According to comment #3 we have an openstack-selinux issue:
---------------------------------------------------------
It looks as though keepalived should transition to systemctl. However, I'd prefer if keepalived is calling a specific script prior to systemctl that it do that (and then that transition to systemctl) instead.

+++ This bug was initially created as a clone of Bug #1242660 +++

Undercloud deployment with SSL fails over SELinux enforcing (ssl cert needs to be readable by haproxy).

Environment:
-------------
instack-undercloud-2.1.2-19.el7ost.noarch
instack-0.0.7-1.el7ost.noarch
selinux-policy-3.13.1-23.el7_1.7.noarch
selinux-policy-targeted-3.13.1-23.el7_1.7.noarch
libselinux-python-2.2.2-6.el7.x86_64
openstack-selinux-0.6.35-3.el7ost.noarch

Description:
-------------
When attempting to deploy the undercloud with SSL while SELinux is enforcing, the undercloud deployment fails. It happens because the ssl cert needs to be readable by haproxy; we should add an explicit/specific role for that and not ask the user to switch SELinux to permissive.

Steps:
-------
Attempt to deploy the undercloud with SSL (with SELinux in enforcing).

Results (undercloud deployment fails):
----------
2015-07-13 17:24:00 - requests.packages.urllib3.connectionpool - INFO - Starting new HTTP connection (1): 192.168.0.1
2015-07-13 17:24:00 - requests.packages.urllib3.connectionpool - INFO - Starting new HTTP connection (1): 192.168.0.1
The following cert files already exist, use --rebuild to remove the existing files before regenerating:
/etc/keystone/ssl/certs/ca.pem already exists
/etc/keystone/ssl/private/signing_key.pem already exists
/etc/keystone/ssl/certs/signing_cert.pem already exists
Connection to 192.168.0.1 closed.
PKI initialization in init-keystone is deprecated and will be removed.
+ openstack role show ResellerAdmin
WARNING: keystoneclient.auth.identity.generic.base Discovering versions from the identity service failed when creating the password plugin. Attempting to determine version from URL.
ERROR: openstack Unable to establish connection to https://192.168.0.1:13000/v2.0/tokens
+ openstack role create ResellerAdmin
WARNING: keystoneclient.auth.identity.generic.base Discovering versions from the identity service failed when creating the password plugin. Attempting to determine version from URL.
ERROR: openstack Unable to establish connection to https://192.168.0.1:13000/v2.0/tokens
[2015-07-13 17:24:03,732] (os-refresh-config) [ERROR] during post-configure phase. [Command '['dib-run-parts', '/usr/libexec/os-refresh-config/post-configure.d']' returned non-zero exit status 1]
[2015-07-13 17:24:03,733] (os-refresh-config) [ERROR] Aborting...
Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/usr/lib/python2.7/site-packages/instack_undercloud/undercloud.py", line 526, in install
    _run_orc(instack_env)
  File "/usr/lib/python2.7/site-packages/instack_undercloud/undercloud.py", line 461, in _run_orc
    _run_live_command(args, instack_env, 'os-refresh-config')
  File "/usr/lib/python2.7/site-packages/instack_undercloud/undercloud.py", line 297, in _run_live_command
    raise RuntimeError('%s failed. See log for details.', name)
RuntimeError: ('%s failed. See log for details.', 'os-refresh-config')
ERROR: openstack Command 'instack-install-undercloud' returned non-zero exit status 1
[stack@rhos-compute-node-18 ~]$ sudo cd /var/log/audit/

Audit.log
----------
type=AVC msg=audit(1436822812.309:2362): avc: denied { getattr } for pid=12084 comm="sh" path="/usr/bin/systemctl" dev="dm-1" ino=134473690 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1436822812.309:2362): arch=c000003e syscall=4 success=no exit=-13 a0=d82ae0 a1=7fffb7123a10 a2=7fffb7123a10 a3=8 items=0 ppid=12083 pid=12084 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:keepalived_t:s0 key=(null)
type=AVC msg=audit(1436822814.310:2363): avc: denied { getattr } for pid=12087 comm="sh" path="/usr/bin/systemctl" dev="dm-1" ino=134473690 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1436822814.310:2363): arch=c000003e syscall=4 success=no exit=-13 a0=17d8ae0 a1=7fff988dca80 a2=7fff988dca80 a3=8 items=0 ppid=12086 pid=12087 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:keepalived_t:s0 key=(null)
type=AVC msg=audit(1436822816.311:2364): avc: denied { getattr } for pid=12093 comm="sh" path="/usr/bin/systemctl" dev="dm-1" ino=134473690 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1436822816.311:2364): arch=c000003e syscall=4 success=no exit=-13 a0=abdae0 a1=7fffc9833b60 a2=7fffc9833b60 a3=8 items=0 ppid=12092 pid=12093 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:keepalived_t:s0 key=(null)
type=AVC msg=audit(1436822818.312:2365): avc: denied { getattr } for pid=12096 comm="sh" path="/usr/bin/systemctl" dev="dm-1" ino=134473690 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1436822818.312:2365): arch=c000003e syscall=4 success=no exit=-13 a0=215eae0 a1=7fff133a97f0 a2=7fff133a97f0 a3=8 items=0 ppid=12095 pid=12096 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:keepalived_t:s0 key=(null)
type=AVC msg=audit(1436822820.313:2366): avc: denied { getattr } for pid=12104 comm="sh" path="/usr/bin/systemctl" dev="dm-1" ino=134473690 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1436822820.313:2366): arch=c000003e syscall=4 success=no exit=-13 a0=1830ae0 a1=7fff90eb2f10 a2=7fff90eb2f10 a3=8 items=0 ppid=12103 pid=12104 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:keepalived_t:s0 key=(null)

--- Additional comment from Omri Hochman on 2015-07-13 17:45:13 EDT ---

--- Additional comment from Lon Hohberger on 2015-07-14 09:08:56 EDT ---

Hi,

We need to understand how keepalived is calling systemctl. Is this intentional?

--- Additional comment from Lon Hohberger on 2015-07-14 09:15:40 EDT ---

It looks as though keepalived should transition to systemctl. However, I'd prefer if keepalived is calling a specific script prior to systemctl that it do that (and then that transition to systemctl) instead.
Created attachment 1052381 [details] audit.log from permissive run
#============= keepalived_t ==============
allow keepalived_t cgroup_t:dir { read search open };
allow keepalived_t cgroup_t:file { read getattr open };
allow keepalived_t init_t:unix_stream_socket connectto;
allow keepalived_t syslogd_var_run_t:dir read;
allow keepalived_t syslogd_var_run_t:file { read getattr open };
allow keepalived_t systemd_systemctl_exec_t:file { read getattr open execute execute_no_trans };
allow keepalived_t tmpfs_t:filesystem getattr;
What Services is keepalived trying to restart? Any reason that systemd does not do this itself?
Created attachment 1052789 [details] Patch
Created attachment 1052792 [details] Patch w/ unit test
Verified: FailedQA

Environment:
openstack-selinux-0.6.36-1.el7ost.noarch

The following is shown in the audit.log when running "openstack undercloud install" with SELinux enforcing:

type=USER_AVC msg=audit(1437078679.793:1574): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=-1 uid=0 gid=0 path="/usr/lib/systemd/system/haproxy.service" scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:haproxy_unit_file_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1437078681.794:1580): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=-1 uid=0 gid=0 path="/usr/lib/systemd/system/haproxy.service" scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:haproxy_unit_file_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
Patch should be simply allowing this for keepalived: systemd_status_all_unit_files
Respinned with a simpler policy that transitions to a keepalived-specific, unconfined domain when executing systemctl from keepalived. This prevents (presumably) systemd from throwing a USER_AVC when keepalived_t requests status for a service, and is not haproxy-specific.
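An added example, not code from this bug, openstack-selinux or audit2allow: a small Python parser that takes the kernel AVC records from the enforcing run, the audit2allow output from the permissive run and the USER_AVC records from the failed-QA run, merges them into audit2allow-style allow rules, separates the denials that systemd (a userspace object manager, pid=1) raised from the kernel ones, and flags the pattern this bug turns on: a domain asking for execute_no_trans on an *_exec_t entrypoint, which is the signal that a domain transition rather than a blanket allow is the right fix. The audit records in the block are constructed from the ones quoted in this bug (shortened), and the function names are this example's own.

```python
"""Turn SELinux AVC / USER_AVC audit records into candidate allow rules.

Added example for this bug thread, not code from openstack-selinux or
audit2allow. The audit records below are constructed from the ones quoted
in the bug (shortened); function names are this example's own.
"""
import re
from collections import defaultdict

# Matches both kernel records  ("type=AVC ... avc:  denied  { getattr } for ...")
# and object-manager records   ("type=USER_AVC ... msg='avc:  denied  { status } for ...'").
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Constructed sample: enforcing run (getattr on systemctl), permissive run
# (full exec set on systemctl), failed-QA run (USER_AVC raised by systemd).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1436822812.309:2362): avc:  denied  { getattr } for  pid=12084 comm="sh" path="/usr/bin/systemctl" dev="dm-1" ino=134473690 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1436822812.309:2362): arch=c000003e syscall=4 success=no exit=-13 ppid=12083 pid=12084 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:keepalived_t:s0 key=(null)
type=AVC msg=audit(1436822814.310:2363): avc:  denied  { read open execute execute_no_trans } for  pid=12087 comm="sh" path="/usr/bin/systemctl" dev="dm-1" ino=134473690 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file
type=USER_AVC msg=audit(1437078679.793:1574): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=-1 uid=0 gid=0 path="/usr/lib/systemd/system/haproxy.service" scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:haproxy_unit_file_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
"""


def parse_avc_records(lines):
    """Yield (source_type, target_type, tclass, perms, origin) for each denial.

    origin is "kernel" for type=AVC and "userspace" for type=USER_AVC, i.e. a
    decision made by a userspace object manager such as systemd (pid=1 above).
    """
    for line in lines:
        if "avc:" not in line or "denied" not in line:
            continue
        m = AVC_RE.search(line)
        if not m:
            continue
        origin = "userspace" if "type=USER_AVC" in line else "kernel"
        stype = m.group("scontext").split(":")[2]   # user:role:TYPE:level
        ttype = m.group("tcontext").split(":")[2]
        perms = frozenset(m.group("perms").split())
        yield stype, ttype, m.group("tclass"), perms, origin


def allow_rules(lines):
    """Collapse denials into audit2allow-style rules, one per (source, target, class)."""
    merged = defaultdict(set)
    for stype, ttype, tclass, perms, _ in parse_avc_records(lines):
        merged[(stype, ttype, tclass)] |= perms
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        names = sorted(perms)
        perm_str = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return rules


def userspace_denials(lines):
    """Denials decided by a userspace object manager (USER_AVC), e.g. systemd's
    'service' class. They are logged by systemd itself, not the kernel, so a
    grep for 'type=AVC' alone never shows them."""
    return [(s, t, c, sorted(p)) for s, t, c, p, origin in parse_avc_records(lines)
            if origin == "userspace"]


def exec_without_transition(lines):
    """(source, entrypoint) pairs where a domain asks for execute_no_trans on an
    *_exec_t file. Granting that runs the binary inside the caller's domain, so
    every access the binary then makes is charged to the caller; the usual fix
    is a domain transition on that entrypoint instead."""
    hits = set()
    for stype, ttype, tclass, perms, _ in parse_avc_records(lines):
        if tclass == "file" and ttype.endswith("_exec_t") and "execute_no_trans" in perms:
            hits.add((stype, ttype))
    return sorted(hits)


if __name__ == "__main__":
    lines = SAMPLE_AUDIT_LOG.splitlines()
    for rule in allow_rules(lines):
        print(rule)
    print("object-manager denials:", userspace_denials(lines))
    print("exec without transition:", exec_without_transition(lines))
```

On the sample, the USER_AVC collapses to the raw rule `allow keepalived_t haproxy_unit_file_t:service status;`, which is what audit2allow would also emit; the interface named in an earlier comment, systemd_status_all_unit_files, expresses the same access without tying the module to haproxy. The execute_no_trans hit is the point raised at the top of the bug: a keepalived_t process allowed to run systemctl without a transition keeps running it as keepalived_t, which is why the permissive run collects cgroup, syslog and init_t socket rules under keepalived_t as well; transitioning to a separate domain on the systemctl entrypoint, as the respin does, keeps those out of keepalived's own policy. When collecting records on a real host, use `ausearch -m AVC,USER_AVC` so the systemd-originated denials are included.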
Dan, the configuration is effectively a 1-node load balancer that uses keepalived to monitor haproxy. When haproxy is active, keepalived starts the VIPs that are then used by haproxy so haproxy can perform HTTPS termination or plain HTTP forwarding to local openstack services. I'm not sure why this configuration was chosen over a simpler configuration where systemd monitors/restarts haproxy itself and have the system start the VIPs on startup (obviating the need for keepalived).
Verified:

Environment:
instack-undercloud-2.1.2-21.el7ost.noarch

1. Enabled SSL on the undercloud
2. Copied the cert file test.pem to /etc/haproxy dir
3. Edited the undercloud.conf file with "undercloud_service_certificate = /etc/haproxy/test.pem"
4. Ran "openstack undercloud install"

The undercloud deployment completed with no errors.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2015:1548