Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1400061

Summary: After packages update on overcloud gnocchi's api not accessibe
Product: Red Hat OpenStack Reporter: Yurii Prokulevych <yprokule>
Component: openstack-selinuxAssignee: Lon Hohberger <lhh>
Status: CLOSED ERRATA QA Contact: Yurii Prokulevych <yprokule>
Severity: high Docs Contact:
Priority: high    
Version: 9.0 (Mitaka)CC: jcoufal, lhh, mandreou, mburns, mgrepl, mlopes, oblaut, srevivo
Target Milestone: ---Keywords: Rebase, Triaged, ZStream
Target Release: 9.0 (Mitaka)   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: openstack-selinux-0.7.13-1.el7ost Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-02-01 14:16:13 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Yurii Prokulevych 2016-11-30 11:47:34 UTC 
Description of problem:
-----------------------
After updating packages on overcloud nodes before doing upgrade, Gnocchi's api is not accessible:

gnocchi  status
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
misconfiguration and was unable to complete
your request.</p>
<p>Please contact the server administrator at 
 [no address given] to inform them of the time this error occurred,
 and the actions you performed just before this error.</p>
<p>More information about this error may be available
in the server error log.</p>
</body></html>
 (HTTP 500)

Excerpt from /var/log/httpd/gnocchi_wsgi_error.log:
---------------------------------------------------

Traceback (most recent call last):
  File "/var/www/cgi-bin/gnocchi/app", line 26, in <module>
    conf = service.prepare_service()
  File "/usr/lib/python2.7/site-packages/gnocchi/service.py", line 77, in prepare_service
    log.setup(conf, 'gnocchi')
  File "/usr/lib/python2.7/site-packages/oslo_log/log.py", line 243, in setup
    _setup_logging_from_conf(conf, product_name, version)
  File "/usr/lib/python2.7/site-packages/oslo_log/log.py", line 319, in _setup_logging_from_conf
    filelog = file_handler(logpath)
  File "/usr/lib64/python2.7/logging/handlers.py", line 392, in __init__
    logging.FileHandler.__init__(self, filename, mode, encoding, delay)
  File "/usr/lib64/python2.7/logging/__init__.py", line 902, in __init__
    StreamHandler.__init__(self, self._open())
  File "/usr/lib64/python2.7/logging/__init__.py", line 925, in _open
    stream = open(self.baseFilename, self.mode)
IOError: [Errno 13] Permission denied: '/var/log/gnocchi/app.log'

ls -lZ /var/log/gnocchi/
-rw-r--r--. gnocchi gnocchi system_u:object_r:var_log_t:s0   app.log
-rw-r--r--. gnocchi gnocchi system_u:object_r:var_log_t:s0   gnocchi-upgrade.log
-rw-r--r--. gnocchi gnocchi system_u:object_r:var_log_t:s0   metricd.log
-rw-r--r--. gnocchi gnocchi system_u:object_r:var_log_t:s0   statsd.log



Version-Release number of selected component (if applicable):
-------------------------------------------------------------
libselinux-ruby-2.5-6.el7.x86_64
libselinux-utils-2.5-6.el7.x86_64
libselinux-python-2.5-6.el7.x86_64
libselinux-2.5-6.el7.x86_64
selinux-policy-3.13.1-102.el7_3.4.noarch
selinux-policy-targeted-3.13.1-102.el7_3.4.noarch
openstack-selinux-0.7.11-1.el7ost.noarch

Steps to Reproduce:
1. Updated packaged on overcloud nodes, e.g:
openstack overcloud update stack \
--templates \
-e /usr/share/openstack-tripleo-heat-templates/environments/storage-environment.yaml \
-e /home/stack/virt/ceph.yaml \
-e /home/stack/virt/network/network-environment-v6.yaml \
-e /usr/share/openstack-tripleo-heat-templates/environments/network-isolation-v6.yaml \
-e /home/stack/virt/enable-tls.yaml \
-e /home/stack/virt/inject-trust-anchor.yaml \
-e /home/stack/virt/hostnames.yml \
-e /home/stack/virt/debug.yaml \
-e /home/stack/virt/gnocchi-swift.yaml -i overcloud

2. After updated check Gnocchi's status:

    gnocchi status

Additional info:
----------------
For reference see - rhbz 1387347
Comment 1 Yurii Prokulevych 2016-11-30 11:49:22 UTC 
Updating context eliminates the issue:

chcon -t httpd_log_t /var/log/gnocchi/app.log
Comment 2 Lon Hohberger 2016-12-21 16:56:35 UTC 
This is similar to bug 1387347 and will be fixed by the same packages.
Comment 4 Yurii Prokulevych 2017-01-10 09:54:21 UTC 
Verified with openstack-selinux-0.7.13-1.el7ost.noarch

semanage fcontext -l | grep -E 'aodh|ceilometer|gnocchi'
/var/log/gnocchi/app.log                           all files          system_u:object_r:httpd_log_t:s0 
/var/log/aodh/app.log                              all files          system_u:object_r:httpd_log_t:s0 
/var/log/ceilometer/app.log                        all files          system_u:object_r:httpd_log_t:s0

ls -lZ /var/log/ceilometer/api.log 
-rw-r--r--. ceilometer ceilometer system_u:object_r:var_log_t:s0   /var/log/ceilometer/api.log

ls -lZ /var/log/gnocchi/app.log 
-rw-r--r--. gnocchi gnocchi system_u:object_r:httpd_log_t:s0 /var/log/gnocchi/app.log

ls -lZ /var/log/aodh/app.log 
-rw-r--r--. aodh aodh system_u:object_r:httpd_log_t:s0 /var/log/aodh/app.log
Comment 7 errata-xmlrpc 2017-02-01 14:16:13 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2017-0231.html