[Train][CentOS7] Packstack deployment fails while starting httpd with SELINUX enabled

Bug #1923005 reported by yatin
Affects: Packstack | Status: Triaged | Importance: High | Assigned to: Unassigned | Milestone: none

Bug Description

Packstack Deployment on CentOS7 with selinux enabled fails with:-
PuppetError: Error appeared during Puppet run: 192.168.100.178_controller.pp
Error: Systemd start for httpd failed!

httpd service log states:-
 (13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:8774
  httpd[1569]: no listening sockets available, shutting down

AVC denied audit log:-
type=AVC msg=audit(1617806051.956:10123): avc: denied { name_bind } for pid=1569 comm="httpd" src=8774 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:osapi_compute_port_t:s0 tclass=tcp_socket permissive=0

httpd is allowed to bind to any port in openstack-selinux https://github.com/redhat-openstack/openstack-selinux/blob/master/os-httpd.te#L48, but it still fails due to a recent commit in openstack-selinux:- https://github.com/redhat-openstack/openstack-selinux/commit/1f3ab78f0d9b5e1d76ca420873889e9c6f54faf0

Applying recent os-podman.te in C7 fails with:-
# semodule -i /usr/share/selinux/packages/os-podman.pp.bz2
Failed to resolve typeattributeset statement at /etc/selinux/targeted/tmp/modules/400/os-podman/cil:3
semodule: Failed!

This is likely caused by the old container-selinux package in CentOS7, which lacks the commit https://github.com/containers/container-selinux/commit/e544d77116b6182cbfa42fd2168e1f602e86b06d

# rpm -q container-selinux
container-selinux-2.119.2-1.911c772.el7_8.noarch

Example log:-
https://logserver.rdoproject.org/ci.centos.org/weirdo-train-promote-packstack-scenario001/274/weirdo-project/logs/latest/manifests/192.168.1.103_controller.pp.log.txt.gz
https://logserver.rdoproject.org/ci.centos.org/weirdo-train-promote-packstack-scenario001/274/weirdo-project/logs/diag/journalctl_--no-pager.txt.gz
https://logserver.rdoproject.org/ci.centos.org/weirdo-train-promote-packstack-scenario001/274/weirdo-project/logs/audit/audit.log.txt.gz
https://logserver.rdoproject.org/ci.centos.org/weirdo-train-promote-packstack-scenario001/274/rpm_packages.txt.gz

Will check with authors on how to clear this issue.
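A triage helper for the AVC record above, added here as an example (it is not part of the bug report, of Packstack or of openstack-selinux): it parses audit lines, keeps only name_bind denials that were actually enforced (permissive=0), and prints the allow rule the loaded policy would have to carry, so a missing or failed policy module (such as the os-podman.pp load above) can be confirmed from the audit log before falling back to permissive mode. The sample log and the type name constructed_port_t are constructed for the example.

```python
import re

# Constructed sample audit excerpt. The first AVC record is the one quoted in the
# bug report; the others are made up here (including the type name
# "constructed_port_t") to exercise the filter and are not from the report.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1617806051.956:10123): avc: denied { name_bind } for pid=1569 comm="httpd" src=8774 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:osapi_compute_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1617806051.956:10123): arch=c000003e syscall=49 success=no exit=-13
type=AVC msg=audit(1617806052.100:10124): avc: denied { name_bind } for pid=1569 comm="httpd" src=8778 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:constructed_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1617806053.000:10125): avc: denied { read } for pid=1569 comm="httpd" name="ports.conf" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one AVC audit record into a dict; return None for other record types."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "serial": m["serial"], "verdict": m["verdict"],
           "perms": m["perms"].split()}
    for key, val in KV_RE.findall(m["rest"]):
        rec[key] = val.strip('"')
    # Contexts are user:role:type:level; the type is what policy rules name.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def blocked_port_binds(log_text):
    """name_bind denials that were actually enforced (permissive=0)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if (rec and rec["verdict"] == "denied" and "name_bind" in rec["perms"]
                and rec.get("permissive") == "0"):
            hits.append(rec)
    return hits

def needed_rule(rec):
    """The allow rule the loaded policy must contain for this bind to succeed."""
    return f'allow {rec["stype"]} {rec["ttype"]}:{rec["tclass"]} name_bind;'

if __name__ == "__main__":
    for rec in blocked_port_binds(SAMPLE_AUDIT_LOG):
        print(rec["comm"], "blocked on port", rec["src"], "->", needed_rule(rec))
```

Feed it the real audit.log (or `ausearch -m AVC` output) and compare the printed rule against `sesearch -A -s httpd_t -c tcp_socket -p name_bind`: if the rule is absent, the policy module that should carry it did not load.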

yatin (yatinkarel)
Changed in packstack:
status: New → Triaged
importance: Undecided → High
yatin (yatinkarel)
description: updated
yatin (yatinkarel) wrote :

Proposed https://review.rdoproject.org/r/c/rdo-infra/weirdo/+/33168 to switch selinux to permissive. It's already permissive in the centos7 job; all upstream jobs (except packstack on C7) were running with selinux permissive, and with this patch that one does the same. Maintaining selinux just for this case is not worth much.

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to packstack (stable/train)

Related fix proposed to branch: stable/train
Review: https://review.opendev.org/c/x/packstack/+/790908

OpenStack Infra (hudson-openstack) wrote : Related fix merged to packstack (stable/train)

Reviewed: https://review.opendev.org/c/x/packstack/+/790908
Committed: https://opendev.org/x/packstack/commit/f8016293a3abdaa908d490027ec2442a4b9b7f2e
Submitter: "Zuul (22348)"
Branch: stable/train

commit f8016293a3abdaa908d490027ec2442a4b9b7f2e
Author: yatinkarel <email address hidden>
Date: Wed May 12 12:54:39 2021 +0530

    [Train Only] Switch selinux to permissive in C7 jobs too

    It was already permissive in C8 jobs, so let's do the
    same in C7 jobs. For C7 jobs it's needed due to the old
    container-selinux rpm, which is not compatible with
    openstack-selinux in train.

    Train Only as Train is the last release running C7 jobs.

    Related-Bug: lp#1923005
    Change-Id: I24a85f7ac3e9373a821d4ec91a7eee9c5a7e6608

tags: added: in-stable-train
Qin Zhao (zhaoqin) wrote :

Is there a way to work around it?
