Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1322407

Summary: nova reset-password command not able to reset password of instance having selinux in enforcing mode
Product: Red Hat OpenStack
Reporter: VIKRANT <vaggarwa>
Component: openstack-nova
Assignee: Diana Clarke <dclarke>
Status: CLOSED DUPLICATE
QA Contact: nlevinki <nlevinki>
Severity: low
Priority: low
Version: 7.0 (Kilo)
CC: berrange, dasmith, dclarke, eglynn, kchamart, ndipanov, sbauza, sferdjao, sgordon, tcarlin, vaggarwa, vromanso, yeylon
Target Release: 8.0 (Liberty)
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2016-04-03 14:13:10 UTC
Type: Bug

Description VIKRANT 2016-03-30 12:42:09 UTC
Description of problem:
nova reset-password command not able to reset password of instance having selinux in enforcing mode

Version-Release number of selected component (if applicable):
RHEL OSP 7

How reproducible:
Every time.

Steps to Reproduce:
1. spawn an instance with qemu-guest-agent installed
2. Ensure that qemu-guest-agent is running and selinux in enforcing mode.
3. Trying to reset the password from the controller node failed.
~~~
[root@allinone7 ~(keystone_admin)]# nova root-password web1
New password: 
Again: 
ERROR (ClientException): InstancePasswordSetFailed_Remote: Failed to set admin password on 0e2ccf3e-540b-4dc4-95d9-7c9698a6081f because error setting admin password (HTTP 500) (Request-ID: req-ebf97491-648a-418c-b60c-df229a459feb)
~~~
Instance went into ERROR state.
4. Change the selinux to permissive mode, and you are able to reset the password without any issue.

Reset the state of instance to active.
~~~
[root@allinone7 ~(keystone_admin)]# nova reset-state 0e2ccf3e-540b-4dc4-95d9-7c9698a6081f --active
~~~

Password is changed successfully.
~~~
[root@allinone7 ~(keystone_admin)]# nova root-password web1
New password: 
Again: 
~~~

Actual results:
It's not able to change password when instance is having selinux in enforcing mode.

Expected results:
It should be able to change password with selinux in enforcing mode.

Additional info:

Error seen in nova-compute.log file while trying to change the password with enforcing mode.

~~~
2016-03-30 08:32:33.909 3935 ERROR nova.compute.manager [req-ebf97491-648a-418c-b60c-df229a459feb None] [instance: 0e2ccf3e-540b-4dc4-95d9-7c9698a6081f] set_admin_password failed: Error from libvirt while set password for username "root": [Error Code 1] internal error: unable to execute QEMU agent command 'guest-set-user-password': child process has failed to set user password
2016-03-30 08:32:33.909 3935 TRACE nova.compute.manager [instance: 0e2ccf3e-540b-4dc4-95d9-7c9698a6081f] Traceback (most recent call last):
2016-03-30 08:32:33.909 3935 TRACE nova.compute.manager [instance: 0e2ccf3e-540b-4dc4-95d9-7c9698a6081f]   File "/usr/lib/python2.7/site-packages/nova/compute/manager.py", line 3240, in set_admin_password
2016-03-30 08:32:33.909 3935 TRACE nova.compute.manager [instance: 0e2ccf3e-540b-4dc4-95d9-7c9698a6081f]     self.driver.set_admin_password(instance, new_pass)
2016-03-30 08:32:33.909 3935 TRACE nova.compute.manager [instance: 0e2ccf3e-540b-4dc4-95d9-7c9698a6081f]   File "/usr/lib/python2.7/site-packages/nova/virt/libvirt/driver.py", line 1931, in set_admin_password
2016-03-30 08:32:33.909 3935 TRACE nova.compute.manager [instance: 0e2ccf3e-540b-4dc4-95d9-7c9698a6081f]     raise exception.NovaException(msg)
2016-03-30 08:32:33.909 3935 TRACE nova.compute.manager [instance: 0e2ccf3e-540b-4dc4-95d9-7c9698a6081f] NovaException: Error from libvirt while set password for username "root": [Error Code 1] internal error: unable to execute QEMU agent command 'guest-set-user-password': child process has failed to set user password
2016-03-30 08:32:33.909 3935 TRACE nova.compute.manager [instance: 0e2ccf3e-540b-4dc4-95d9-7c9698a6081f]
2016-03-30 08:32:34.049 3935 DEBUG nova.openstack.common.lockutils [req-ebf97491-648a-418c-b60c-df229a459feb ] Created new semaphore "compute_resources" internal_lock /usr/lib/python2.7/site-packages/nova/openstack/common/lockutils.py:206
2016-03-30 08:32:34.049 3935 DEBUG nova.openstack.common.lockutils [req-ebf97491-648a-418c-b60c-df229a459feb ] Acquired semaphore "compute_resources" lock /usr/lib/python2.7/site-packages/nova/openstack/common/lockutils.py:229
2016-03-30 08:32:34.049 3935 DEBUG nova.openstack.common.lockutils [req-ebf97491-648a-418c-b60c-df229a459feb ] Got semaphore / lock "update_usage" inner /usr/lib/python2.7/site-packages/nova/openstack/common/lockutils.py:271
2016-03-30 08:32:34.084 3935 INFO nova.scheduler.client.report [req-ebf97491-648a-418c-b60c-df229a459feb None] Compute_service record updated for ('allinone7', 'allinone7')
2016-03-30 08:32:34.085 3935 DEBUG nova.openstack.common.lockutils [req-ebf97491-648a-418c-b60c-df229a459feb ] Releasing semaphore "compute_resources" lock /usr/lib/python2.7/site-packages/nova/openstack/common/lockutils.py:238
2016-03-30 08:32:34.085 3935 DEBUG nova.openstack.common.lockutils [req-ebf97491-648a-418c-b60c-df229a459feb ] Semaphore / lock released "update_usage" inner /usr/lib/python2.7/site-packages/nova/openstack/common/lockutils.py:275
2016-03-30 08:32:34.089 3935 ERROR oslo.messaging.rpc.dispatcher [req-ebf97491-648a-418c-b60c-df229a459feb ] Exception during message handling: Failed to set admin password on 0e2ccf3e-540b-4dc4-95d9-7c9698a6081f because error setting admin password
~~~
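
An added example, not part of the original report and not nova code: a small parser that pulls failed set_admin_password calls out of nova-compute.log text in the format shown above and separates failures reported by the guest agent's child process (the case in this bug) from other libvirt errors. The second failure in the sample, the field names and the `failed_in_guest` classification are assumptions made for illustration.

```python
import re

# Constructed sample: lines 1-2 follow the log in this report (unwrapped),
# line 3 is an invented failure of a different kind for contrast.
SAMPLE_LOG = """\
2016-03-30 08:32:33.909 3935 ERROR nova.compute.manager [req-ebf97491-648a-418c-b60c-df229a459feb None] [instance: 0e2ccf3e-540b-4dc4-95d9-7c9698a6081f] set_admin_password failed: Error from libvirt while set password for username "root": [Error Code 1] internal error: unable to execute QEMU agent command 'guest-set-user-password': child process has failed to set user password
2016-03-30 08:32:34.084 3935 INFO nova.scheduler.client.report [req-ebf97491-648a-418c-b60c-df229a459feb None] Compute_service record updated for ('allinone7', 'allinone7')
2016-03-30 09:10:02.117 3935 ERROR nova.compute.manager [req-00000000-0000-0000-0000-000000000001 None] [instance: 11111111-2222-3333-4444-555555555555] set_admin_password failed: Error from libvirt while set password for username "root": [Error Code 86] Guest agent is not responding: QEMU guest agent is not connected
"""

# One ERROR line per failed call: timestamp, request ID, instance UUID, user, libvirt code.
EVENT = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) \d+ ERROR nova\.compute\.manager '
    r'\[(?P<req>req-[0-9a-f-]+)[^\]]*\] \[instance: (?P<instance>[0-9a-f-]{36})\] '
    r'set_admin_password failed: .*?username "(?P<user>[^"]+)": '
    r'\[Error Code (?P<code>\d+)\] (?P<detail>.*)$', re.M)
AGENT_CMD = re.compile(r"QEMU agent command '(?P<cmd>[^']+)': (?P<reason>.*)$")


def find_password_failures(log_text):
    """Return one dict per failed set_admin_password call found in the log text."""
    events = []
    for match in EVENT.finditer(log_text):
        event = match.groupdict()
        detail = event.pop("detail")
        agent = AGENT_CMD.search(detail)
        event["agent_command"] = agent.group("cmd") if agent else None
        event["reason"] = agent.group("reason") if agent else detail
        # Assumption of this example: this reason means the agent ran the command
        # and its helper failed inside the guest, so the guest (SELinux mode,
        # selinux-policy version) is where to look, as was done in this report.
        event["failed_in_guest"] = "child process has failed" in event["reason"]
        events.append(event)
    return events


if __name__ == "__main__":
    for ev in find_password_failures(SAMPLE_LOG):
        where = "inside guest" if ev["failed_in_guest"] else "before/around agent"
        print(ev["ts"], ev["instance"], ev["req"], where, "-", ev["reason"])
```

The request ID in each result is the same one the `nova` client prints in its HTTP 500 error, so a user-facing failure can be matched to the compute-node log entry.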

Comment 2 Diana Clarke 2016-03-31 17:14:42 UTC
What version of RHEL are they running? It looks like this might have been fixed in:

    https://bugzilla.redhat.com/show_bug.cgi?id=1243458
    https://rhn.redhat.com/errata/RHBA-2015-2300.html

Comment 3 VIKRANT 2016-04-01 04:05:27 UTC
I noticed this issue in a test lab. I have tried a Fedora 22 image with kernel 4.0.4-301.fc22

Comment 4 Diana Clarke 2016-04-01 04:58:29 UTC
In that case, was it fixed in this errata?

    https://bugzilla.redhat.com/show_bug.cgi?id=1243459

Comment 5 Eoghan Glynn 2016-04-01 14:42:51 UTC
Can you check the version of the selinux-policy RPM?

$ sudo rpm -qa | grep selinux-policy

Comment 6 VIKRANT 2016-04-03 12:39:30 UTC
Yes, issue is fixed in newer version of selinux-policy.

Earlier version:

~~~
[root@host-10-10-1-38 ~]# rpm -qa | grep -i selinux-policy
selinux-policy-targeted-3.13.1-122.fc22.noarch
selinux-policy-3.13.1-122.fc22.noarch
~~~

Created image with newer version:

~~~
[root@host-10-10-1-39 ~]# rpm -qa | grep -i selinux-policy
selinux-policy-targeted-3.13.1-128.21.fc22.noarch
selinux-policy-3.13.1-128.21.fc22.noarch

[root@host-10-10-1-39 ~]# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      29
~~~

Able to change the password with selinux in enforcing mode.

~~~
[root@allinone7 ~(keystone_admin)]# nova root-password web1
New password: 
Again: 

[root@allinone7 ~(keystone_admin)]# ip netns exec qdhcp-9ec24eff-f470-4d4e-8c23-9eeb41dfe749 ssh root.1.39
root.1.39's password:
~~~

Comment 7 Diana Clarke 2016-04-03 14:13:10 UTC
Glad to hear that!

Thanks for taking the time to document the before and after in such detail. I've removed the private flags, so that others can stumble upon these notes if they run into the same issue.

Cheers,

--diana

*** This bug has been marked as a duplicate of bug 1243459 ***