Created attachment 1022735
Audit log with the AVC

Description of problem:
SELinux prevents keystone from connecting to the memcached port

Version-Release number of selected component (if applicable):
openstack-selinux-0.6.31-1.el7.noarch

How reproducible:
Always

Steps to Reproduce:
I'm following the guide from http://docs.openstack.org/kilo/install-guide/install/yum/content/keystone-verify.html
1. # openstack --os-auth-url http://controller1:35357 --os-project-domain-id default --os-user-domain-id default --os-project-name admin --os-username admin --os-auth-type password token issue

Actual results:
ERROR: openstack An unexpected error prevented the server from fulfilling your request. (HTTP 500) (Request-ID: req-8e476c47-94f9-435e-8079-535039cbd686)

[/var/log/keystone/keystone.log]
2015-05-06 17:01:32.889 3349 INFO keystone.common.wsgi [-] GET /?
2015-05-06 17:01:32.892 3349 INFO eventlet.wsgi.server [-] 172.24.4.51 - - [06/May/2015 17:01:32] "GET / HTTP/1.1" 300 760 0.007787
2015-05-06 17:01:32.984 3349 INFO keystone.common.wsgi [-] POST /auth/tokens?
2015-05-06 17:01:33.124 3349 INFO passlib.registry [-] registered crypt handler 'sha512_crypt': <class 'passlib.handlers.sha2_crypt.sha512_crypt'>
2015-05-06 17:01:33.259 3349 INFO keystone.common.kvs.core [-] Using default dogpile sha1_mangle_key as KVS region token-driver key_mangler
2015-05-06 17:01:41.190 3349 WARNING keystone.common.wsgi [-] An unexpected error prevented the server from fulfilling your request.
2015-05-06 17:01:41.193 3349 INFO eventlet.wsgi.server [-] 172.24.4.51 - - [06/May/2015 17:01:41] "POST /v3/auth/tokens HTTP/1.1" 500 381 8.297532

Expected results:
the token
+------------+----------------------------------+
| Field      | Value                            |
+------------+----------------------------------+
| expires    | 2015-05-06T17:02:18.603641Z      |
| id         | 34cd8f860e1a4227831f51c1034e2393 |
| project_id | 057163547a42406fae6a32aaae5cdc4b |
| user_id    | 2d2b9e46db2547f2a3653870af19a4d7 |
+------------+----------------------------------+

Additional info:
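
Added example (not part of the original report and not openstack-selinux code): a small triage script that pulls SELinux AVC denials for outbound connections to the memcached port out of an audit log and reports whether each one was actually blocked or only logged. The sample records are constructed for illustration and are not the contents of attachment 1022735; the type names keystone_t and memcache_port_t in them, and port 11211 as the memcached port, are assumptions.

```python
import re

# Constructed sample audit.log records (NOT taken from the attached log).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1430924493.124:512): avc:  denied  { name_connect } for  pid=3349 comm="keystone-all" dest=11211 scontext=system_u:system_r:keystone_t:s0 tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1430924493.124:512): arch=c000003e syscall=42 success=no exit=-13 pid=3349 comm="keystone-all"
type=AVC msg=audit(1430924493.130:513): avc:  denied  { read } for  pid=901 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1431511212.900:88): avc:  denied  { name_connect } for  pid=3184 comm="keystone-all" dest=11211 scontext=system_u:system_r:keystone_t:s0 tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket permissive=1
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<epoch>\d+\.\d+):(?P<serial>\d+)\): "
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for an AVC denial record, or None for any other line."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    rec["epoch"] = float(m.group("epoch"))
    # permissive=1: the access was logged but allowed. Kernels that do not
    # print the field leave the outcome undetermined from this record alone.
    rec["outcome"] = {"0": "blocked", "1": "logged-only"}.get(
        rec.get("permissive"), "unknown")
    return rec


def memcached_connect_denials(log_text, port=11211):
    """AVC denials for name_connect on a TCP socket to the given port."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if (rec and "name_connect" in rec["perms"]
                and rec.get("tclass") == "tcp_socket"
                and rec.get("dest") == str(port)):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for r in memcached_connect_denials(SAMPLE_AUDIT_LOG):
        print(f'{r["comm"]} {r["scontext"]} -> port {r["dest"]}: {r["outcome"]}')
```

A "logged-only" or empty result while the HTTP 500 persists points away from SELinux as the cause of that particular failure.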
I hit a similar issue trying to bring up Kilo. Even configuring SELinux to permissive mode does not help.

2015-05-13 10:00:12.489 3184 INFO keystone.common.wsgi [-] GET /?
2015-05-13 10:00:12.490 3184 INFO eventlet.wsgi.server [-] 172.29.123.120 - - [13/May/2015 10:00:12] "GET / HTTP/1.1" 300 766 0.002776
2015-05-13 10:00:12.492 3184 DEBUG keystone.middleware.core [-] Auth token not in the request header. Will not build auth context. process_request /usr/lib/python2.7/site-packages/keystone/middleware/core.py:229
2015-05-13 10:00:12.513 3184 INFO keystone.common.wsgi [-] POST /tokens?
2015-05-13 10:00:12.595 3184 DEBUG oslo_db.sqlalchemy.session [-] MySQL server mode set to STRICT_TRANS_TABLES,STRICT_ALL_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,TRADITIONAL,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION _check_effective_sql_mode /usr/lib/python2.7/site-packages/oslo_db/sqlalchemy/session.py:513
2015-05-13 10:00:12.660 3184 INFO passlib.registry [-] registered crypt handler 'sha512_crypt': <class 'passlib.handlers.sha2_crypt.sha512_crypt'>
2015-05-13 10:00:12.948 3184 DEBUG keystone.common.kvs.core [-] KVS region configuration for token-driver: {'keystone.kvs.backend': 'openstack.kvs.Memcached', 'keystone.kvs.arguments.distributed_lock': True, 'keystone.kvs.arguments.no_expiry_keys': ['revocation-list'], 'keystone.kvs.arguments.url': ['localhost:11211'], 'keystone.kvs.arguments.memcached_expire_time': 3600, 'keystone.kvs.arguments.memcached_backend': 'memcached', 'keystone.kvs.arguments.lock_timeout': 6} _configure_region /usr/lib/python2.7/site-packages/keystone/common/kvs/core.py:240
2015-05-13 10:00:12.964 3184 INFO keystone.common.kvs.core [-] Using default dogpile sha1_mangle_key as KVS region token-driver key_mangler
2015-05-13 10:00:18.873 3184 WARNING keystone.common.wsgi [-] Maximum lock attempts on _lockusertokens-8f889be78fc34874ad92324fb0db922f occurred. (Disable debug mode to suppress these details.)
2015-05-13 10:00:18.874 3184 INFO eventlet.wsgi.server [-] 172.29.123.120 - - [13/May/2015 10:00:18] "POST /v2.0/tokens HTTP/1.1" 500 442 6.381942
2015-05-13 10:00:18.879 3184 INFO keystone.common.wsgi [-] GET /?
2015-05-13 10:00:18.879 3184 INFO eventlet.wsgi.server [-] 172.29.123.120 - - [13/May/2015 10:00:18] "GET / HTTP/1.1" 300 766 0.001803
2015-05-13 10:00:18.880 3184 DEBUG keystone.middleware.core [-] Auth token not in the request header. Will not build auth context. process_request /usr/lib/python2.7/site-packages/keystone/middleware/core.py:229
2015-05-13 10:00:18.881 3184 INFO keystone.common.wsgi [-] POST /tokens?
2015-05-13 10:00:27.619 3184 WARNING keystone.common.wsgi [-] Maximum lock attempts on _lockusertokens-8f889be78fc34874ad92324fb0db922f occurred. (Disable debug mode to suppress these details.)
2015-05-13 10:00:27.620 3184 INFO eventlet.wsgi.server [-] 172.29.123.120 - - [13/May/2015 10:00:27] "POST /v2.0/tokens HTTP/1.1" 500 442 8.739343

https://cbs.centos.org/koji/buildinfo?buildID=1426