Bug 1820115

Summary: rhosp16-openstack-nova-compute-ironic container-config Exited (1) nova_statedir_owner
Product: Red Hat OpenStack Reporter: Attila Fazekas <afazekas>
Component: openstack-tripleo-heat-templatesAssignee: Ollie Walsh <owalsh>
Status: CLOSED ERRATA QA Contact: David Rosenfeld <drosenfe>
Severity: medium Docs Contact:
Priority: medium    
Version: 16.0 (Train)CC: cjeanner, jhajyahy, jpichon, kecarter, mburns, owalsh, slinaber
Target Milestone: betaKeywords: Triaged
Target Release: 16.1 (Train on RHEL 8.2)   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: openstack-tripleo-heat-templates-11.3.2-0.20200403183437.7648856.el8ost Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-07-29 07:51:07 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Attila Fazekas 2020-04-02 10:07:30 UTC 
Description of problem:
16.1 undercloud deployment failed.

$ podman ps -a |grep Exited | grep -v '(0)'
ac2d7c87dc72  undercloud-0.ctlplane.redhat.local:8787/rh-osbs/rhosp16-openstack-nova-compute-ironic:16.1_20200401.1  /container-config...  About an hour ago  Exited (1) About an hour ago         nova_statedir_owner

Probably relevant output line:
"ERROR:nova_statedir:Could not set selinux context of /var/lib/nova to system_u:object_r:container_file_t:s0:"

Version-Release number of selected component (if applicable):
 rpm -qa |grep triple
openstack-tripleo-puppet-elements-11.2.2-0.20200311084936.a6fef08.el8ost.noarch
python3-tripleoclient-12.3.2-0.20200331233427.9a5892e.el8ost.noarch
python3-tripleo-common-11.3.3-0.20200331083848.ace00a3.el8ost.noarch
openstack-tripleo-common-11.3.3-0.20200331083848.ace00a3.el8ost.noarch
openstack-tripleo-image-elements-10.6.2-0.20200313223428.8c91b46.el8ost.noarch
openstack-tripleo-validations-11.3.2-0.20200318113434.3fd14c9.el8ost.noarch
tripleo-ansible-0.4.2-0.20200330173442.a55eb2a.el8ost.noarch
python3-tripleoclient-heat-installer-12.3.2-0.20200331233427.9a5892e.el8ost.noarch
openstack-tripleo-common-containers-11.3.3-0.20200331083848.ace00a3.el8ost.noarch
puppet-tripleo-11.4.1-0.20200401053434.33288b0.el8ost.noarch
ansible-tripleo-ipsec-9.2.1-0.20200311073016.0c8693c.el8ost.noarch
openstack-tripleo-heat-templates-11.3.2-0.20200401083149.cd5c992.el8ost.noarch
ansible-role-tripleo-modify-image-1.1.1-0.20200311081746.bb6f78d.el8ost.noarch


How reproducible:
always
Comment 2 Attila Fazekas 2020-04-02 13:01:14 UTC 
audit2why -ve < /var/log/audit/audit.log 
type=AVC msg=audit(1585817973.732:1973): avc:  denied  { relabelfrom } for  pid=38851 comm="python3" name="nova" dev="vda1" ino=33580128 scontext=system_u:system_r:container_t:s0:c738,c1014 tcontext=unconfined_u:object_r:container_file_t:s0 tclass=dir permissive=0

	Was caused by:

#Constraint rule:

#	constrain dir { create relabelfrom relabelto } ((u1 == u2 -Fail-)  or (t1 == can_change_object_identity -Fail-) ); Constraint DENIED

#	Possible cause is the source user (system_u) and target user (unconfined_u) are different.

#	Possible cause is the source level (s0:c738,c1014) and target level (s0) are different.
Comment 3 Ollie Walsh 2020-04-02 13:17:41 UTC 
Similar to https://github.com/containers/libpod/issues/3683. Running this container with --security-opt label=disable resolves the issue
Comment 10 Jad Haj Yahya 2020-07-23 12:46:50 UTC 
Undercloud stage is passing:

https://rhos-qe-jenkins.rhev-ci-vms.eng.rdu2.redhat.com/job/phase1-16.1_director-rhel-8.2-virthost-1cont_1comp_1ceph-ipv4-geneve-ceph/
Comment 12 errata-xmlrpc 2020-07-29 07:51:07 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:3148