Description of problem:
=======================
When using Packstack to install RHOS6 AIO over RHEL7 with SSL-enabled Horizon and AMQP and HTTPD to run Keystone, keystone failed to give a token.

PuppetError: Error appeared during Puppet run: 10.35.160.117_keystone.pp
Error: /Stage[main]/Neutron::Keystone::Auth/Keystone_service[neutron]: Could not evaluate: Execution of '/usr/bin/openstack service list --quiet --format csv --long --os-token 43fab2a4be3443cd876aa79ae56c7760 --os-url http://127.0.0.1:35357/v2.0/' returned 1: ERROR: openstack Internal Server Error (HTTP 500)

Version-Release number of selected component (if applicable):
=============================================================
openstack-packstack-puppet-2014.2-0.17.dev1462.gbb05296.el7ost.noarch
openstack-packstack-2014.2-0.17.dev1462.gbb05296.el7ost.noarch
python-keystone-2014.2.2-1.el7ost.noarch
python-keystoneclient-0.11.1-1.el7ost.noarch
python-keystonemiddleware-1.2.0-2.el7ost.noarch
openstack-keystone-2014.2.2-1.el7ost.noarch

How reproducible:
=================
100%

Steps to Reproduce:
===================
1. Generate answer file, other than usual setting (attached answer file) set these three:
CONFIG_AMQP_ENABLE_SSL=y
CONFIG_HORIZON_SSL=y
CONFIG_KEYSTONE_SERVICE_NAME=httpd
2. Run packstack with answer file

Actual results:
===============
Installation failed and keystone doesn't give a token

Expected results:
=================
Installation passes successfully and keystone gives a token

Additional info:
===============
PuppetError: Error appeared during Puppet run: 10.35.160.117_keystone.pp
Error: /Stage[main]/Neutron::Keystone::Auth/Keystone_service[neutron]: Could not evaluate: Execution of '/usr/bin/openstack service list --quiet --format csv --long --os-token 43fab2a4be3443cd876aa79ae56c7760 --os-url http://127.0.0.1:35357/v2.0/' returned 1: ERROR: openstack Internal Server Error (HTTP 500)
Do you still have this system that I can log into? Can you attach the packstack keystone logs from /var/tmp/packstack? Can you attach the /var/log/keystone/keystone.log and the /var/log/httpd/*keystone* files?
Reproduce again, and now without enabling SSL for AMQP
===============================================================

Version-Release number of selected component
============================================
openstack-packstack-puppet-2014.2-0.18.dev1462.gbb05296.el7ost.noarch
openstack-packstack-2014.2-0.18.dev1462.gbb05296.el7ost.noarch
python-keystonemiddleware-1.2.0-2.el7ost.noarch
openstack-keystone-2014.2.2-1.el7ost.noarch
python-keystone-2014.2.2-1.el7ost.noarch
python-keystoneclient-0.11.1-1.el7ost.noarch

Steps to Reproduce:
===================
1. Generate answer file, other than usual setting (attached answer file) set these two:
CONFIG_HORIZON_SSL=y
CONFIG_KEYSTONE_SERVICE_NAME=httpd -----> default
2. Run packstack with answer file

Result
======
Same fail

Additional info:
===============
logs are enclosed
Created attachment 1005063 [details] keystone.log
Created attachment 1005064 [details] keystone_wsgi_admin_access.log
Created attachment 1005065 [details] keystone_wsgi_admin_error.log
Created attachment 1005066 [details] keystone_wsgi_main_access.log
Created attachment 1005067 [details] keystone_wsgi_main_error.log
Created attachment 1005068 [details] openstack-setup.log
I reproduced it. It appears the issue is a selinux one: when I setenforce 0 I get past this. I say "appears" because now I get the error:

Error: Package: 10:qemu-kvm-rhev-2.1.2-23.el7.x86_64 (RH7-RHOS-6.0)
           Requires: glusterfs-api >= 3.6.0
           Installed: glusterfs-api-3.4.0.59rhs-1.el7.centos.x86_64 (@base)
               glusterfs-api = 3.4.0.59rhs-1.el7.centos
Error: Package: 10:qemu-kvm-rhev-2.1.2-23.el7.x86_64 (RH7-RHOS-6.0)
           Requires: seabios-bin >= 1.7.5-1
           Available: seabios-bin-1.7.2.2-12.el7.x86_64 (base)
               seabios-bin = 1.7.2.2-12.el7
           Available: seabios-bin-1.7.2.2-12.el7_0.1.x86_64 (updates)
               seabios-bin = 1.7.2.2-12.el7_0.1

when installing openstack-nova-compute.
So, I did:

setenforce 1
keystone token-get

and then:

/usr/bin/openstack service list --quiet --format csv --long --os-token [token id] --os-url http://127.0.0.1:35357/v2.0/

There were no AVCs, but I installed in permissive mode. I will retry with a boot from enforcing, and following that, an install in enforcing.
Reboot and could still get a token and run the service list command. Will try clean reinstall in enforcing mode.
Created attachment 1005444 [details] Lon's answer file
(In reply to Ido Ovadia from comment #5)
> Reproduce again, and now without enabling SSL for AMQP
> ===============================================================
>
> Version-Release number of selected component
> ============================================
> openstack-packstack-puppet-2014.2-0.18.dev1462.gbb05296.el7ost.noarch
> openstack-packstack-2014.2-0.18.dev1462.gbb05296.el7ost.noarch
> python-keystonemiddleware-1.2.0-2.el7ost.noarch
> openstack-keystone-2014.2.2-1.el7ost.noarch
> python-keystone-2014.2.2-1.el7ost.noarch
> python-keystoneclient-0.11.1-1.el7ost.noarch
>
> Steps to Reproduce:
> ===================
> 1. Generate answer file, other than usual setting (attached answer file) set
> these two:
> CONFIG_HORIZON_SSL=y
> CONFIG_KEYSTONE_SERVICE_NAME=httpd -----> default
> 2. Run packstack with answer file
>
> Result
> ======
> Same fail
>
> Additional info:
> ===============
> logs are enclosed

This is almost certainly selinux. Can you provide

# rpm -qa|grep selinux

# audit2allow -w -e -a
Clean reinstall in enforcing mode passed, as did a repeat of comment 18. I can't cause this to occur using packstack in an all-in-one installation as per the answer file provided. Are there perhaps other options I am missing in the answer file?
In my tests:

selinux-policy-3.13.1-23.el7.noarch
selinux-policy-targeted-3.13.1-23.el7.noarch
openstack-selinux-0.6.25-1.el7ost.noarch
(In reply to Rich Megginson from comment #21)
> (In reply to Ido Ovadia from comment #5)
> > Reproduce again, and now without enabling SSL for AMQP
> > ===============================================================
> >
> > Version-Release number of selected component
> > ============================================
> > openstack-packstack-puppet-2014.2-0.18.dev1462.gbb05296.el7ost.noarch
> > openstack-packstack-2014.2-0.18.dev1462.gbb05296.el7ost.noarch
> > python-keystonemiddleware-1.2.0-2.el7ost.noarch
> > openstack-keystone-2014.2.2-1.el7ost.noarch
> > python-keystone-2014.2.2-1.el7ost.noarch
> > python-keystoneclient-0.11.1-1.el7ost.noarch
> >
> > Steps to Reproduce:
> > ===================
> > 1. Generate answer file, other than usual setting (attached answer file) set
> > these two:
> > CONFIG_HORIZON_SSL=y
> > CONFIG_KEYSTONE_SERVICE_NAME=httpd -----> default
> > 2. Run packstack with answer file
> >
> > Result
> > ======
> > Same fail
> >
> > Additional info:
> > ===============
> > logs are enclosed
>
> This is almost certainly selinux. Can you provide
>
> # rpm -qa|grep selinux
>
> # audit2allow -w -e -a

selinux-policy-targeted-3.12.1-153.el7_0.13.noarch
selinux-policy-3.12.1-153.el7_0.13.noarch
openstack-selinux-0.6.25-1.el7ost.noarch
(In reply to Ido Ovadia from comment #24)
> (In reply to Rich Megginson from comment #21)
> > (In reply to Ido Ovadia from comment #5)
> > > Reproduce again, and now without enabling SSL for AMQP
> > > ===============================================================
> > >
> > > Version-Release number of selected component
> > > ============================================
> > > openstack-packstack-puppet-2014.2-0.18.dev1462.gbb05296.el7ost.noarch
> > > openstack-packstack-2014.2-0.18.dev1462.gbb05296.el7ost.noarch
> > > python-keystonemiddleware-1.2.0-2.el7ost.noarch
> > > openstack-keystone-2014.2.2-1.el7ost.noarch
> > > python-keystone-2014.2.2-1.el7ost.noarch
> > > python-keystoneclient-0.11.1-1.el7ost.noarch
> > >
> > > Steps to Reproduce:
> > > ===================
> > > 1. Generate answer file, other than usual setting (attached answer file) set
> > > these two:
> > > CONFIG_HORIZON_SSL=y
> > > CONFIG_KEYSTONE_SERVICE_NAME=httpd -----> default
> > > 2. Run packstack with answer file
> > >
> > > Result
> > > ======
> > > Same fail
> > >
> > > Additional info:
> > > ===============
> > > logs are enclosed
> >
> > This is almost certainly selinux. Can you provide
> >
> > # rpm -qa|grep selinux
> >
> > # audit2allow -w -e -a
>
> selinux-policy-targeted-3.12.1-153.el7_0.13.noarch
> selinux-policy-3.12.1-153.el7_0.13.noarch
> openstack-selinux-0.6.25-1.el7ost.noarch

That's not the latest policy, and is not the same as what Lon has. Can you provide the audit2allow messages so we can determine if the selinux issue you are seeing has been fixed in a later policy?
RHEL 7.0 doesn't have an EUS stream, so one would need to update to at least the 7.1 selinux policies to make this work.
Created attachment 1005797 [details] audit2allow output
(In reply to Rich Megginson from comment #25)
> That's not the latest policy, and is not the same as what Lon has. Can you
> provide the audit2allow messages so we can determine if the selinux issue
> you are seeing has been fixed in a later policy?
====================================================
New file was enclosed (audit2allow.txt)
(In reply to Ido Ovadia from comment #30)
> (In reply to Rich Megginson from comment #25)
>
> > That's not the latest policy, and is not the same as what Lon has. Can you
> > provide the audit2allow messages so we can determine if the selinux issue
> > you are seeing has been fixed in a later policy?
> ====================================================
> New file was enclosed (audit2allow.txt)

Can you try this with RHEL 7.1?
(In reply to Rich Megginson from comment #31)
> Can you try this with RHEL 7.1?

Have tried, didn't reproduce.
*** Bug 1204460 has been marked as a duplicate of this bug. ***
This requires the selinux-policy package from RHEL 7.1, as it contained numerous fixes for running keystone in httpd. Closing this as WONTFIX, since it works with the latest selinux-policy (which is what we recommend customers to run).
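The diagnosis in this thread (comment 21's request for the selinux-policy version and audit2allow output, and the closing finding that the RHEL 7.1 policy is required) can be turned into a triage check that never resorts to setenforce 0. The script below is an added example, not from the bug report or from Packstack; it assumes GNU sort -V, treats the version Lon reported working (3.13.1-23.el7) as the minimum, and runs on constructed audit lines because the real audit2allow output is only an attachment to the bug.

```shell
#!/bin/sh
# Added triage helper (not from the bug report or Packstack): explain a keystone-in-httpd
# HTTP 500 under SELinux enforcing from (a) AVC denials against httpd_t and
# (b) a selinux-policy older than the RHEL 7.1 build, without touching setenforce.

# Assumption: the version reported working in this thread (Lon's system) is used
# as the minimum; the closing comment only says "the RHEL 7.1 selinux-policy".
REQUIRED_POLICY="3.13.1-23.el7"

# Count AVC denials whose source context is httpd_t (keystone runs inside httpd
# when CONFIG_KEYSTONE_SERVICE_NAME=httpd). Reads audit lines from stdin.
httpd_avc_count() {
    grep -c 'type=AVC .*avc: *denied .*scontext=[^ ]*:httpd_t:' || true
}

# True when installed version-release $1 is at least $2 (GNU sort -V ordering;
# good enough for these RHEL NVRs, not a full rpmvercmp).
policy_at_least() {
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# Verdict for $1 = installed selinux-policy version-release, audit lines on stdin:
#   upgrade-policy             denials present and policy older than REQUIRED_POLICY
#   denials-on-current-policy  denials persist on a new enough policy (file a policy bug)
#   no-denials                 SELinux is not what is blocking keystone
triage() {
    n=$(httpd_avc_count)
    if [ "$n" -eq 0 ]; then echo "no-denials"; return 0; fi
    if policy_at_least "$1" "$REQUIRED_POLICY"; then
        echo "denials-on-current-policy"
    else
        echo "upgrade-policy"
    fi
}

# Constructed sample audit lines (shape only; the real audit2allow output is an
# attachment to the bug and is not reproduced here).
SAMPLE_AUDIT='type=AVC msg=audit(1425000000.100:101): avc:  denied  { name_connect } for  pid=2201 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1425000000.200:102): avc:  denied  { write } for  pid=2201 comm="httpd" name="keystone.log" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:keystone_log_t:s0 tclass=file
type=AVC msg=audit(1425000000.300:103): avc:  denied  { read } for  pid=999 comm="rsyslogd" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file'

# On a live host, feed real denials instead of the sample, e.g.:
#   ausearch -m AVC -ts boot | triage "$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' selinux-policy)"
printf '%s\n' "$SAMPLE_AUDIT" | triage "3.12.1-153.el7_0.13"   # prints upgrade-policy
```

With Ido's policy (3.12.1-153.el7_0.13) the verdict is upgrade-policy; with Lon's (3.13.1-23.el7) the same denials would instead point at a policy bug worth reporting rather than at running permissive.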