1388644 – rhel-osp-director: 10.0 on rhel7.3: undercloud deployment fails: make: *** [tmp/tripleo-selinux-mariadb.mod] Error 1

Bug 1388644 - rhel-osp-director: 10.0 on rhel7.3: undercloud deployment fails: make: *** [tmp/tripleo-selinux-mariadb.mod] Error 1

Summary: rhel-osp-director: 10.0 on rhel7.3: undercloud deployment fails: make: *** ...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	openstack-tripleo-image-elements
Sub Component:
Version:	9.0 (Mitaka)
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	unspecified
Target Milestone:	rc
Target Release:	10.0 (Newton)
Assignee:	James Slagle
QA Contact:	Marius Cornea
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-10-25 19:53 UTC by Lon Hohberger
Modified:	2016-12-14 16:25 UTC (History)
CC List:	11 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:	1387935
Environment:
Last Closed:	2016-12-14 16:25:18 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Launchpad	1636613	None	None	None	2016-10-25 20:10:28 UTC
OpenStack gerrit	390632	None	None	None	2016-10-25 19:53:55 UTC
Red Hat Product Errata	RHEA-2016:2948	normal	SHIPPED_LIVE	Red Hat OpenStack Platform 10 enhancement update	2016-12-14 19:55:27 UTC

Comment 1 Lon Hohberger 2016-10-25 19:55:52 UTC

https://github.com/SELinuxProject/selinux/commit/c6acfae4bc22586ad1dc259b0aad57fa6c5b43ef

... breaks OpenStack tripleo-image-elements selinux policy module handling.

This commit is present in RHEL 7.3 (beta and later), and is 

This affects OSP 7-10.

Comment 2 James Slagle 2016-10-26 04:57:18 UTC

(In reply to Lon Hohberger from comment #1)
> https://github.com/SELinuxProject/selinux/commit/
> c6acfae4bc22586ad1dc259b0aad57fa6c5b43ef
> 
> ... breaks OpenStack tripleo-image-elements selinux policy module handling.
> 
> This commit is present in RHEL 7.3 (beta and later), and is 
> 
> This affects OSP 7-10.

It's still something we can fix, but I do not think these affected elements are actually used any longer for the undercloud or overcloud in OSP 10.

Was the issue reproduced on OSP 10?

Comment 3 Lon Hohberger 2016-10-28 14:47:38 UTC

No.  If they're no longer used, go ahead and close this.

Comment 4 Lon Hohberger 2016-10-28 14:49:19 UTC

That is, it wasn't reproduced to my knowledge.

Comment 5 James Slagle 2016-11-01 15:16:08 UTC

we don't use these elements on newton/10, but the patch has still merged to master so we can backport to mitaka/9 and liberty/8.

moving this to ON_QA and TestOnly as we only need to confirm that this does not reproduce for OSP 10

Comment 6 James Slagle 2016-11-01 18:04:52 UTC

all we need to have done is install an undercloud on RHEL 7.3 successfully, and verify selinux is enforcing to call this VERIFIED.

Comment 7 Alexander Chuzhoy 2016-11-02 02:19:31 UTC

Verified:


[stack@instack ~]$ sudo sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28


[stack@instack ~]$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.3 (Maipo)


[stack@instack ~]$ . stackrc


[stack@instack ~]$ nova service-list
/usr/lib/python2.7/site-packages/requests/packages/urllib3/connection.py:303: SubjectAltNameWarning: Certificate for 192.0.2.2 has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
  SubjectAltNameWarning
/usr/lib/python2.7/site-packages/requests/packages/urllib3/connection.py:303: SubjectAltNameWarning: Certificate for 192.0.2.2 has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
  SubjectAltNameWarning
+----+----------------+---------------------+----------+---------+-------+----------------------------+-----------------+
| Id | Binary         | Host                | Zone     | Status  | State | Updated_at                 | Disabled Reason |
+----+----------------+---------------------+----------+---------+-------+----------------------------+-----------------+
| 1  | nova-cert      | instack.localdomain | internal | enabled | up    | 2016-11-02T03:18:20.000000 | -               |
| 4  | nova-scheduler | instack.localdomain | internal | enabled | up    | 2016-11-02T03:18:19.000000 | -               |
| 5  | nova-conductor | instack.localdomain | internal | enabled | up    | 2016-11-02T03:18:17.000000 | -               |
| 7  | nova-compute   | instack.localdomain | nova     | enabled | up    | 2016-11-02T03:18:16.000000 | -               |
+----+----------------+---------------------+----------+---------+-------+----------------------------+-----------------+

Comment 10 errata-xmlrpc 2016-12-14 16:25:18 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-2948.html

Note You need to log in before you can comment on or make changes to this bug.