Bug 1202944

Summary: "glance image-list" fails on F21, causing packstack install to fail
Product: [Community] RDO
Component: openstack-selinux
Version: Juno
Target Release: Kilo
Status: CLOSED EOL
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Reporter: Lars Kellogg-Stedman <lars>
Assignee: Lon Hohberger <lhh>
QA Contact: Ofer Blaut <oblaut>
CC: eglynn, fpercoco, joe, srevivo
Type: Bug
Doc Type: Bug Fix
Last Closed: 2016-05-19 15:54:47 UTC

Description Lars Kellogg-Stedman 2015-03-17 18:41:39 UTC
Running `packstack --allinone` on a Fedora 21 system with:

- openstack-packstack-2014.2-0.16.dev1447.g6f4d34b.fc22.noarch
- openstack-glance-2014.2.1-2.fc22.noarch

Fails with:

ERROR : Error appeared during Puppet run: 10.0.0.30_provision_glance
Error: Could not prefetch glance_image provider 'glance': Execution of '/usr/bin/glance --os-tenant-name services --os-username glance --os-password 8b38738da85746d6 --os-region-name RegionOne --os-auth-url http://10.0.0.30:35357/v2.0/ image-list' returned 1: Invalid OpenStack Identity credentials.

This is due to the following SELinux AVC:

type=AVC msg=audit(1426617374.452:16284): avc:  denied  { name_connect } for  pid=19553 comm="glance-api" dest=35357 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:keystone_port_t:s0 tclass=tcp_socket permissive=0

Aka:

#============= glance_api_t ==============

#!!!! This avc can be allowed using the boolean 'glance_api_can_network'
allow glance_api_t keystone_port_t:tcp_socket name_connect;

Confirming that theory, running "setenforce 0" allows the `glance image-list` command to complete without error.

Comment 1 Flavio Percoco 2015-03-18 09:21:59 UTC
Moving under openstack-selinux; this rule should be added there.

Comment 2 Joe Doss 2015-08-12 02:07:22 UTC
Seeing this on Fedora 22 Server with packstack installing Kilo:

type=AVC msg=audit(1439342973.418:343334): avc:  denied  { name_connect } for  pid=15393 comm="glance-api" dest=35357 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:keystone_port_t:s0 tclass=tcp_socket permissive=0

This fixes things without setenforce 0:

# setsebool -P  glance_api_can_network 1

# /usr/bin/glance --os-tenant-name services --os-username glance --os-password xxxxx --os-region-name soutside --os-auth-url http://xxx:35357/ image-list
+----+------+-------------+------------------+------+--------+
| ID | Name | Disk Format | Container Format | Size | Status |
+----+------+-------------+------------------+------+--------+
+----+------+-------------+------------------+------+--------+

and when rerunning packstack, the install finishes.

xxx.xxx.x.xxx_provision_glance:                      [ DONE ]              
Finalizing                                           [ DONE ]

 **** Installation completed successfully ******

Comment 3 Chandan Kumar 2016-05-19 15:54:47 UTC
This bug is against a Version which has reached End of Life.
If it's still present in a supported release (http://releases.openstack.org), please update Version and reopen.
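
The following Python sketch is an added example, not part of the bug report or of openstack-selinux. It parses the two AVC records quoted in the description and in comment 2 and derives the equivalent allow rule for each enforced denial, which matches the rule shown in the description. The function names and the SYSCALL line are constructed for illustration.

```python
import re
from collections import Counter

# The two denials quoted in this bug report (description and comment 2),
# plus one constructed non-AVC line to show that other records are skipped.
AUDIT_LINES = [
    'type=AVC msg=audit(1426617374.452:16284): avc:  denied  { name_connect } for  pid=19553 comm="glance-api" dest=35357 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:keystone_port_t:s0 tclass=tcp_socket permissive=0',
    'type=AVC msg=audit(1439342973.418:343334): avc:  denied  { name_connect } for  pid=15393 comm="glance-api" dest=35357 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:keystone_port_t:s0 tclass=tcp_socket permissive=0',
    'type=SYSCALL msg=audit(1426617374.452:16284): arch=c000003e syscall=42 success=no',
]

AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec['result'] = m.group('result')
    rec['perms'] = m.group('perms').split()
    # An SELinux context is user:role:type:level; a rule needs only the type.
    rec['source_type'] = rec['scontext'].split(':')[2]
    rec['target_type'] = rec['tcontext'].split(':')[2]
    return rec


def summarize_denials(lines):
    """Count enforced denials, keyed by the allow rule that would permit them."""
    rules = Counter()
    for line in lines:
        rec = parse_avc(line)
        # permissive=1 means the access was logged but not actually blocked.
        if rec is None or rec['result'] != 'denied' or rec.get('permissive') == '1':
            continue
        perms = rec['perms']
        perm_str = perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(sorted(perms))
        rules['allow %s %s:%s %s;' % (rec['source_type'], rec['target_type'],
                                      rec['tclass'], perm_str)] += 1
    return rules


if __name__ == '__main__':
    for rule, count in summarize_denials(AUDIT_LINES).items():
        print(count, rule)
```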