Bug 1769737 - openstack overcloud node import fails when undercloud.conf is a symlink
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo-heat-templates
Version: 15.0 (Stein)
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: urgent
Target Milestone: ---
Assignee: Cédric Jeanneret
QA Contact: Sasha Smolyak
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-11-07 10:37 UTC by David Juran
Modified: 2020-03-05 12:00 UTC

Fixed In Version: openstack-tripleo-heat-templates-10.6.2-0.20191025110436.3d1afba.el8ost
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-03-05 12:00:28 UTC
Target Upstream Version:
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
OpenStack gerrit | 693334 | 0 | None | MERGED | Simplify and correct how we provide the undercloud.conf to mistral | 2019-12-06 08:14:11 UTC
Red Hat Product Errata | RHBA-2020:0643 | 0 | None | None | None | 2020-03-05 12:00:59 UTC

Description David Juran 2019-11-07 10:37:20 UTC
Description of problem:
In order to version-control my undercloud.conf, I moved it into a git repository:

ls -l 
undercloud.conf -> osp15-hackfest-emea/multiceph/undercloud/undercloud.conf

With this setting and selinux in enforcing mode, the "openstack overcloud node import" hangs indefinitely without any error messages.

[root@undercloud stdouts]# grep -i denied /var/log/audit/audit.log | grep -vi dbus
type=AVC msg=audit(1573121971.310:118287): avc:  denied  { read } for  pid=952615 comm="python" name="undercloud.conf" dev="vda1" ino=184616051 scontext=system_u:system_r:container_t:s0:c782,c866 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1573121971.310:118287): avc:  denied  { open } for  pid=952615 comm="python" path="/var/lib/undercloud.conf" dev="vda1" ino=184616051 scontext=system_u:system_r:container_t:s0:c782,c866 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1573121971.310:118288): avc:  denied  { ioctl } for  pid=952615 comm="python" path="/var/lib/undercloud.conf" dev="vda1" ino=184616051 ioctlcmd=0x5401 scontext=system_u:system_r:container_t:s0:c782,c866 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1573121971.311:118289): avc:  denied  { relabelto } for  pid=952615 comm="python" name="undercloud.conf" dev="vda1" ino=205697520 scontext=system_u:system_r:container_t:s0:c782,c866 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1573121971.311:118290): avc:  denied  { setattr } for  pid=952615 comm="python" name="undercloud.conf" dev="vda1" ino=205697520 scontext=system_u:system_r:container_t:s0:c782,c866 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1

Changing the selinux context of the link target worked around the issue:


[root@undercloud stdouts]# chcon -t container_file_t /home/stack/osp15-hackfest-emea/multiceph/undercloud/undercloud.conf

version:
openstack-tripleo-heat-templates-10.6.2-0.20191102040438.83bd596.el8ost.noarch

Comment 1 David Juran 2019-11-07 10:45:25 UTC
This looks wrong:

[root@undercloud openstack-tripleo-heat-templates]# ls -lZ /var/lib/mistral/undercloud.conf 
-rw-r--r--. 1 42430 42430 unconfined_u:object_r:user_home_t:s0 15543 Nov  6 08:16 /var/lib/mistral/undercloud.conf

Comment 2 Cédric Jeanneret 2019-11-07 10:50:29 UTC
Just missing a backport.

Comment 4 Cédric Jeanneret 2020-01-06 15:30:29 UTC
This was verified on site.

Comment 6 errata-xmlrpc 2020-03-05 12:00:28 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0643
