Red Hat OpenStack 16.1 to 16.2 upgrade fails due to SELinux policies.

Solution Verified - Updated -

Issue

  • SELinux prevents the Red Hat OpenStack 16.1 to 16.2 Controller upgrade, and it has to be set to "permissive" for the upgrade to finish.
  • Symptoms are the same as described in this bug report.
  • Executing "openstack overcloud update run -y --limit Controller --playbook all" causes the upgrade to fail at "paunch step 2", which times out (runs out of retries).
  • Setting SELinux to "permissive" gets rid of these issues and results in a successful upgrade.
  • These are some examples of the errors shown in the logs:
  • /var/log/audit/audit.log gets filled with denial messages:
type=AVC msg=audit(1646596532.857:160660): avc:  denied  { read write } for  pid=246393 comm="swift-container" name="container.recon" dev="vda2" ino=100836549 scontext=system_u:system_r:container_t:s0:c21,c724 tcontext=system_u:object_r:swift_var_cache_t:s0 tclass=file permissive=0 
  • From different services:
2022-03-06 22:55:09.592 28 ERROR oslo.messaging._drivers.impl_rabbit [-] [7b774c38-5993-4a43-be9a-1a6baa78eecc] AMQP server on overcloud-controller-0.internalapi.localdomain:5672 is unreachable: [Errno 111] ECONNREFUSED. Trying again in 32 seconds.: ConnectionRefusedError: [Errno 111] ECONNREFUSED
2022-03-06 22:55:10.130 29 ERROR oslo.messaging._drivers.impl_rabbit [-] [435ebaa9-4052-4830-9111-5c1846d2fe41] AMQP server on overcloud-controller-0.internalapi.localdomain:5672 is unreachable: [Errno 111] ECONNREFUSED. Trying again in 32 seconds.: ConnectionRefusedError: [Errno 111] ECONNREFUSED
2022-03-06 22:55:10.589 27 ERROR oslo.messaging._drivers.impl_rabbit [-] [f81f910e-a5f9-424c-8bce-4f0a395411b4] AMQP server on overcloud-controller-0.internalapi.localdomain:5672 is unreachable: [Errno 111] ECONNREFUSED. Trying again in 32 seconds.: ConnectionRefusedError: [Errno 111] ECONNREFUSED
2022-03-06 22:55:10.605 28 ERROR oslo.messaging._drivers.impl_rabbit [-] [e66ca7e9-9477-4b7d-80be-9c4a61eebc02] AMQP server on overcloud-controller-0.internalapi.localdomain:5672 is unreachable: [Errno 111] ECONNREFUSED. Trying again in 32 seconds.: ConnectionRefusedError: [Errno 111] ECONNREFUSED
2022-03-06 22:55:10.609 28 ERROR oslo.messaging._drivers.impl_rabbit [-] [16576bfc-7c39-4c0a-a708-d09102a438b2] AMQP server on overcloud-controller-0.internalapi.localdomain:5672 is unreachable: [Errno 111] ECONNREFUSED. Trying again in 32 seconds.: ConnectionRefusedError: [Errno 111] ECONNREFUSED
2022-03-06 22:55:11.160 26 INFO neutron.wsgi [-] 172.17.0.108 "OPTIONS / HTTP/1.0" status: 200  len: 249 time: 0.0090587
2022-03-06 22:55:11.581 27 ERROR oslo.messaging._drivers.impl_rabbit [-] [372b9c10-e685-4892-b8e7-3f6a43ba1494] AMQP server on overcloud-controller-0.internalapi.localdomain:5672 is unreachable: [Errno 111] ECONNREFUSED. Trying again in 32 seconds.: ConnectionRefusedError: [Errno 111] ECONNREFUSED
2022-03-06 22:55:11.583 27 ERROR oslo.messaging._drivers.impl_rabbit [-] [4fbcc5e0-174c-4ccd-82b6-fe7b42c0461e] AMQP server on overcloud-controller-0.internalapi.localdomain:5672 is unreachable: [Errno 111] ECONNREFUSED. Trying again in 32 seconds.: ConnectionRefusedError: [Errno 111] ECONNREFUSED
2022-03-06 22:53:42.986 23 ERROR nova.servicegroup.drivers.db oslo_db.exception.DBConnectionError: (pymysql.err.OperationalError) (2003, "Can't connect to MySQL server on '172.17.0.74' ([Errno 113] EHOSTUNREACH)")
2022-03-06 22:53:42.986 23 ERROR nova.servicegroup.drivers.db (Background on this error at: http://sqlalche.me/e/e3q8)
2022-03-06 22:53:42.986 23 ERROR nova.servicegroup.drivers.db
2022-03-06 22:53:43.124 23 ERROR oslo.messaging._drivers.impl_rabbit [-] Connection failed: [Errno 111] ECONNREFUSED (retrying in 32.0 seconds): ConnectionRefusedError: [Errno 111] ECONNREFUSED
Mar 01 22:25:33 overcloud-controller-0 container-server[115580]: Exception dumping recon cache: 
[Errno 13] Permission denied: '/var/cache/swift/container.recon': 
#012Traceback (most recent call last):
#012  File "/usr/lib/python3.6/site-packages/swift/common/utils.py", line 3659, in dump_recon_cache#012
    with lock_file(cache_file, lock_timeout, unlink=False) as cf:
#012  File "/usr/lib64/python3.6/contextlib.py", line 81, in __enter__#012    return next(self.gen)#012  
File "/usr/lib/python3.6/site-packages/swift/common/utils.py", line 2834, in lock_file#012
    fd = os.open(filename, flags)#012PermissionError: [Errno 13] Permission denied: '/var/cache/swift/container.recon'
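
Each AVC record in audit.log names the denied permissions, the source and target SELinux types and the object class, which is what identifies the missing policy rule. The following Python is an added example, not part of the original article or of any Red Hat tooling; it groups such records by process, types and class. The sample log text is constructed: only its first line is the denial quoted above.

```python
import re
from collections import defaultdict

# Constructed sample input: line 1 is the denial quoted above, line 2 is a
# constructed variant of it, line 3 is a non-AVC record that must be skipped.
SAMPLE_AUDIT_LOG = '''\
type=AVC msg=audit(1646596532.857:160660): avc:  denied  { read write } for  pid=246393 comm="swift-container" name="container.recon" dev="vda2" ino=100836549 scontext=system_u:system_r:container_t:s0:c21,c724 tcontext=system_u:object_r:swift_var_cache_t:s0 tclass=file permissive=0
type=AVC msg=audit(1646596533.101:160661): avc:  denied  { open } for  pid=246393 comm="swift-container" name="container.recon" dev="vda2" ino=100836549 scontext=system_u:system_r:container_t:s0:c21,c724 tcontext=system_u:object_r:swift_var_cache_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1646596533.101:160661): arch=c000003e syscall=257 success=no exit=-13 comm="swift-container"
'''

AVC_RE = re.compile(r"type=AVC .*?avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    # user:role:type:level; the MLS/MCS level may itself contain colons.
    return context.split(":", 3)[2]


def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    return {
        "comm": fields.get("comm", "?"),
        "source_type": selinux_type(fields["scontext"]),
        "target_type": selinux_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "perms": set(m.group(1).split()),
        "enforced": fields.get("permissive") == "0",
    }


def summarize(log_text):
    """Group denials by (comm, source type, target type, class) -> permissions."""
    summary = defaultdict(set)
    for line in log_text.splitlines():
        avc = parse_avc(line)
        if avc:
            key = (avc["comm"], avc["source_type"], avc["target_type"], avc["tclass"])
            summary[key] |= avc["perms"]
    return dict(summary)


if __name__ == "__main__":
    for key, perms in summarize(SAMPLE_AUDIT_LOG).items():
        print(*key, sorted(perms))
```

For the denial in this article the summary shows container_t being refused access to a file labelled swift_var_cache_t, which matches the "Permission denied" on /var/cache/swift/container.recon in the Swift traceback.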

Environment

Red Hat OpenStack Platform 16.2
