Bug 1028855 - packstack fails to install on minimum Fedora 19 install with selinux enabled
packstack fails to install on minimum Fedora 19 install with selinux enabled
Status: CLOSED WONTFIX
Product: RDO
Classification: Community
Component: openstack-packstack (Show other bugs)
unspecified
Unspecified Unspecified
unspecified Severity unspecified
: ---
: Havana
Assigned To: Martin Magr
Ami Jeain
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-11-10 23:17 EST by Joe Julian
Modified: 2015-05-18 11:21 EDT (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-03-19 01:42:17 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Joe Julian 2013-11-10 23:17:06 EST
Description of problem:
I tried to install using the instructions at http://openstack.redhat.com/Quickstart on a freshly installed "minimum install" of Fedora 19. The installation failed twice.

I disabled selinux, "setenforce 0", and tried again with success.

Checking the audit log after the successful completion, I see that most of the denials claim that they're now allowed. This looks like it might be a puppet resource ordering problem.

Version-Release number of selected component (if applicable):
openstack-packstack-2013.2.1-0.12.dev806.fc20.noarch

Actual results:
connect: No such file or directory
Please make sure that the zfs-fuse daemon is running.
internal error: failed to initialize ZFS library
connect: No such file or directory
Please make sure that the zfs-fuse daemon is running.
internal error: failed to initialize ZFS library
Error: Could not start Service[openvswitch]: Execution of '/sbin/service openvswitch start' returned 1:
Error: /Stage[main]/Vswitch::Ovs/Service[openvswitch]/ensure: change from stopped to running failed: Could not start Service[openvswitch]: Execution of '/sbin/service openvswitch start' returned 1:


# audit2allow < /var/log/audit/audit.log


#============= glance_api_t ==============

#!!!! This avc is allowed in the current policy
allow glance_api_t amqp_port_t:tcp_socket name_connect;

#============= nagios_t ==============

#!!!! This avc is allowed in the current policy
allow nagios_t nagios_log_t:dir { read remove_name };

#!!!! This avc is allowed in the current policy
allow nagios_t nagios_log_t:file { read write rename unlink };

#============= nrpe_t ==============

#!!!! This avc is allowed in the current policy
allow nrpe_t proc_t:file { read getattr open };

#!!!! This avc is allowed in the current policy
allow nrpe_t var_t:dir read;

#============= swift_t ==============
allow swift_t file_t:dir { read getattr open };

#!!!! This avc is allowed in the current policy
allow swift_t self:tcp_socket accept;

#!!!! This avc is allowed in the current policy
allow swift_t var_t:dir { write remove_name add_name };
allow swift_t var_t:file { rename read lock create write getattr unlink open };
Comment 2 Alvaro Lopez Ortega 2013-11-15 08:21:08 EST
I'll have to check whether openstack-selinux is correctly installed. If it were, this wouldn't be a packstack bug.
Comment 3 Alvaro Lopez Ortega 2013-11-15 08:22:10 EST
Actually, this isn't a RHOS issue but RDO. Moving it to the right product.
Comment 4 Martin Magr 2014-01-22 07:12:02 EST
By any chance do you still have installation logs? Please check /var/tmp/packstack/<timestamp>-<hash>/manifests and attach any file named <IP>_<failed-manifest>.pp.log to this bug.
Comment 5 Gilles Dubreuil 2014-03-19 01:42:17 EDT
(In reply to Joe Julian from comment #0)
> Description of problem:
> I tried to install using the instructions at
> http://openstack.redhat.com/Quickstart on a freshly installed "minimum
> install" of Fedora 19. The installation failed twice.
> 
> I disabled selinux, "setenforce 0", and tried again with success.
> 
> Checking the audit log after the successful completion, I see that most of
> the denials claim that they're now allowed. This looks like it might be a
> puppet resource ordering problem.
> 
> Version-Release number of selected component (if applicable):
> openstack-packstack-2013.2.1-0.12.dev806.fc20.noarch
> 

Hi Julian, 

The package you're using is targeting Fedora 20.

This isn't an issue anymore with Fedora 20 which is the currently supported Fedora version for current RDO.

Besides workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1066112 - The issing log file issue for mariadb.

Regards,
Gilles

PS: Note workaround for mariabdb
Comment 6 Joe Julian 2015-05-18 11:20:45 EDT
I gave up and installed by hand.

Note You need to log in before you can comment on or make changes to this bug.