Description of problem:
Deployment with undercloud_ssl fails on: nova-api service failure: PAM account management error: Authentication service cannot retrieve authentication info

Version-Release number of selected component (if applicable):
2018-09-28.1

How reproducible:
always

Steps to Reproduce:
Deployment with undercloud_ssl

Actual results:
undercloud deployment fails

Expected results:
undercloud deployment succeeds

Additional info:
Nov 21 08:01:43 undercloud-0.redhat.local nova-api[29039]: 2018-11-21 08:01:43.636 29039 DEBUG oslo_concurrency.processutils [-] CMD "sudo nova-rootwrap /etc/nova/rootwrap.conf iptables-save -c" returned: 1 in 0.028s execute /usr/lib/python2.7/site-packages/oslo_concurrency
Nov 21 08:01:43 undercloud-0.redhat.local nova-api[29039]: 2018-11-21 08:01:43.637 29039 DEBUG oslo_concurrency.processutils [-] u'sudo nova-rootwrap /etc/nova/rootwrap.conf iptables-save -c' failed. Not Retrying. execute /usr/lib/python2.7/site-packages/oslo_concurrency/pr
Nov 21 08:01:43 undercloud-0.redhat.local nova-api[29039]: 2018-11-21 08:01:43.637 29039 DEBUG oslo_concurrency.lockutils [-] Lock "iptables" released by "nova.network.linux_net._apply" :: held 4.331s inner /usr/lib/python2.7/site-packages/oslo_concurrency/lockutils.py:265
Nov 21 08:01:43 undercloud-0.redhat.local nova-api[29039]: 2018-11-21 08:01:43.639 29039 CRITICAL nova [-] ProcessExecutionError: Unexpected error while running command.
Nov 21 08:01:43 undercloud-0.redhat.local nova-api[29039]: Command: sudo nova-rootwrap /etc/nova/rootwrap.conf iptables-save -c
Nov 21 08:01:43 undercloud-0.redhat.local nova-api[29039]: Exit code: 1
Nov 21 08:01:43 undercloud-0.redhat.local nova-api[29039]: Stdout: u''
Nov 21 08:01:43 undercloud-0.redhat.local nova-api[29039]: Stderr: u'sudo: PAM account management error: Authentication service cannot retrieve authentication info\n'
Nov 21 08:01:43 undercloud-0.redhat.local nova-api[29039]: 2018-11-21 08:01:43.639 29039 ERROR nova Traceback (most recent call last):
Nov 21 08:01:43 undercloud-0.redhat.local nova-api[29039]: 2018-11-21 08:01:43.639 29039 ERROR nova File "/usr/bin/nova-api", line 10, in <module>
Nov 21 08:01:43 undercloud-0.redhat.local nova-api[29039]: 2018-11-21 08:01:43.639 29039 ERROR nova sys.exit(main())
Nov 21 08:01:43 undercloud-0.redhat.local nova-api[29039]: 2018-11-21 08:01:43.639 29039 ERROR nova File "/usr/lib/python2.7/site-packages/nova/cmd/api.py", line 55, in main

[root@undercloud-0 ~]# rpm -qf /usr/lib/python2.7/site-packages/nova/cmd/api.py
sos reports are at: http://rhos-release.virt.bos.redhat.com/log/pkomarov_sosreports/BZ1652035/
sudo (and PAM) is clearly broken
Looks like an SELinux denial:

type=AVC msg=audit(1542809260.000:1407): avc: denied { execute } for pid=25419 comm="sudo" name="unix_chkpwd" dev="vda1" ino=4535567 scontext=system_u:system_r:nova_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file permissive=0

However sudo appears to be working for ironic-conductor.
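The AVC record quoted in the comment above can be broken into its fields to show which domain was denied which permission on which object. This is an added triage example, not part of the bug report or of any project's code; the function names `parse_avc` and `summarize` are hypothetical.

```python
import re

# AVC record copied unchanged from the comment above.
AVC_LINE = ('type=AVC msg=audit(1542809260.000:1407): avc: denied { execute } '
            'for pid=25419 comm="sudo" name="unix_chkpwd" dev="vda1" ino=4535567 '
            'scontext=system_u:system_r:nova_t:s0 '
            'tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file permissive=0')

AVC_RE = re.compile(r'type=AVC msg=audit\((?P<epoch>\d+)\.\d+:(?P<serial>\d+)\): '
                    r'avc:\s+denied\s+\{ (?P<perms>[^}]*)\} for\s+(?P<rest>.*)')


def parse_avc(line):
    """Return the fields of an AVC denial as a dict, or None if not a denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {'epoch': int(m.group('epoch')), 'serial': int(m.group('serial')),
           'perms': m.group('perms').split()}
    # The rest of the record is key=value pairs; some values are quoted.
    for key, value in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group('rest')):
        rec[key] = value.strip('"')
    # A context is user:role:type:level; type enforcement decides on the type.
    rec['source_type'] = rec['scontext'].split(':')[2]
    rec['target_type'] = rec['tcontext'].split(':')[2]
    # permissive=0 means the denial was enforced, not merely logged.
    rec['enforced'] = rec.get('permissive') == '0'
    return rec


def summarize(rec):
    """One-line triage summary: who was denied what, on which object."""
    mode = 'blocked' if rec['enforced'] else 'logged only (permissive)'
    return '%s running in %s was denied {%s} on %s "%s" (%s): %s' % (
        rec['comm'], rec['source_type'], ' '.join(rec['perms']),
        rec['tclass'], rec['name'], rec['target_type'], mode)


if __name__ == '__main__':
    print(summarize(parse_avc(AVC_LINE)))
```

For this record the summary shows sudo, running in the nova_t domain, being blocked from executing unix_chkpwd, which matches the PAM account management error in the nova-api log.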
The description implies that this issue only occurs when undercloud_ssl is enabled. Is that correct?
*** This bug has been marked as a duplicate of bug 1640528 ***