Description of problem:
In the case of a non-default (0022) system-wide umask variable, the /var/www/cgi-bin/keystone directory can be created with permissions preventing it from being accessible by the httpd user, making keystone unusable.

For instance:

drwx------. 2 keystone 51 Nov 28 05:44 /var/www/cgi-bin/keystone

During the deployment with RH OSP director:

Notice: /Stage[main]/Keystone::Service/Service[keystone]: Triggered 'refresh' from 1 events
Notice: /Stage[main]/Apache::Service/Service[httpd]/ensure: ensure changed 'stopped' to 'running'
Notice: /Stage[main]/Keystone::Deps/Anchor[keystone::service::end]: Triggered 'refresh' from 26 events
Error: Could not prefetch keystone_service provider 'openstack': Could not authenticate
Error: Not managing Keystone_service[Image Service] due to earlier Keystone API failures.
Error: /Stage[main]/Glance::Keystone::Auth/Keystone::Resource::Service_identity[glance]/Keystone_service[Image Service::image]/ensure: change from absent to present failed: Not managing Keystone_service[Image Service] due to earlier Keystone API failures.

In /var/log/httpd/keystone_wsgi_main_error.log:

[Mon Nov 28 05:46:05.899651 2016] [core:error] [pid 23270] (13)Permission denied: [client 192.168.111.1:46948] AH00035: access to /v2.0/tokens denied (filesystem path '/var/www/cgi-bin/keystone/keystone-public') because search permissions are missing on a component of the path
[Mon Nov 28 05:46:20.907486 2016] [core:error] [pid 23264] (13)Permission denied: [client 192.168.111.1:46982] AH00035: access to /v2.0 denied (filesystem path '/var/www/cgi-bin/keystone/keystone-public') because search permissions are missing on a component of the path
[Mon Nov 28 05:46:20.911575 2016] [core:error] [pid 23269] (13)Permission denied: [client 192.168.111.1:46984] AH00035: access to /v2.0/tokens denied (filesystem path '/var/www/cgi-bin/keystone/keystone-public') because search permissions are missing on a component of the path
[Mon Nov 28 05:46:35.907123 2016] [core:error] [pid 23270] (13)Permission denied: [client 192.168.111.1:46988] AH00035: access to /v2.0 denied (filesystem path '/var/www/cgi-bin/keystone/keystone-public') because search permissions are missing on a component of the path

Version-Release number of selected component (if applicable):
openstack-puppet-modules-8.1.8-3.el7ost.noarch

How reproducible:
Always.

Steps to Reproduce:
1. Change system-wide umask to more restrictive, 077 for instance.
2. Follow RH OSP installation guide.
3. Fail during openstack undercloud install

Actual results:
Undercloud installation fails.

Expected results:
Undercloud installation successful.

Additional info:
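
The failure mode in the description above, reproduced in a scratch directory as an added example (not part of the original report and not code from openstack-puppet-modules). The function names and scratch paths are hypothetical, GNU `stat -c` is assumed, and the explicit `chmod 0755` is one way to make the directory mode independent of the umask, not necessarily the fix that shipped.

```shell
#!/bin/sh
# Added illustration; function names and scratch paths are hypothetical.
# Assumes GNU coreutils stat (stat -c), as on RHEL.

# Octal permission bits of a path, e.g. 700 or 755.
mode_of() { stat -c '%a' "$1"; }

# Create a directory the way a tool passing no explicit mode would on a host
# whose system-wide umask is 077: the result is 0700.
mkdir_under_umask_077() { ( umask 077; mkdir "$1" ); }

# Walk REL below ROOT (ROOT itself is assumed traversable) and print the first
# directory lacking the "other" search (x) bit; print nothing if none is found.
# Simplification: only the "other" bits are checked, which is what applies
# when the httpd user is neither the owner nor a member of the group.
first_blocked_component() {
    cur=${1%/}
    old_ifs=$IFS; IFS=/
    set -f; set -- $2; set +f            # split REL on "/" without globbing
    IFS=$old_ifs
    for part in "$@"; do
        [ -n "$part" ] || continue
        cur="$cur/$part"
        [ -d "$cur" ] || continue        # only directories need the search bit
        perms=$(mode_of "$cur")
        case ${perms#"${perms%?}"} in    # last octal digit = "other" bits
            1|3|5|7) ;;                  # x bit set, keep walking
            *) printf '%s\n' "$cur"; return 0 ;;
        esac
    done
    return 0
}

demo() {
    root=$(mktemp -d)
    rel=cgi-bin/keystone/keystone-public
    mkdir -m 0755 "$root/cgi-bin"                    # parent already exists, 0755
    mkdir_under_umask_077 "$root/cgi-bin/keystone"   # the directory from the report
    : > "$root/$rel"
    echo "before: mode $(mode_of "$root/cgi-bin/keystone"), blocked at: $(first_blocked_component "$root" "$rel")"
    chmod 0755 "$root/cgi-bin/keystone"              # explicit mode, umask-independent
    echo "after:  mode $(mode_of "$root/cgi-bin/keystone"), blocked at: $(first_blocked_component "$root" "$rel")"
    rm -rf "$root"
}
demo
```

On a deployed host the same walk can be pointed at the real path with `first_blocked_component / var/www/cgi-bin/keystone/keystone-public`.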
Fixed in OSP11, do we want to fix it in OSP10 and 9?
Hi, If that wouldn't be a big problem then yes please. I know at least one customer who was affected by this using OSP10. Thanks in advance, Rafal
[stack@undercloud-0 ~]$ cat /etc/yum.repos.d/latest-installed
9 -p 2017-03-17.1
[stack@undercloud-0 ~]$ rpm -q openstack-puppet-modules
openstack-puppet-modules-8.1.13-1.el7ost.noarch
[stack@undercloud-0 ~]$ ll /var/www/cgi-bin/keystone/
total 8
-rw-r--r--. 1 keystone keystone 1162 Mar 28 07:37 keystone-admin
-rw-r--r--. 1 keystone keystone 1167 Mar 28 07:37 keystone-public
[stack@undercloud-0 ~]$ ll /var/www/cgi-bin/
total 0
drwxr-xr-x. 2 aodh     aodh     17 Mar 28 07:37 aodh
drwxr-xr-x. 2 keystone keystone 51 Mar 28 07:37 keystone
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:1501