Description of problem:
During an undercloud upgrade from OSP12 to OSP13, instack-undercloud attempts to ensure SELinux contexts are correct on the stack user's SSH directory. If corrections are required, it attempts to execute semanage as the user running the 'openstack undercloud upgrade' command and not root. This fails with a permisson error.
Version-Release number of selected component (if applicable):
instack-undercloud-8.4.0-4
How reproducible:
Create a file with incorrect SELinux context in /home/stack/.ssh and attempt to upgrade an undercloud from Pike to Queens
Actual results:
The upgrade fails with a permission issue running semanage.
Expected results:
The SELinux context should be corrected automatically and the upgrade should succeed.
Additional info:
2018-04-26 08:51:45,091 ERROR: semanage failed: ValueError: SELinux policy is not managed or store cannot be accessed.
2018-04-26 08:51:45,093 DEBUG: An exception occurred
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/instack_undercloud/undercloud.py", line 2336, in install
_post_config(instack_env, upgrade)
File "/usr/lib/python2.7/site-packages/instack_undercloud/undercloud.py", line 2006, in _post_config
_ensure_ssh_selinux_permission()
File "/usr/lib/python2.7/site-packages/instack_undercloud/undercloud.py", line 1667, in _ensure_ssh_selinux_permission
_run_command(cmd)
File "/usr/lib/python2.7/site-packages/instack_undercloud/undercloud.py", line 642, in _run_command
env=env).decode('utf-8')
File "/usr/lib64/python2.7/subprocess.py", line 575, in check_output
raise CalledProcessError(retcode, cmd, output=output)
CalledProcessError: Command '['semanage', 'fcontext', '-a', '-t', 'ssh_home_t', '/home/stack/.ssh(/.*)?']' returned non-zero exit status 1
2018-04-26 08:51:45,099 ERROR:
#############################################################################
Undercloud upgrade failed.
Reason: Command '['semanage', 'fcontext', '-a', '-t', 'ssh_home_t', '/home/stack/.ssh(/.*)?']' returned non-zero exit status 1
See the previous output for details about what went wrong. The full install
log can be found at /home/stack/.instack/install-undercloud.log.
#############################################################################
Comment 8Yurii Prokulevych
2018-05-29 07:01:38 UTC
Verified with instack-undercloud-8.4.1-4.el7ost.noarch and next files:
[stack@undercloud-0 ~ (undercloud-13-TLV)]$ ls -lZ .ssh/
-rw-------. stack stack unconfined_u:object_r:ssh_home_t:s0 authorized_keys
-rw-------. stack stack unconfined_u:object_r:ssh_home_t:s0 config
-rw-------. stack stack unconfined_u:object_r:ssh_home_t:s0 id_rsa
-rw-------. stack stack system_u:object_r:tmp_t:s0 id_rsa_overcloud
-rw-r--r--. stack stack unconfined_u:object_r:ssh_home_t:s0 id_rsa.pub
openstack undercloud upgrade
...
#######################################################
Undercloud upgrade complete.
The file containing this installation's passwords is at
/home/stack/undercloud-passwords.conf.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHEA-2018:2086
Description of problem: During an undercloud upgrade from OSP12 to OSP13, instack-undercloud attempts to ensure SELinux contexts are correct on the stack user's SSH directory. If corrections are required, it attempts to execute semanage as the user running the 'openstack undercloud upgrade' command and not root. This fails with a permisson error. Version-Release number of selected component (if applicable): instack-undercloud-8.4.0-4 How reproducible: Create a file with incorrect SELinux context in /home/stack/.ssh and attempt to upgrade an undercloud from Pike to Queens Actual results: The upgrade fails with a permission issue running semanage. Expected results: The SELinux context should be corrected automatically and the upgrade should succeed. Additional info: 2018-04-26 08:51:45,091 ERROR: semanage failed: ValueError: SELinux policy is not managed or store cannot be accessed. 2018-04-26 08:51:45,093 DEBUG: An exception occurred Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/instack_undercloud/undercloud.py", line 2336, in install _post_config(instack_env, upgrade) File "/usr/lib/python2.7/site-packages/instack_undercloud/undercloud.py", line 2006, in _post_config _ensure_ssh_selinux_permission() File "/usr/lib/python2.7/site-packages/instack_undercloud/undercloud.py", line 1667, in _ensure_ssh_selinux_permission _run_command(cmd) File "/usr/lib/python2.7/site-packages/instack_undercloud/undercloud.py", line 642, in _run_command env=env).decode('utf-8') File "/usr/lib64/python2.7/subprocess.py", line 575, in check_output raise CalledProcessError(retcode, cmd, output=output) CalledProcessError: Command '['semanage', 'fcontext', '-a', '-t', 'ssh_home_t', '/home/stack/.ssh(/.*)?']' returned non-zero exit status 1 2018-04-26 08:51:45,099 ERROR: ############################################################################# Undercloud upgrade failed. Reason: Command '['semanage', 'fcontext', '-a', '-t', 'ssh_home_t', '/home/stack/.ssh(/.*)?']' returned non-zero exit status 1 See the previous output for details about what went wrong. The full install log can be found at /home/stack/.instack/install-undercloud.log. #############################################################################