Project

General

Profile

Actions

Bug #16393

closed

Technique are lost when a new one is created because of selinux (centos 7 and 8)

Added by Félix DALLIDET about 5 years ago. Updated about 5 years ago.

Status:
Released
Priority:
N/A
Category:
Web - Technique editor
Target version:
Severity:
Critical - prevents main use of Rudder | no workaround | data loss | security
UX impact:
User visibility:
First impressions of Rudder
Effort required:
Priority:
124
Name check:
To do
Fix check:
Error - Fixed
Regression:

Description

In a 6.0 if I create a technique via the technique editor, save it, when quitting and then reload the technique editor, all my techniques will be gone.
And I will not be able to modify them except the latest created one.

This prevents Rudder to be used for almost anything

Also, starting from 6.0 I can not found any files from techniques generated by the technique editor under /var/rudder/configuration-repository/ncf/50_techniques but only in /var/rudder/configuration-repository/techniques/ncf_techniques is this normal?


Subtasks 1 (0 open1 closed)

Bug #16435: Technique are lost during migration or when a new one is created in centos7ReleasedNicolas CHARLESActions

Related issues 1 (0 open1 closed)

Related to Rudder - Bug #16445: Technique are lost during migration on centos 7ResolvedActions
Actions #1

Updated by Nicolas CHARLES about 5 years ago

I lost my techniques while upgrading from 5.0.15 to 6.0 nightly
I have a commit

commit 086b16824f12e41943aee0c874a7309562635c2f
Author: root user (CLI) <root@localhost>
Date:   Thu Dec 12 10:22:18 2019 +0000

    Commit ncf Technique "technique" in Rudder

at upgrade time, which created /var/rudder/configuration-repository/ncf/50_techniques/technique/technique.cf (no version)

Actions #2

Updated by Nicolas CHARLES about 5 years ago

when creating a new technique, and comming back, I get the error

An Error occured! Could not parse Technique 'technique'
Details:

 caused by : An error occured while parsing technique '/var/rudder/configuration-repository/techniques/ncf_techniques/sdfsqdf/1.0/technique.cf'
 caused by : No JSON object could be decoded

file contains

# @name sdfsqdf
# @description sqfsf
# @version 1.0

bundle agent sdfsqdf
{
  vars:
    "resources_dir" string => "${this.promise_dirname}/resources";
  methods:
    "Command execution_${report_data.directive_id}_0" usebundle => _method_reporting_context("Command execution", "/bin/true"),
                                                             if => concat("any");
    "Command execution_${report_data.directive_id}_0" usebundle => command_execution("/bin/true"),
                                                             if => concat("any");

Actions #3

Updated by Nicolas CHARLES about 5 years ago

I have the following error in log, preventing cf-promises from running

Dec 12 13:42:39 server cf-promises[1408]: CFEngine(common)  Unable to set ownership on '/var/lib/ncf-api-venv/.cfagent' to '995.48'. (chown: Permission denied)
Dec 12 13:42:39 server cf-promises[1408]: CFEngine(common)  Unable to open database lock file '/var/lib/ncf-api-venv/.cfagent/state/cf_state.lmdb.lock'. (flock: Permission denied)

but perms look correct

# ls -alh /var/lib/ncf-api-venv
total 4.0K
drwxr-xr-x.  3 ncf-api-venv ncf-api-venv   22 Dec 12 00:38 .
drwxr-xr-x. 33 root         root         4.0K Dec 12 10:23 ..
drwxr-xr-x. 11 ncf-api-venv ncf-api-venv  146 Dec 12 10:22 .cfagent

Actions #4

Updated by Nicolas CHARLES about 5 years ago

setenforce 0 solves the issue

audit log says

type=AVC msg=audit(1576155634.673:2108): avc:  denied  { setattr } for  pid=25236 comm="cf-promises" name=".cfagent" dev="dm-0" ino=101464345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_
lib_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1576155634.673:2108): arch=c000003e syscall=92 success=no exit=-13 a0=5641a81f0ec0 a1=3e3 a2=30 a3=5641a914254c items=0 ppid=20677 pid=25236 auid=4294967295 uid=995 gid=48 euid=995 suid=99
5 fsuid=995 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="cf-promises" exe="/opt/rudder/bin/cf-promises" subj=system_u:system_r:httpd_t:s0 key=(null)
type=PROCTITLE msg=audit(1576155634.673:2108): proctitle=2F6F70742F7275646465722F62696E2F63662D70726F6D69736573002D706A736F6E002D66002F7661722F7275646465722F636F6E66696775726174696F6E2D7265706F7369746F72792F7465
63686E69717565732F6E63665F746563686E69717565732F736466737164662F312E302F746563686E697175652E6366
type=AVC msg=audit(1576155634.673:2109): avc:  denied  { write } for  pid=25236 comm="cf-promises" name="cf_state.lmdb.lock" dev="dm-0" ino=68446766 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object
_r:var_lib_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1576155634.673:2109): arch=c000003e syscall=2 success=no exit=-13 a0=5641a9169370 a1=42 a2=1b6 a3=732f746e65676166 items=0 ppid=20677 pid=25236 auid=4294967295 uid=995 gid=48 euid=995 suid
=995 fsuid=995 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="cf-promises" exe="/opt/rudder/bin/cf-promises" subj=system_u:system_r:httpd_t:s0 key=(null)
type=PROCTITLE msg=audit(1576155634.673:2109): proctitle=2F6F70742F7275646465722F62696E2F63662D70726F6D69736573002D706A736F6E002D66002F7661722F7275646465722F636F6E66696775726174696F6E2D7265706F7369746F72792F7465
63686E69717565732F6E63665F746563686E69717565732F736466737164662F312E302F746563686E697175652E6366
type=AVC msg=audit(1576155634.673:2110): avc:  denied  { setattr } for  pid=25236 comm="cf-promises" name="randseed" dev="dm-0" ino=101464370 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_
lib_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1576155634.673:2110): arch=c000003e syscall=90 success=no exit=-13 a0=7ffc69b0a450 a1=180 a2=7ffc69b0a477 a3=ffffffff items=0 ppid=20677 pid=25236 auid=4294967295 uid=995 gid=48 euid=995 s
uid=995 fsuid=995 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="cf-promises" exe="/opt/rudder/bin/cf-promises" subj=system_u:system_r:httpd_t:s0 key=(null)
type=PROCTITLE msg=audit(1576155634.673:2110): proctitle=2F6F70742F7275646465722F62696E2F63662D70726F6D69736573002D706A736F6E002D66002F7661722F7275646465722F636F6E66696775726174696F6E2D7265706F7369746F72792F7465
63686E69717565732F6E63665F746563686E69717565732F736466737164662F312E302F746563686E697175652E6366

Actions #5

Updated by Vincent MEMBRÉ about 5 years ago

  • Status changed from New to In progress
  • Assignee set to Vincent MEMBRÉ
Actions #6

Updated by Vincent MEMBRÉ about 5 years ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from Vincent MEMBRÉ to Alexis Mousset
  • Pull Request set to https://github.com/Normation/rudder-packages/pull/2167
Actions #7

Updated by Vincent MEMBRÉ about 5 years ago

  • Status changed from Pending technical review to Pending release
Actions #8

Updated by François ARMAND about 5 years ago

  • Subject changed from Techniques via technique editor are then lost to Technique are lost during migration or when a new one is created
Actions #9

Updated by François ARMAND about 5 years ago

  • Fix check changed from To do to Error - Blocking
Actions #10

Updated by François ARMAND about 5 years ago

  • Subject changed from Technique are lost during migration or when a new one is created to Technique are lost when a new one is created because of selinux (centos 7 and 8)
  • Fix check changed from Error - Blocking to Error - Fixed

Actually, I thing there is a problem on migration different from SELinux. Given the big number of problem with migration, I will open an other ticket for that part. The selinux for centos7 is corrected.

Actions #11

Updated by Vincent MEMBRÉ about 5 years ago

This bug has been fixed in Rudder 6.0.1 which was released today.

Actions #12

Updated by Vincent MEMBRÉ about 5 years ago

  • Related to Bug #16445: Technique are lost during migration on centos 7 added
Actions #13

Updated by Vincent MEMBRÉ about 5 years ago

  • Status changed from Pending release to Released
Actions

Also available in: Atom PDF