Red Hat OpenStack 16.1 to 16.2 upgrade fails due to SELinux policies.
Issue
- Selinux prevents the Red Hat OpenStack 16.1 to 16.2 Controller upgrade and has to be set to "permissive" for upgrade to finish.
- Symptoms are the same as described in this bug report.
- Executing "openstack overcloud update run -y --limit Controller --playbook all" causes the upgrade to fail at "paunch step 2" timing out (running out of retries).
- Setting selinux to "permissive" gets rid of these issues and results in successful upgrade.
- This are some examples of the errors shown in the logs:
- /var/log/audit/audit.log gets filled with denial messages:
type=AVC msg=audit(1646596532.857:160660): avc: denied { read write } for pid=246393 comm="swift-container" name="container.recon" dev="vda2" ino=100836549 scontext=system_u:system_r:container_t:s0:c21,c724 tcontext=system_u:object_r:swift_var_cache_t:s0 tclass=file permissive=0
- From different services:
2022-03-06 22:55:09.592 28 ERROR oslo.messaging._drivers.impl_rabbit [-] [7b774c38-5993-4a43-be9a-1a6baa78eecc] AMQP server on overcloud-controller-0.internalapi.localdomain:5672 is unreachable: [Errno 111] ECONNREFUSED. Trying again in 32 seconds.: ConnectionRefusedError: [Errno 111] ECONNREFUSED
2022-03-06 22:55:10.130 29 ERROR oslo.messaging._drivers.impl_rabbit [-] [435ebaa9-4052-4830-9111-5c1846d2fe41] AMQP server on overcloud-controller-0.internalapi.localdomain:5672 is unreachable: [Errno 111] ECONNREFUSED. Trying again in 32 seconds.: ConnectionRefusedError: [Errno 111] ECONNREFUSED
2022-03-06 22:55:10.589 27 ERROR oslo.messaging._drivers.impl_rabbit [-] [f81f910e-a5f9-424c-8bce-4f0a395411b4] AMQP server on overcloud-controller-0.internalapi.localdomain:5672 is unreachable: [Errno 111] ECONNREFUSED. Trying again in 32 seconds.: ConnectionRefusedError: [Errno 111] ECONNREFUSED
2022-03-06 22:55:10.605 28 ERROR oslo.messaging._drivers.impl_rabbit [-] [e66ca7e9-9477-4b7d-80be-9c4a61eebc02] AMQP server on overcloud-controller-0.internalapi.localdomain:5672 is unreachable: [Errno 111] ECONNREFUSED. Trying again in 32 seconds.: ConnectionRefusedError: [Errno 111] ECONNREFUSED
2022-03-06 22:55:10.609 28 ERROR oslo.messaging._drivers.impl_rabbit [-] [16576bfc-7c39-4c0a-a708-d09102a438b2] AMQP server on overcloud-controller-0.internalapi.localdomain:5672 is unreachable: [Errno 111] ECONNREFUSED. Trying again in 32 seconds.: ConnectionRefusedError: [Errno 111] ECONNREFUSED
2022-03-06 22:55:11.160 26 INFO neutron.wsgi [-] 172.17.0.108 "OPTIONS / HTTP/1.0" status: 200 len: 249 time: 0.0090587
2022-03-06 22:55:11.581 27 ERROR oslo.messaging._drivers.impl_rabbit [-] [372b9c10-e685-4892-b8e7-3f6a43ba1494] AMQP server on overcloud-controller-0.internalapi.localdomain:5672 is unreachable: [Errno 111] ECONNREFUSED. Trying again in 32 seconds.: ConnectionRefusedError: [Errno 111] ECONNREFUSED
2022-03-06 22:55:11.583 27 ERROR oslo.messaging._drivers.impl_rabbit [-] [4fbcc5e0-174c-4ccd-82b6-fe7b42c0461e] AMQP server on overcloud-controller-0.internalapi.localdomain:5672 is unreachable: [Errno 111] ECONNREFUSED. Trying again in 32 seconds.: ConnectionRefusedError: [Errno 111] ECONNREFUSED
2022-03-06 22:53:42.986 23 ERROR nova.servicegroup.drivers.db oslo_db.exception.DBConnectionError: (pymysql.err.OperationalError) (2003, "Can't connect to MySQL server on '172.17.0.74' ([Errno 113] EHOSTUNREACH)")
2022-03-06 22:53:42.986 23 ERROR nova.servicegroup.drivers.db (Background on this error at: http://sqlalche.me/e/e3q8)
2022-03-06 22:53:42.986 23 ERROR nova.servicegroup.drivers.db
2022-03-06 22:53:43.124 23 ERROR oslo.messaging._drivers.impl_rabbit [-] Connection failed: [Errno 111] ECONNREFUSED (retrying in 32.0 seconds): ConnectionRefusedError: [Errno 111] ECONNREFUSED
Mar 01 22:25:33 overcloud-controller-0 container-server[115580]: Exception dumping recon cache:
[Errno 13] Permission denied: '/var/cache/swift/container.recon':
#012Traceback (most recent call last):
#012 File "/usr/lib/python3.6/site-packages/swift/common/utils.py", line 3659, in dump_recon_cache#012
with lock_file(cache_file, lock_timeout, unlink=False) as cf:
#012 File "/usr/lib64/python3.6/contextlib.py", line 81, in __enter__#012 return next(self.gen)#012
File "/usr/lib/python3.6/site-packages/swift/common/utils.py", line 2834, in lock_file#012
fd = os.open(filename, flags)#012PermissionError: [Errno 13] Permission denied: '/var/cache/swift/container.recon'
Environment
Red Hat OpenStack Platform 16.2
Subscriber exclusive content
A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.