Bug 1489863

Summary:

[OSP12] Undercloud deployment failed due to httpd service didn't started

Product:

Red Hat OpenStack

Reporter:

Artem Hrechanychenko <ahrechan>

Component:

openstack-selinux

Assignee:

Lon Hohberger <lhh>

Status:

CLOSED ERRATA

QA Contact:

Udi Shkalim <ushkalim>

Severity:

urgent

Docs Contact:

Priority:

urgent

Version:

12.0 (Pike)

CC:

ahrechan, mgrepl, rcritten, rhallise, sasha, srevivo

Target Milestone:

beta

Keywords:

Triaged

Target Release:

12.0 (Pike)

Hardware:

x86_64

OS:

Linux

Whiteboard:

Fixed In Version:

openstack-selinux-0.8.10-0.20170914195211.e16a8f8.2.el7ost

Doc Type:

If docs needed, set a value

Doc Text:

Story Points:

---

Clone Of:

Clones:

1671514 (view as bug list)

Environment:

Last Closed:

2017-12-13 22:08:14 UTC

Type:

Bug

Regression:

---

Mount Type:

---

Documentation:

---

CRM:

Verified Versions:

Category:

---

oVirt Team:

---

RHEL 7.3 requirements from Atomic Host:

Cloudforms Team:

---

Target Upstream Version:

Embargoed:

Bug Depends On:

Bug Blocks:

1671514

Attachments:

Description	Flags
audit.log	none

Description Artem Hrechanychenko 2017-09-08 14:01:42 UTC

Description of problem:
2017-09-08 09:48:39,206 INFO: Error: Systemd start for httpd failed!
2017-09-08 09:48:39,206 INFO: journalctl log for httpd:
2017-09-08 09:48:39,206 INFO: -- Logs begin at Fri 2017-09-08 08:08:52 EDT, end at Fri 2017-09-08 09:48:39 EDT. --
2017-09-08 09:48:39,206 INFO: Sep 08 09:48:39 undercloud-0.redhat.local systemd[1]: Starting The Apache HTTP Server...
2017-09-08 09:48:39,207 INFO: Sep 08 09:48:39 undercloud-0.redhat.local httpd[5079]: (13)Permission denied: AH00072: make_sock: could not bind to address 192.168.24.1:6385
2017-09-08 09:48:39,207 INFO: Sep 08 09:48:39 undercloud-0.redhat.local httpd[5079]: no listening sockets available, shutting down
2017-09-08 09:48:39,207 INFO: Sep 08 09:48:39 undercloud-0.redhat.local httpd[5079]: AH00015: Unable to open logs
2017-09-08 09:48:39,207 INFO: Sep 08 09:48:39 undercloud-0.redhat.local systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
2017-09-08 09:48:39,207 INFO: Sep 08 09:48:39 undercloud-0.redhat.local kill[5081]: kill: cannot find process ""
2017-09-08 09:48:39,207 INFO: Sep 08 09:48:39 undercloud-0.redhat.local systemd[1]: httpd.service: control process exited, code=exited status=1
2017-09-08 09:48:39,207 INFO: Sep 08 09:48:39 undercloud-0.redhat.local systemd[1]: Failed to start The Apache HTTP Server.
2017-09-08 09:48:39,207 INFO: Sep 08 09:48:39 undercloud-0.redhat.local systemd[1]: Unit httpd.service entered failed state.
2017-09-08 09:48:39,207 INFO: Sep 08 09:48:39 undercloud-0.redhat.local systemd[1]: httpd.service failed.
2017-09-08 09:48:39,207 INFO: 
2017-09-08 09:48:39,208 INFO: Error: /Stage[main]/Apache::Service/Service[httpd]/ensure: change from stopped to running failed: Systemd start for httpd failed!
2017-09-08 09:48:39,208 INFO: journalctl log for httpd:
2017-09-08 09:48:39,208 INFO: -- Logs begin at Fri 2017-09-08 08:08:52 EDT, end at Fri 2017-09-08 09:48:39 EDT. --
2017-09-08 09:48:39,208 INFO: Sep 08 09:48:39 undercloud-0.redhat.local systemd[1]: Starting The Apache HTTP Server...
2017-09-08 09:48:39,208 INFO: Sep 08 09:48:39 undercloud-0.redhat.local httpd[5079]: (13)Permission denied: AH00072: make_sock: could not bind to address 192.168.24.1:6385
2017-09-08 09:48:39,208 INFO: Sep 08 09:48:39 undercloud-0.redhat.local httpd[5079]: no listening sockets available, shutting down
2017-09-08 09:48:39,208 INFO: Sep 08 09:48:39 undercloud-0.redhat.local httpd[5079]: AH00015: Unable to open logs
2017-09-08 09:48:39,208 INFO: Sep 08 09:48:39 undercloud-0.redhat.local systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
2017-09-08 09:48:39,208 INFO: Sep 08 09:48:39 undercloud-0.redhat.local kill[5081]: kill: cannot find process ""
2017-09-08 09:48:39,208 INFO: Sep 08 09:48:39 undercloud-0.redhat.local systemd[1]: httpd.service: control process exited, code=exited status=1
2017-09-08 09:48:39,208 INFO: Sep 08 09:48:39 undercloud-0.redhat.local systemd[1]: Failed to start The Apache HTTP Server.
2017-09-08 09:48:39,209 INFO: Sep 08 09:48:39 undercloud-0.redhat.local systemd[1]: Unit httpd.service entered failed state.
2017-09-08 09:48:39,209 INFO: Sep 08 09:48:39 undercloud-0.redhat.local systemd[1]: httpd.service failed.
2017-09-08 09:48:39,209 INFO: 
2017-09-08 09:48:39,231 INFO: Notice: /Stage[main]/Apache::Service/Service[httpd]: Triggered 'refresh' from 3 events
2017-09-08 09:48:39,232 INFO: Notice: /Stage[main]/Keystone::Deps/Anchor[keystone::service::end]: Dependency Service[httpd] has failures: true
2017-09-08 09:48:39,232 INFO: Warning: /Stage[main]/Keystone::Deps/Anchor[keystone::service::end]: Skipping because of failed dependencies
2017-09-08 09:51:34,192 INFO: Error: Failed to apply catalog: Execution of '/bin/openstack role list --quiet --format csv' returned 1: Unable to establish connection to http://192.168.24.1:35357/v3/roles?: HTTPConnectionPool(host='192.168.24.1', port=35357): Max retries exceeded with url: /v3/roles (Caused by NewConnectionError('<requests.packages.urllib3.connection.HTTPConnection object at 0x28b6dd0>: Failed to establish a new connection: [Errno 111] Connection refused',)) (tried 48, for a total of 170 seconds)
2017-09-08 09:51:45,635 INFO: + rc=1
2017-09-08 09:51:45,635 INFO: + set -e
2017-09-08 09:51:45,636 INFO: + echo 'puppet apply exited with exit code 1'
2017-09-08 09:51:45,636 INFO: puppet apply exited with exit code 1
2017-09-08 09:51:45,636 INFO: + '[' 1 '!=' 2 -a 1 '!=' 0 ']'
2017-09-08 09:51:45,636 INFO: + exit 1
2017-09-08 09:51:45,636 INFO: [2017-09-08 09:51:45,636] (os-refresh-config) [ERROR] during configure phase. [Command '['dib-run-parts', '/usr/libexec/os-refresh-config/configure.d']' returned non-zero exit status 1]
2017-09-08 09:51:45,636 INFO: 
2017-09-08 09:51:45,636 INFO: [2017-09-08 09:51:45,636] (os-refresh-config) [ERROR] Aborting...
2017-09-08 09:51:45,644 DEBUG: An exception occurred
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/instack_undercloud/undercloud.py", line 1683, in install
    _run_orc(instack_env)
  File "/usr/lib/python2.7/site-packages/instack_undercloud/undercloud.py", line 1309, in _run_orc
    _run_live_command(args, instack_env, 'os-refresh-config')
  File "/usr/lib/python2.7/site-packages/instack_undercloud/undercloud.py", line 599, in _run_live_command
    raise RuntimeError('%s failed. See log for details.' % name)
RuntimeError: os-refresh-config failed. See log for details.
2017-09-08 09:51:45,645 ERROR: 
#############################################################################
Undercloud install failed.

Reason: os-refresh-config failed. See log for details.

See the previous output for details about what went wrong.  The full install
log can be found at /home/stack/.instack/install-undercloud.log.

#############################################################################

Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/usr/lib/python2.7/site-packages/instack_undercloud/undercloud.py", line 1683, in install
    _run_orc(instack_env)
  File "/usr/lib/python2.7/site-packages/instack_undercloud/undercloud.py", line 1309, in _run_orc
    _run_live_command(args, instack_env, 'os-refresh-config')
  File "/usr/lib/python2.7/site-packages/instack_undercloud/undercloud.py", line 599, in _run_live_command
    raise RuntimeError('%s failed. See log for details.' % name)
RuntimeError: os-refresh-config failed. See log for details.
Command 'instack-install-undercloud' returned non-zero exit status 1

[stack@undercloud-0 ~]$ cat undercloud.conf 
[DEFAULT]
# Network interface on the Undercloud that will be handling the PXE
# boots and DHCP for Overcloud instances. (string value)
local_interface = eth0
# 192.168.24.0 subnet is by default used since RHOS11
local_ip = 192.168.24.1/24
network_gateway = 192.168.24.1
undercloud_public_vip = 192.168.24.2
undercloud_admin_vip = 192.168.24.3
network_cidr = 192.168.24.0/24
masquerade_network = 192.168.24.0/24
dhcp_start = 192.168.24.5
dhcp_end = 192.168.24.24
inspection_iprange = 192.168.24.100,192.168.24.120
undercloud_service_certificate = /etc/pki/instack-certs/undercloud.pem
enable_novajoin = True
ipa_otp = 7UiD50U9WLA3aAX3Um1flZ01SNwKvczNa04TrvVweulm
undercloud_hostname = undercloud-0.redhat.local
undercloud_nameservers = 172.16.0.76 
overcloud_domain_name = redhat.local

Version-Release number of selected component (if applicable):
OSP12
openstack-mistral-executor-5.0.1-0.20170830120805.4bc0950.el7ost.noarch
puppet-openstack_extras-11.3.1-0.20170825142718.352987f.el7ost.noarch
openstack-heat-api-cfn-9.0.1-0.20170830131248.2b94474.el7ost.noarch
openstack-tripleo-heat-templates-7.0.0-0.20170901051303.0rc1.el7ost.noarch
openstack-tripleo-common-containers-7.5.1-0.20170831015949.2517e1e.el7ost.1.noarch
openstack-swift-account-2.15.2-0.20170824165102.c54c6b3.el7ost.noarch
openstack-neutron-ml2-11.0.1-0.20170831212231.d6f8c44.el7ost.noarch
openstack-ironic-conductor-9.1.1-0.20170824135903.d783dff.el7ost.noarch
openstack-mistral-api-5.0.1-0.20170830120805.4bc0950.el7ost.noarch
python-openstackclient-lang-3.12.0-0.20170821150739.f67ebce.el7ost.noarch
openstack-nova-api-16.0.1-0.20170830161812.cdf08b7.el7ost.noarch
openstack-nova-conductor-16.0.1-0.20170830161812.cdf08b7.el7ost.noarch
puppet-openstacklib-11.3.1-0.20170825142820.18ee919.el7ost.noarch
openstack-keystone-12.0.1-0.20170830123737.6a67918.el7ost.noarch
openstack-neutron-11.0.1-0.20170831212231.d6f8c44.el7ost.noarch
openstack-ironic-inspector-6.0.1-0.20170824132804.0e72dcb.el7ost.noarch
python-openstackclient-3.12.0-0.20170821150739.f67ebce.el7ost.noarch
openstack-mistral-common-5.0.1-0.20170830120805.4bc0950.el7ost.noarch
openstack-tripleo-ui-7.3.1-0.20170830131652.f61181a.el7ost.noarch
openstack-selinux-0.8.9-0.1.el7ost.noarch
openstack-nova-placement-api-16.0.1-0.20170830161812.cdf08b7.el7ost.noarch
openstack-glance-15.0.0-0.20170830130905.9820166.el7ost.noarch
openstack-nova-common-16.0.1-0.20170830161812.cdf08b7.el7ost.noarch
openstack-swift-object-2.15.2-0.20170824165102.c54c6b3.el7ost.noarch
openstack-neutron-common-11.0.1-0.20170831212231.d6f8c44.el7ost.noarch
openstack-heat-api-9.0.1-0.20170830131248.2b94474.el7ost.noarch
openstack-ironic-common-9.1.1-0.20170824135903.d783dff.el7ost.noarch
openstack-tripleo-validations-7.3.1-0.20170831052729.67faa39.el7ost.noarch
openstack-zaqar-5.0.1-0.20170830120218.9207f7e.el7ost.noarch
openstack-swift-container-2.15.2-0.20170824165102.c54c6b3.el7ost.noarch
openstack-ironic-api-9.1.1-0.20170824135903.d783dff.el7ost.noarch
openstack-tempest-16.1.1-0.20170830101230.e70e0fe.el7ost.noarch
openstack-mistral-engine-5.0.1-0.20170830120805.4bc0950.el7ost.noarch
openstack-nova-scheduler-16.0.1-0.20170830161812.cdf08b7.el7ost.noarch
openstack-puppet-modules-11.0.0-0.20170828113153.71ad01c.el7ost.1.noarch
openstack-swift-proxy-2.15.2-0.20170824165102.c54c6b3.el7ost.noarch
openstack-tripleo-puppet-elements-7.0.0-0.20170831100659.2094778.el7ost.noarch
openstack-heat-engine-9.0.1-0.20170830131248.2b94474.el7ost.noarch
openstack-tripleo-common-7.5.1-0.20170831015949.2517e1e.el7ost.1.noarch
openstack-nova-compute-16.0.1-0.20170830161812.cdf08b7.el7ost.noarch
python-openstacksdk-0.9.17-0.20170821143340.7946243.el7ost.noarch
openstack-neutron-openvswitch-11.0.1-0.20170831212231.d6f8c44.el7ost.noarch
openstack-heat-common-9.0.1-0.20170830131248.2b94474.el7ost.noarch
openstack-tripleo-image-elements-7.0.0-0.20170830150703.526772d.el7ost.noarch

How reproducible:


Steps to Reproduce:

1)Deploy freeipa service on different node - http://etherpad.corp.redhat.com/osp12-internal-SSL-using-freeIPA
2)edit undrcloud.conf on undercloud node according to http://tripleo.org/install/advanced_deployment/ssl.html#tls-everywhere-for-the-overcloud
3) deploy undercloud 

Actual results:
Undercloud install failed.


Expected results:
Undercloud install completed

Additional info:

Comment 3 Artem Hrechanychenko 2017-09-08 14:18:11 UTC

[stack@undercloud-0 ~]$ sudo ausearch -m AVC
----
time->Fri Sep  8 09:33:35 2017
type=PROCTITLE msg=audit(1504877615.040:940): proctitle=67726570002D71497345005E696E7374616C6C5B5B3A73706163653A5D5D2B697076365B5B3A73706163653A5D5D2B2F62696E2F28747275657C66616C736529002F6574632F6D6F6470726F62652E636F6E66002F6574632F6D6F6470726F62652E642F6C6F636B642E636F6E66002F6574632F6D6F6470726F62652E642F74
type=SYSCALL msg=audit(1504877615.040:940): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=7ffe96387f49 a2=0 a3=0 items=0 ppid=26119 pid=26129 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="grep" exe="/usr/bin/grep" subj=system_u:system_r:iptables_t:s0 key=(null)
type=AVC msg=audit(1504877615.040:940): avc:  denied  { read } for  pid=26129 comm="grep" name="lockd.conf" dev="vda1" ino=8596051 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=file
----
time->Fri Sep  8 09:33:35 2017
type=PROCTITLE msg=audit(1504877615.040:941): proctitle=67726570002D71497345005E696E7374616C6C5B5B3A73706163653A5D5D2B697076365B5B3A73706163653A5D5D2B2F62696E2F28747275657C66616C736529002F6574632F6D6F6470726F62652E636F6E66002F6574632F6D6F6470726F62652E642F6C6F636B642E636F6E66002F6574632F6D6F6470726F62652E642F74
type=SYSCALL msg=audit(1504877615.040:941): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=7ffe96387f64 a2=0 a3=0 items=0 ppid=26119 pid=26129 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="grep" exe="/usr/bin/grep" subj=system_u:system_r:iptables_t:s0 key=(null)
type=AVC msg=audit(1504877615.040:941): avc:  denied  { read } for  pid=26129 comm="grep" name="tuned.conf" dev="vda1" ino=8595095 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=file
----
time->Fri Sep  8 09:48:09 2017
type=PROCTITLE msg=audit(1504878489.926:1288): proctitle=7375646F006E657574726F6E2D726F6F74777261702D6461656D6F6E002F6574632F6E657574726F6E2F726F6F74777261702E636F6E66
type=SYSCALL msg=audit(1504878489.926:1288): arch=c000003e syscall=2 success=no exit=-13 a0=7fae5cc076ed a1=0 a2=1b6 a3=24 items=0 ppid=4219 pid=4288 auid=4294967295 uid=0 gid=990 euid=0 suid=0 fsuid=0 egid=0 sgid=990 fsgid=0 tty=(none) ses=4294967295 comm="sudo" exe="/usr/bin/sudo" subj=system_u:system_r:neutron_t:s0 key=(null)
type=AVC msg=audit(1504878489.926:1288): avc:  denied  { search } for  pid=4288 comm="sudo" name="sssd" dev="vda1" ino=192938588 scontext=system_u:system_r:neutron_t:s0 tcontext=system_u:object_r:sssd_conf_t:s0 tclass=dir
----
time->Fri Sep  8 09:48:39 2017
type=PROCTITLE msg=audit(1504878519.137:1300): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
type=SYSCALL msg=audit(1504878519.137:1300): arch=c000003e syscall=49 success=no exit=-13 a0=6 a1=555b47dbe5e8 a2=10 a3=7ffd834f7f4c items=0 ppid=1 pid=5079 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1504878519.137:1300): avc:  denied  { name_bind } for  pid=5079 comm="httpd" src=6385 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket

Comment 4 Lon Hohberger 2017-09-12 13:26:30 UTC

Can you please attach a full audit.log from a permissive run?

The call trace is important here, since I kind of need to understand why iptables is executing grep in the first place.

Comment 5 Artem Hrechanychenko 2017-09-12 18:58:59 UTC

Created attachment 1324999 [details]
audit.log

Comment 6 Lon Hohberger 2017-09-13 14:31:54 UTC

Thanks - this is peculiar.

type=AVC msg=audit(1505242381.916:1184): avc:  denied  { name_bind } for  pid=14940 comm="httpd" src=6385 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket

	Was caused by:
	The boolean nis_enabled was set incorrectly. 
	Description:
	Allow nis to enabled

	Allow access by executing:
	# setsebool -P nis_enabled 1

... this is turned on by having openstack-selinux installed. Is it not presently installed or something?

Comment 7 Rob Crittenden 2017-09-13 14:58:17 UTC

I'm seeing the same issue from an oooq install. I have openstack-selinux-0.8.9-0.1.el7ost.noarch installed.

# semanage boolean --list | grep  nis_enabled
nis_enabled                    (off  ,  off)  Allow nis to enabled

Comment 8 Lon Hohberger 2017-09-13 16:01:20 UTC

OK, so it's installed (and the boolean is set) in the overcloud-full image.

Comment 9 Lon Hohberger 2017-09-13 16:02:12 UTC

This seems to be specific to the undercloud - it's like the boolean is getting turned off somehow.

Comment 10 Lon Hohberger 2017-09-13 17:00:13 UTC

Rob, could you also check:
  os_nova_use_execmem
  neutron_can_network
  httpd_use_openstack 

?

Comment 11 Lon Hohberger 2017-09-13 17:33:00 UTC

Rob said they're all 'on'.

This is unfortunate, since it means something is explicitly disabling the nis_enabled boolean between the time openstack-selinux is installed and the time httpd is started.

This may very well not be an openstack-selinux bug.

Comment 12 Lon Hohberger 2017-09-14 19:47:54 UTC

I was unable to find what might be disabling the nis_enabled boolean, so I removed the need to use it.

https://github.com/redhat-openstack/openstack-selinux/commit/e16a8f8ef52cc5147b73dda508f7da41368b7ea8

Comment 13 Lon Hohberger 2017-09-14 19:48:35 UTC

The patch passes all previously-known AVCs, but may suffer from others that were masked while nis_enabled was used.

Comment 16 Lon Hohberger 2017-09-21 12:53:23 UTC

*** Bug 1493561 has been marked as a duplicate of this bug. ***

Comment 18 Lon Hohberger 2017-09-22 16:54:43 UTC

https://github.com/redhat-openstack/openstack-selinux/commit/52b3fe8e139e068d638a3c11dc1f4cb45d49cb1d

Comment 19 Lon Hohberger 2017-09-22 17:35:35 UTC

The reason the issue wasn't fixed during deployments is because of the fact that  images are built in effectively a chroot, rendering the kernel's selinux policy unavailable.

Thus, the block in local_settings.sh which asks the kernel policy if it is enabled, followed by setting a bunch of booleans wasn't executing, rendering the original fix useless on images.  One of the booleans it was setting was os_httpd_wsgi, which gives httpd access to bind to any port (a la nis_enabled).

This is why it worked correctly after normal installation in baremetal or virtualized environments, but was failing in all of our CI tests.

Comment 20 Lon Hohberger 2017-09-22 20:14:34 UTC

Preliminary checks on overcloud-full-12.0-20170922.2:
 * Image contains openstack-selinux-0.8.10-0.20170914195211.e16a8f8.2.el7ost.noarch (GOOD)
 * All booleans are correctly set (GOOD)
 * nis_enabled is no longer a part of openstack-selinux (GOOD)
 * All os-* modules are installed (GOOD)

Will help review CI results when they are available.

Comment 22 Artem Hrechanychenko 2017-11-06 14:06:57 UTC

VERIFIED

(undercloud) [stack@undercloud-0 ~]$ sudo rpm -qa "*stack*"
openstack-mistral-engine-5.1.1-0.20171027222844.fd979d9.el7ost.noarch
openstack-puppet-modules-11.0.0-0.20170828113154.el7ost.noarch
openstack-neutron-openvswitch-11.0.1-3.el7ost.noarch
openstack-heat-engine-9.0.1-0.20171023060845.be1e2e9.el7ost.noarch
instack-7.0.1-1.el7ost.noarch
openstack-tripleo-puppet-elements-7.0.1-0.20171020122223.82d7e6c.el7ost.noarch
openstack-nova-common-16.0.3-0.20171028031400.60d6e87.el7ost.noarch
openstack-swift-account-2.15.2-0.20170927035729.0344d6e.el7ost.noarch
openstack-heat-common-9.0.1-0.20171023060845.be1e2e9.el7ost.noarch
openstack-tripleo-common-7.6.3-0.20171028055750.el7ost.noarch
openstack-mistral-common-5.1.1-0.20171027222844.fd979d9.el7ost.noarch
openstack-tripleo-validations-7.4.1-2.el7ost.noarch
openstack-nova-api-16.0.3-0.20171028031400.60d6e87.el7ost.noarch
openstack-nova-conductor-16.0.3-0.20171028031400.60d6e87.el7ost.noarch
openstack-keystone-12.0.1-0.20171012013909.5c9ccce.el7ost.noarch
puppet-openstack_extras-11.3.1-0.20170906070209.b99c3a4.el7ost.noarch
python-openstackclient-lang-3.12.0-1.el7ost.noarch
openstack-ironic-common-9.1.2-0.20171025074857.cf3665f.el7ost.noarch
python-openstacksdk-0.9.17-1.el7ost.noarch
openstack-tripleo-image-elements-7.0.1-0.20171020101256.2e61e31.el7ost.noarch
instack-undercloud-7.4.2-2.el7ost.noarch
openstack-mistral-executor-5.1.1-0.20171027222844.fd979d9.el7ost.noarch
openstack-selinux-0.8.11-0.20171013192233.ce13ba7.el7ost.noarch
openstack-nova-placement-api-16.0.3-0.20171028031400.60d6e87.el7ost.noarch
openstack-glance-15.0.1-0.20171017090105.06af2eb.el7ost.noarch
openstack-swift-object-2.15.2-0.20170927035729.0344d6e.el7ost.noarch
openstack-neutron-common-11.0.1-3.el7ost.noarch
openstack-neutron-ml2-11.0.1-3.el7ost.noarch
openstack-swift-proxy-2.15.2-0.20170927035729.0344d6e.el7ost.noarch
openstack-heat-api-cfn-9.0.1-0.20171023060845.be1e2e9.el7ost.noarch
openstack-ironic-api-9.1.2-0.20171025074857.cf3665f.el7ost.noarch
openstack-zaqar-5.0.1-0.20171027110724.4f07aed.el7ost.noarch
puppet-openstacklib-11.3.1-0.20170921022915.6e2b844.el7ost.noarch
openstack-swift-container-2.15.2-0.20170927035729.0344d6e.el7ost.noarch
openstack-neutron-11.0.1-3.el7ost.noarch
openstack-ironic-conductor-9.1.2-0.20171025074857.cf3665f.el7ost.noarch
openstack-tempest-17.1.0-1.el7ost.noarch
openstack-tripleo-heat-templates-7.0.3-0.20171024200823.el7ost.noarch
openstack-tripleo-common-containers-7.6.3-0.20171028055750.el7ost.noarch
openstack-mistral-api-5.1.1-0.20171027222844.fd979d9.el7ost.noarch
openstack-nova-scheduler-16.0.3-0.20171028031400.60d6e87.el7ost.noarch
openstack-ironic-inspector-6.0.1-0.20170920142417.77e2b1a.el7ost.noarch
openstack-tripleo-ui-7.4.2-2.el7ost.noarch
openstack-nova-compute-16.0.3-0.20171028031400.60d6e87.el7ost.noarch
openstack-heat-api-9.0.1-0.20171023060845.be1e2e9.el7ost.noarch
python-openstackclient-3.12.0-1.el7ost.noarch


(undercloud) [stack@undercloud-0 ~]$ sudo sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

Comment 23 Artem Hrechanychenko 2017-11-06 14:08:56 UTC

(undercloud) [stack@undercloud-0 ~]$ sudo rpm -qa "*selinux*"
libselinux-utils-2.5-11.el7.x86_64
selinux-policy-targeted-3.13.1-166.el7_4.5.noarch
libselinux-2.5-11.el7.x86_64
selinux-policy-3.13.1-166.el7_4.5.noarch
libselinux-python-2.5-11.el7.x86_64
openstack-selinux-0.8.11-0.20171013192233.ce13ba7.el7ost.noarch
container-selinux-2.28-1.git85ce147.el7.noarch
libselinux-ruby-2.5-11.el7.x86_64

Comment 26 errata-xmlrpc 2017-12-13 22:08:14 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:3462