1400061 – After packages update on overcloud gnocchi's api not accessibe

Bug 1400061 - After packages update on overcloud gnocchi's api not accessibe

Summary: After packages update on overcloud gnocchi's api not accessibe

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	openstack-selinux
Sub Component:
Version:	9.0 (Mitaka)
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	---
Target Release:	9.0 (Mitaka)
Assignee:	Lon Hohberger
QA Contact:	Yurii Prokulevych
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-11-30 11:47 UTC by Yurii Prokulevych
Modified:	2017-07-24 17:10 UTC (History)
CC List:	8 users (show)
Fixed In Version:	openstack-selinux-0.7.13-1.el7ost
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-02-01 14:16:13 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2017:0231	0	normal	SHIPPED_LIVE	Red Hat OpenStack Platform 9 Bug Fix and Enhancement Advisory	2017-02-01 19:14:38 UTC

Description Yurii Prokulevych 2016-11-30 11:47:34 UTC

Description of problem:
-----------------------
After updating packages on overcloud nodes before doing upgrade, Gnocchi's api is not accessible:

gnocchi  status
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
misconfiguration and was unable to complete
your request.</p>
<p>Please contact the server administrator at 
 [no address given] to inform them of the time this error occurred,
 and the actions you performed just before this error.</p>
<p>More information about this error may be available
in the server error log.</p>
</body></html>
 (HTTP 500)

Excerpt from /var/log/httpd/gnocchi_wsgi_error.log:
---------------------------------------------------

Traceback (most recent call last):
  File "/var/www/cgi-bin/gnocchi/app", line 26, in <module>
    conf = service.prepare_service()
  File "/usr/lib/python2.7/site-packages/gnocchi/service.py", line 77, in prepare_service
    log.setup(conf, 'gnocchi')
  File "/usr/lib/python2.7/site-packages/oslo_log/log.py", line 243, in setup
    _setup_logging_from_conf(conf, product_name, version)
  File "/usr/lib/python2.7/site-packages/oslo_log/log.py", line 319, in _setup_logging_from_conf
    filelog = file_handler(logpath)
  File "/usr/lib64/python2.7/logging/handlers.py", line 392, in __init__
    logging.FileHandler.__init__(self, filename, mode, encoding, delay)
  File "/usr/lib64/python2.7/logging/__init__.py", line 902, in __init__
    StreamHandler.__init__(self, self._open())
  File "/usr/lib64/python2.7/logging/__init__.py", line 925, in _open
    stream = open(self.baseFilename, self.mode)
IOError: [Errno 13] Permission denied: '/var/log/gnocchi/app.log'

ls -lZ /var/log/gnocchi/
-rw-r--r--. gnocchi gnocchi system_u:object_r:var_log_t:s0   app.log
-rw-r--r--. gnocchi gnocchi system_u:object_r:var_log_t:s0   gnocchi-upgrade.log
-rw-r--r--. gnocchi gnocchi system_u:object_r:var_log_t:s0   metricd.log
-rw-r--r--. gnocchi gnocchi system_u:object_r:var_log_t:s0   statsd.log



Version-Release number of selected component (if applicable):
-------------------------------------------------------------
libselinux-ruby-2.5-6.el7.x86_64
libselinux-utils-2.5-6.el7.x86_64
libselinux-python-2.5-6.el7.x86_64
libselinux-2.5-6.el7.x86_64
selinux-policy-3.13.1-102.el7_3.4.noarch
selinux-policy-targeted-3.13.1-102.el7_3.4.noarch
openstack-selinux-0.7.11-1.el7ost.noarch

Steps to Reproduce:
1. Updated packaged on overcloud nodes, e.g:
openstack overcloud update stack \
--templates \
-e /usr/share/openstack-tripleo-heat-templates/environments/storage-environment.yaml \
-e /home/stack/virt/ceph.yaml \
-e /home/stack/virt/network/network-environment-v6.yaml \
-e /usr/share/openstack-tripleo-heat-templates/environments/network-isolation-v6.yaml \
-e /home/stack/virt/enable-tls.yaml \
-e /home/stack/virt/inject-trust-anchor.yaml \
-e /home/stack/virt/hostnames.yml \
-e /home/stack/virt/debug.yaml \
-e /home/stack/virt/gnocchi-swift.yaml -i overcloud

2. After updated check Gnocchi's status:

    gnocchi status

Additional info:
----------------
For reference see - rhbz 1387347

Comment 1 Yurii Prokulevych 2016-11-30 11:49:22 UTC

Updating context eliminates the issue:

chcon -t httpd_log_t /var/log/gnocchi/app.log

Comment 2 Lon Hohberger 2016-12-21 16:56:35 UTC

This is similar to bug 1387347 and will be fixed by the same packages.

Comment 4 Yurii Prokulevych 2017-01-10 09:54:21 UTC

Verified with openstack-selinux-0.7.13-1.el7ost.noarch

semanage fcontext -l | grep -E 'aodh|ceilometer|gnocchi'
/var/log/gnocchi/app.log                           all files          system_u:object_r:httpd_log_t:s0 
/var/log/aodh/app.log                              all files          system_u:object_r:httpd_log_t:s0 
/var/log/ceilometer/app.log                        all files          system_u:object_r:httpd_log_t:s0

ls -lZ /var/log/ceilometer/api.log 
-rw-r--r--. ceilometer ceilometer system_u:object_r:var_log_t:s0   /var/log/ceilometer/api.log

ls -lZ /var/log/gnocchi/app.log 
-rw-r--r--. gnocchi gnocchi system_u:object_r:httpd_log_t:s0 /var/log/gnocchi/app.log

ls -lZ /var/log/aodh/app.log 
-rw-r--r--. aodh aodh system_u:object_r:httpd_log_t:s0 /var/log/aodh/app.log

Comment 7 errata-xmlrpc 2017-02-01 14:16:13 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2017-0231.html

Note You need to log in before you can comment on or make changes to this bug.