Bug 1388644 - rhel-osp-director: 10.0 on rhel7.3: undercloud deployment fails: make: *** [tmp/tripleo-selinux-mariadb.mod] Error 1
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo-image-elements
Version: 9.0 (Mitaka)
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: unspecified
Target Milestone: rc
Target Release: 10.0 (Newton)
Assignee: James Slagle
QA Contact: Marius Cornea
Reported: 2016-10-25 19:53 UTC by Lon Hohberger
Modified: 2016-12-14 16:25 UTC (History)

Clone Of: 1387935
Last Closed: 2016-12-14 16:25:18 UTC


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2016:2948 normal SHIPPED_LIVE Red Hat OpenStack Platform 10 enhancement update 2016-12-14 19:55:27 UTC
OpenStack gerrit 390632 None None None 2016-10-25 19:53:55 UTC
Launchpad 1636613 None None None 2016-10-25 20:10:28 UTC

Comment 1 Lon Hohberger 2016-10-25 19:55:52 UTC
https://github.com/SELinuxProject/selinux/commit/c6acfae4bc22586ad1dc259b0aad57fa6c5b43ef

... breaks OpenStack tripleo-image-elements selinux policy module handling.

This commit is present in RHEL 7.3 (beta and later), and is 

This affects OSP 7-10.

Comment 2 James Slagle 2016-10-26 04:57:18 UTC
(In reply to Lon Hohberger from comment #1)
> https://github.com/SELinuxProject/selinux/commit/c6acfae4bc22586ad1dc259b0aad57fa6c5b43ef
> 
> ... breaks OpenStack tripleo-image-elements selinux policy module handling.
> 
> This commit is present in RHEL 7.3 (beta and later), and is 
> 
> This affects OSP 7-10.

It's still something we can fix, but I do not think these affected elements are actually used any longer for the undercloud or overcloud in OSP 10.

Was the issue reproduced on OSP 10?

Comment 3 Lon Hohberger 2016-10-28 14:47:38 UTC
No.  If they're no longer used, go ahead and close this.

Comment 4 Lon Hohberger 2016-10-28 14:49:19 UTC
That is, it wasn't reproduced to my knowledge.

Comment 5 James Slagle 2016-11-01 15:16:08 UTC
We don't use these elements on newton/10, but the patch has still merged to master so we can backport to mitaka/9 and liberty/8.

Moving this to ON_QA and TestOnly as we only need to confirm that this does not reproduce for OSP 10.

Comment 6 James Slagle 2016-11-01 18:04:52 UTC
All we need to have done is install an undercloud on RHEL 7.3 successfully, and verify selinux is enforcing to call this VERIFIED.

Comment 7 Alexander Chuzhoy 2016-11-02 02:19:31 UTC
Verified:


[stack@instack ~]$ sudo sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28


[stack@instack ~]$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.3 (Maipo)


[stack@instack ~]$ . stackrc


[stack@instack ~]$ nova service-list
/usr/lib/python2.7/site-packages/requests/packages/urllib3/connection.py:303: SubjectAltNameWarning: Certificate for 192.0.2.2 has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
  SubjectAltNameWarning
/usr/lib/python2.7/site-packages/requests/packages/urllib3/connection.py:303: SubjectAltNameWarning: Certificate for 192.0.2.2 has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
  SubjectAltNameWarning
+----+----------------+---------------------+----------+---------+-------+----------------------------+-----------------+
| Id | Binary         | Host                | Zone     | Status  | State | Updated_at                 | Disabled Reason |
+----+----------------+---------------------+----------+---------+-------+----------------------------+-----------------+
| 1  | nova-cert      | instack.localdomain | internal | enabled | up    | 2016-11-02T03:18:20.000000 | -               |
| 4  | nova-scheduler | instack.localdomain | internal | enabled | up    | 2016-11-02T03:18:19.000000 | -               |
| 5  | nova-conductor | instack.localdomain | internal | enabled | up    | 2016-11-02T03:18:17.000000 | -               |
| 7  | nova-compute   | instack.localdomain | nova     | enabled | up    | 2016-11-02T03:18:16.000000 | -               |
+----+----------------+---------------------+----------+---------+-------+----------------------------+-----------------+
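Added example, not part of the original bug comments: a shell check that evaluates `sestatus` output for the verification requested in comment 6. Beyond what that comment asks, it also requires "Mode from config file" to be enforcing, so a host that is enforcing only until the next reboot is flagged. The function names and the second sample are constructed for illustration.

```shell
# Print the value of one "Key:   value" field from sestatus output on stdin.
sestatus_field() {
    awk -F': *' -v key="$1" '$1 == key { sub(/[ \t]+$/, "", $2); print $2; exit }'
}

# Hypothetical helper: exit 0 only if SELinux is enabled and enforcing,
# both at runtime and in the persistent configuration.
check_selinux_enforcing() {
    report=$(cat)
    status=$(printf '%s\n' "$report" | sestatus_field "SELinux status")
    current=$(printf '%s\n' "$report" | sestatus_field "Current mode")
    config=$(printf '%s\n' "$report" | sestatus_field "Mode from config file")
    if [ "$status" != "enabled" ]; then
        echo "FAIL: SELinux status is '${status:-missing}'"; return 1
    fi
    if [ "$current" != "enforcing" ]; then
        echo "FAIL: current mode is '${current:-missing}'"; return 1
    fi
    if [ "$config" != "enforcing" ]; then
        echo "FAIL: config file mode is '${config:-missing}', enforcing will not survive a reboot"; return 1
    fi
    echo "PASS: SELinux enabled and enforcing (runtime and config)"
}

# Relevant fields from the sestatus output posted in comment 7.
sample_from_comment7() {
    cat <<'EOF'
SELinux status:                 enabled
Current mode:                   enforcing
Mode from config file:          enforcing
EOF
}

# Constructed sample: enforcing at runtime, permissive in the config file.
sample_config_permissive() {
    cat <<'EOF'
SELinux status:                 enabled
Current mode:                   enforcing
Mode from config file:          permissive
EOF
}

sample_from_comment7 | check_selinux_enforcing
```

On a live undercloud the same check is run as `sudo sestatus | check_selinux_enforcing`.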

Comment 10 errata-xmlrpc 2016-12-14 16:25:18 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-2948.html

