Bug 1493561
Summary: | [osp12]httpd service is dead on oc nodes due, cannot bind port due to selinux issues | |
---|---|---|---
Product: | Red Hat OpenStack | Reporter: | Artem Hrechanychenko <ahrechan>
Component: | openstack-selinux | Assignee: | Lon Hohberger <lhh>
Status: | CLOSED DUPLICATE | QA Contact: | Udi Shkalim <ushkalim>
Severity: | high | Docs Contact: |
Priority: | high | |
Version: | 12.0 (Pike) | CC: | apevec, mburns, mgrepl, ohochman, rhallise, srevivo
Target Milestone: | ga | Keywords: | Triaged
Target Release: | 12.0 (Pike) | |
Hardware: | x86_64 | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | If docs needed, set a value
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2017-09-21 12:53:23 UTC | Type: | Bug
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Attachments: | | |
Description
Artem Hrechanychenko
2017-09-20 13:43:12 UTC
Checked a setup deployed without tls_everywhere.

Environment:

    libselinux-python-2.5-11.el7.x86_64
    selinux-policy-3.13.1-166.el7_4.4.noarch
    libselinux-2.5-11.el7.x86_64
    libselinux-utils-2.5-11.el7.x86_64
    httpd-2.4.6-67.el7_4.2.x86_64
    selinux-policy-targeted-3.13.1-166.el7_4.4.noarch
    openstack-selinux-0.8.9-0.1.el7ost.noarch
    libselinux-ruby-2.5-11.el7.x86_64
    httpd-tools-2.4.6-67.el7_4.2.x86_64
    container-selinux-2.21-2.gitba103ac.el7.noarch
    ceph-selinux-10.2.7-32.el7cp.x86_64
    openstack-tripleo-heat-templates-7.0.0-0.20170913050524.0rc2.el7ost.noarch
    openstack-puppet-modules-11.0.0-0.20170828113154.el7ost.noarch
    instack-undercloud-7.4.1-0.20170912115418.el7ost.noarch

Deployment command:

    openstack overcloud deploy --templates \
    --libvirt-type kvm \
    -e /home/stack/templates/nodes_data.yaml \
    -e /usr/share/openstack-tripleo-heat-templates/environments/ceph-ansible/ceph-ansible.yaml \
    -e /usr/share/openstack-tripleo-heat-templates/environments/network-isolation-v6.yaml \
    -e /home/stack/virt/network/network-environment-v6.yaml \
    -e /usr/share/openstack-tripleo-heat-templates/environments/ssl/enable-tls.yaml \
    -e /home/stack/virt/public_vip.yaml \
    -e /usr/share/openstack-tripleo-heat-templates/environments/ssl/tls-endpoints-public-ip.yaml \
    -e /home/stack/inject-trust-anchor-hiera.yaml \
    -e /home/stack/rhos12.yaml

The issue didn't reproduce:

    [heat-admin@overcloud-controller-0 ~]$ sudo systemctl status httpd
    ● httpd.service - The Apache HTTP Server
       Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
      Drop-In: /usr/lib/systemd/system/httpd.service.d
               └─openstack-dashboard.conf
       Active: active (running) since Wed 2017-09-20 15:38:01 UTC; 49min ago
         Docs: man:httpd(8)
               man:apachectl(8)
     Main PID: 94660 (httpd)
       Status: "Total requests: 0; Current requests/sec: 0; Current traffic: 0 B/sec"
       Memory: 707.9M
       CGroup: /system.slice/httpd.service
               ├─94660 /usr/sbin/httpd -DFOREGROUND
               ├─94662 cinder_wsgi -DFOREGROUND
               ├─94663 cinder_wsgi -DFOREGROUND
               ├─94664 cinder_wsgi -DFOREGROUND
               ├─94665 cinder_wsgi -DFOREGROUND
               ├─94666 heat_api_cloudw -DFOREGROUND
               ├─94667 /usr/sbin/httpd -DFOREGROUND
               ├─94668 /usr/sbin/httpd -DFOREGROUND
               ├─94669 /usr/sbin/httpd -DFOREGROUND
               ├─94670 /usr/sbin/httpd -DFOREGROUND
               ├─94671 /usr/sbin/httpd -DFOREGROUND
               ├─94672 /usr/sbin/httpd -DFOREGROUND
               ├─94673 /usr/sbin/httpd -DFOREGROUND
               ├─94674 /usr/sbin/httpd -DFOREGROUND
               └─94986 /usr/sbin/httpd -DFOREGROUND

    Sep 20 15:37:52 overcloud-controller-0 systemd[1]: Starting The Apache HTTP Server...
    Sep 20 15:38:01 overcloud-controller-0 python[94380]: Compressing... done
    Sep 20 15:38:01 overcloud-controller-0 python[94380]: Compressed 5 block(s) from 3 template(s) for 1 context(s).
    Sep 20 15:38:01 overcloud-controller-0 systemd[1]: Started The Apache HTTP Server.
    [heat-admin@overcloud-controller-0 ~]$ sudo getenforce
    Enforcing

I guess "without tls_everywhere" services are not running in httpd?

*** This bug has been marked as a duplicate of bug 1489863 ***

Created attachment 1329048: audit.log

    [stack@undercloud-0 ~]$ ssh heat-admin.24.8 "rpm -q openstack-selinux"
    openstack-selinux-0.8.9-0.1.el7ost.noarch

Created attachment 1329051: audit.log
This is the old package - I'll have to build a new one so that we can deploy properly without manual workarounds.