1572143 – Upgrading undercloud from OSP12 to OSP13 fails when SSH directory SELinux contexts need correction

Bug 1572143 - Upgrading undercloud from OSP12 to OSP13 fails when SSH directory SELinux contexts need correction

Summary: Upgrading undercloud from OSP12 to OSP13 fails when SSH directory SELinux con...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	instack-undercloud
Sub Component:
Version:	13.0 (Queens)
Hardware:	Unspecified
OS:	Unspecified
Priority:	urgent
Severity:	urgent
Target Milestone:	beta
Target Release:	13.0 (Queens)
Assignee:	Jose Luis Franco
QA Contact:	Yurii Prokulevych
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2018-04-26 09:30 UTC by Andrew Austin
Modified:	2018-06-27 13:55 UTC (History)
CC List:	10 users (show)
Fixed In Version:	instack-undercloud-8.4.1-4.el7ost
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2018-06-27 13:53:50 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Launchpad	1767405	None	None	None	2018-04-27 15:24:00 UTC
OpenStack gerrit	565679	None	stable/queens: MERGED	instack-undercloud: Add sudo into instack's semanage call. (I994917e491d6f8b4141a3c332c79ed8e8ce8e64c)	2018-05-04 18:26:02 UTC
Red Hat Product Errata	RHEA-2018:2086	None	None	None	2018-06-27 13:55:07 UTC

Description Andrew Austin 2018-04-26 09:30:32 UTC

Description of problem:
During an undercloud upgrade from OSP12 to OSP13, instack-undercloud attempts to ensure SELinux contexts are correct on the stack user's SSH directory. If corrections are required, it attempts to execute semanage as the user running the 'openstack undercloud upgrade' command and not root. This fails with a permisson error.

Version-Release number of selected component (if applicable):
instack-undercloud-8.4.0-4

How reproducible:
Create a file with incorrect SELinux context in /home/stack/.ssh and attempt to upgrade an undercloud from Pike to Queens

Actual results:

The upgrade fails with a permission issue running semanage.

Expected results:

The SELinux context should be corrected automatically and the upgrade should succeed.

Additional info:

2018-04-26 08:51:45,091 ERROR: semanage failed: ValueError: SELinux policy is not managed or store cannot be accessed.

2018-04-26 08:51:45,093 DEBUG: An exception occurred
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/instack_undercloud/undercloud.py", line 2336, in install
    _post_config(instack_env, upgrade)
  File "/usr/lib/python2.7/site-packages/instack_undercloud/undercloud.py", line 2006, in _post_config
    _ensure_ssh_selinux_permission()
  File "/usr/lib/python2.7/site-packages/instack_undercloud/undercloud.py", line 1667, in _ensure_ssh_selinux_permission
    _run_command(cmd)
  File "/usr/lib/python2.7/site-packages/instack_undercloud/undercloud.py", line 642, in _run_command
    env=env).decode('utf-8')
  File "/usr/lib64/python2.7/subprocess.py", line 575, in check_output
    raise CalledProcessError(retcode, cmd, output=output)
CalledProcessError: Command '['semanage', 'fcontext', '-a', '-t', 'ssh_home_t', '/home/stack/.ssh(/.*)?']' returned non-zero exit status 1
2018-04-26 08:51:45,099 ERROR: 
#############################################################################
Undercloud upgrade failed.

Reason: Command '['semanage', 'fcontext', '-a', '-t', 'ssh_home_t', '/home/stack/.ssh(/.*)?']' returned non-zero exit status 1

See the previous output for details about what went wrong.  The full install
log can be found at /home/stack/.instack/install-undercloud.log.

#############################################################################

Comment 8 Yurii Prokulevych 2018-05-29 07:01:38 UTC

Verified with instack-undercloud-8.4.1-4.el7ost.noarch and next files:

[stack@undercloud-0 ~ (undercloud-13-TLV)]$ ls -lZ .ssh/
-rw-------. stack stack unconfined_u:object_r:ssh_home_t:s0 authorized_keys
-rw-------. stack stack unconfined_u:object_r:ssh_home_t:s0 config
-rw-------. stack stack unconfined_u:object_r:ssh_home_t:s0 id_rsa
-rw-------. stack stack system_u:object_r:tmp_t:s0       id_rsa_overcloud
-rw-r--r--. stack stack unconfined_u:object_r:ssh_home_t:s0 id_rsa.pub


openstack undercloud upgrade
...

#######################################################
Undercloud upgrade complete.

The file containing this installation's passwords is at
/home/stack/undercloud-passwords.conf.

Comment 12 errata-xmlrpc 2018-06-27 13:53:50 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:2086

Note You need to log in before you can comment on or make changes to this bug.