Bug 1278430 - Glance returns "Invalid OpenStack Identity credentials" after updating the undercloud (7.0 -> 7.1), might be due to selinux
Status: CLOSED ERRATA
Product: Red Hat OpenStack
Classification: Red Hat
Component: rhosp-director
Version: 7.0 (Kilo)
Hardware: Unspecified Unspecified
Priority: high Severity: high
Target Milestone: y2
Target Release: 7.0 (Kilo)
Assigned To: James Slagle
QA Contact: Udi
Keywords: TestOnly, Triaged
Reported: 2015-11-05 08:06 EST by Udi
Modified: 2015-12-21 11:57 EST
Fixed In Version: openstack-selinux-0.6.46-1.el7ost
Doc Type: Bug Fix
Doc Text:
A missing SELinux rule caused Glance to return an "Invalid OpenStack Identity credentials" error. This fix adds the SELinux rule. Now Glance authenticates successfully.
Last Closed: 2015-12-21 11:57:53 EST
Type: Bug


Attachments
audit.log from the instack machine (216.33 KB, application/x-gzip)
2015-11-05 09:26 EST, Udi


External Trackers
Tracker: Red Hat Product Errata
ID: RHBA-2015:2651
Priority: normal
Status: SHIPPED_LIVE
Summary: Red Hat Enterprise Linux OSP 7 director Bug Fix Advisory
Last Updated: 2015-12-21 16:50:26 EST

Description Udi 2015-11-05 08:06:08 EST
Description of problem:
When updating the undercloud from 7.0 to 7.1, apparently the selinux policy changes and you get this error when trying to work with glance:

Invalid OpenStack Identity credentials.

There is no problem working with the other services. To work around the problem, set selinux to permissive and then back to enforcing - and then it works.


Version-Release number of selected component (if applicable):
openstack-selinux-0.6.37-1.el7ost.noarch
python-glanceclient-0.17.0-2.el7ost.noarch
python-glance-2015.1.0-6.el7ost.noarch
python-glance-store-0.4.0-1.el7ost.noarch
openstack-glance-2015.1.0-6.el7ost.noarch


How reproducible:
100%


Steps to Reproduce:
1. Install 7.0 GA
2. Update the repos to 7.1 and do yum update
3. Try "glance image-list"


Actual results:
Invalid OpenStack Identity credentials.


Expected results:
Shouldn't be a problem.


Additional info:
Setting selinux to "permissive" solves the problem. After setting it back to "enforcing" the problem doesn't return!
Comment 2 Lon Hohberger 2015-11-05 09:04:14 EST
Please give us a clean reproduction audit.log:
 1) cp /dev/null /var/log/audit/audit.log
 2) setenforce 0
 3) perform test
 4) attach /var/log/audit/audit.log to this bugzilla
Comment 3 Lon Hohberger 2015-11-05 09:06:55 EST
For step 3, you don't have to redo the upgrade - just the things that are otherwise failing with selinux in enforcing.
Comment 4 Udi 2015-11-05 09:26 EST
Created attachment 1090102
audit.log from the instack machine

I am attaching the audit.log file, but it's not a clean file from right after the bug occurs. You will have to scroll up the file to look for it, sorry.
Comment 5 Ryan Hallisey 2015-11-13 12:57:17 EST
allow keepalived_t systemd_systemctl_exec_t:file getattr;

This is what I see. Can you test again in permissive mode?  setenforce 0.
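
Added example (not part of the bug report and not openstack-selinux code): how AVC denial records from an audit.log collected in permissive mode, as requested in comment 2, map to allow rules of the form quoted in comment 5. The log lines are constructed samples, and `example_t`, the function names and all field values are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample records (not taken from the attached audit.log).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1446732000.101:412): avc:  denied  { getattr } for  pid=2101 comm="keepalived" path="/usr/bin/systemctl" dev="dm-0" ino=1234 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1446732000.101:412): arch=c000003e syscall=4 success=yes exit=0 comm="keepalived"
type=AVC msg=audit(1446732003.552:431): avc:  denied  { read open } for  pid=3050 comm="example_d" path="/etc/example.conf" dev="dm-0" ino=99 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1446732009.007:440): avc:  denied  { getattr } for  pid=2101 comm="keepalived" path="/usr/bin/systemctl" dev="dm-0" ino=1234 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file
"""

# Permission set, source context, target context and object class of a denial.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("malformed context: %r" % context)
    return parts[2]

def denials_to_rules(log_text):
    """Merge AVC denials per (source, target, class) and render allow rules."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        if not line.startswith("type=AVC"):
            continue  # SYSCALL, PATH and other record types carry no denial
        m = AVC_RE.search(line)
        if not m:
            continue  # e.g. "granted" records or truncated lines
        key = (selinux_type(m["scontext"]), selinux_type(m["tcontext"]), m["tclass"])
        merged[key].update(m["perms"].split())
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        perms = sorted(perms)
        perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append("allow %s %s:%s %s;" % (src, tgt, cls, perm_text))
    return rules

if __name__ == "__main__":
    for rule in denials_to_rules(SAMPLE_AUDIT_LOG):
        print(rule)
```

The output is a triage aid: each generated rule still has to be reviewed against what the confined service legitimately needs before it goes into policy.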
Comment 7 Udi 2015-11-22 08:27:08 EST
I don't have a y2 puddle to test this yet, but I can see that in the 8.0 final beta the bug is not fixed. Should I be seeing a cron job or is the token flushing done by some other mechanism? Should this bug be duplicated for 8.0?
Comment 8 Mike Burns 2015-11-23 07:46:18 EST
(In reply to Udi from comment #7)
> I don't have a y2 puddle to test this yet, but I can see that in the 8.0
> final beta the bug is not fixed. Should I be seeing a cron job or is the
> token flushing done by some other mechanism? Should this bug be duplicated
> for 8.0?

I'm not sure what token flushing has to do with this bug.  This is related to an issue with applying updates from 7.0 to 7.1 or 7.2.
Comment 9 Udi 2015-11-29 03:17:18 EST
Comment #7 is related to another bug and accidentally was posted here by mistake. Sorry.
Comment 10 Udi 2015-12-10 10:37:31 EST
Updated from 7.0 to 7.2, and this issue is resolved.
Comment 12 errata-xmlrpc 2015-12-21 11:57:53 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2015:2651
