Bug #16393
closed
Technique are lost when a new one is created because of selinux (centos 7 and 8)
Description
In 6.0, if I create a technique via the technique editor, save it, quit and then reload the technique editor, all my techniques will be gone.
And I will not be able to modify them, except the latest created one.
This prevents Rudder from being used for almost anything.
Also, starting from 6.0, I cannot find any files from techniques generated by the technique editor under /var/rudder/configuration-repository/ncf/50_techniques, but only in /var/rudder/configuration-repository/techniques/ncf_techniques. Is this normal?
Updated by Nicolas CHARLES about 5 years ago
I lost my techniques while upgrading from 5.0.15 to 6.0 nightly
I have a commit
    commit 086b16824f12e41943aee0c874a7309562635c2f
    Author: root user (CLI) <root@localhost>
    Date:   Thu Dec 12 10:22:18 2019 +0000

        Commit ncf Technique "technique" in Rudder
at upgrade time, which created /var/rudder/configuration-repository/ncf/50_techniques/technique/technique.cf (no version)
Updated by Nicolas CHARLES about 5 years ago
When creating a new technique and coming back, I get the error
An Error occured! Could not parse Technique 'technique' Details: caused by : An error occured while parsing technique '/var/rudder/configuration-repository/techniques/ncf_techniques/sdfsqdf/1.0/technique.cf' caused by : No JSON object could be decoded
file contains
    # @name sdfsqdf
    # @description sqfsf
    # @version 1.0

    bundle agent sdfsqdf
    {
      vars:
        "resources_dir" string => "${this.promise_dirname}/resources";
      methods:
        "Command execution_${report_data.directive_id}_0" usebundle => _method_reporting_context("Command execution", "/bin/true"),
          if => concat("any");
        "Command execution_${report_data.directive_id}_0" usebundle => command_execution("/bin/true"),
          if => concat("any");
    }
Updated by Nicolas CHARLES about 5 years ago
I have the following error in log, preventing cf-promises from running
    Dec 12 13:42:39 server cf-promises[1408]: CFEngine(common) Unable to set ownership on '/var/lib/ncf-api-venv/.cfagent' to '995.48'. (chown: Permission denied)
    Dec 12 13:42:39 server cf-promises[1408]: CFEngine(common) Unable to open database lock file '/var/lib/ncf-api-venv/.cfagent/state/cf_state.lmdb.lock'. (flock: Permission denied)
but perms look correct
    # ls -alh /var/lib/ncf-api-venv
    total 4.0K
    drwxr-xr-x.  3 ncf-api-venv ncf-api-venv   22 Dec 12 00:38 .
    drwxr-xr-x. 33 root         root         4.0K Dec 12 10:23 ..
    drwxr-xr-x. 11 ncf-api-venv ncf-api-venv  146 Dec 12 10:22 .cfagent
Updated by Nicolas CHARLES about 5 years ago
setenforce 0 solves the issue
audit log says
    type=AVC msg=audit(1576155634.673:2108): avc: denied { setattr } for pid=25236 comm="cf-promises" name=".cfagent" dev="dm-0" ino=101464345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0
    type=SYSCALL msg=audit(1576155634.673:2108): arch=c000003e syscall=92 success=no exit=-13 a0=5641a81f0ec0 a1=3e3 a2=30 a3=5641a914254c items=0 ppid=20677 pid=25236 auid=4294967295 uid=995 gid=48 euid=995 suid=995 fsuid=995 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="cf-promises" exe="/opt/rudder/bin/cf-promises" subj=system_u:system_r:httpd_t:s0 key=(null)
    type=PROCTITLE msg=audit(1576155634.673:2108): proctitle=2F6F70742F7275646465722F62696E2F63662D70726F6D69736573002D706A736F6E002D66002F7661722F7275646465722F636F6E66696775726174696F6E2D7265706F7369746F72792F746563686E69717565732F6E63665F746563686E69717565732F736466737164662F312E302F746563686E697175652E6366
    type=AVC msg=audit(1576155634.673:2109): avc: denied { write } for pid=25236 comm="cf-promises" name="cf_state.lmdb.lock" dev="dm-0" ino=68446766 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
    type=SYSCALL msg=audit(1576155634.673:2109): arch=c000003e syscall=2 success=no exit=-13 a0=5641a9169370 a1=42 a2=1b6 a3=732f746e65676166 items=0 ppid=20677 pid=25236 auid=4294967295 uid=995 gid=48 euid=995 suid=995 fsuid=995 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="cf-promises" exe="/opt/rudder/bin/cf-promises" subj=system_u:system_r:httpd_t:s0 key=(null)
    type=PROCTITLE msg=audit(1576155634.673:2109): proctitle=2F6F70742F7275646465722F62696E2F63662D70726F6D69736573002D706A736F6E002D66002F7661722F7275646465722F636F6E66696775726174696F6E2D7265706F7369746F72792F746563686E69717565732F6E63665F746563686E69717565732F736466737164662F312E302F746563686E697175652E6366
    type=AVC msg=audit(1576155634.673:2110): avc: denied { setattr } for pid=25236 comm="cf-promises" name="randseed" dev="dm-0" ino=101464370 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
    type=SYSCALL msg=audit(1576155634.673:2110): arch=c000003e syscall=90 success=no exit=-13 a0=7ffc69b0a450 a1=180 a2=7ffc69b0a477 a3=ffffffff items=0 ppid=20677 pid=25236 auid=4294967295 uid=995 gid=48 euid=995 suid=995 fsuid=995 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="cf-promises" exe="/opt/rudder/bin/cf-promises" subj=system_u:system_r:httpd_t:s0 key=(null)
    type=PROCTITLE msg=audit(1576155634.673:2110): proctitle=2F6F70742F7275646465722F62696E2F63662D70726F6D69736573002D706A736F6E002D66002F7661722F7275646465722F636F6E66696775726174696F6E2D7265706F7369746F72792F746563686E69717565732F6E63665F746563686E69717565732F736466737164662F312E302F746563686E697175652E6366
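Added example, not part of the ticket or of Rudder's code: a small parser that reduces the AVC records quoted above to "which domain was denied which permissions on which type", and decodes the hex `proctitle` into the command line that triggered them. That is the information needed for a targeted labelling or policy fix, as opposed to leaving SELinux permissive. The names `summarize` and `decode_proctitle` are introduced here for illustration.

```python
import re
from collections import defaultdict

# Records copied from the audit log in this ticket (wrap-induced spaces removed);
# the SYSCALL records are omitted because the summary does not use them.
SAMPLE = """\
type=AVC msg=audit(1576155634.673:2108): avc: denied { setattr } for pid=25236 comm="cf-promises" name=".cfagent" dev="dm-0" ino=101464345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0
type=PROCTITLE msg=audit(1576155634.673:2108): proctitle=2F6F70742F7275646465722F62696E2F63662D70726F6D69736573002D706A736F6E002D66002F7661722F7275646465722F636F6E66696775726174696F6E2D7265706F7369746F72792F746563686E69717565732F6E63665F746563686E69717565732F736466737164662F312E302F746563686E697175652E6366
type=AVC msg=audit(1576155634.673:2109): avc: denied { write } for pid=25236 comm="cf-promises" name="cf_state.lmdb.lock" dev="dm-0" ino=68446766 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1576155634.673:2110): avc: denied { setattr } for pid=25236 comm="cf-promises" name="randseed" dev="dm-0" ino=101464370 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]*)\} for .*?comm="(?P<comm>[^"]*)".*?name="(?P<name>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)')
PROCTITLE_RE = re.compile(
    r'type=PROCTITLE msg=audit\([\d.]+:(?P<serial>\d+)\): proctitle=(?P<hex>[0-9A-Fa-f]+)$')

def decode_proctitle(hexstr):
    """auditd hex-encodes argv when it contains NULs; arguments are NUL-separated."""
    return bytes.fromhex(hexstr).decode("utf-8", "replace").split("\x00")

def summarize(log):
    """Return ({(source type, target type, class): details}, {event serial: argv})."""
    denials = defaultdict(lambda: {"perms": set(), "names": set(), "comms": set()})
    cmdlines = {}
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if m:
            # An SELinux context is user:role:type:level; the type drives the decision.
            key = (m["scontext"].split(":")[2], m["tcontext"].split(":")[2], m["tclass"])
            denials[key]["perms"].update(m["perms"].split())
            denials[key]["names"].add(m["name"])
            denials[key]["comms"].add(m["comm"])
            continue
        m = PROCTITLE_RE.search(line.strip())
        if m:
            cmdlines[m["serial"]] = decode_proctitle(m["hex"])
    return dict(denials), cmdlines

if __name__ == "__main__":
    denials, cmdlines = summarize(SAMPLE)
    for (src, tgt, cls), d in sorted(denials.items()):
        print(f"{src} -> {tgt}:{cls} denied {sorted(d['perms'])} on {sorted(d['names'])}")
    for serial, argv in cmdlines.items():
        print(serial, " ".join(argv))
```

On these records it reports `cf-promises` running in the `httpd_t` domain and being denied `setattr`/`write` on objects labelled `var_lib_t`, which the `ls -alh` output above cannot show because that command does not print SELinux labels.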
Updated by Vincent MEMBRÉ about 5 years ago
- Status changed from New to In progress
- Assignee set to Vincent MEMBRÉ
Updated by Vincent MEMBRÉ about 5 years ago
- Status changed from In progress to Pending technical review
- Assignee changed from Vincent MEMBRÉ to Alexis Mousset
- Pull Request set to https://github.com/Normation/rudder-packages/pull/2167
Updated by Vincent MEMBRÉ about 5 years ago
- Status changed from Pending technical review to Pending release
Applied in changeset rudder-packages|2f974351e01355b818aa549794f0da874956469b.
Updated by François ARMAND about 5 years ago
- Subject changed from Techniques via technique editor are then lost to Technique are lost during migration or when a new one is created
Updated by François ARMAND about 5 years ago
- Fix check changed from To do to Error - Blocking
Updated by François ARMAND about 5 years ago
- Subject changed from Technique are lost during migration or when a new one is created to Technique are lost when a new one is created because of selinux (centos 7 and 8)
- Fix check changed from Error - Blocking to Error - Fixed
Actually, I think there is a problem on migration different from SELinux. Given the big number of problems with migration, I will open another ticket for that part. The selinux for centos7 is corrected.
Updated by Vincent MEMBRÉ about 5 years ago
This bug has been fixed in Rudder 6.0.1 which was released today.
Updated by Vincent MEMBRÉ about 5 years ago
- Related to Bug #16445: Technique are lost during migration on centos 7 added
Updated by Vincent MEMBRÉ about 5 years ago
- Status changed from Pending release to Released