Bug 1278430
| Summary: | Glance returns "Invalid OpenStack Identity credentials" after updating the undercloud (7.0 -> 7.1), might be due to selinux | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Red Hat OpenStack | Reporter: | Udi Kalifon <ukalifon> | ||||
| Component: | rhosp-director | Assignee: | James Slagle <jslagle> | ||||
| Status: | CLOSED ERRATA | QA Contact: | Udi Kalifon <ukalifon> | ||||
| Severity: | high | Docs Contact: | |||||
| Priority: | high | ||||||
| Version: | 7.0 (Kilo) | CC: | calfonso, dmacpher, gfidente, jslagle, kbasil, mburns, ohochman, rhallise, rhel-osp-director-maint, ssekidde, ukalifon | ||||
| Target Milestone: | y2 | Keywords: | TestOnly, Triaged | ||||
| Target Release: | 7.0 (Kilo) | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Unspecified | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | openstack-selinux-0.6.46-1.el7ost | Doc Type: | Bug Fix | ||||
| Doc Text: |
A missing SELinux rule caused Glance to return an "Invalid OpenStack Identity credentials" error. This fix adds the SELinux rule. Now Glance authenticates successfully.
|
Story Points: | --- | ||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2015-12-21 16:57:53 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
|
Description
Udi Kalifon
2015-11-05 13:06:08 UTC
Please give us a clean reproduction audit.log: 1) cp /dev/null /var/log/audit/audit.log 2) setenforce 0 3) perform test 4) attach /var/log/audit/audit.log to this bugzilla For step 3, you don't have to redo the upgrade - just the things that are otherwise failing with selinux in enforcing. Created attachment 1090102 [details]
audit.log from the instack machine
I am attaching the audit.log file, but it's not a clean file from right after the bug occurs. You will have to scroll up the file to look for it, sorry.
allow keepalived_t systemd_systemctl_exec_t:file getattr; This is what I see. Can you test again in permissive mode? setenforce 0. I don't have a y2 puddle to test this yet, but I can see that in the 8.0 final beta the bug is not fixed. Should I be seeing a cron job or is the token flushing done by some other mechanism? Should this bug be duplicated for 8.0? (In reply to Udi from comment #7) > I don't have a y2 puddle to test this yet, but I can see that in the 8.0 > final beta the bug is not fixed. Should I be seeing a cron job or is the > token flushing done by some other mechanism? Should this bug be duplicated > for 8.0? I'm not sure what token flushing has to do with this bug. This is related to an issue with applying updates from 7.0 to 7.1 or 7.2. Comment #7 is related to another bug and accidentally was posted here by mistake. Sorry. Updated from 7.0 to 7.2, and this issue is resolved. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2015:2651 |