Bug 1769737
| Summary: | openstack overcloud node import fails when undercloud.conf is a symlink | ||
|---|---|---|---|
| Product: | Red Hat OpenStack | Reporter: | David Juran <djuran> |
| Component: | openstack-tripleo-heat-templates | Assignee: | Cédric Jeanneret <cjeanner> |
| Status: | CLOSED ERRATA | QA Contact: | Sasha Smolyak <ssmolyak> |
| Severity: | urgent | Docs Contact: | |
| Priority: | urgent | ||
| Version: | 15.0 (Stein) | CC: | cjeanner, mburns |
| Target Milestone: | --- | Keywords: | Triaged, ZStream |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | openstack-tripleo-heat-templates-10.6.2-0.20191025110436.3d1afba.el8ost | Doc Type: | No Doc Update |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-03-05 12:00:28 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
This looks wrong: [root@undercloud openstack-tripleo-heat-templates]# ls -lZ /var/lib/mistral/undercloud.conf -rw-r--r--. 1 42430 42430 unconfined_u:object_r:user_home_t:s0 15543 Nov 6 08:16 /var/lib/mistral/undercloud.conf Just missing a backport. This was verified on site. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:0643 |
Description of problem: In order to version-control my undercloud.conf, I moved in into a git repository: ls -l undercloud.conf -> osp15-hackfest-emea/multiceph/undercloud/undercloud.conf With this setting and selinux in enforcing mode, the "openstack overcloud node import" hangs indefinitely without any error messages. [root@undercloud stdouts]# grep -i denied /var/log/audit/audit.log | grep -vi dbus type=AVC msg=audit(1573121971.310:118287): avc: denied { read } for pid=952615 comm="python" name="undercloud.conf" dev="vda1" ino=184616051 scontext=system_u:system_r:container_t:s0:c782,c866 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 type=AVC msg=audit(1573121971.310:118287): avc: denied { open } for pid=952615 comm="python" path="/var/lib/undercloud.conf" dev="vda1" ino=184616051 scontext=system_u:system_r:container_t:s0:c782,c866 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 type=AVC msg=audit(1573121971.310:118288): avc: denied { ioctl } for pid=952615 comm="python" path="/var/lib/undercloud.conf" dev="vda1" ino=184616051 ioctlcmd=0x5401 scontext=system_u:system_r:container_t:s0:c782,c866 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 type=AVC msg=audit(1573121971.311:118289): avc: denied { relabelto } for pid=952615 comm="python" name="undercloud.conf" dev="vda1" ino=205697520 scontext=system_u:system_r:container_t:s0:c782,c866 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 type=AVC msg=audit(1573121971.311:118290): avc: denied { setattr } for pid=952615 comm="python" name="undercloud.conf" dev="vda1" ino=205697520 scontext=system_u:system_r:container_t:s0:c782,c866 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 Changing the selinux context of the link target worked around the issue: [root@undercloud stdouts]# chcon -t container_file_t /home/stack/osp15-hackfest-emea/multiceph/undercloud/undercloud.conf version: openstack-tripleo-heat-templates-10.6.2-0.20191102040438.83bd596.el8ost.noarch