Bug 1278430 - Glance returns "Invalid OpenStack Identity credentials" after updating the undercloud (7.0 -> 7.1), might be due to selinux
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: rhosp-director
Version: 7.0 (Kilo)
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: y2
Target Release: 7.0 (Kilo)
Assignee: James Slagle
QA Contact: Udi Kalifon
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-11-05 13:06 UTC by Udi Kalifon
Modified: 2015-12-21 16:57 UTC (History)

Fixed In Version: openstack-selinux-0.6.46-1.el7ost
Doc Type: Bug Fix
Doc Text:
A missing SELinux rule caused Glance to return an "Invalid OpenStack Identity credentials" error. This fix adds the SELinux rule. Now Glance authenticates successfully.
Clone Of:
Environment:
Last Closed: 2015-12-21 16:57:53 UTC
Target Upstream Version:
Embargoed:


Attachments
audit.log from the instack machine (216.33 KB, application/x-gzip)
2015-11-05 14:26 UTC, Udi Kalifon


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2015:2651 0 normal SHIPPED_LIVE Red Hat Enterprise Linux OSP 7 director Bug Fix Advisory 2015-12-21 21:50:26 UTC

Description Udi Kalifon 2015-11-05 13:06:08 UTC
Description of problem:
When updating the undercloud from 7.0 to 7.1, apparently the selinux policy changes and you get this error when trying to work with glance:

Invalid OpenStack Identity credentials.

No problem to work with the other services. To work around the problem, set selinux to permissive and then back to enforcing - and then it works.


Version-Release number of selected component (if applicable):
openstack-selinux-0.6.37-1.el7ost.noarch
python-glanceclient-0.17.0-2.el7ost.noarch
python-glance-2015.1.0-6.el7ost.noarch
python-glance-store-0.4.0-1.el7ost.noarch
openstack-glance-2015.1.0-6.el7ost.noarch


How reproducible:
100%


Steps to Reproduce:
1. Install 7.0 GA
2. Update the repos to 7.1 and do yum update
3. Try "glance image-list"


Actual results:
Invalid OpenStack Identity credentials.


Expected results:
Shouldn't be a problem.


Additional info:
Setting selinux to "permissive" solves the problem. After setting it back to "enforcing" the problem doesn't return!

Comment 2 Lon Hohberger 2015-11-05 14:04:14 UTC
Please give us a clean reproduction audit.log:
 1) cp /dev/null /var/log/audit/audit.log
 2) setenforce 0
 3) perform test
 4) attach /var/log/audit/audit.log to this bugzilla

Comment 3 Lon Hohberger 2015-11-05 14:06:55 UTC
For step 3, you don't have to redo the upgrade - just the things that are otherwise failing with selinux in enforcing.

Comment 4 Udi Kalifon 2015-11-05 14:26:17 UTC
Created attachment 1090102
audit.log from the instack machine

I am attaching the audit.log file, but it's not a clean file from right after the bug occurs. You will have to scroll up the file to look for it, sorry.

Comment 5 Ryan Hallisey 2015-11-13 17:57:17 UTC
allow keepalived_t systemd_systemctl_exec_t:file getattr;

This is what I see. Can you test again in permissive mode?  setenforce 0.

Comment 7 Udi Kalifon 2015-11-22 13:27:08 UTC
I don't have a y2 puddle to test this yet, but I can see that in the 8.0 final beta the bug is not fixed. Should I be seeing a cron job or is the token flushing done by some other mechanism? Should this bug be duplicated for 8.0?

Comment 8 Mike Burns 2015-11-23 12:46:18 UTC
(In reply to Udi from comment #7)
> I don't have a y2 puddle to test this yet, but I can see that in the 8.0
> final beta the bug is not fixed. Should I be seeing a cron job or is the
> token flushing done by some other mechanism? Should this bug be duplicated
> for 8.0?

I'm not sure what token flushing has to do with this bug.  This is related to an issue with applying updates from 7.0 to 7.1 or 7.2.

Comment 9 Udi Kalifon 2015-11-29 08:17:18 UTC
Comment #7 is related to another bug and accidentally was posted here by mistake. Sorry.

Comment 10 Udi Kalifon 2015-12-10 15:37:31 UTC
Updated from 7.0 to 7.2, and this issue is resolved.

Comment 12 errata-xmlrpc 2015-12-21 16:57:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2015:2651

