Bug 1493561 - [osp12] httpd service is dead on OC nodes: cannot bind port due to SELinux issues
Keywords:
Status: CLOSED DUPLICATE of bug 1489863
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-selinux
Version: 12.0 (Pike)
Hardware: x86_64
OS: Linux
high
high
Target Milestone: ga
: 12.0 (Pike)
Assignee: Lon Hohberger
QA Contact: Udi Shkalim
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2017-09-20 13:43 UTC by Artem Hrechanychenko
Modified: 2017-09-21 15:38 UTC
6 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-09-21 12:53:23 UTC
Target Upstream Version:
Embargoed:


Attachments
audit.log (3.81 MB, text/plain)
2017-09-21 15:23 UTC, Artem Hrechanychenko
audit.log (1.21 MB, text/plain)
2017-09-21 15:31 UTC, Artem Hrechanychenko


Links
System: Launchpad
ID: 1718328
Last Updated: 2017-09-21 12:01:01 UTC

Description Artem Hrechanychenko 2017-09-20 13:43:12 UTC
Description of problem:
[heat-admin@overcloud-controller-0 ~]$ sudo systemctl status httpd
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
  Drop-In: /usr/lib/systemd/system/httpd.service.d
           └─openstack-dashboard.conf
   Active: failed (Result: exit-code) since Wed 2017-09-20 13:39:49 UTC; 6s ago
     Docs: man:httpd(8)
           man:apachectl(8)
  Process: 718315 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=1/FAILURE)
  Process: 718276 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
  Process: 717778 ExecStartPre=/usr/bin/python /usr/share/openstack-dashboard/manage.py compress --force -v0 (code=exited, status=0/SUCCESS)
  Process: 717543 ExecStartPre=/usr/bin/python /usr/share/openstack-dashboard/manage.py collectstatic --noinput --clear -v0 (code=exited, status=0/SUCCESS)
 Main PID: 718276 (code=exited, status=1/FAILURE)

Sep 20 13:39:49 overcloud-controller-0.redhat.local python[717778]: Compressed 5 block(s) from 3 template(s) for 1 context(s).
Sep 20 13:39:49 overcloud-controller-0.redhat.local httpd[718276]: (13)Permission denied: AH00072: make_sock: could not bind to address 172.17.1.11:8003
Sep 20 13:39:49 overcloud-controller-0.redhat.local httpd[718276]: no listening sockets available, shutting down
Sep 20 13:39:49 overcloud-controller-0.redhat.local httpd[718276]: AH00015: Unable to open logs
Sep 20 13:39:49 overcloud-controller-0.redhat.local systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
Sep 20 13:39:49 overcloud-controller-0.redhat.local kill[718315]: kill: cannot find process ""
Sep 20 13:39:49 overcloud-controller-0.redhat.local systemd[1]: httpd.service: control process exited, code=exited status=1
Sep 20 13:39:49 overcloud-controller-0.redhat.local systemd[1]: Failed to start The Apache HTTP Server.
Sep 20 13:39:49 overcloud-controller-0.redhat.local systemd[1]: Unit httpd.service entered failed state.
Sep 20 13:39:49 overcloud-controller-0.redhat.local systemd[1]: httpd.service failed.


Workaround: setenforce 0 and restart httpd

[heat-admin@overcloud-controller-0 ~]$ sudo setenforce 0
[heat-admin@overcloud-controller-0 ~]$ sudo systemctl restart httpd

[heat-admin@overcloud-controller-0 ~]$ sudo cat  /var/log/audit/audit.log |grep 8003
type=AVC msg=audit(1505898966.039:1223): avc:  denied  { name_bind } for  pid=73766 comm="httpd" src=8003 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1505899261.551:1726): avc:  denied  { name_bind } for  pid=102144 comm="httpd" src=8003 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1505899398.608:2339): avc:  denied  { name_bind } for  pid=122272 comm="httpd" src=8003 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=USER_CMD msg=audit(1505903509.201:8003): pid=573184 uid=165 auid=4294967295 ses=4294967295 subj=system_u:system_r:cinder_volume_t:s0 msg='cwd="/" cmd=63696E6465722D726F6F7477726170202F6574632F63696E6465722F726F6F74777261702E636F6E6620656E76204C435F414C4C3D43206C7673202D2D6E6F68656164696E6773202D2D756E69743D67202D6F2076675F6E616D652C6E616D652C73697A65202D2D6E6F7375666669782063696E6465722D766F6C756D6573 terminal=? res=success'
type=AVC msg=audit(1505908946.001:15512): avc:  denied  { name_bind } for  pid=99065 comm="httpd" src=8003 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1505909103.418:15749): avc:  denied  { name_bind } for  pid=116667 comm="httpd" src=8003 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=CRED_DISP msg=audit(1505910752.225:18003): pid=290655 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:spc_t:s0 msg='op=PAM:setcred grantors=pam_rootok acct="rabbitmq" exe="/usr/bin/su" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1505914789.662:26901): avc:  denied  { name_bind } for  pid=718276 comm="httpd" src=8003 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1505914822.804:26961): avc:  denied  { name_bind } for  pid=722385 comm="httpd" src=8003 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket

Version-Release number of selected component (if applicable):
docker images from 2017-09-15.1

How reproducible:
Always

Steps to Reproduce:
1.Deploy TLS everywhere OC http://etherpad.corp.redhat.com/osp12-internal-SSL-using-freeIPA

Actual results:
httpd daemon is dead on oc nodes

Expected results:
httpd service is alive

Additional info:

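Added example, not part of the bug report and not code from openstack-selinux. Note that `grep 8003` in the description matches on more than the port: two of the returned records (USER_CMD and CRED_DISP) are not AVCs at all, they match only because the audit serial number in `msg=audit(...:8003)` and `msg=audit(...:18003)` contains those digits. When triaging a name_bind denial it is better to parse the AVC fields (permission, scontext, tclass, src) and then label the port, which is a far narrower change than running a controller with `setenforce 0`. The script below does that over sample records: the first four are copied from this bug (the hex `cmd=` value of the USER_CMD record is shortened), the last two (a port 8004 denial and a name_connect denial) are constructed for illustration and did not occur here. The target type `http_port_t` and the use of `semanage port -a` are assumptions for the example; where a port already carries an explicit label (tcontext other than `unreserved_port_t`) `semanage port -m` is the right verb instead of `-a`.

```python
import re

# Sample audit records (see lead-in: four copied from the bug, two constructed).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1505898966.039:1223): avc:  denied  { name_bind } for  pid=73766 comm="httpd" src=8003 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=USER_CMD msg=audit(1505903509.201:8003): pid=573184 uid=165 auid=4294967295 ses=4294967295 subj=system_u:system_r:cinder_volume_t:s0 msg='cwd="/" cmd=6C7673 terminal=? res=success'
type=AVC msg=audit(1505914789.662:26901): avc:  denied  { name_bind } for  pid=718276 comm="httpd" src=8003 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=CRED_DISP msg=audit(1505910752.225:18003): pid=290655 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:spc_t:s0 msg='op=PAM:setcred grantors=pam_rootok acct="rabbitmq" exe="/usr/bin/su" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1505914900.100:31000): avc:  denied  { name_bind } for  pid=730001 comm="httpd" src=8004 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1505914900.200:31001): avc:  denied  { name_connect } for  pid=730002 comm="httpd" dest=5000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:commplex_main_port_t:s0 tclass=tcp_socket
"""
SAMPLE_LINES = SAMPLE_AUDIT.splitlines()

# Matches the fixed prefix of an AVC record: type, timestamp:serial, verdict,
# the permission set in braces, and the remaining key=value fields.
AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$'
)
# key=value tokens; values are either double-quoted or whitespace-free.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def naive_port_grep(lines, port):
    """What `grep 8003` does: any record whose text contains the digits."""
    return [line for line in lines if port in line]


def parse_avc(line):
    """Return a dict of AVC fields, or None if the record is not an AVC."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
    }
    for key, value in KV_RE.findall(m.group("rest")):
        rec[key] = value.strip('"')
    return rec


def context_type(ctx):
    """Extract the type field: system_u:system_r:httpd_t:s0 -> httpd_t."""
    return ctx.split(":")[2]


def name_bind_denials(lines, source_type="httpd_t"):
    """AVC records where source_type was denied name_bind on a tcp/udp port."""
    found = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        if "name_bind" not in rec["perms"]:
            continue
        if rec.get("tclass") not in ("tcp_socket", "udp_socket"):
            continue
        if context_type(rec["scontext"]) != source_type:
            continue
        found.append(rec)
    return found


def port_remediation(denials, target_type="http_port_t"):
    """One `semanage port -a` command per distinct (protocol, port) pair.

    target_type is an assumption for the example: pick the type the confined
    domain is allowed to bind (httpd_t may bind http_port_t). Use -m rather
    than -a if the port already has an explicit label."""
    pairs = sorted({(rec["tclass"].split("_")[0], int(rec["src"])) for rec in denials})
    return [f"semanage port -a -t {target_type} -p {proto} {port}" for proto, port in pairs]


if __name__ == "__main__":
    print("records containing '8003':", len(naive_port_grep(SAMPLE_LINES, "8003")))
    denials = name_bind_denials(SAMPLE_LINES)
    for rec in denials:
        print(f"serial={rec['serial']} comm={rec['comm']} {rec['tclass']} port={rec['src']} "
              f"{context_type(rec['scontext'])} -> {context_type(rec['tcontext'])}")
    for cmd in port_remediation(denials):
        print(cmd)
```

On the real node the same filtering is what `ausearch -m AVC -c httpd` gives you without the serial-number false positives; after applying the generated command, `semanage port -l | grep http_port_t` should list the port and `systemctl restart httpd` should succeed with `getenforce` still reporting Enforcing.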
Comment 2 Alexander Chuzhoy 2017-09-20 16:30:03 UTC
Checked a setup deployed without tls_everywhere.

Environment:
libselinux-python-2.5-11.el7.x86_64
selinux-policy-3.13.1-166.el7_4.4.noarch
libselinux-2.5-11.el7.x86_64
libselinux-utils-2.5-11.el7.x86_64
httpd-2.4.6-67.el7_4.2.x86_64
selinux-policy-targeted-3.13.1-166.el7_4.4.noarch
openstack-selinux-0.8.9-0.1.el7ost.noarch
libselinux-ruby-2.5-11.el7.x86_64
httpd-tools-2.4.6-67.el7_4.2.x86_64
container-selinux-2.21-2.gitba103ac.el7.noarch
ceph-selinux-10.2.7-32.el7cp.x86_64
openstack-tripleo-heat-templates-7.0.0-0.20170913050524.0rc2.el7ost.noarch
openstack-puppet-modules-11.0.0-0.20170828113154.el7ost.noarch
instack-undercloud-7.4.1-0.20170912115418.el7ost.noarch



Deployment command:
openstack overcloud deploy --templates \
--libvirt-type kvm \
-e /home/stack/templates/nodes_data.yaml \
-e  /usr/share/openstack-tripleo-heat-templates/environments/ceph-ansible/ceph-ansible.yaml \
-e /usr/share/openstack-tripleo-heat-templates/environments/network-isolation-v6.yaml \
-e /home/stack/virt/network/network-environment-v6.yaml \
-e /usr/share/openstack-tripleo-heat-templates/environments/ssl/enable-tls.yaml \
-e /home/stack/virt/public_vip.yaml \
-e /usr/share/openstack-tripleo-heat-templates/environments/ssl/tls-endpoints-public-ip.yaml \
-e /home/stack/inject-trust-anchor-hiera.yaml \
-e /home/stack/rhos12.yaml


The issue didn't reproduce:

[heat-admin@overcloud-controller-0 ~]$  sudo systemctl status httpd
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
  Drop-In: /usr/lib/systemd/system/httpd.service.d
           └─openstack-dashboard.conf
   Active: active (running) since Wed 2017-09-20 15:38:01 UTC; 49min ago
     Docs: man:httpd(8)
           man:apachectl(8)
 Main PID: 94660 (httpd)
   Status: "Total requests: 0; Current requests/sec: 0; Current traffic:   0 B/sec"
   Memory: 707.9M
   CGroup: /system.slice/httpd.service
           ├─94660 /usr/sbin/httpd -DFOREGROUND
           ├─94662 cinder_wsgi     -DFOREGROUND
           ├─94663 cinder_wsgi     -DFOREGROUND
           ├─94664 cinder_wsgi     -DFOREGROUND
           ├─94665 cinder_wsgi     -DFOREGROUND
           ├─94666 heat_api_cloudw -DFOREGROUND
           ├─94667 /usr/sbin/httpd -DFOREGROUND
           ├─94668 /usr/sbin/httpd -DFOREGROUND
           ├─94669 /usr/sbin/httpd -DFOREGROUND
           ├─94670 /usr/sbin/httpd -DFOREGROUND
           ├─94671 /usr/sbin/httpd -DFOREGROUND
           ├─94672 /usr/sbin/httpd -DFOREGROUND
           ├─94673 /usr/sbin/httpd -DFOREGROUND
           ├─94674 /usr/sbin/httpd -DFOREGROUND
           └─94986 /usr/sbin/httpd -DFOREGROUND

Sep 20 15:37:52 overcloud-controller-0 systemd[1]: Starting The Apache HTTP Server...
Sep 20 15:38:01 overcloud-controller-0 python[94380]: Compressing... done
Sep 20 15:38:01 overcloud-controller-0 python[94380]: Compressed 5 block(s) from 3 template(s) for 1 context(s).
Sep 20 15:38:01 overcloud-controller-0 systemd[1]: Started The Apache HTTP Server.
[heat-admin@overcloud-controller-0 ~]$ sudo getenforce
Enforcing

Comment 3 Alan Pevec 2017-09-21 12:53:07 UTC
I guess "without tls_everywhere" services are not running in httpd?

Comment 4 Lon Hohberger 2017-09-21 12:53:23 UTC

*** This bug has been marked as a duplicate of bug 1489863 ***

Comment 5 Artem Hrechanychenko 2017-09-21 15:23:48 UTC
Created attachment 1329048
audit.log

Comment 6 Artem Hrechanychenko 2017-09-21 15:31:18 UTC
[stack@undercloud-0 ~]$ ssh heat-admin.24.8 "rpm -q openstack-selinux"
openstack-selinux-0.8.9-0.1.el7ost.noarch

Comment 7 Artem Hrechanychenko 2017-09-21 15:31:47 UTC
Created attachment 1329051
audit.log

Comment 8 Lon Hohberger 2017-09-21 15:38:09 UTC
This is the old package - I'll have to build a new one so that we can deploy properly without manual workarounds.

