Running `packstack --allinone` on a Fedora 21 system with:

- openstack-packstack-2014.2-0.16.dev1447.g6f4d34b.fc22.noarch
- openstack-glance-2014.2.1-2.fc22.noarch

Fails with:

    ERROR : Error appeared during Puppet run: 10.0.0.30_provision_glance
    Error: Could not prefetch glance_image provider 'glance': Execution of '/usr/bin/glance --os-tenant-name services --os-username glance --os-password 8b38738da85746d6 --os-region-name RegionOne --os-auth-url http://10.0.0.30:35357/v2.0/ image-list' returned 1: Invalid OpenStack Identity credentials.

This is due to the following selinux AVC:

    type=AVC msg=audit(1426617374.452:16284): avc: denied { name_connect } for pid=19553 comm="glance-api" dest=35357 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:keystone_port_t:s0 tclass=tcp_socket permissive=0

Aka:

    #============= glance_api_t ==============
    #!!!! This avc can be allowed using the boolean 'glance_api_can_network'
    allow glance_api_t keystone_port_t:tcp_socket name_connect;

Confirming that theory, running "setenforce 0" allows the `glance image-list` command to complete without error.

Moving under openstack-selinux, this rule should be added there.

Seeing this on Fedora 22 Server with packstack installing Kilo:

    type=AVC msg=audit(1439342973.418:343334): avc: denied { name_connect } for pid=15393 comm="glance-api" dest=35357 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:keystone_port_t:s0 tclass=tcp_socket permissive=0

This fixes things without setenforce 0

    # setsebool -P glance_api_can_network 1
    # /usr/bin/glance --os-tenant-name services --os-username glance --os-password xxxxx --os-region-name soutside --os-auth-url http://xxx:35357/ image-list
    +----+------+-------------+------------------+------+--------+
    | ID | Name | Disk Format | Container Format | Size | Status |
    +----+------+-------------+------------------+------+--------+
    +----+------+-------------+------------------+------+--------+

and when rerunning packstack, the install finishes.

    xxx.xxx.x.xxx_provision_glance: [ DONE ]
    Finalizing [ DONE ]
    **** Installation completed successfully ******
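
An added example, not part of the original bug comments: a small Python parser for the two AVC records quoted above. It extracts the source type, target type, class and permission, and merges both denials into the single allow rule shown in the first report. The function names are illustrative, and `comm` values containing spaces are not handled.

```python
import re
from collections import defaultdict

# The two AVC records quoted in the reports above (Fedora 21 and Fedora 22).
AVC_LINES = [
    'type=AVC msg=audit(1426617374.452:16284): avc: denied { name_connect } for pid=19553 comm="glance-api" dest=35357 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:keystone_port_t:s0 tclass=tcp_socket permissive=0',
    'type=AVC msg=audit(1439342973.418:343334): avc: denied { name_connect } for pid=15393 comm="glance-api" dest=35357 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:keystone_port_t:s0 tclass=tcp_socket permissive=0',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')


def parse_avc(line):
    """Return the security-relevant fields of one AVC denial, or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    # key=value pairs after "for"; assumes no whitespace inside values.
    fields = dict(kv.split('=', 1) for kv in m.group('fields').split() if '=' in kv)
    return {
        'perms': m.group('perms').split(),
        'comm': fields.get('comm', '').strip('"'),
        'dest': fields.get('dest'),
        # A context is user:role:type:level, so the type is the third field.
        'source_type': fields['scontext'].split(':')[2],
        'target_type': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
        # permissive=0 means the access was actually blocked, not just logged.
        'enforced': fields.get('permissive') == '0',
    }


def allow_rules(lines):
    """Merge denials by (source, target, class) into allow-rule text."""
    merged = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            key = (rec['source_type'], rec['target_type'], rec['tclass'])
            merged[key].update(rec['perms'])
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {perm_text};')
    return rules


if __name__ == '__main__':
    for rule in allow_rules(AVC_LINES):
        print(rule)
```
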

This bug is against a Version which has reached End of Life. If it's still present in a supported release (http://releases.openstack.org), please update Version and reopen.