Bug 1466410

Summary: M->N upgrade causes losing ssh access to undercloud
Product: Red Hat OpenStack
Reporter: Yolanda Robla <yroblamo>
Component: instack-undercloud
Assignee: Sofer Athlan-Guyot <sathlang>
Status: CLOSED ERRATA
QA Contact: Amit Ugol <augol>
Severity: medium
Priority: high
Version: 10.0 (Newton)
CC: atelang, ccamacho, jamsmith, jschluet, lbezdick, mbultel, mburns, mcornea, rhel-osp-director-maint, sathlang, slinaber
Target Milestone: z11
Keywords: TestOnly, Triaged, ZStream
Target Release: 10.0 (Newton)
Hardware: Unspecified
OS: Unspecified
Fixed In Version: instack-undercloud-5.3.7-7.el7ost
Doc Type: Bug Fix
Doc Text:
This update corrects an SELinux permissions error that caused loss of SSH access after upgrading from a non-SELinux undercloud.
Last Closed: 2019-04-30 16:58:51 UTC
Type: Bug

Description Yolanda Robla 2017-06-29 14:16:47 UTC
Description of problem:


After doing the major upgrade in the undercloud from 9 to 10, I cannot enter by ssh to the undercloud anymore.
The issue is caused by SELinux, because there is a wrong context for /home/stack/.ssh/authorized_keys:

cd /home/stack/.ssh/
[root@undercloud .ssh]# ls -lZ authorized_keys 
-rw-------. stack stack system_u:object_r:unlabeled_t:s0 authorized_keys
[root@undercloud .ssh]# restorecon authorized_keys
Full path required for exclude: net:[4026532200].
Full path required for exclude: net:[4026532200].
[root@undercloud .ssh]# ls -lZ authorized_keys 
-rw-------. stack stack system_u:object_r:ssh_home_t:s0  authorized_keys

After properly restoring the context, which needs to be ssh_home_t (not unlabeled_t), I can ssh to the undercloud again.

Comment 1 Yolanda Robla 2017-07-12 10:11:33 UTC
To clarify, I come from previous versions, upgrading from 8->9 then 9->10. When I upgrade to 9, I see that the authorized_keys is also labeled incorrectly, with system_u:object_r:unlabeled_t:s0.
But it works, because SELinux in 9 is set to Permissive. When going to 10, it's set to Enforcing, and this bad labeling causes the loss of access.
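
Added example, not part of the bug report or of the instack-undercloud fix: a pre-upgrade check that flags files under ~/.ssh whose SELinux type is not ssh_home_t, so the mislabeling described above is caught while the host is still Permissive. The function names, EXPECTED_TYPE and the sample lines are assumptions made for this illustration; the sample is constructed from the contexts shown in the report.

```shell
#!/bin/sh
# Added example: find ~/.ssh files whose SELinux type would lock out sshd
# once the host switches from Permissive to Enforcing.
EXPECTED_TYPE="ssh_home_t"   # type shown in the report after restorecon

# Print the type field of a context (user:role:type:level). The level can
# contain colons itself (e.g. s0-s0:c0.c1023), so strip only user and role.
context_type() {
    _rest=${1#*:}
    _rest=${_rest#*:}
    printf '%s\n' "${_rest%%:*}"
}

# Read "CONTEXT PATH" lines (the output format of: stat -c '%C %n' FILE...)
# on stdin and print "PATH TYPE" for every file that is not EXPECTED_TYPE.
# Returns 1 if at least one file was flagged, 0 otherwise.
find_mislabeled() {
    _bad=0
    while read -r _ctx _path || [ -n "$_ctx" ]; do
        [ -n "$_ctx" ] || continue
        _type=$(context_type "$_ctx")
        if [ "$_type" != "$EXPECTED_TYPE" ]; then
            printf '%s %s\n' "$_path" "$_type"
            _bad=1
        fi
    done
    return "$_bad"
}

# Live use on an SELinux host (defined here, not invoked): audit one
# directory, then show what restorecon would relabel without changing
# anything (-n = no changes, -v = verbose).
audit_ssh_dir() {
    find "$1" -maxdepth 1 -exec stat -c '%C %n' {} + | find_mislabeled
    restorecon -R -n -v "$1"
}

# Constructed sample in stat -c '%C %n' format.
SAMPLE='system_u:object_r:unlabeled_t:s0 /home/stack/.ssh/authorized_keys
unconfined_u:object_r:ssh_home_t:s0 /home/stack/.ssh/known_hosts
system_u:object_r:ssh_home_t:s0-s0:c0.c1023 /home/stack/.ssh/id_rsa.pub'

printf '%s\n' "$SAMPLE" | find_mislabeled ||
    echo "mislabeled files found: relabel with restorecon before Enforcing"
```

On a real undercloud, `audit_ssh_dir /home/stack/.ssh` runs the same check against live labels; `getenforce` shows whether the host is currently Permissive or Enforcing.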

Comment 2 Carlos Camacho 2018-08-10 09:47:45 UTC
All the fixes are in place and they are so old that fixes should be available from the imports.

Comment 23 errata-xmlrpc 2019-04-30 16:58:51 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0921