Bug 1206740

Summary: On CentOS7.1 packstack --allinone fails to start Apache because of binding error on port 5000
Product: [Community] RDO
Reporter: Dax Kelson <dkelson>
Component: openstack-selinux
Assignee: Lon Hohberger <lhh>
Status: CLOSED EOL
QA Contact: Ofer Blaut <oblaut>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: Juno
CC: dkelson, lars, rhallise, ricardo.arguello, somlo, srevivo
Target Milestone: ---
Target Release: Kilo
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-05-19 15:59:19 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Dax Kelson 2015-03-27 22:53:28 UTC
Description of problem:

Fresh install of CentOS 7 box updated with CR repo (to bring it up to 7.1).

Short version of problem: Apache can't bind to port 5000 unless SELinux is in permissive mode

Long version of problem:

Running packstack --allinone fails with:

172.16.225.133_keystone.pp:                       [ ERROR ]           
Applying Puppet manifests                         [ ERROR ]

ERROR : Error appeared during Puppet run: 172.16.225.133_keystone.pp
Error: /Stage[main]/Apache::Service/Service[httpd]: Failed to call refresh: Could not restart Service[httpd]: Execution of '/usr/bin/systemctl restart httpd' returned 1: Job for httpd.service failed. See 'systemctl status httpd.service' and 'journalctl -xn' for details.


# journalctl -xn
-- Logs begin at Fri 2015-03-27 09:17:32 MDT, end at Fri 2015-03-27 16:44:20 MDT. --
Mar 27 16:44:20 allinone.local systemd[1]: Starting The Apache HTTP Server...
-- Subject: Unit httpd.service has begun with start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit httpd.service has begun starting up.
Mar 27 16:44:20 allinone.local httpd[62622]: (13)Permission denied: AH00072: make_sock: could not bind to address [::]:5000
Mar 27 16:44:20 allinone.local httpd[62622]: (13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:5000
Mar 27 16:44:20 allinone.local httpd[62622]: no listening sockets available, shutting down
Mar 27 16:44:20 allinone.local httpd[62622]: AH00015: Unable to open logs
Mar 27 16:44:20 allinone.local systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
Mar 27 16:44:20 allinone.local kill[62624]: kill: cannot find process ""
Mar 27 16:44:20 allinone.local systemd[1]: httpd.service: control process exited, code=exited status=1
Mar 27 16:44:20 allinone.local systemd[1]: Failed to start The Apache HTTP Server.
-- Subject: Unit httpd.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit httpd.service has failed.
-- 
-- The result is failed.
Mar 27 16:44:20 allinone.local systemd[1]: Unit httpd.service entered failed state.

# semanage port -a -t http_port_t -p tcp 5000
ValueError: Port tcp/5000 already defined


# semanage port -l  | grep 5000
cluster_port_t                 tcp      5149, 40040, 50006-50008
cluster_port_t                 udp      5149, 50006-50008
commplex_main_port_t           tcp      5000
commplex_main_port_t           udp      5000
hplip_port_t                   tcp      1782, 2207, 2208, 8290, 50000, 50002, 8292, 9100, 9101, 9102, 9220, 9221, 9222, 9280, 9281, 9282, 9290, 9291

Comment 1 Dax Kelson 2015-03-29 14:42:40 UTC
# semanage port -l | grep ^http_port_t
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000

Comment 2 Gabriel Somlo 2015-03-30 18:24:06 UTC
Running

    semanage port -m -t http_port_t -p tcp 5000

does get me past this error.

Meta-question: I'm on F21, and encountered this after switching from the
default repositories (which offer openstack-*-2014.1.*) to
https://repos.fedorapeople.org/repos/openstack/openstack-juno/
(where everything seems to be at *-2014.2.*). Neither set of packages
seems to really allow "packstack --allinone" install, but it sure would
be nice if there were "One True Package Group" to file bugs against :)

Comment 3 Lars Kellogg-Stedman 2015-03-30 19:30:13 UTC
When reporting selinux bugs, it is tremendously helpful if you can attach the audit.log containing the selinux AVC messages to the bug report. Thanks!

Comment 4 Gabriel Somlo 2015-03-30 20:06:29 UTC
type=AVC msg=audit(1427732394.576:20642): avc:  denied  { name_bind } for  pid=20847 comm="httpd" src=5000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:commplex_main_port_t:s0 tclass=tcp_socket permissive=0
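
Added example (not part of the report and not code from the openstack-selinux package): a small Python triage script that reads the AVC denial posted in comment 4, looks the denied port up in `semanage port -l` output like the one in the description, and prints the semanage command that actually applies. It makes explicit why the `-a` in the description fails and the `-m` in comment 2 succeeds: tcp/5000 is already defined as commplex_main_port_t in the base policy, so the label has to be modified rather than added. The port-list excerpt is constructed from the lines quoted in the report (the hplip entry is left out), and the port used for the `-a` case in the test is made up.

```python
import re

# The AVC record from comment 4 of this report, as written to /var/log/audit/audit.log.
AVC_LINE = ('type=AVC msg=audit(1427732394.576:20642): avc:  denied  { name_bind } '
            'for  pid=20847 comm="httpd" src=5000 '
            'scontext=system_u:system_r:httpd_t:s0 '
            'tcontext=system_u:object_r:commplex_main_port_t:s0 '
            'tclass=tcp_socket permissive=0')

# Constructed excerpt of `semanage port -l` output, built from the entries the
# report quotes; the cluster_port_t line exercises range parsing.
PORT_LIST = """\
SELinux Port Type              Proto    Port Number

cluster_port_t                 tcp      5149, 40040, 50006-50008
commplex_main_port_t           tcp      5000
commplex_main_port_t           udp      5000
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
"""

_AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC denial record, or None if the line is not one."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(m.group('rest'))}
    return {
        'perms': set(m.group('perms').split()),
        'comm': fields.get('comm'),
        'tclass': fields.get('tclass'),
        'permissive': fields.get('permissive') == '1',
        # the third colon-separated field of a context is the SELinux type
        'stype': fields['scontext'].split(':')[2],
        'ttype': fields['tcontext'].split(':')[2],
        'port': int(fields['src']) if 'src' in fields else None,
    }


def parse_port_list(text):
    """Parse `semanage port -l` output into (type, proto, low, high) tuples."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[1] not in ('tcp', 'udp'):
            continue  # header, blank, or malformed line
        setype, proto = parts[0], parts[1]
        for item in ' '.join(parts[2:]).split(','):
            item = item.strip()
            if item:
                lo, _, hi = item.partition('-')
                entries.append((setype, proto, int(lo), int(hi or lo)))
    return entries


def port_types(entries, proto, port):
    """All SELinux port types whose definition already covers proto/port."""
    return sorted({t for t, p, lo, hi in entries if p == proto and lo <= port <= hi})


def relabel_command(entries, target_type, proto, port):
    """The semanage command that gives proto/port the target type, or None if it has it.

    `semanage port -a` refuses a port that any type already defines ("Port tcp/5000
    already defined"), so a defined port must be changed with `-m` instead.
    """
    current = port_types(entries, proto, port)
    if target_type in current:
        return None
    flag = '-m' if current else '-a'
    return f'semanage port {flag} -t {target_type} -p {proto} {port}'


def triage(avc_line, port_list_text, target_type):
    """Combine a name_bind denial with the port list into a remediation summary."""
    rec = parse_avc(avc_line)
    if rec is None or 'name_bind' not in rec['perms'] or rec['port'] is None:
        return None
    proto = rec['tclass'].split('_')[0]  # tcp_socket -> tcp, udp_socket -> udp
    entries = parse_port_list(port_list_text)
    return {
        'domain': rec['stype'],
        'denied_by': rec['ttype'],
        'proto': proto,
        'port': rec['port'],
        'current_types': port_types(entries, proto, rec['port']),
        'command': relabel_command(entries, target_type, proto, rec['port']),
    }


if __name__ == '__main__':
    result = triage(AVC_LINE, PORT_LIST, 'http_port_t')
    print(f"{result['domain']} denied name_bind on {result['proto']}/{result['port']} "
          f"(labelled {', '.join(result['current_types'])})")
    print('fix:', result['command'])
```

The decision is the one `semanage port` itself enforces: a port that appears in any type's definition cannot be added again and must be modified. Note that `-m` moves tcp/5000 out of commplex_main_port_t for every confined domain on the host, not only for httpd_t, which is why the `semanage port -l | grep 5000` check in the description is worth running first to see what else uses that label. The openstack-selinux package referred to in comment 5 ships the same labelling as policy so that no manual relabel is needed.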

Comment 5 Ryan Hallisey 2015-04-07 19:20:42 UTC
This AVC was fixed in openstack-selinux-0.6.9-1.el7ost.
https://bugzilla.redhat.com/show_bug.cgi?id=1180230.

Are you sure you have the openstack-selinux package installed?

Comment 6 Gabriel Somlo 2015-04-07 19:42:20 UTC
I'm on Fedora 21, and apparently there's no dedicated openstack-selinux package there. The problem is identical, though, and there was nothing RHEL-specific in the metadata, so I figured this is the perfect spot to add my +1. If I'm wrong about that, please advise. Thanks!

Comment 7 Dax Kelson 2015-04-07 20:50:11 UTC
(In reply to Ryan Hallisey from comment #5)
> This AVC was fixed in openstack-selinux-0.6.9-1.el7ost.
> https://bugzilla.redhat.com/show_bug.cgi?id=1180230.
> 
> Are you sure you have the openstack-selinux package installed?

# rpm -q openstack-selinux
openstack-selinux-0.5.19-2.el7ost.noarch

Which is the newest one available in:

https://repos.fedorapeople.org/repos/openstack/openstack-juno/epel-7/

Perhaps openstack-selinux-0.6.9-1.el7ost or newer should get pushed into that repo?

Comment 8 Ryan Hallisey 2015-04-09 13:22:17 UTC
Correct.  We'll update the repo.

Comment 9 Chandan Kumar 2016-05-19 15:59:19 UTC
This bug is against a Version which has reached End of Life.
If it's still present in a supported release (http://releases.openstack.org), please update Version and reopen.