Bug 1638548

Summary: On RHEL 7.6 Undercloud installation fails on nova-api: sudo in nova-rootwrap blocked by SELinux
Product: Red Hat OpenStack
Reporter: Pavel Sedlák <psedlak>
Component: openstack-selinux
Assignee: Zoli Caplovic <zcaplovi>
Status: CLOSED ERRATA
QA Contact: Jon Schlueter <jschluet>
Severity: high
Priority: urgent
Version: 9.0 (Mitaka)
CC: ccopello, jschluet, lhh, mgrepl, pkomarov, slinaber, zcaplovi
Target Milestone: ---
Keywords: Triaged, ZStream
Target Release: 9.0 (Mitaka)
Hardware: Unspecified
OS: Unspecified
Fixed In Version: openstack-selinux-0.8.15-1.el7ost
Doc Type: No Doc Update
Story Points: ---
Clone Of: 1638547
Clones: 1641671
Last Closed: 2018-10-31 16:17:08 UTC
Type: Bug
Bug Depends On: 1638547, 1640528
Bug Blocks: 1641671, 1641743, 1641746

Description Pavel Sedlák 2018-10-11 21:16:28 UTC
+++ This bug was initially created as a clone of Bug #1638547 +++

Description of problem:

During installation of the undercloud for OSP8 and/or OSP9 using:
> openstack undercloud install
it fails on nova-api:
> Error: Could not start Service[nova-api]: Execution of '/bin/systemctl start openstack-nova-api' returned 1: Job for openstack-nova-api.service failed because a timeout was exceeded. See "systemctl status openstack-nova-api.service" and "journalctl -xe" for details.

in nova.log the exception shows a failure of sudo nova-rootwrap:
> 2018-10-11 13:55:47.710 4825 DEBUG oslo_concurrency.processutils [-] u'sudo nova-rootwrap /etc/nova/rootwrap.conf iptables-save -c' failed. Not Retrying. execute /usr/lib/python2.7/site-packages/oslo_concurrency/processutils.py:375
> 2018-10-11 13:55:47.711 4825 DEBUG oslo_concurrency.lockutils [-] Lock "iptables" released by "nova.network.linux_net._apply" :: held 3.790s inner /usr/lib/python2.7/site-packages/oslo_concurrency/lockutils.py:265
> 2018-10-11 13:55:47.713 4825 CRITICAL nova [-] ProcessExecutionError: Unexpected error while running command.
> Command: sudo nova-rootwrap /etc/nova/rootwrap.conf iptables-save -c
> Exit code: 1
> Stdout: u''
> Stderr: u'sudo: PAM account management error: Authentication service cannot retrieve authentication info\n'
> 2018-10-11 13:55:47.713 4825 ERROR nova Traceback (most recent call last):
> 2018-10-11 13:55:47.713 4825 ERROR nova   File "/usr/bin/nova-api", line 10, in <module>
> 2018-10-11 13:55:47.713 4825 ERROR nova     sys.exit(main())
> ...
> 2018-10-11 13:55:47.713 4825 ERROR nova   File "/usr/lib/python2.7/site-packages/nova/utils.py", line 272, in execute
> 2018-10-11 13:55:47.713 4825 ERROR nova     return processutils.execute(*cmd, **kwargs)
> 2018-10-11 13:55:47.713 4825 ERROR nova   File "/usr/lib/python2.7/site-packages/oslo_concurrency/processutils.py", line 342, in execute
> 2018-10-11 13:55:47.713 4825 ERROR nova     cmd=sanitized_cmd)
> 2018-10-11 13:55:47.713 4825 ERROR nova ProcessExecutionError: Unexpected error while running command.
> 2018-10-11 13:55:47.713 4825 ERROR nova Command: sudo nova-rootwrap /etc/nova/rootwrap.conf iptables-save -c
> 2018-10-11 13:55:47.713 4825 ERROR nova Exit code: 1
> 2018-10-11 13:55:47.713 4825 ERROR nova Stdout: u''
> 2018-10-11 13:55:47.713 4825 ERROR nova Stderr: u'sudo: PAM account management error: Authentication service cannot retrieve authentication info\n'

in audit.log about 65 entries like this are visible:
> type=AVC msg=audit(1539280257.488:1159): avc:  denied  { execute } for  pid=1782 comm="sudo" name="unix_chkpwd" dev="vda1" ino=4531529 scontext=system_u:system_r:nova_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file permissive=0


Version-Release number of selected component (if applicable):
this happens on two OSP versions; on OSP8:
> openstack-selinux.noarch         0.8.14-15.el7ost       @rhelosp-8.0-puddle
> selinux-policy.noarch            3.13.1-229.el7         @rhelosp-rhel-7.6-server
and in the case of OSP9:
> openstack-selinux.noarch             0.8.14-15.el7ost   @rhelosp-9.0-puddle
> selinux-policy.noarch                3.13.1-229.el7     @rhelosp-rhel-7.6-server


How reproducible:
always

Steps to Reproduce:
1. on rhel-7.6 machine add RHOSP-8 repositories
2. install python-tripleoclient
3. openstack undercloud install

Actual results:
it fails, and in the output there is an error that systemctl start nova-api failed

Expected results:
undercloud installation succeeds without errors
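As an added triage example (not code from the bug report or from openstack-selinux), the parser below collapses the roughly 65 repeated AVC records described above into the distinct (source domain, target type, class) denials they represent, the same grouping audit2allow performs before printing allow rules. The audit.log sample is constructed: its first line is the denial quoted in the report, the others are constructed variants (a repeat, a wtmp denial, and a non-AVC record) to show grouping and filtering.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: line 1 is the denial from the bug, the rest are made-up variants.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1539280257.488:1159): avc:  denied  { execute } for  pid=1782 comm="sudo" name="unix_chkpwd" dev="vda1" ino=4531529 scontext=system_u:system_r:nova_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1539280257.491:1160): avc:  denied  { execute } for  pid=1783 comm="sudo" name="unix_chkpwd" dev="vda1" ino=4531529 scontext=system_u:system_r:nova_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1539280257.495:1161): avc:  denied  { read write } for  pid=1783 comm="sudo" name="wtmp" dev="vda1" ino=12345 scontext=system_u:system_r:nova_t:s0 tcontext=system_u:object_r:wtmp_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1539280257.488:1159): arch=c000003e syscall=59 success=no exit=-13
"""

# Header of an AVC record: timestamp, serial, denied/granted, permission set, then key=value fields.
AVC_RE = re.compile(r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
                    r'(?P<result>denied|granted)\s+\{ (?P<perms>[^}]*) \} for\s+(?P<fields>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one AVC record into a dict; return None for any other audit record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": float(m.group("ts")), "serial": int(m.group("serial")),
           "result": m.group("result"), "perms": set(m.group("perms").split())}
    for key, val in KV_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')          # comm="sudo" -> sudo
    return rec

def selinux_type(context):
    """system_u:system_r:nova_t:s0 -> nova_t (the type is the third field of a context)."""
    return context.split(":")[2]

def summarize_denials(text):
    """Collapse repeated denials into {(source type, target type, class): (perms, count)}."""
    perms, counts = defaultdict(set), Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue                        # skip SYSCALL/other records and granted AVCs
        key = (selinux_type(rec["scontext"]), selinux_type(rec["tcontext"]), rec["tclass"])
        perms[key] |= rec["perms"]
        counts[key] += 1
    return {k: (sorted(perms[k]), counts[k]) for k in counts}

def allow_rules(summary):
    """Render each collapsed denial as the raw allow rule audit2allow would print.
    A shipped policy module would express this through interfaces such as
    auth_use_pam() rather than raw rules; this output is for triage only."""
    return [f"allow {src} {tgt}:{cls} {{ {' '.join(p)} }};"
            for (src, tgt, cls), (p, _) in sorted(summary.items())]

if __name__ == "__main__":
    for rule, (_, n) in zip(allow_rules(summarize_denials(SAMPLE_AUDIT_LOG)),
                            sorted(summarize_denials(SAMPLE_AUDIT_LOG).values())):
        print(rule)
```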

Comment 1 Lon Hohberger 2018-10-18 12:33:46 UTC
auth_use_pam(neutron_t)
init_rw_utmp(neutron_t)

?

Comment 2 Lon Hohberger 2018-10-18 12:34:07 UTC
s/neutron_t/nova_t/g

Comment 7 errata-xmlrpc 2018-10-31 16:17:08 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3435

Comment 8 Michele Baldessari 2018-11-21 19:46:24 UTC
*** Bug 1647008 has been marked as a duplicate of this bug. ***