Description of problem:
Fresh install of CentOS 7 box updated with CR repo (to bring it up to 7.1).

Short version of problem: Apache can't bind to port 5000 unless SELinux is in permissive mode

Long version of problem: Running packstack --allinone fails with:

172.16.225.133_keystone.pp: [ ERROR ]
Applying Puppet manifests [ ERROR ]
ERROR : Error appeared during Puppet run: 172.16.225.133_keystone.pp
Error: /Stage[main]/Apache::Service/Service[httpd]: Failed to call refresh: Could not restart Service[httpd]: Execution of '/usr/bin/systemctl restart httpd' returned 1: Job for httpd.service failed. See 'systemctl status httpd.service' and 'journalctl -xn' for details.

# journalctl -xn
-- Logs begin at Fri 2015-03-27 09:17:32 MDT, end at Fri 2015-03-27 16:44:20 MDT. --
Mar 27 16:44:20 allinone.local systemd[1]: Starting The Apache HTTP Server...
-- Subject: Unit httpd.service has begun with start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit httpd.service has begun starting up.
Mar 27 16:44:20 allinone.local httpd[62622]: (13)Permission denied: AH00072: make_sock: could not bind to address [::]:5000
Mar 27 16:44:20 allinone.local httpd[62622]: (13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:5000
Mar 27 16:44:20 allinone.local httpd[62622]: no listening sockets available, shutting down
Mar 27 16:44:20 allinone.local httpd[62622]: AH00015: Unable to open logs
Mar 27 16:44:20 allinone.local systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
Mar 27 16:44:20 allinone.local kill[62624]: kill: cannot find process ""
Mar 27 16:44:20 allinone.local systemd[1]: httpd.service: control process exited, code=exited status=1
Mar 27 16:44:20 allinone.local systemd[1]: Failed to start The Apache HTTP Server.
-- Subject: Unit httpd.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit httpd.service has failed.
--
-- The result is failed.
Mar 27 16:44:20 allinone.local systemd[1]: Unit httpd.service entered failed state.

# semanage port -a -t http_port_t -p tcp 5000
ValueError: Port tcp/5000 already defined

# semanage port -l | grep 5000
cluster_port_t tcp 5149, 40040, 50006-50008
cluster_port_t udp 5149, 50006-50008
commplex_main_port_t tcp 5000
commplex_main_port_t udp 5000
hplip_port_t tcp 1782, 2207, 2208, 8290, 50000, 50002, 8292, 9100, 9101, 9102, 9220, 9221, 9222, 9280, 9281, 9282, 9290, 9291

# semanage port -l | grep ^http_port_t
http_port_t tcp 80, 81, 443, 488, 8008, 8009, 8443, 9000
Running semanage port -m -t http_port_t -p tcp 5000 does get me past this error.

Meta-question: I'm on F21, and encountered this after switching from the default repositories (which offer openstack-*-2014.1.*) to https://repos.fedorapeople.org/repos/openstack/openstack-juno/ (where everything seems to be at *-2014.2.*). Neither set of packages seems to really allow "packstack --allinone" install, but it sure would be nice if there were "One True Package Group" to file bugs against :)
When reporting selinux bugs, it is tremendously helpful if you can attach the audit.log containing the selinux AVC messages to the bug report. Thanks!
type=AVC msg=audit(1427732394.576:20642): avc: denied { name_bind } for pid=20847 comm="httpd" src=5000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:commplex_main_port_t:s0 tclass=tcp_socket permissive=0
This AVC was fixed in openstack-selinux-0.6.9-1.el7ost. https://bugzilla.redhat.com/show_bug.cgi?id=1180230. Are you sure you have the openstack-selinux package installed?
I'm on Fedora 21, and apparently there's no dedicated openstack-selinux package there. The problem is identical, though, and there was nothing RHEL specific in the metadata, so I figured this is the perfect spot to add my +1. If I'm wrong about that, please advise. Thanks!
(In reply to Ryan Hallisey from comment #5)
> This AVC was fixed in openstack-selinux-0.6.9-1.el7ost.
> https://bugzilla.redhat.com/show_bug.cgi?id=1180230.
>
> Are you sure you have the openstack-selinux package installed?

# rpm -q openstack-selinux
openstack-selinux-0.5.19-2.el7ost.noarch

Which is the newest one available in:
https://repos.fedorapeople.org/repos/openstack/openstack-juno/epel-7/

Perhaps openstack-selinux-0.6.9-1.el7ost or newer should get pushed into that repo?
Correct. We'll update the repo.
This bug is against a Version which has reached End of Life. If it's still present in a supported release (http://releases.openstack.org), please update Version and reopen.
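
Added example, not part of the original bug thread or of openstack-selinux: a Python triage of the name_bind denial quoted above, matched against `semanage port -l` output to show which port type currently owns the port and whether `semanage port -a` or `-m` applies. The sample inputs are constructed from the lines in the thread; the function names and the rule that `-a` is refused only for an exactly defined port are assumptions of this example.

```python
import re

# Constructed sample input, modelled on the AVC and `semanage port -l` lines in the thread.
SAMPLE_AVC = ('type=AVC msg=audit(1427732394.576:20642): avc: denied { name_bind } '
              'for pid=20847 comm="httpd" src=5000 scontext=system_u:system_r:httpd_t:s0 '
              'tcontext=system_u:object_r:commplex_main_port_t:s0 '
              'tclass=tcp_socket permissive=0')
SAMPLE_PORTS = """\
SELinux Port Type              Proto    Port Number
cluster_port_t                 tcp      5149, 40040, 50006-50008
commplex_main_port_t           tcp      5000
commplex_main_port_t           udp      5000
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
"""

def parse_name_bind(line):
    """Return the fields of a name_bind AVC denial, or None for any other line."""
    perms = re.search(r"avc:\s+denied\s+\{([^}]*)\}", line)
    if not perms or "name_bind" not in perms.group(1).split():
        return None
    f = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    return {"comm": f["comm"].strip('"'), "port": int(f["src"]),
            "proto": f["tclass"].split("_")[0],       # tcp_socket -> tcp
            "domain": f["scontext"].split(":")[2],    # user:role:type:level
            "port_type": f["tcontext"].split(":")[2]}

def parse_port_table(text):
    """Parse `semanage port -l` output into (type, proto, low, high) records."""
    records = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3 or parts[1] not in ("tcp", "udp", "dccp", "sctp"):
            continue  # header or blank line
        for item in parts[2].split(","):
            low, _, high = item.strip().partition("-")
            records.append((parts[0], parts[1], int(low), int(high or low)))
    return records

def triage(avc_line, table_text, wanted_type="http_port_t"):
    """Explain one denial and choose the semanage action for relabelling the port."""
    d = parse_name_bind(avc_line)
    if d is None:
        return None
    recs = [r for r in parse_port_table(table_text) if r[1] == d["proto"] and r[2] <= d["port"] <= r[3]]
    d["current_types"] = [r[0] for r in recs]
    # Assumption: -a is refused ("already defined") only if this exact port has its own record.
    action = "-m" if any(r[2] == r[3] for r in recs) else "-a"
    d["command"] = (None if wanted_type in d["current_types"] else
                    "semanage port %s -t %s -p %s %d" % (action, wanted_type, d["proto"], d["port"]))
    return d
```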