Bug 1202944 - "glance image-list" fails on F21, causing packstack install to fail
Keywords:
Status: CLOSED EOL
Alias: None
Product: RDO
Classification: Community
Component: openstack-selinux
Version: Juno
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
: Kilo
Assignee: Lon Hohberger
QA Contact: Ofer Blaut
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-03-17 18:41 UTC by Lars Kellogg-Stedman
Modified: 2016-05-19 15:54 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-05-19 15:54:47 UTC
Embargoed:


Description Lars Kellogg-Stedman 2015-03-17 18:41:39 UTC
Running `packstack --allinone` on a Fedora 21 system with:

- openstack-packstack-2014.2-0.16.dev1447.g6f4d34b.fc22.noarch
- openstack-glance-2014.2.1-2.fc22.noarch

Fails with:

ERROR : Error appeared during Puppet run: 10.0.0.30_provision_glance
Error: Could not prefetch glance_image provider 'glance': Execution of '/usr/bin/glance --os-tenant-name services --os-username glance --os-password 8b38738da85746d6 --os-region-name RegionOne --os-auth-url http://10.0.0.30:35357/v2.0/ image-list' returned 1: Invalid OpenStack Identity credentials.

This is due to the following selinux AVC:

type=AVC msg=audit(1426617374.452:16284): avc:  denied  { name_connect } for  pid=19553 comm="glance-api" dest=35357 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:keystone_port_t:s0 tclass=tcp_socket permissive=0

Aka:

#============= glance_api_t ==============

#!!!! This avc can be allowed using the boolean 'glance_api_can_network'
allow glance_api_t keystone_port_t:tcp_socket name_connect;

Confirming that theory, running "setenforce 0" allows the `glance image-list` command to complete without error.
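
As an added example (not part of the original report or of openstack-selinux): a small Python parser that turns AVC denial records like the ones quoted in this bug into the `allow` rule form shown in the description and counts repeated enforced denials. The function names are hypothetical; the sample records are the two AVC lines copied from this page.

```python
import re

# Sample input: the two AVC records quoted on this page (description and comment 2).
_CTX = ('scontext=system_u:system_r:glance_api_t:s0 '
        'tcontext=system_u:object_r:keystone_port_t:s0 tclass=tcp_socket permissive=0')
SAMPLES = [
    'type=AVC msg=audit(1426617374.452:16284): avc:  denied  { name_connect } for  '
    'pid=19553 comm="glance-api" dest=35357 ' + _CTX,
    'type=AVC msg=audit(1439342973.418:343334): avc:  denied  { name_connect } for  '
    'pid=15393 comm="glance-api" dest=35357 ' + _CTX,
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of an AVC denial record, or None for any other line."""
    m = AVC_RE.search(line) if 'type=AVC' in line else None
    if not m:
        return None
    f = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    try:
        # A context is user:role:type:level; the level may itself contain ':'.
        source = f['scontext'].split(':', 3)[2]
        target = f['tcontext'].split(':', 3)[2]
        tclass = f['tclass']
    except (KeyError, IndexError):
        return None
    return {'perms': m.group('perms').split(), 'source': source, 'target': target,
            'tclass': tclass, 'comm': f.get('comm'), 'dest': f.get('dest'),
            # Assumption: a record without a permissive field is treated as enforced.
            'enforced': f.get('permissive', '0') == '0'}

def allow_rule(rec):
    """Format a parsed denial as a policy allow rule."""
    perms = rec['perms']
    p = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f"allow {rec['source']} {rec['target']}:{rec['tclass']} {p};"

def summarize(lines):
    """Count enforced denials per distinct allow rule."""
    counts = {}
    for line in lines:
        rec = parse_avc(line)
        if rec and rec['enforced']:
            rule = allow_rule(rec)
            counts[rule] = counts.get(rule, 0) + 1
    return counts

if __name__ == '__main__':
    for rule, n in summarize(SAMPLES).items():
        print(n, rule)
```
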

Comment 1 Flavio Percoco 2015-03-18 09:21:59 UTC
Moving under openstack-selinux, this rule should be added there

Comment 2 Joe Doss 2015-08-12 02:07:22 UTC
Seeing this on Fedora 22 Server with packstack installing Kilo:

type=AVC msg=audit(1439342973.418:343334): avc:  denied  { name_connect } for  pid=15393 comm="glance-api" dest=35357 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:keystone_port_t:s0 tclass=tcp_socket permissive=0

This fixes things without setenforce 0

# setsebool -P  glance_api_can_network 1

# /usr/bin/glance --os-tenant-name services --os-username glance --os-password xxxxx --os-region-name soutside --os-auth-url http://xxx:35357/ image-list
+----+------+-------------+------------------+------+--------+
| ID | Name | Disk Format | Container Format | Size | Status |
+----+------+-------------+------------------+------+--------+
+----+------+-------------+------------------+------+--------+

and when rerunning packstack, the install finishes.

xxx.xxx.x.xxx_provision_glance:                      [ DONE ]              
Finalizing                                           [ DONE ]

 **** Installation completed successfully ******

Comment 3 Chandan Kumar 2016-05-19 15:54:47 UTC
This bug is against a Version which has reached End of Life.
If it's still present in supported release (http://releases.openstack.org), please update Version and reopen.


Note You need to log in before you can comment on or make changes to this bug.