/usr/bin/systemctl start openstack-nova-api failed

Question

Getting error when installing packstack.

ERROR : Error appeared during Puppet run: x.x.x.x_api_nova.pp
Error: Could not start Service[nova-api]: Execution of '/usr/bin/systemctl start openstack-nova-api' returned 1: Job for openstack-nova-api.service failed because the control process exited with error code. See "systemctl status openstack-nova-api.service" and "journalctl -xe" for details.
You will find full trace in log /var/tmp/packstack/20160426-103906-Zre0yo/manifests/x.x.x.x_api_nova.pp.log'


Apr 26 10:50:13 localhost.localdomain systemd[1]: Unit openstack-nova-api.service entered failed state.
Apr 26 10:50:13 localhost.localdomain systemd[1]: openstack-nova-api.service failed.
Apr 26 10:50:13 localhost.localdomain setroubleshoot[6359]: SELinux is preventing /usr/bin/python2.7 from getattr access on the file /usr/bin/rpm. For comple
Apr 26 10:50:13 localhost.localdomain python[6359]: SELinux is preventing /usr/bin/python2.7 from getattr access on the file /usr/bin/rpm.

                                                    *****  Plugin catchall (100. confidence) suggests   **************************

                                                    If you believe that python2.7 should be allowed getattr access on the rpm file by default.
                                                    Then you should report this as a bug.
                                                    You can generate a local policy module to allow this access.
                                                    Do
                                                    allow this access for now by executing:
                                                    # grep nova-novncproxy /var/log/audit/audit.log | audit2allow -M mypol
                                                    # semodule -i mypol.pp

Apr 26 10:50:13 localhost.localdomain systemd[1]: openstack-nova-api.service holdoff time over, scheduling restart.
Apr 26 10:50:13 localhost.localdomain systemd[1]: Starting OpenStack Nova API Server...
-- Subject: Unit openstack-nova-api.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit openstack-nova-api.service has begun starting up.
Apr 26 10:50:15 localhost.localdomain python2[9047]: detected unhandled Python exception in '/usr/bin/nova-api'
Apr 26 10:50:15 localhost.localdomain nova-api[9047]: error: cannot open Packages database in /var/lib/rpm
Apr 26 10:50:15 localhost.localdomain nova-api[9047]: Traceback (most recent call last):
Apr 26 10:50:15 localhost.localdomain nova-api[9047]: File "/usr/bin/nova-api", line 10, in <module>
Apr 26 10:50:15 localhost.localdomain nova-api[9047]: sys.exit(main())
Apr 26 10:50:15 localhost.localdomain nova-api[9047]: File "/usr/lib/python2.7/site-packages/nova/cmd/api.py", line 41, in main
Apr 26 10:50:15 localhost.localdomain nova-api[9047]: config.parse_args(sys.argv)
Apr 26 10:50:15 localhost.localdomain nova-api[9047]: File "/usr/lib/python2.7/site-packages/nova/config.py", line 65, in parse_args
Apr 26 10:50:15 localhost.localdomain nova-api[9047]: default_config_files=default_config_files)
Apr 26 10:50:15 localhost.localdomain nova-api[9047]: File "/usr/lib/python2.7/site-packages/oslo_config/cfg.py", line 2171, in __call__
Apr 26 10:50:15 localhost.localdomain nova-api[9047]: self._namespace._files_permission_denied)
Apr 26 10:50:15 localhost.localdomain nova-api[9047]: oslo_config.cfg.ConfigFilesPermissionDeniedError: Failed to open some config files: /etc/nova/nova.conf
Apr 26 10:50:15 localhost.localdomain setroubleshoot[6359]: SELinux is preventing /usr/bin/python2.7 from getattr access on the file /usr/bin/rpm. For comple
Apr 26 10:50:15 localhost.localdomain python[6359]: SELinux is preventing /usr/bin/python2.7 from getattr access on the file /usr/bin/rpm.

                                                    *****  Plugin catchall (100. confidence) suggests   **************************

                                                    If you believe that python2.7 should be allowed getattr access on the rpm file by default.
                                                    Then you should report this as a bug.
                                                    You can generate a local policy module to allow this access.
                                                    Do
                                                    allow this access for now by executing:
                                                    # grep nova-novncproxy /var/log/audit/audit.log | audit2allow -M mypol
                                                    # semodule -i mypol.pp

Apr 26 10:50:15 localhost.localdomain systemd[1]: openstack-nova-api.service: main process exited, code=exited, status=1/FAILURE
Apr 26 10:50:15 localhost.localdomain systemd[1]: Failed to start OpenStack Nova API Server.
-- Subject: Unit openstack-nova-api.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit openstack-nova-api.service has failed.
--
-- The result is failed.
Apr 26 10:50:15 localhost.localdomain systemd[1]: Unit openstack-nova-api.service entered failed state.
Apr 26 10:50:15 localhost.localdomain systemd[1]: openstack-nova-api.service failed.
'

Answer 1

From the logs it looks like an SELinux issue: SELinux is preventing /usr/bin/python2.7 from getattr access on the file /usr/bin/rpm

You can either disable selinux or use audit2allow to get the permissions it needs and add it with sedmodule. It says what to run in the logs:

# grep nova-novncproxy /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp