RDO tickets are now tracked in Jira https://issues.redhat.com/projects/RDO/issues/
Bug 1028855 - packstack fails to install on minimum Fedora 19 install with selinux enabled
Summary: packstack fails to install on minimum Fedora 19 install with selinux enabled
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: RDO
Classification: Community
Component: openstack-packstack
Version: unspecified
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
: Havana
Assignee: Martin Magr
QA Contact: Ami Jeain
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-11-11 04:17 UTC by Joe Julian
Modified: 2015-05-18 15:21 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-03-19 05:42:17 UTC
Embargoed:


Attachments (Terms of Use)

Description Joe Julian 2013-11-11 04:17:06 UTC
Description of problem:
I tried to install using the instructions at http://openstack.redhat.com/Quickstart on a freshly installed "minimum install" of Fedora 19. The installation failed twice.

I disabled selinux, "setenforce 0", and tried again with success.

Checking the audit log after the successful completion, I see that most of the denials claim that they're now allowed. This looks like it might be a puppet resource ordering problem.

Version-Release number of selected component (if applicable):
openstack-packstack-2013.2.1-0.12.dev806.fc20.noarch

Actual results:
connect: No such file or directory
Please make sure that the zfs-fuse daemon is running.
internal error: failed to initialize ZFS library
connect: No such file or directory
Please make sure that the zfs-fuse daemon is running.
internal error: failed to initialize ZFS library
Error: Could not start Service[openvswitch]: Execution of '/sbin/service openvswitch start' returned 1:
Error: /Stage[main]/Vswitch::Ovs/Service[openvswitch]/ensure: change from stopped to running failed: Could not start Service[openvswitch]: Execution of '/sbin/service openvswitch start' returned 1:


# audit2allow < /var/log/audit/audit.log


#============= glance_api_t ==============

#!!!! This avc is allowed in the current policy
allow glance_api_t amqp_port_t:tcp_socket name_connect;

#============= nagios_t ==============

#!!!! This avc is allowed in the current policy
allow nagios_t nagios_log_t:dir { read remove_name };

#!!!! This avc is allowed in the current policy
allow nagios_t nagios_log_t:file { read write rename unlink };

#============= nrpe_t ==============

#!!!! This avc is allowed in the current policy
allow nrpe_t proc_t:file { read getattr open };

#!!!! This avc is allowed in the current policy
allow nrpe_t var_t:dir read;

#============= swift_t ==============
allow swift_t file_t:dir { read getattr open };

#!!!! This avc is allowed in the current policy
allow swift_t self:tcp_socket accept;

#!!!! This avc is allowed in the current policy
allow swift_t var_t:dir { write remove_name add_name };
allow swift_t var_t:file { rename read lock create write getattr unlink open };

Comment 2 Alvaro Lopez Ortega 2013-11-15 13:21:08 UTC
I'll have to check whether openstack-selinux is correctly installed. If it were, this wouldn't be a packstack bug.

Comment 3 Alvaro Lopez Ortega 2013-11-15 13:22:10 UTC
Actually, this isn't a RHOS issue but RDO. Moving it to the right product.

Comment 4 Martin Magr 2014-01-22 12:12:02 UTC
By any chance do you still have installation logs? Please check /var/tmp/packstack/<timestamp>-<hash>/manifests and attach any file named <IP>_<failed-manifest>.pp.log to this bug.

Comment 5 Gilles Dubreuil 2014-03-19 05:42:17 UTC
(In reply to Joe Julian from comment #0)
> Description of problem:
> I tried to install using the instructions at
> http://openstack.redhat.com/Quickstart on a freshly installed "minimum
> install" of Fedora 19. The installation failed twice.
> 
> I disabled selinux, "setenforce 0", and tried again with success.
> 
> Checking the audit log after the successful completion, I see that most of
> the denials claim that they're now allowed. This looks like it might be a
> puppet resource ordering problem.
> 
> Version-Release number of selected component (if applicable):
> openstack-packstack-2013.2.1-0.12.dev806.fc20.noarch
> 

Hi Julian, 

The package you're using is targeting Fedora 20.

This isn't an issue anymore with Fedora 20 which is the currently supported Fedora version for current RDO.

Besides workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1066112 - The issing log file issue for mariadb.

Regards,
Gilles

PS: Note workaround for mariabdb

Comment 6 Joe Julian 2015-05-18 15:20:45 UTC
I gave up and installed by hand.


Note You need to log in before you can comment on or make changes to this bug.