Bug 1626070 - [Ceph-Ansible] Ansible Playbook fails during Ceph NFS installation
Summary: [Ceph-Ansible] Ansible Playbook fails during Ceph NFS installation
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Ceph Storage
Classification: Red Hat Storage
Component: Ceph-Ansible
Version: 3.1
Hardware: Unspecified
OS: Unspecified
high
urgent
Target Milestone: z1
: 3.1
Assignee: Guillaume Abrioux
QA Contact: Persona non grata
URL:
Whiteboard:
Depends On:
Blocks: 1578730
TreeView+ depends on / blocked
 
Reported: 2018-09-06 14:06 UTC by Sidhant Agrawal
Modified: 2018-11-09 01:00 UTC (History)
14 users (show)

Fixed In Version: RHEL: ceph-ansible-3.1.7-1.rc3.el7cp Ubuntu: ceph-ansible_3.1.7-2redhat1xenial
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-11-09 00:59:32 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github ceph ceph-ansible pull 3114 0 None closed nfs: ignore error on semanage command for ganesha_t 2020-04-29 02:38:31 UTC
Github ceph ceph-ansible pull 3121 0 None closed Automatic backport of pull request #3114 2020-04-29 02:38:31 UTC
Red Hat Product Errata RHBA-2018:3530 0 None None None 2018-11-09 01:00:29 UTC

Description Sidhant Agrawal 2018-09-06 14:06:22 UTC
Description of problem:
The ansible playbook fails during the Ceph NFS installation in the following task :
TASK [ceph-nfs : run semanage permissive -a ganesha_t]

Version-Release number of selected component (if applicable):
ceph-ansible-3.1.2-1.el7cp.noarch
ansible-2.4.6.0-1.el7ae.noarch


How reproducible:


Steps to Reproduce:
1. Install Ceph NFS with ansible
2. Run the ansible-playbook


Actual results:
Ansible Playbook fails during Ceph NFS installation

Expected results:
Ansible Playbook should succeed and Ceph NFS should be installed.

Additional info:
TASK [ceph-nfs : run semanage permissive -a ganesha_t] ********************************************************************************************************
Thursday 06 September 2018  13:37:08 +0000 (0:00:05.039)       0:08:29.869 **** 
fatal: [magna060]: FAILED! => {"changed": false, "cmd": ["semanage", "permissive", "-a", "ganesha_t"], "delta": "0:00:00.229039", "end": "2018-09-06 13:37:07.733426", "failed": true, "msg": "non-zero return code", "rc": 1, "start": "2018-09-06 13:37:07.504387", "stderr": "ValueError: ganesha_t is not a domain type", "stderr_lines": ["ValueError: ganesha_t is not a domain type"], "stdout": "", "stdout_lines": []}
PLAY RECAP ****************************************************************************************************************************************************
magna060                   : ok=217  changed=12   unreachable=0    failed=1   


INSTALLER STATUS **********************************************************************************************************************************************
Install Ceph OSD            : Complete (0:02:41)
Install Ceph RGW            : Complete (0:02:18)
Install Ceph NFS            : In Progress (0:03:23)
        This phase can be restarted by running: roles/ceph-nfs/tasks/main.yml

Comment 3 Sidhant Agrawal 2018-09-06 14:12:42 UTC
How reproducible:
2 out of 4 test setup encountered this issue

Comment 6 Christina Meno 2018-09-06 18:38:03 UTC
This is not a bug.

[ubuntu@magna060 ~]$ yum info selinux-policy
Loaded plugins: fastestmirror, langpacks, priorities, product-id, search-disabled-repos, subscription-manager

Installed Packages
Name        : selinux-policy
Arch        : noarch
Version     : 3.13.1
Release     : 222.el7
Size        : 6.3 k
Repo        : installed
From repo   : rhel-7-server-htb-rpms
Summary     : SELinux policy configuration
URL         : http://oss.tresys.com/repos/refpolicy/
License     : GPLv2+
Description : SELinux Reference Policy - modular.
            : Based off of reference policy: Checked out revision  2.20091117

The currently installed selinux-policy package is a beta from RHEL 7.6. We will need to correct it but this invalidates the test against the currently supported platform RHEL-7.5

We checked the package and have observed changes to the ganesha domain. I will file a BZ to address that with selinux-policy 

for reference the correct package to test with is selinux-policy-3.13.1-192.el7

Comment 7 Boris Ranto 2018-09-11 19:59:14 UTC
We need to update our ansible scripts to support the policy changes made in RHEL 7.6. As of RHEL 7.6, the ganesha_t is no longer a domain type and so running the command that sets the domain as permissive fails there. The nfs.ganesha daemon will run unconfined in RHEL 7.6 instead -- this should be pretty much the same as making its domain permissive. We should be safe simply ignoring this failure in the ansible scripts (i.e. adding failed_when: false).

Comment 8 Ken Dreyer (Red Hat) 2018-09-18 17:49:08 UTC
this fix will be in the next upstream stable-3.1 release (v3.1.5)

Comment 12 errata-xmlrpc 2018-11-09 00:59:32 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3530


Note You need to log in before you can comment on or make changes to this bug.