Bug 1652035

Summary: deployment with undercloud_ssl fails on : sudo: PAM account management error: Authentication service cannot retrieve authentication info
Product: Red Hat OpenStack
Component: rhosp-director
Version: 8.0 (Liberty)
Status: CLOSED DUPLICATE
Severity: high
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Reporter: pkomarov
Assignee: RHOS Maint <rhos-maint>
QA Contact: Gurenko Alex <agurenko>
CC: berrange, dasmith, dbecker, eglynn, jhakimra, kchamart, mburns, morazi, owalsh, pkomarov, sbauza, sgordon, vromanso
Type: Bug
Last Closed: 2018-11-23 16:14:33 UTC
Bug Blocks: 1651357

Description pkomarov 2018-11-21 13:09:07 UTC
Description of problem:

Deployment with undercloud_ssl fails on : nova-api service failure : PAM account management error: Authentication service cannot retrieve authentication info

Version-Release number of selected component (if applicable):
2018-09-28.1

How reproducible:
always



Steps to Reproduce:
Deployment with undercloud_ssl

Actual results:
undercloud deployment fails

Expected results:
undercloud deployment succeeds 

Additional info:
Nov 21 08:01:43 undercloud-0.redhat.local nova-api[29039]: 2018-11-21 08:01:43.636 29039 DEBUG oslo_concurrency.processutils [-] CMD "sudo nova-rootwrap /etc/nova/rootwrap.conf iptables-save -c" returned: 1 in 0.028s execute /usr/lib/python2.7/site-packages/oslo_concurrency
Nov 21 08:01:43 undercloud-0.redhat.local nova-api[29039]: 2018-11-21 08:01:43.637 29039 DEBUG oslo_concurrency.processutils [-] u'sudo nova-rootwrap /etc/nova/rootwrap.conf iptables-save -c' failed. Not Retrying. execute /usr/lib/python2.7/site-packages/oslo_concurrency/pr
Nov 21 08:01:43 undercloud-0.redhat.local nova-api[29039]: 2018-11-21 08:01:43.637 29039 DEBUG oslo_concurrency.lockutils [-] Lock "iptables" released by "nova.network.linux_net._apply" :: held 4.331s inner /usr/lib/python2.7/site-packages/oslo_concurrency/lockutils.py:265
Nov 21 08:01:43 undercloud-0.redhat.local nova-api[29039]: 2018-11-21 08:01:43.639 29039 CRITICAL nova [-] ProcessExecutionError: Unexpected error while running command.
Nov 21 08:01:43 undercloud-0.redhat.local nova-api[29039]: Command: sudo nova-rootwrap /etc/nova/rootwrap.conf iptables-save -c
Nov 21 08:01:43 undercloud-0.redhat.local nova-api[29039]: Exit code: 1
Nov 21 08:01:43 undercloud-0.redhat.local nova-api[29039]: Stdout: u''
Nov 21 08:01:43 undercloud-0.redhat.local nova-api[29039]: Stderr: u'sudo: PAM account management error: Authentication service cannot retrieve authentication info\n'
Nov 21 08:01:43 undercloud-0.redhat.local nova-api[29039]: 2018-11-21 08:01:43.639 29039 ERROR nova Traceback (most recent call last):
Nov 21 08:01:43 undercloud-0.redhat.local nova-api[29039]: 2018-11-21 08:01:43.639 29039 ERROR nova   File "/usr/bin/nova-api", line 10, in <module>
Nov 21 08:01:43 undercloud-0.redhat.local nova-api[29039]: 2018-11-21 08:01:43.639 29039 ERROR nova     sys.exit(main())
Nov 21 08:01:43 undercloud-0.redhat.local nova-api[29039]: 2018-11-21 08:01:43.639 29039 ERROR nova   File "/usr/lib/python2.7/site-packages/nova/cmd/api.py", line 55, in main
[root@undercloud-0 ~]# rpm -qf /usr/lib/python2.7/site-packages/nova/cmd/api.py

Comment 1 pkomarov 2018-11-21 14:46:08 UTC
sos reports are at : 

http://rhos-release.virt.bos.redhat.com/log/pkomarov_sosreports/BZ1652035/

Comment 2 Ollie Walsh 2018-11-22 17:32:51 UTC
sudo (and PAM) is clearly broken

Comment 3 Ollie Walsh 2018-11-23 12:44:19 UTC
Looks like an SELinux denial:
type=AVC msg=audit(1542809260.000:1407): avc:  denied  { execute } for  pid=25419 comm="sudo" name="unix_chkpwd" dev="vda1" ino=4535567 scontext=system_u:system_r:nova_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file permissive=0

However, sudo appears to be working for ironic-conductor.
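
Added example (not part of the original comment or of any Red Hat tooling): a small parser that pulls the source and target SELinux types out of AVC records and flags enforced denials where sudo is refused execute on unix_chkpwd, the pam_unix helper binary. The first sample line is the record quoted above; the second line and the type name example_t are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# First record: the AVC line quoted in comment 3. Second: constructed variant
# (permissive=1, i.e. logged but not enforced) to show what the filter ignores.
AUDIT_LINES = [
    'type=AVC msg=audit(1542809260.000:1407): avc:  denied  { execute } for  '
    'pid=25419 comm="sudo" name="unix_chkpwd" dev="vda1" ino=4535567 '
    'scontext=system_u:system_r:nova_t:s0 '
    'tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1542809261.000:1408): avc:  denied  { execute } for  '
    'pid=25420 comm="sudo" name="unix_chkpwd" dev="vda1" ino=4535567 '
    'scontext=system_u:system_r:example_t:s0 '
    'tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file permissive=1',
]

AVC_RE = re.compile(r'type=AVC msg=audit\((?P<epoch>\d+)\.\d+:(?P<serial>\d+)\): '
                    r'avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one AVC audit record into a dict; return None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {key: value.strip('"') for key, value in KV_RE.findall(m.group('rest'))}
    rec.update(result=m.group('result'), perms=m.group('perms').split(),
               serial=int(m.group('serial')),
               time_utc=datetime.fromtimestamp(int(m.group('epoch')), tz=timezone.utc))
    # A context is user:role:type:level; policy decisions key on the type field.
    rec['source_type'] = rec['scontext'].split(':')[2]
    rec['target_type'] = rec['tcontext'].split(':')[2]
    return rec

def blocks_sudo_pam(rec):
    """True for an enforced denial of sudo executing the unix_chkpwd PAM helper."""
    return (rec['result'] == 'denied' and rec.get('permissive') == '0'
            and rec.get('comm') == 'sudo' and rec.get('tclass') == 'file'
            and 'execute' in rec['perms'] and rec['target_type'] == 'chkpwd_exec_t')

def triage(lines):
    """Return one summary string per enforced denial that breaks sudo's PAM check."""
    hits = [r for r in map(parse_avc, lines) if r and blocks_sudo_pam(r)]
    return [f"{r['time_utc']:%Y-%m-%d %H:%M:%S} UTC: {r['source_type']} may not "
            f"{' '.join(r['perms'])} {r['name']} ({r['target_type']})" for r in hits]

if __name__ == '__main__':
    print('\n'.join(triage(AUDIT_LINES)))
```

The source type in the summary identifies which confined domain the calling sudo process was running in, which is the field to compare between a service where sudo fails and one where it works.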

Comment 4 Ollie Walsh 2018-11-23 13:04:30 UTC
The description implies that this issue only occurs when undercloud_ssl is enabled. Is that correct?

Comment 5 Ollie Walsh 2018-11-23 16:14:33 UTC

*** This bug has been marked as a duplicate of bug 1640528 ***