Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 1692462 - [OSP15][SELinux issue] overcloud deploy fails connecting to localhost (undercloud) during inital setup
Summary: [OSP15][SELinux issue] overcloud deploy fails connecting to localhost (underc...
Keywords:
Status: VERIFIED
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo-heat-templates
Version: 15.0 (Stein)
Hardware: Unspecified
OS: Linux
high
high
Target Milestone: ---
: ---
Assignee: Emilien Macchi
QA Contact: Sasha Smolyak
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-03-25 16:28 UTC by Alistair Tonner
Modified: 2019-04-05 13:47 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Target Upstream Version:


Attachments (Terms of Use)
shell script to deploy openstack nodes in virt env. (deleted)
2019-03-25 16:30 UTC, Alistair Tonner
no flags Details


Links
System ID Priority Status Summary Last Updated
OpenStack gerrit 638323 None None None 2019-03-25 20:23:20 UTC

Description Alistair Tonner 2019-03-25 16:28:43 UTC
Description of problem:
  
   Overcloud deploy fails to connect to locahost (undercloud) 


Version-Release number of selected component (if applicable):

RHEL8
RHOS_TRUNK-15.0-RHEL-8-20190320.n.1

ansible-role-tripleo-modify-image.noarch      1.0.1-0.20190226075404.9014df9.el8ost                @rhelosp-15.0-trunk
ansible-tripleo-ipsec.noarch                  9.0.1-0.20190220162047.f60ad6c.el8ost                @rhelosp-15.0-trunk
openstack-tripleo-common.noarch               10.6.1-0.20190320113112.01b56d0.el8ost               @rhelosp-15.0-trunk
openstack-tripleo-common-containers.noarch    10.6.1-0.20190320113112.01b56d0.el8ost               @rhelosp-15.0-trunk
openstack-tripleo-heat-templates.noarch       10.3.1-0.20190318140159.cbe8724.el8ost               @rhelosp-15.0-trunk
openstack-tripleo-image-elements.noarch       10.3.1-0.20190319120806.1bde610.el8ost               @rhelosp-15.0-trunk
openstack-tripleo-puppet-elements.noarch      10.2.1-0.20190319120806.7903181.el8ost               @rhelosp-15.0-trunk
openstack-tripleo-validations.noarch          10.2.1-0.20190218150113.e6490b3.el8ost               @rhelosp-15.0-trunk
puppet-tripleo.noarch                         10.3.1-0.20190320122508.c9d107c.el8ost               @rhelosp-15.0-trunk
python3-tripleo-common.noarch                 10.6.1-0.20190320113112.01b56d0.el8ost               @rhelosp-15.0-trunk
python3-tripleoclient.noarch                  11.3.1-0.20190319125100.23e610c.el8ost               @rhelosp-15.0-trunk
python3-tripleoclient-heat-installer.noarch   11.3.1-0.20190319125100.23e610c.el8ost               @rhelosp-15.0-trunk

How reproducible:

Deploy openstack with attached script:


Steps to Reproduce:
1.
2.
3.

Actual results:

Using /var/lib/mistral/overcloud/ansible.cfg as config file
/var/lib/mistral/overcloud/tripleo-ansible-inventory.yaml did not meet host_list requirements, check plugin documentation if this is unexpected
/var/lib/mistral/overcloud/tripleo-ansible-inventory.yaml did not meet script requirements, check plugin documentation if this is unexpected

PLAY [Gather facts from undercloud] ********************************************

TASK [Gathering Facts] *********************************************************
Monday 25 March 2019  15:14:50 +0000 (0:00:00.038)       0:00:00.039 **********
fatal: [undercloud]: UNREACHABLE! => {"changed": false, "msg": "SSH Error: data could not be sent to remote host \"localhost\". Make sure this host can be reached over ssh", "unreachable": true}


PLAY RECAP *********************************************************************
undercloud                 : ok=0    changed=0    unreachable=1    failed=0



Expected results:

  Overcloud deploys successfully


Additional info:


   Reviewed ansible config: -> a) only overcloud nodes had id created and public key laid down, undercloud-0 (localhost) has an account for tripleo-admin but DOES NOT have ~/tripleo-admin/.ssh/authorized_keys with appropriate public key entry.

Comment 1 Alistair Tonner 2019-03-25 16:30:33 UTC
Created attachment 1547761 [details]
shell script to deploy openstack nodes in virt env.

Comment 2 Alistair Tonner 2019-03-25 17:54:38 UTC
Mar 25 15:14:51 undercloud-0 setroubleshoot[189769]: SELinux is preventing /usr/sbin/sshd from read access on the file authorized_keys. For complete SELinux messages run: sealert -l 6136b2de-f3d8-429a-80d2-1f5d7dc83a35
Mar 25 15:14:51 undercloud-0 platform-python[189769]: SELinux is preventing /usr/sbin/sshd from read access on the file authorized_keys.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that sshd should be allowed read access on the authorized_keys file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'sshd' --raw | audit2allow -M my-sshd#012# semodule -X 300 -i my-sshd.pp#012
Mar 25 15:14:51 undercloud-0 setroubleshoot[189769]: SELinux is preventing /usr/sbin/sshd from read access on the file authorized_keys. For complete SELinux messages run: sealert -l 6136b2de-f3d8-429a-80d2-1f5d7dc83a35
Mar 25 15:14:51 undercloud-0 platform-python[189769]: SELinux is preventing /usr/sbin/sshd from read access on the file authorized_keys.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that sshd should be allowed read access on the authorized_keys file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'sshd' --raw | audit2allow -M my-sshd#012# semodule -X 300 -i my-sshd.pp#012
Mar 25 15:14:52 undercloud-0 setroubleshoot[189769]: SELinux is preventing /usr/sbin/sshd from read access on the file authorized_keys. For complete SELinux messages run: sealert -l 6136b2de-f3d8-429a-80d2-1f5d7dc83a35
Mar 25 15:14:52 undercloud-0 platform-python[189769]: SELinux is preventing /usr/sbin/sshd from read access on the file authorized_keys.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that sshd should be allowed read access on the authorized_keys file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'sshd' --raw | audit2allow -M my-sshd#012# semodule -X 300 -i my-sshd.pp#012


This appears to be a selinux issue

Comment 3 Marius Cornea 2019-03-25 19:21:10 UTC
I've hit this while trying to deploy Openshift as well - https://bugzilla.redhat.com/show_bug.cgi?id=1691565#c2 There's an ongoing patch that should address this issue.

Comment 4 Alistair Tonner 2019-03-27 12:57:41 UTC
Marius: 
   Thanks, I patched deployment from the https://review.openstack.org/#/c/638323/ and this appears to solve this issue - I note that tripleo-common/tests/test-inventory.py does not exist in my deployment.

Comment 5 Alistair Tonner 2019-04-05 13:46:49 UTC
I can confirm that I no longer hit this issue after https://review.openstack.org/#/c/638323/  was merged.


Note You need to log in before you can comment on or make changes to this bug.