Bug 1652035 - deployment with undercloud_ssl fails on : sudo: PAM account management error: Authentication service cannot retrieve authentication info
Status: CLOSED DUPLICATE of bug 1640528
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: rhosp-director
Version: 8.0 (Liberty)
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ---
: ---
Assignee: RHOS Maint
QA Contact: Gurenko Alex
Blocks: 1651357
Reported: 2018-11-21 13:09 UTC by pkomarov
Modified: 2019-09-09 15:28 UTC (History)

Last Closed: 2018-11-23 16:14:33 UTC



Description pkomarov 2018-11-21 13:09:07 UTC
Description of problem:

Deployment with undercloud_ssl fails on: nova-api service failure: PAM account management error: Authentication service cannot retrieve authentication info

Version-Release number of selected component (if applicable):
2018-09-28.1

How reproducible:
always



Steps to Reproduce:
Deployment with undercloud_ssl

Actual results:
undercloud deployment fails

Expected results:
undercloud deployment succeeds 

Additional info:
Nov 21 08:01:43 undercloud-0.redhat.local nova-api[29039]: 2018-11-21 08:01:43.636 29039 DEBUG oslo_concurrency.processutils [-] CMD "sudo nova-rootwrap /etc/nova/rootwrap.conf iptables-save -c" returned: 1 in 0.028s execute /usr/lib/python2.7/site-packages/oslo_concurrency
Nov 21 08:01:43 undercloud-0.redhat.local nova-api[29039]: 2018-11-21 08:01:43.637 29039 DEBUG oslo_concurrency.processutils [-] u'sudo nova-rootwrap /etc/nova/rootwrap.conf iptables-save -c' failed. Not Retrying. execute /usr/lib/python2.7/site-packages/oslo_concurrency/pr
Nov 21 08:01:43 undercloud-0.redhat.local nova-api[29039]: 2018-11-21 08:01:43.637 29039 DEBUG oslo_concurrency.lockutils [-] Lock "iptables" released by "nova.network.linux_net._apply" :: held 4.331s inner /usr/lib/python2.7/site-packages/oslo_concurrency/lockutils.py:265
Nov 21 08:01:43 undercloud-0.redhat.local nova-api[29039]: 2018-11-21 08:01:43.639 29039 CRITICAL nova [-] ProcessExecutionError: Unexpected error while running command.
Nov 21 08:01:43 undercloud-0.redhat.local nova-api[29039]: Command: sudo nova-rootwrap /etc/nova/rootwrap.conf iptables-save -c
Nov 21 08:01:43 undercloud-0.redhat.local nova-api[29039]: Exit code: 1
Nov 21 08:01:43 undercloud-0.redhat.local nova-api[29039]: Stdout: u''
Nov 21 08:01:43 undercloud-0.redhat.local nova-api[29039]: Stderr: u'sudo: PAM account management error: Authentication service cannot retrieve authentication info\n'
Nov 21 08:01:43 undercloud-0.redhat.local nova-api[29039]: 2018-11-21 08:01:43.639 29039 ERROR nova Traceback (most recent call last):
Nov 21 08:01:43 undercloud-0.redhat.local nova-api[29039]: 2018-11-21 08:01:43.639 29039 ERROR nova   File "/usr/bin/nova-api", line 10, in <module>
Nov 21 08:01:43 undercloud-0.redhat.local nova-api[29039]: 2018-11-21 08:01:43.639 29039 ERROR nova     sys.exit(main())
Nov 21 08:01:43 undercloud-0.redhat.local nova-api[29039]: 2018-11-21 08:01:43.639 29039 ERROR nova   File "/usr/lib/python2.7/site-packages/nova/cmd/api.py", line 55, in main
[root@undercloud-0 ~]# rpm -qf /usr/lib/python2.7/site-packages/nova/cmd/api.py

Comment 1 pkomarov 2018-11-21 14:46:08 UTC
sos reports are at : 

http://rhos-release.virt.bos.redhat.com/log/pkomarov_sosreports/BZ1652035/

Comment 2 Ollie Walsh 2018-11-22 17:32:51 UTC
sudo (and PAM) is clearly broken

Comment 3 Ollie Walsh 2018-11-23 12:44:19 UTC
Looks like an selinux denial:
type=AVC msg=audit(1542809260.000:1407): avc:  denied  { execute } for  pid=25419 comm="sudo" name="unix_chkpwd" dev="vda1" ino=4535567 scontext=system_u:system_r:nova_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file permissive=0

However, sudo appears to be working for ironic-conductor.
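
A triage helper for the denial quoted in Comment 3, as an added example that is not part of the original bug report or of any Red Hat tooling: it parses raw AVC records and reports which SELinux source domains had sudo blocked from executing a chkpwd_exec_t file. The second sample record and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample input: the first record is the denial quoted in Comment 3;
# the second is a constructed, unrelated record that must not match.
SAMPLE_AUDIT = '''\
type=AVC msg=audit(1542809260.000:1407): avc:  denied  { execute } for  pid=25419 comm="sudo" name="unix_chkpwd" dev="vda1" ino=4535567 scontext=system_u:system_r:nova_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1542809261.000:1408): avc:  denied  { read } for  pid=25500 comm="httpd" name="example.conf" dev="vda1" ino=100 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
'''

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<epoch>\d+\.\d+):(?P<serial>\d+)\): '
    r'avc:\s+denied\s+\{ (?P<perms>[^}]*)\} for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one raw AVC denial line into a dict, or return None if it is not one."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec['perms'] = m.group('perms').split()
    rec['serial'] = int(m.group('serial'))
    # An SELinux context is user:role:type:level; the type is the third field.
    rec['sdomain'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec

def sudo_pam_helper_denials(text):
    """Map source domain -> audit serials where sudo was denied execute on chkpwd_exec_t."""
    hits = defaultdict(list)
    for line in text.splitlines():
        rec = parse_avc(line)
        # permissive=0 means the denial was enforced, not merely logged.
        if (rec and rec.get('comm') == 'sudo' and rec['ttype'] == 'chkpwd_exec_t'
                and 'execute' in rec['perms'] and rec.get('permissive') == '0'):
            hits[rec['sdomain']].append(rec['serial'])
    return dict(hits)

if __name__ == '__main__':
    for domain, serials in sudo_pam_helper_denials(SAMPLE_AUDIT).items():
        print(f'{domain}: sudo denied execute on chkpwd_exec_t (audit serials {serials})')
```

Grouping by source domain makes it easy to compare services on the same host: a domain absent from the result had no such enforced denial in the log that was parsed.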

Comment 4 Ollie Walsh 2018-11-23 13:04:30 UTC
The description implies that this issue only occurs when undercloud_ssl is enabled. Is that correct?

Comment 5 Ollie Walsh 2018-11-23 16:14:33 UTC

*** This bug has been marked as a duplicate of bug 1640528 ***

