Bug 1572143 - Upgrading undercloud from OSP12 to OSP13 fails when SSH directory SELinux contexts need correction
Summary: Upgrading undercloud from OSP12 to OSP13 fails when SSH directory SELinux con...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: instack-undercloud
Version: 13.0 (Queens)
Hardware: Unspecified
OS: Unspecified
urgent
urgent
Target Milestone: beta
: 13.0 (Queens)
Assignee: Jose Luis Franco
QA Contact: Yurii Prokulevych
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-04-26 09:30 UTC by Andrew Austin
Modified: 2018-06-27 13:55 UTC (History)
10 users (show)

Fixed In Version: instack-undercloud-8.4.1-4.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-06-27 13:53:50 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Launchpad 1767405 None None None 2018-04-27 15:24:00 UTC
OpenStack gerrit 565679 None stable/queens: MERGED instack-undercloud: Add sudo into instack's semanage call. (I994917e491d6f8b4141a3c332c79ed8e8ce8e64c) 2018-05-04 18:26:02 UTC
Red Hat Product Errata RHEA-2018:2086 None None None 2018-06-27 13:55:07 UTC

Description Andrew Austin 2018-04-26 09:30:32 UTC
Description of problem:
During an undercloud upgrade from OSP12 to OSP13, instack-undercloud attempts to ensure SELinux contexts are correct on the stack user's SSH directory. If corrections are required, it attempts to execute semanage as the user running the 'openstack undercloud upgrade' command and not root. This fails with a permisson error.

Version-Release number of selected component (if applicable):
instack-undercloud-8.4.0-4

How reproducible:
Create a file with incorrect SELinux context in /home/stack/.ssh and attempt to upgrade an undercloud from Pike to Queens

Actual results:

The upgrade fails with a permission issue running semanage.

Expected results:

The SELinux context should be corrected automatically and the upgrade should succeed.

Additional info:

2018-04-26 08:51:45,091 ERROR: semanage failed: ValueError: SELinux policy is not managed or store cannot be accessed.

2018-04-26 08:51:45,093 DEBUG: An exception occurred
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/instack_undercloud/undercloud.py", line 2336, in install
    _post_config(instack_env, upgrade)
  File "/usr/lib/python2.7/site-packages/instack_undercloud/undercloud.py", line 2006, in _post_config
    _ensure_ssh_selinux_permission()
  File "/usr/lib/python2.7/site-packages/instack_undercloud/undercloud.py", line 1667, in _ensure_ssh_selinux_permission
    _run_command(cmd)
  File "/usr/lib/python2.7/site-packages/instack_undercloud/undercloud.py", line 642, in _run_command
    env=env).decode('utf-8')
  File "/usr/lib64/python2.7/subprocess.py", line 575, in check_output
    raise CalledProcessError(retcode, cmd, output=output)
CalledProcessError: Command '['semanage', 'fcontext', '-a', '-t', 'ssh_home_t', '/home/stack/.ssh(/.*)?']' returned non-zero exit status 1
2018-04-26 08:51:45,099 ERROR: 
#############################################################################
Undercloud upgrade failed.

Reason: Command '['semanage', 'fcontext', '-a', '-t', 'ssh_home_t', '/home/stack/.ssh(/.*)?']' returned non-zero exit status 1

See the previous output for details about what went wrong.  The full install
log can be found at /home/stack/.instack/install-undercloud.log.

#############################################################################

Comment 8 Yurii Prokulevych 2018-05-29 07:01:38 UTC
Verified with instack-undercloud-8.4.1-4.el7ost.noarch and next files:

[stack@undercloud-0 ~ (undercloud-13-TLV)]$ ls -lZ .ssh/
-rw-------. stack stack unconfined_u:object_r:ssh_home_t:s0 authorized_keys
-rw-------. stack stack unconfined_u:object_r:ssh_home_t:s0 config
-rw-------. stack stack unconfined_u:object_r:ssh_home_t:s0 id_rsa
-rw-------. stack stack system_u:object_r:tmp_t:s0       id_rsa_overcloud
-rw-r--r--. stack stack unconfined_u:object_r:ssh_home_t:s0 id_rsa.pub


openstack undercloud upgrade
...

#######################################################
Undercloud upgrade complete.

The file containing this installation's passwords is at
/home/stack/undercloud-passwords.conf.

Comment 12 errata-xmlrpc 2018-06-27 13:53:50 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:2086


Note You need to log in before you can comment on or make changes to this bug.