Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1692462

Summary: [OSP15][SELinux issue] overcloud deploy fails connecting to localhost (undercloud) during initial setup
Product: Red Hat OpenStack
Reporter: Alistair Tonner <atonner>
Component: openstack-tripleo-common
Assignee: Emilien Macchi <emacchi>
Status: CLOSED ERRATA
QA Contact: Sasha Smolyak <ssmolyak>
Severity: high
Priority: high
Version: 15.0 (Stein)
CC: emacchi, jcoufal, jpichon, mburns, ohochman, sasha, sclewis, slinaber
Target Milestone: beta
Keywords: Triaged
Target Release: 15.0 (Stein)
Hardware: Unspecified
OS: Linux
Fixed In Version: openstack-tripleo-common-10.7.1-0.20190509140420.e46da94.el8ost
Doc Type: No Doc Update
Last Closed: 2019-09-21 11:20:58 UTC
Type: Bug
Attachments: shell script to deploy openstack nodes in virt env. (flags: none)

Description Alistair Tonner 2019-03-25 16:28:43 UTC
Description of problem:
  
   Overcloud deploy fails to connect to localhost (undercloud)


Version-Release number of selected component (if applicable):

RHEL8
RHOS_TRUNK-15.0-RHEL-8-20190320.n.1

ansible-role-tripleo-modify-image.noarch      1.0.1-0.20190226075404.9014df9.el8ost                @rhelosp-15.0-trunk
ansible-tripleo-ipsec.noarch                  9.0.1-0.20190220162047.f60ad6c.el8ost                @rhelosp-15.0-trunk
openstack-tripleo-common.noarch               10.6.1-0.20190320113112.01b56d0.el8ost               @rhelosp-15.0-trunk
openstack-tripleo-common-containers.noarch    10.6.1-0.20190320113112.01b56d0.el8ost               @rhelosp-15.0-trunk
openstack-tripleo-heat-templates.noarch       10.3.1-0.20190318140159.cbe8724.el8ost               @rhelosp-15.0-trunk
openstack-tripleo-image-elements.noarch       10.3.1-0.20190319120806.1bde610.el8ost               @rhelosp-15.0-trunk
openstack-tripleo-puppet-elements.noarch      10.2.1-0.20190319120806.7903181.el8ost               @rhelosp-15.0-trunk
openstack-tripleo-validations.noarch          10.2.1-0.20190218150113.e6490b3.el8ost               @rhelosp-15.0-trunk
puppet-tripleo.noarch                         10.3.1-0.20190320122508.c9d107c.el8ost               @rhelosp-15.0-trunk
python3-tripleo-common.noarch                 10.6.1-0.20190320113112.01b56d0.el8ost               @rhelosp-15.0-trunk
python3-tripleoclient.noarch                  11.3.1-0.20190319125100.23e610c.el8ost               @rhelosp-15.0-trunk
python3-tripleoclient-heat-installer.noarch   11.3.1-0.20190319125100.23e610c.el8ost               @rhelosp-15.0-trunk

How reproducible:

Deploy openstack with attached script:



Actual results:

Using /var/lib/mistral/overcloud/ansible.cfg as config file
/var/lib/mistral/overcloud/tripleo-ansible-inventory.yaml did not meet host_list requirements, check plugin documentation if this is unexpected
/var/lib/mistral/overcloud/tripleo-ansible-inventory.yaml did not meet script requirements, check plugin documentation if this is unexpected

PLAY [Gather facts from undercloud] ********************************************

TASK [Gathering Facts] *********************************************************
Monday 25 March 2019  15:14:50 +0000 (0:00:00.038)       0:00:00.039 **********
fatal: [undercloud]: UNREACHABLE! => {"changed": false, "msg": "SSH Error: data could not be sent to remote host \"localhost\". Make sure this host can be reached over ssh", "unreachable": true}


PLAY RECAP *********************************************************************
undercloud                 : ok=0    changed=0    unreachable=1    failed=0



Expected results:

  Overcloud deploys successfully


Additional info:


   Reviewed ansible config: only overcloud nodes had the id created and the public key laid down; undercloud-0 (localhost) has an account for tripleo-admin but DOES NOT have ~/tripleo-admin/.ssh/authorized_keys with the appropriate public key entry.

Comment 1 Alistair Tonner 2019-03-25 16:30:33 UTC
Created attachment 1547761
shell script to deploy openstack nodes in virt env.

Comment 2 Alistair Tonner 2019-03-25 17:54:38 UTC
Mar 25 15:14:51 undercloud-0 setroubleshoot[189769]: SELinux is preventing /usr/sbin/sshd from read access on the file authorized_keys. For complete SELinux messages run: sealert -l 6136b2de-f3d8-429a-80d2-1f5d7dc83a35
Mar 25 15:14:51 undercloud-0 platform-python[189769]: SELinux is preventing /usr/sbin/sshd from read access on the file authorized_keys.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that sshd should be allowed read access on the authorized_keys file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'sshd' --raw | audit2allow -M my-sshd#012# semodule -X 300 -i my-sshd.pp#012
Mar 25 15:14:51 undercloud-0 setroubleshoot[189769]: SELinux is preventing /usr/sbin/sshd from read access on the file authorized_keys. For complete SELinux messages run: sealert -l 6136b2de-f3d8-429a-80d2-1f5d7dc83a35
Mar 25 15:14:51 undercloud-0 platform-python[189769]: SELinux is preventing /usr/sbin/sshd from read access on the file authorized_keys.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that sshd should be allowed read access on the authorized_keys file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'sshd' --raw | audit2allow -M my-sshd#012# semodule -X 300 -i my-sshd.pp#012
Mar 25 15:14:52 undercloud-0 setroubleshoot[189769]: SELinux is preventing /usr/sbin/sshd from read access on the file authorized_keys. For complete SELinux messages run: sealert -l 6136b2de-f3d8-429a-80d2-1f5d7dc83a35
Mar 25 15:14:52 undercloud-0 platform-python[189769]: SELinux is preventing /usr/sbin/sshd from read access on the file authorized_keys.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that sshd should be allowed read access on the authorized_keys file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'sshd' --raw | audit2allow -M my-sshd#012# semodule -X 300 -i my-sshd.pp#012


This appears to be an SELinux issue.
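
Added example (not part of the original comments or of the tripleo code): a small Python triage helper for setroubleshoot syslog lines like those quoted in comment 2. It decodes the #012 newline escapes, counts each denial once, and lists the commands setroubleshoot proposes so they can be reviewed before anything is loaded into policy. The sample log is constructed from the lines above with the plugin text shortened and one unrelated sshd line added; the function names are illustrative.

```python
import re
from collections import Counter

# Constructed sample in the shape of the lines quoted in comment 2.
SAMPLE_LOG = """\
Mar 25 15:14:51 undercloud-0 setroubleshoot[189769]: SELinux is preventing /usr/sbin/sshd from read access on the file authorized_keys. For complete SELinux messages run: sealert -l 6136b2de-f3d8-429a-80d2-1f5d7dc83a35
Mar 25 15:14:51 undercloud-0 platform-python[189769]: SELinux is preventing /usr/sbin/sshd from read access on the file authorized_keys.#012#012*****  Plugin catchall (100. confidence) suggests   ***#012#012# ausearch -c 'sshd' --raw | audit2allow -M my-sshd#012# semodule -X 300 -i my-sshd.pp#012
Mar 25 15:14:52 undercloud-0 setroubleshoot[189769]: SELinux is preventing /usr/sbin/sshd from read access on the file authorized_keys. For complete SELinux messages run: sealert -l 6136b2de-f3d8-429a-80d2-1f5d7dc83a35
Mar 25 15:14:52 undercloud-0 sshd[189800]: Connection closed by 127.0.0.1 port 40000 [preauth]
"""

DENIAL = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) (?P<tag>[\w.-]+)\[\d+\]: "
    r"SELinux is preventing (?P<source>\S+) from (?P<perm>.+?) access on the "
    r"(?P<tclass>\w+) (?P<target>.+?)\.(?: |#012|$)"
)
SEALERT_ID = re.compile(r"sealert -l ([0-9a-f-]{36})")


def decode_syslog_escapes(text):
    """Turn rsyslog control-character escapes such as #012 back into characters."""
    return re.sub(r"#([0-3][0-7]{2})", lambda m: chr(int(m.group(1), 8)), text)


def summarize_denials(log_text):
    """Return (Counter of denials, set of sealert ids, list of suggested commands)."""
    counts, alert_ids, suggested = Counter(), set(), []
    for line in log_text.splitlines():
        m = DENIAL.match(line)
        if not m:
            continue  # not a setroubleshoot denial summary
        key = (m["host"], m["source"], m["perm"], m["tclass"], m["target"])
        ids = SEALERT_ID.findall(line)
        if ids:
            # Short form carries the sealert id; count the alert here only,
            # because the long form repeats the same alert.
            counts[key] += 1
            alert_ids.update(ids)
        else:
            # Long form: newlines arrive as "#012"; rows starting with "# "
            # are the commands setroubleshoot proposes.
            for row in decode_syslog_escapes(line).splitlines():
                if row.startswith("# ") and row[2:] not in suggested:
                    suggested.append(row[2:])
    return counts, alert_ids, suggested


if __name__ == "__main__":
    denials, ids, commands = summarize_denials(SAMPLE_LOG)
    for key, n in denials.items():
        print(n, key)
    print(sorted(ids), commands)
```
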

Comment 3 Marius Cornea 2019-03-25 19:21:10 UTC
I've hit this while trying to deploy OpenShift as well - https://bugzilla.redhat.com/show_bug.cgi?id=1691565#c2. There's an ongoing patch that should address this issue.

Comment 4 Alistair Tonner 2019-03-27 12:57:41 UTC
Marius: 
   Thanks, I patched deployment from the https://review.openstack.org/#/c/638323/ and this appears to solve this issue - I note that tripleo-common/tests/test-inventory.py does not exist in my deployment.

Comment 5 Alistair Tonner 2019-04-05 13:46:49 UTC
I can confirm that I no longer hit this issue after https://review.openstack.org/#/c/638323/  was merged.

Comment 13 errata-xmlrpc 2019-09-21 11:20:58 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2019:2811