Bug 2217952

Summary: "unable to send audit message" messages are logged during undercloud deployment for aodh_db_sync and neutron_db_sync
Product: Red Hat OpenStack
Reporter: Cédric Jeanneret <cjeanner>
Component: openstack-tripleo-heat-templates
Assignee: Takashi Kajinami <tkajinam>
Status: MODIFIED
QA Contact: Joe H. Rahme <jhakimra>
Severity: medium
Priority: medium
Version: 17.1 (Wallaby)
CC: astupnik, mburns, tkajinam
Target Milestone: z2
Keywords: Triaged
Target Release: 17.1
Hardware: Unspecified
OS: Unspecified
Fixed In Version: openstack-tripleo-heat-templates-14.3.1-17.1.20230706103744.3aca659.el8osttrunk
Doc Type: No Doc Update

Description Cédric Jeanneret 2023-06-27 15:30:20 UTC
This bug was initially created as a copy of Bug #2217889

I am copying this bug because: 
We need to get proper backport of the audit write capability patch.


Description of problem:

It looks like symptoms similar to upstream bugs https://bugs.launchpad.net/tripleo/+bug/1989247 and https://bugs.launchpad.net/tripleo/+bug/1942076 are reproduced in RHOSP 17.0:

Jun 19 20:03:24 director ansible-tripleo_container_manage[23525]: [WARNING] ERROR: Can't run container aodh_db_sync#012stderr: + sudo -E kolla_set_configs#012sudo: unable to send audit message: Operation not permitted
Jun 19 20:05:33 director ansible-tripleo_container_manage[23525]: [WARNING] ERROR: Can't run container neutron_db_sync#012stderr: + sudo -E kolla_set_configs#012sudo: unable to send audit message: Operation not permitted

From upstream's bug description it looks like it was a blocker for upstream. For the customer's RHOSP 17.0 deployment it was a cosmetic problem which didn't break anything. But it is misleading.


Version-Release number of selected component (if applicable):
python3-tripleoclient-16.5.1-0.20221207110335.23dbe54.el9ost.noarch


How reproducible:
Run undercloud deployment command for RHOSP 17.0


Actual results:
"sudo: unable to send audit message: Operation not permitted" errors are logged

Expected results:
"sudo: unable to send audit message: Operation not permitted" errors are not logged

Comment 1 Takashi Kajinami 2023-07-03 09:19:18 UTC
We later noticed podman 3.0 in CentOS8/RHEL8 does not contain https://github.com/containers/podman/pull/13744/commits/1cd529b22d40205c1f3246ed49f07e3615cf8292
thus does not allow using both privileged and cap add at the same time.

Because of this nova_migration_target container is not able to start in CentOS 8.
As a quick fix we decided to exclude this specific container.

If anyone finds actual problems caused by the warning coming from nova_migration_target,
that needs further investigation mainly from nova's perspective. (We probably need to
check whether the container requires privilege or not, first.)
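
A triage sketch for the symptom and the constraint discussed in this bug, added here as an example and not part of the bug's comments or of the TripleO code: it pulls the affected container names out of the journal lines quoted in the description, then classifies a container's settings against the audit-write fix and the podman 3.0 restriction reported in Comment 1. The `privileged` and `cap_add` keys and all values in `SAMPLE_CONFIGS` are constructed assumptions.

```python
import re

# The two journal lines quoted in the bug description.
SAMPLE_LOG = "\n".join([
    "Jun 19 20:03:24 director ansible-tripleo_container_manage[23525]: [WARNING] ERROR: Can't run container aodh_db_sync#012stderr: + sudo -E kolla_set_configs#012sudo: unable to send audit message: Operation not permitted",
    "Jun 19 20:05:33 director ansible-tripleo_container_manage[23525]: [WARNING] ERROR: Can't run container neutron_db_sync#012stderr: + sudo -E kolla_set_configs#012sudo: unable to send audit message: Operation not permitted",
])

# Constructed container settings (assumed layout, not copied from the templates).
SAMPLE_CONFIGS = {
    "aodh_db_sync": {"privileged": False, "cap_add": []},
    "neutron_db_sync": {"privileged": False},
    "nova_migration_target": {"privileged": True, "cap_add": ["AUDIT_WRITE"]},
}

AUDIT_ERR = "sudo: unable to send audit message: Operation not permitted"
CONTAINER_RE = re.compile(r"Can't run container (\S+)")

def containers_with_audit_warning(log_text):
    """Return, in order, the containers whose captured stderr has the sudo audit error."""
    hits = []
    for line in log_text.splitlines():
        # syslog escapes embedded newlines as #012; split to recover the stderr lines.
        head, *stderr = line.split("#012")
        match = CONTAINER_RE.search(head)
        if match and AUDIT_ERR in (s.strip() for s in stderr):
            if match.group(1) not in hits:
                hits.append(match.group(1))
    return hits

def classify(config):
    """Classify one container's settings with respect to the audit-write capability."""
    caps = {re.sub(r"^CAP_", "", c.upper()) for c in config.get("cap_add") or []}
    has_audit = "AUDIT_WRITE" in caps
    if config.get("privileged") and has_audit:
        return "conflict"  # privileged plus cap add: rejected by podman 3.0 (Comment 1)
    if config.get("privileged"):
        return "privileged-no-cap-add"  # the excluded case, e.g. nova_migration_target
    return "ok" if has_audit else "missing-audit-write"

def report(log_text, configs):
    """Map each container seen with the warning to its classification."""
    return {name: classify(configs[name]) if name in configs else "unknown"
            for name in containers_with_audit_warning(log_text)}

if __name__ == "__main__":
    for name, status in report(SAMPLE_LOG, SAMPLE_CONFIGS).items():
        print(f"{name}: {status}")
```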