Bug 1572143

Summary: Upgrading undercloud from OSP12 to OSP13 fails when SSH directory SELinux contexts need correction
Product: Red Hat OpenStack Reporter: Andrew Austin <aaustin>
Component: instack-undercloudAssignee: Jose Luis Franco <jfrancoa>
Status: CLOSED ERRATA QA Contact: Yurii Prokulevych <yprokule>
Severity: urgent Docs Contact:
Priority: urgent    
Version: 13.0 (Queens)CC: augol, ccamacho, emacchi, jfrancoa, jschluet, jstransk, knylande, mbracho, mburns, yprokule
Target Milestone: betaKeywords: Triaged
Target Release: 13.0 (Queens)   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: instack-undercloud-8.4.1-4.el7ost Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-06-27 13:53:50 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Andrew Austin 2018-04-26 09:30:32 UTC
Description of problem:
During an undercloud upgrade from OSP12 to OSP13, instack-undercloud attempts to ensure SELinux contexts are correct on the stack user's SSH directory. If corrections are required, it attempts to execute semanage as the user running the 'openstack undercloud upgrade' command and not root. This fails with a permisson error.

Version-Release number of selected component (if applicable):
instack-undercloud-8.4.0-4

How reproducible:
Create a file with incorrect SELinux context in /home/stack/.ssh and attempt to upgrade an undercloud from Pike to Queens

Actual results:

The upgrade fails with a permission issue running semanage.

Expected results:

The SELinux context should be corrected automatically and the upgrade should succeed.

Additional info:

2018-04-26 08:51:45,091 ERROR: semanage failed: ValueError: SELinux policy is not managed or store cannot be accessed.

2018-04-26 08:51:45,093 DEBUG: An exception occurred
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/instack_undercloud/undercloud.py", line 2336, in install
    _post_config(instack_env, upgrade)
  File "/usr/lib/python2.7/site-packages/instack_undercloud/undercloud.py", line 2006, in _post_config
    _ensure_ssh_selinux_permission()
  File "/usr/lib/python2.7/site-packages/instack_undercloud/undercloud.py", line 1667, in _ensure_ssh_selinux_permission
    _run_command(cmd)
  File "/usr/lib/python2.7/site-packages/instack_undercloud/undercloud.py", line 642, in _run_command
    env=env).decode('utf-8')
  File "/usr/lib64/python2.7/subprocess.py", line 575, in check_output
    raise CalledProcessError(retcode, cmd, output=output)
CalledProcessError: Command '['semanage', 'fcontext', '-a', '-t', 'ssh_home_t', '/home/stack/.ssh(/.*)?']' returned non-zero exit status 1
2018-04-26 08:51:45,099 ERROR: 
#############################################################################
Undercloud upgrade failed.

Reason: Command '['semanage', 'fcontext', '-a', '-t', 'ssh_home_t', '/home/stack/.ssh(/.*)?']' returned non-zero exit status 1

See the previous output for details about what went wrong.  The full install
log can be found at /home/stack/.instack/install-undercloud.log.

#############################################################################

Comment 8 Yurii Prokulevych 2018-05-29 07:01:38 UTC
Verified with instack-undercloud-8.4.1-4.el7ost.noarch and next files:

[stack@undercloud-0 ~ (undercloud-13-TLV)]$ ls -lZ .ssh/
-rw-------. stack stack unconfined_u:object_r:ssh_home_t:s0 authorized_keys
-rw-------. stack stack unconfined_u:object_r:ssh_home_t:s0 config
-rw-------. stack stack unconfined_u:object_r:ssh_home_t:s0 id_rsa
-rw-------. stack stack system_u:object_r:tmp_t:s0       id_rsa_overcloud
-rw-r--r--. stack stack unconfined_u:object_r:ssh_home_t:s0 id_rsa.pub


openstack undercloud upgrade
...

#######################################################
Undercloud upgrade complete.

The file containing this installation's passwords is at
/home/stack/undercloud-passwords.conf.

Comment 12 errata-xmlrpc 2018-06-27 13:53:50 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:2086