Bug 1512796 - On manual installation of Gnocchi packages with the WSGI app, app.log is unwriteable and prevents services from functioning
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: documentation
Version: 11.0 (Ocata)
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: RHOS Documentation Team
QA Contact: RHOS Documentation Team
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2017-11-14 06:38 UTC by John Apple II
Modified: 2019-04-08 16:35 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-04-08 16:35:42 UTC
Target Upstream Version:
Embargoed:



Description John Apple II 2017-11-14 06:38:10 UTC
Description of problem:

  Gnocchi's openstack packages do not provide an SELinux policy fix to allow httpd to write to /var/log/gnocchi/app.log, causing an independent installation of Gnocchi (like a composable role) to fail for manual, RPM installations of OpenStack Platform.

Version-Release number of selected component (if applicable):

  OSP11 official repositories:
  - install gnocchi packages with version 3.1.10_2


How reproducible:

Install Gnocchi RPMs on a bare RHEL 7.4 host
Configure Gnocchi per your environment
Configure the WSGI app in Apache
Start the services
SELinux blocks access to /var/log/gnocchi/app.log from httpd


Steps to Reproduce:

1. Setup Repos and install packages
DB/NFS share boxes
yum install mariadb mariadb-server redis  python-redis.noarch nfs-utils nfs4-acl-tools MySql-python
Gnocchi boxes
yum install mariadb python-redis.noarch openstack-gnocchi\* mod_wsgi mod_ssl
2. Copy over Gnocchi configuration from controllers.
3. Reconfigure Gnocchi to use local redis and local mariadb server.

4. Pull Gnocchi configuration and redis configuration from Service Controllers: note we only require Gnocchi configurations, so only items out of /etc/gnocchi and /etc, respectively:
	* gnocchi.conf
			* [cors]
				* allowed_origin = *
				* allow_credentials = false
			* [indexer]
				* url = mysql+pymysql://gnocchi:password.3.4/gnocchi?bind_address=
			* [storage]
				* coordination_url = redis://:password.3.4:6379/
			* [statsd]
				* resource_id = <ID>
				* user_id = <ID>
				* project_id = <ID>
				* archive_policy_name = low
				* flush_delay = 10
			* [keystone_authtoken] (oslo middleware - not gnocchi-specific, but still in this file)
				* auth_uri=http://192.0.2.2:35357/v2.0
				* auth_url=http://192.0.2.2:35357
				* username=gnocchi
				* password=gnocchipassword_devel
				* project_domain_name=Default
				* project_name=project
				* auth_type=password
				* user_domain_name=Default
				* service_token_roles_required=True
	* redis.conf
5. Setup the logins for mysql and redis (see gnocchi.conf for values above)
	a. Setup the gnocchi user for mysql
		1. create user gnocchi@'%' identified by 'password';
		2. grant all privileges on gnocchi.* to gnocchi@'%';
	b. Setup the redis master password
	c. Setup the URIs/URLs in the gnocchi.conf file.
7. Make sure requirepass and masterauth are both set for the same password in redis.conf
8. Copy the wsgi for this gnocchi version into cgi-bin/gnocchi
	a. cp /usr/lib/python2.7/site-packages/gnocchi/rest/app.wsgi /var/www/cgi-bin/gnocchi/app
	b. Setup the conf.d - make sure there's a listen on the external IP + port at the top of the file, and fix the IP and the hostname
9. Give httpd access to port 8041 to bind via selinux
	a. setsebool -P httpd_can_network_connect 1
	b. setsebool -P httpd_execmem 1
	c. setsebool -P httpd_use_openstack 1
	d. semanage port -a -t http_port_t --proto tcp 8041
	e. Give httpd permissions to write metrics to the NFS share:
		1. semanage fcontext -a -t httpd_sys_rw_content_t '/var/lib/gnocchi(/.*)?'

10. Confirm that the NFS mount on /var/lib/gnocchi for the shared metrics is available, and then start httpd, openstack-gnocchi-statsd, and openstack-gnocchi-metricd

11. Make calls against the Gnocchi APIs using the proper Keystone credentials.




Actual results:

/var/log/httpd/httpd_gnocchi_wsgi_error.log shows errors to the effect that /var/log/gnocchi/app.log cannot be accessed with "permission denied"

/var/log/gnocchi/app.log is empty.



Expected results:

/var/log/gnocchi/app.log should be accessible to the gnocchi-owned httpd processes 



Additional info:

This is being done as a manual extension of Gnocchi out of the Controller nodes using the RPM installations.

I installed setools-console and setroubleshoot, and checking logs using sealert -a /var/log/audit/audit.log showed that the reason the permission denied errors were happening is that httpd_t is denied access to var_log_t.

In order to test, I disabled SELinux and restarted the processes, and then all tests succeeded.
I then re-enabled SELinux and, using the 2 commands from sealert to update the policy, restarted again, and the tests succeeded.

So, it appears to specifically be SELinux policy that prevents the WSGI app for Gnocchi from reaching the log file for Gnocchi - and I believe that the solution is to update the SELinux policy so that SELinux can be used with the manual install of Gnocchi on an independent host.

Also, I note that there is an OpenStack SELinux RPM, but none of the Gnocchi RPMs are dependent on it, so it is not installed.
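An added triage helper, not part of the bug report or of the Gnocchi/OSP packages, that reads audit.log AVC records of the kind sealert surfaced here (httpd_t denied on a var_log_t file, or the port bind from step 9) and prints the narrowest SELinux fix for each instead of a blanket audit2allow module. The sample records are constructed; /var/log/gnocchi as the log directory and the httpd_log_t label for it are assumptions about this deployment.

```shell
#!/bin/sh
# Added example (not from the bug report or the Gnocchi/OSP packages): triage
# AVC records of the kind sealert showed here and print the narrowest fix.
# Sample records are constructed; /var/log/gnocchi and the httpd_log_t label
# are assumptions about this deployment.

SAMPLE_AVC='type=AVC msg=audit(1510641900.123:456): avc:  denied  { write } for  pid=12345 comm="httpd" name="app.log" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1510641900.456:457): avc:  denied  { name_bind } for  pid=12346 comm="httpd" src=8041 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1510641900.123:456): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"'

# avc_field RECORD KEY: the SELinux type out of scontext=/tcontext=,
# or the bare value of any other key=value field.
avc_field() {
    case $2 in
        scontext|tcontext) printf '%s\n' "$1" | sed -n "s/.*$2=[^:]*:[^:]*:\([^:]*\):.*/\1/p" ;;
        *)                 printf '%s\n' "$1" | sed -n "s/.*$2=\([^ ]*\).*/\1/p" ;;
    esac
}

# classify_avc RECORD: prints "relabel:<cmd>", "port:<cmd>" or "review:<why>".
# Returns 1 for records that are not AVC denials, 2 when a human must decide.
classify_avc() {
    case $1 in *"avc:  denied"*) ;; *) return 1 ;; esac
    sctx=$(avc_field "$1" scontext)
    tctx=$(avc_field "$1" tcontext)
    tclass=$(avc_field "$1" tclass)
    if [ "$sctx" = httpd_t ] && [ "$tctx" = var_log_t ] && [ "$tclass" = file ]; then
        # Relabel just the app log so httpd_t may write it, rather than an
        # audit2allow module that opens every var_log_t file to httpd_t.
        echo "relabel:semanage fcontext -a -t httpd_log_t '/var/log/gnocchi(/.*)?' && restorecon -Rv /var/log/gnocchi"
        return 0
    fi
    if [ "$sctx" = httpd_t ] && [ "$tclass" = tcp_socket ]; then
        # The bind denial from step 9 of the report: label the port, not the daemon.
        echo "port:semanage port -a -t http_port_t --proto tcp $(avc_field "$1" src)"
        return 0
    fi
    echo "review:$sctx denied on $tctx ($tclass); check with audit2allow -w before adding policy"
    return 2
}

# triage_log: feed audit.log (or 'ausearch -m AVC') on stdin through classify_avc.
triage_log() {
    while IFS= read -r rec; do classify_avc "$rec" || [ $? -eq 1 ]; done
}

printf '%s\n' "$SAMPLE_AVC" | triage_log
```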

Comment 4 John Apple II 2017-12-21 22:03:19 UTC
Sorry, forgot to tag that I had responded to the needinfo flag in Comment #2, relating to manual installations as supported in OSP 10 product documentation.

