Description of problem:
When updating the undercloud from 7.0 to 7.1, apparently the selinux policy changes and you get this error when trying to work with glance:
Invalid OpenStack Identity credentials.
No problem to work with the other services. To work around the problem, set selinux to permissive and then back to enforcing - and then it works.

Version-Release number of selected component (if applicable):
openstack-selinux-0.6.37-1.el7ost.noarch
python-glanceclient-0.17.0-2.el7ost.noarch
python-glance-2015.1.0-6.el7ost.noarch
python-glance-store-0.4.0-1.el7ost.noarch
openstack-glance-2015.1.0-6.el7ost.noarch

How reproducible:
100%

Steps to Reproduce:
1. Install 7.0 GA
2. Update the repos to 7.1 and do yum update
3. Try "glance image-list"

Actual results:
Invalid OpenStack Identity credentials.

Expected results:
Shouldn't be a problem.

Additional info:
Setting selinux to "permissive" solves the problem. After setting it back to "enforcing" the problem doesn't return!
Please give us a clean reproduction audit.log:
1) cp /dev/null /var/log/audit/audit.log
2) setenforce 0
3) perform test
4) attach /var/log/audit/audit.log to this bugzilla
For step 3, you don't have to redo the upgrade - just the things that are otherwise failing with selinux in enforcing.
Created attachment 1090102
audit.log from the instack machine

I am attaching the audit.log file, but it's not a clean file from right after the bug occurs. You will have to scroll up the file to look for it, sorry.
allow keepalived_t systemd_systemctl_exec_t:file getattr;

This is what I see. Can you test again in permissive mode? setenforce 0.
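The rule quoted in the comment above has the form you get when AVC denial records in audit.log are reduced to allow rules. A sketch of that reduction, as an added example that is not part of the original thread: the log records are constructed samples (only the keepalived_t denial mirrors the rule in the comment) and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample records, not taken from the attached audit.log.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1446480000.123:456): avc:  denied  { getattr } for  pid=1234 comm="keepalived" path="/usr/bin/systemctl" dev="dm-0" ino=12345 scontext=system_u:system_r:keepalived_t:s0 tcontext=system_u:object_r:systemd_systemctl_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1446480000.123:456): arch=c000003e syscall=4 success=yes exit=0 comm="keepalived" exe="/usr/sbin/keepalived"
type=AVC msg=audit(1446480001.200:457): avc:  denied  { read open } for  pid=2000 comm="example" path="/tmp/x" scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1446480002.300:458): avc:  denied  { getattr } for  pid=2000 comm="example" path="/tmp/x" scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1446480003.000:459): avc:  granted  { setenforce } for  pid=1 comm="setenforce" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
"""

# Permission set, source context, target context and object class of a denial.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?scontext=(?P<scon>\S+).*?tcontext=(?P<tcon>\S+).*?tclass=(?P<cls>\S+)"
)


def selinux_type(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]


def denials_to_rules(log_text):
    """Merge AVC denials per (source type, target type, class) into allow rules."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        if not line.startswith("type=AVC"):
            continue  # SYSCALL, PATH and other record types carry no denial
        match = AVC_RE.search(line)
        if match is None:
            continue  # e.g. "granted" records
        key = (selinux_type(match["scon"]), selinux_type(match["tcon"]), match["cls"])
        merged[key].update(match["perms"].split())
    rules = []
    for (source, target, cls), perms in sorted(merged.items()):
        names = sorted(perms)
        perm_text = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append(f"allow {source} {target}:{cls} {perm_text};")
    return rules


if __name__ == "__main__":
    for rule in denials_to_rules(SAMPLE_AUDIT_LOG):
        print(rule)
```

The output lists what was denied; each rule still needs review against the intended policy before it is allowed.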
I don't have a y2 puddle to test this yet, but I can see that in the 8.0 final beta the bug is not fixed. Should I be seeing a cron job or is the token flushing done by some other mechanism? Should this bug be duplicated for 8.0?
(In reply to Udi from comment #7)
> I don't have a y2 puddle to test this yet, but I can see that in the 8.0
> final beta the bug is not fixed. Should I be seeing a cron job or is the
> token flushing done by some other mechanism? Should this bug be duplicated
> for 8.0?

I'm not sure what token flushing has to do with this bug. This is related to an issue with applying updates from 7.0 to 7.1 or 7.2.
Comment #7 is related to another bug and accidentally was posted here by mistake. Sorry.
Updated from 7.0 to 7.2, and this issue is resolved.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2015:2651