:29:30-1513' for creating a case in Red Hat Customer Portal

Expected results:
No outstanding issues

Additional info:
# ls -l /var/log/ceilometer/api.log 
-rw-r--r--. 1 ceilometer ceilometer 44059 Dec  9 14:21 /var/log/ceilometer/api.log
Comment 1 Amit Ugol 2014-12-09 12:46:36 UTC 
sorry, log file is /var/log/ceilometer/api.log.
Other then this, Ceilometer seems to be responsive but I did not try to perform something more complex then sanity.
Comment 2 Ryan Hallisey 2014-12-09 12:56:11 UTC 
What version of openstack-selinux are you running? There is an issue with 0.6.1-2 - 0.6.2-2 which is fixed in the latest version openstack-selinux-0.6.3-1.el7ost that causes all the written policy to be ignored.

If you're still having issues attach your /var/log/audit/audit.log after running in permissive.
Comment 4 Amit Ugol 2014-12-10 04:11:03 UTC 
@Ryan as stated in the initial report this is openstack-selinux-0.6.1-2.el7ost.noarch. This version was included in the latest puddle that is designated to be Juno beta2 (from our POV).
From what I understand I'll need to receive openstack-selinux 6.3+ in the next release. I'll keep an eye on this issue.
Comment 7 Lon Hohberger 2015-04-15 13:56:18 UTC 
This should be resolved in the current release.