Bug 826674 - [abrt] openstack-glance-2012.1-4.fc17: client.py:549:_do_request:ServerError: The request returned 500 Internal Server Error
Summary: [abrt] openstack-glance-2012.1-4.fc17: client.py:549:_do_request:ServerError:...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 17
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
URL:
Whiteboard: abrt_hash:34cb03fcfec31b3543efbc5ea91...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-05-30 18:16 UTC by David Busby
Modified: 2012-06-17 00:05 UTC (History)
15 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2012-06-17 00:05:02 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)
File: backtrace (8.99 KB, text/plain)
2012-05-30 18:16 UTC, David Busby 		no flags Details
View All

Description David Busby 2012-05-30 18:16:36 UTC 
libreport version: 2.0.10
abrt_version:   2.0.10
cmdline:        /usr/bin/python /usr/bin/glance --debug index
executable:     /usr/bin/glance
kernel:         3.3.7-1.fc16.x86_64
time:           Wed 30 May 2012 07:09:12 PM BST
uid:            1000
username:       david

backtrace:      Text file, 9207 bytes

comment:
:working through the http://fedoraproject.org/wiki/Getting_started_with_OpenStack_on_Fedora_17 page, glance seems to have issues communicating back with keystone
:
:glance/registry.log
:---
:2012-05-30 19:09:11 11131    ERROR [keystone.middleware.auth_token] HTTP connection exception: [Errno 13] EACCES
:2012-05-30 19:09:11 11131 CRITICAL [keystone.middleware.auth_token] Unable to obtain admin token: Unable to communicate with keystone
:---
Comment 1 David Busby 2012-05-30 18:16:43 UTC 
Created attachment 587796 [details]
File: backtrace
Comment 2 David Busby 2012-05-30 18:50:06 UTC 
I've been doing some futher investgaiton and I can say this is due to selinux,

$> sudo setenforce 0
$> glance index
$>

---
    type=AVC msg=audit(1338399689.454:257): avc: denied { read } for pid=7917 comm="sh" name="passwd" dev="dm-2" ino=163629 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
    type=AVC msg=audit(1338399689.461:258): avc: denied { read } for pid=7920 comm="sh" name="passwd" dev="dm-2" ino=163629 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
    type=AVC msg=audit(1338399689.493:259): avc: denied { execute } for pid=7926 comm="glance-registry" name="bash" dev="dm-2" ino=268049 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
    type=AVC msg=audit(1338399689.494:260): avc: denied { execute } for pid=7928 comm="glance-registry" name="bash" dev="dm-2" ino=268049 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
    type=AVC msg=audit(1338399689.496:261): avc: denied { execute } for pid=7929 comm="glance-registry" name="bash" dev="dm-2" ino=268049 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
    type=AVC msg=audit(1338399689.498:262): avc: denied { execute } for pid=7930 comm="glance-registry" name="bash" dev="dm-2" ino=268049 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
    type=AVC msg=audit(1338400844.863:552): avc: denied { read } for pid=10772 comm="sh" name="passwd" dev="dm-2" ino=163629 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
    type=AVC msg=audit(1338400844.869:553): avc: denied { read } for pid=10774 comm="sh" name="passwd" dev="dm-2" ino=163629 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
    type=AVC msg=audit(1338400844.996:554): avc: denied { execute } for pid=10784 comm="glance-registry" name="bash" dev="dm-2" ino=268049 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
    type=AVC msg=audit(1338400844.998:555): avc: denied { execute } for pid=10785 comm="glance-registry" name="bash" dev="dm-2" ino=268049 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
    type=AVC msg=audit(1338400845.001:556): avc: denied { execute } for pid=10786 comm="glance-registry" name="bash" dev="dm-2" ino=268049 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
    type=AVC msg=audit(1338400845.005:557): avc: denied { execute } for pid=10788 comm="glance-registry" name="bash" dev="dm-2" ino=268049 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
    type=AVC msg=audit(1338400852.211:558): avc: denied { name_connect } for pid=10771 comm="glance-registry" dest=35357 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
    type=AVC msg=audit(1338400946.881:610): avc: denied { read } for pid=11132 comm="sh" name="passwd" dev="dm-2" ino=163629 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
    type=AVC msg=audit(1338400946.887:611): avc: denied { read } for pid=11135 comm="sh" name="passwd" dev="dm-2" ino=163629 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file
    type=AVC msg=audit(1338400947.013:612): avc: denied { execute } for pid=11145 comm="glance-registry" name="bash" dev="dm-2" ino=268049 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
    type=AVC msg=audit(1338400947.020:613): avc: denied { execute } for pid=11146 comm="glance-registry" name="bash" dev="dm-2" ino=268049 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
    type=AVC msg=audit(1338400947.022:614): avc: denied { execute } for pid=11149 comm="glance-registry" name="bash" dev="dm-2" ino=268049 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
    type=AVC msg=audit(1338400947.024:615): avc: denied { execute } for pid=11150 comm="glance-registry" name="bash" dev="dm-2" ino=268049 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
    type=AVC msg=audit(1338400963.049:616): avc: denied { name_connect } for pid=11131 comm="glance-registry" dest=35357 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
    type=AVC msg=audit(1338401351.939:625): avc: denied { name_connect } for pid=11131 comm="glance-registry" dest=35357 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
    type=AVC msg=audit(1338402425.722:633): avc: denied { name_connect } for pid=11131 comm="glance-registry" dest=35357 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
    type=AVC msg=audit(1338402829.487:634): avc: denied { name_connect } for pid=11131 comm="glance-registry" dest=35357 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
    type=AVC msg=audit(1338402880.130:635): avc: denied { name_connect } for pid=11131 comm="glance-registry" dest=35357 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
    type=AVC msg=audit(1338403413.798:647): avc: denied { name_connect } for pid=11131 comm="glance-registry" dest=35357 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
    type=AVC msg=audit(1338403483.311:664): avc: denied { name_connect } for pid=11131 comm="glance-registry" dest=35357 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
    type=AVC msg=audit(1338403496.166:670): avc: denied { name_connect } for pid=11131 comm="glance-registry" dest=35357 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
    type=AVC msg=audit(1338403565.434:676): avc: denied { name_connect } for pid=11131 comm="glance-registry" dest=35357 scontext=system_u:system_r:glance_registry_t:s0 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
---

will run it through audit2allow to generate polcies and update this ticket with the result shortly
Comment 3 David Busby 2012-05-30 19:12:19 UTC 
---
grep glance /var/log/audit/audit.log | grep denied | audit2allow 
WARNING: Policy would be downgraded from version 27 to 26.


#============= glance_api_t ==============
allow glance_api_t passwd_file_t:file read;

#============= glance_registry_t ==============
allow glance_registry_t ephemeral_port_t:tcp_socket name_connect;
allow glance_registry_t shell_exec_t:file execute;


 grep glance /var/log/audit/audit.log | grep denied | audit2allow -M openstack-glance
WARNING: Policy would be downgraded from version 27 to 26.
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i openstack-glance.pp


semodule -i openstack-glance.pp
---

This resolves the immediate issue, however I do not know enough about SELinux at this time to interpret the Warning message about the downgrade, I can however confirm going through this process allows glance index to function.
Comment 4 Daniel Walsh 2012-06-04 15:44:09 UTC 
Fixed in selinux-policy-3.10.0-129.fc17
Comment 5 Fedora Update System 2012-06-11 21:03:13 UTC 
selinux-policy-3.10.0-130.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-130.fc17
Comment 6 Fedora Update System 2012-06-16 00:00:07 UTC 
Package selinux-policy-3.10.0-130.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-130.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-9520/selinux-policy-3.10.0-130.fc17
then log in and leave karma (feedback).
Comment 7 Fedora Update System 2012-06-17 00:05:02 UTC 
selinux-policy-3.10.0-130.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.