Bug #16653

closed

HTTPS Reporting is not working

Added by Marius Rieck almost 5 years ago. Updated over 4 years ago.

Status: Rejected
Priority: N/A
Assignee: -
Category: Packaging
Target version:
Severity:
UX impact:
User visibility:
Effort required:
Priority: 0
Name check: To do
Fix check: To do
Regression:

Description

Hello There,
as soon as I activate HTTPS reporting on the Rudder Server the Nodes are not reporting back anymore.
They list as No Report and the Last Seen is also on the Timestamp of the change to HTTPS.
When I switch back to SYSLOG it's fine.

I see that the nodes are sending Packets to Rudder to Port 443 and those are arriving on the server.
The Agents on the Nodes have no errors (rudder agent run works perfectly fine on the nodes).

There's also nothing logged at the Technical Logs tab from the Nodes.

Rudder Server is 6.0.2 (all the nodes too) and running on CentOS 8.0.1905.
Nodes are:
RedHat 8
CentOS 8
CentOS 7

Greetings,
Marius Rieck

Actions #1

Updated by Alexis Mousset almost 5 years ago

Could be a problem with the relayd service, what do these commands give on the Rudder server:

systemctl status rudder-relayd
journalctl -n20 -u rudder-relayd

Actions #2

Updated by Marius Rieck almost 5 years ago

This is the output:

● rudder-relayd.service - Rudder Relay Daemon
   Loaded: loaded (/usr/lib/systemd/system/rudder-relayd.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2020-01-15 11:49:48 CET; 2 weeks 1 days ago
 Main PID: 1561 (rudder-relayd)
    Tasks: 11 (limit: 24022)
   Memory: 13.0M
   CGroup: /system.slice/rudder-relayd.service
           └─1561 /opt/rudder/bin/rudder-relayd

Jan 31 09:01:34 svtc-app-03 rudder-relayd[1561]:  ERROR report{queue_id=4A5BB40165982F3716BE4649E6B435D4}:node{node_id=52d90d89-8df6-4e15-a513-45c6869ee235}: relayd::processing::reporting: refused: report from "52d90d89-8df6-4e15-a513-45c6869ee235", unknown id
Jan 31 09:02:26 svtc-app-03 rudder-relayd[1561]:  ERROR report{queue_id=2DC9B52F6E8AAF1C6F779E2D0D786471}:node{node_id=5b601d52-fc8a-4fe5-8426-60178b0c4f70}: relayd::processing::reporting: refused: report from "5b601d52-fc8a-4fe5-8426-60178b0c4f70", unknown id
Jan 31 09:05:31 svtc-app-03 rudder-relayd[1561]:  ERROR report{queue_id=17D3D924BD11ED2B9BCDA42C4BA25108}:node{node_id=root}: relayd::processing::reporting: refused: report from "root", unknown id
Jan 31 09:06:57 svtc-app-03 rudder-relayd[1561]:  ERROR report{queue_id=1F8A7F9923F2C45ECC8A70243CF9F2D5}:node{node_id=52d90d89-8df6-4e15-a513-45c6869ee235}: relayd::processing::reporting: refused: report from "52d90d89-8df6-4e15-a513-45c6869ee235", unknown id
Jan 31 09:07:41 svtc-app-03 rudder-relayd[1561]:  ERROR report{queue_id=E498C0EA0532B9B37A5F951C225D96C2}:node{node_id=5b601d52-fc8a-4fe5-8426-60178b0c4f70}: relayd::processing::reporting: refused: report from "5b601d52-fc8a-4fe5-8426-60178b0c4f70", unknown id
Jan 31 09:10:31 svtc-app-03 rudder-relayd[1561]:  ERROR report{queue_id=E4CD3CB64804A893C1DD5EFFA469846D}:node{node_id=root}: relayd::processing::reporting: refused: report from "root", unknown id
Jan 31 09:12:20 svtc-app-03 rudder-relayd[1561]:  ERROR report{queue_id=7AE52BC0765BEC3D1A988153873B451F}:node{node_id=52d90d89-8df6-4e15-a513-45c6869ee235}: relayd::processing::reporting: refused: report from "52d90d89-8df6-4e15-a513-45c6869ee235", unknown id
Jan 31 09:12:54 svtc-app-03 rudder-relayd[1561]:  ERROR report{queue_id=0BDE5EEC175288FE9E950BA6356C7695}:node{node_id=5b601d52-fc8a-4fe5-8426-60178b0c4f70}: relayd::processing::reporting: refused: report from "5b601d52-fc8a-4fe5-8426-60178b0c4f70", unknown id
Jan 31 09:15:31 svtc-app-03 rudder-relayd[1561]:  ERROR report{queue_id=D15F48E0030C85B61A89B911EECA8AB7}:node{node_id=root}: relayd::processing::reporting: refused: report from "root", unknown id
Jan 31 09:16:43 svtc-app-03 rudder-relayd[1561]:  ERROR report{queue_id=C64B0418794D833F958080A2588CA505}:node{node_id=52d90d89-8df6-4e15-a513-45c6869ee235}: relayd::processing::reporting: refused: report from "52d90d89-8df6-4e15-a513-45c6869ee235", unknown id
-- Logs begin at Tue 2020-01-28 05:40:50 CET, end at Fri 2020-01-31 09:17:20 CET. --
Jan 31 08:45:30 svtc-app-03 rudder-relayd[1561]:  ERROR report{queue_id=6099B983180E2E9A6A1EFB05E9FFEBBC}:node{node_id=root}: relayd::processing::reporting: refused: report from "root", unknown id
Jan 31 08:46:25 svtc-app-03 rudder-relayd[1561]:  ERROR report{queue_id=65B217BED0BA7B8E50F75F8D22C8D987}:node{node_id=52d90d89-8df6-4e15-a513-45c6869ee235}: relayd::processing::reporting: refused: report from "52d90d89-8df6-4e15-a513-45c6869ee235", unknown id
Jan 31 08:47:44 svtc-app-03 rudder-relayd[1561]:  ERROR report{queue_id=BE799BA5EEDAD7F537D92561DBA3D62F}:node{node_id=5b601d52-fc8a-4fe5-8426-60178b0c4f70}: relayd::processing::reporting: refused: report from "5b601d52-fc8a-4fe5-8426-60178b0c4f70", unknown id
Jan 31 08:50:30 svtc-app-03 rudder-relayd[1561]:  ERROR report{queue_id=E83070CCDE28C3F500A38D9C851AAAD9}:node{node_id=root}: relayd::processing::reporting: refused: report from "root", unknown id
Jan 31 08:51:48 svtc-app-03 rudder-relayd[1561]:  ERROR report{queue_id=DD9FD893C36E38B3EDC10C8D4EA9FD42}:node{node_id=52d90d89-8df6-4e15-a513-45c6869ee235}: relayd::processing::reporting: refused: report from "52d90d89-8df6-4e15-a513-45c6869ee235", unknown id
Jan 31 08:52:59 svtc-app-03 rudder-relayd[1561]:  ERROR report{queue_id=A5939919CA3F3C60EBEFD030A73A676A}:node{node_id=5b601d52-fc8a-4fe5-8426-60178b0c4f70}: relayd::processing::reporting: refused: report from "5b601d52-fc8a-4fe5-8426-60178b0c4f70", unknown id
Jan 31 08:55:30 svtc-app-03 rudder-relayd[1561]:  ERROR report{queue_id=EC3696D93682E3430E7483AED1C48AE4}:node{node_id=root}: relayd::processing::reporting: refused: report from "root", unknown id
Jan 31 08:57:11 svtc-app-03 rudder-relayd[1561]:  ERROR report{queue_id=2F82BED76D7AE48FBB5C8E7143845F53}:node{node_id=52d90d89-8df6-4e15-a513-45c6869ee235}: relayd::processing::reporting: refused: report from "52d90d89-8df6-4e15-a513-45c6869ee235", unknown id
Jan 31 08:58:13 svtc-app-03 rudder-relayd[1561]:  ERROR report{queue_id=4EF351A79C396314F61E7F1F8D238F47}:node{node_id=5b601d52-fc8a-4fe5-8426-60178b0c4f70}: relayd::processing::reporting: refused: report from "5b601d52-fc8a-4fe5-8426-60178b0c4f70", unknown id
Jan 31 09:00:31 svtc-app-03 rudder-relayd[1561]:  ERROR report{queue_id=6DB32B6017B04645F69F67DE10860E5D}:node{node_id=root}: relayd::processing::reporting: refused: report from "root", unknown id
Jan 31 09:01:34 svtc-app-03 rudder-relayd[1561]:  ERROR report{queue_id=4A5BB40165982F3716BE4649E6B435D4}:node{node_id=52d90d89-8df6-4e15-a513-45c6869ee235}: relayd::processing::reporting: refused: report from "52d90d89-8df6-4e15-a513-45c6869ee235", unknown id
Jan 31 09:02:26 svtc-app-03 rudder-relayd[1561]:  ERROR report{queue_id=2DC9B52F6E8AAF1C6F779E2D0D786471}:node{node_id=5b601d52-fc8a-4fe5-8426-60178b0c4f70}: relayd::processing::reporting: refused: report from "5b601d52-fc8a-4fe5-8426-60178b0c4f70", unknown id
Jan 31 09:05:31 svtc-app-03 rudder-relayd[1561]:  ERROR report{queue_id=17D3D924BD11ED2B9BCDA42C4BA25108}:node{node_id=root}: relayd::processing::reporting: refused: report from "root", unknown id
Jan 31 09:06:57 svtc-app-03 rudder-relayd[1561]:  ERROR report{queue_id=1F8A7F9923F2C45ECC8A70243CF9F2D5}:node{node_id=52d90d89-8df6-4e15-a513-45c6869ee235}: relayd::processing::reporting: refused: report from "52d90d89-8df6-4e15-a513-45c6869ee235", unknown id
Jan 31 09:07:41 svtc-app-03 rudder-relayd[1561]:  ERROR report{queue_id=E498C0EA0532B9B37A5F951C225D96C2}:node{node_id=5b601d52-fc8a-4fe5-8426-60178b0c4f70}: relayd::processing::reporting: refused: report from "5b601d52-fc8a-4fe5-8426-60178b0c4f70", unknown id
Jan 31 09:10:31 svtc-app-03 rudder-relayd[1561]:  ERROR report{queue_id=E4CD3CB64804A893C1DD5EFFA469846D}:node{node_id=root}: relayd::processing::reporting: refused: report from "root", unknown id
Jan 31 09:12:20 svtc-app-03 rudder-relayd[1561]:  ERROR report{queue_id=7AE52BC0765BEC3D1A988153873B451F}:node{node_id=52d90d89-8df6-4e15-a513-45c6869ee235}: relayd::processing::reporting: refused: report from "52d90d89-8df6-4e15-a513-45c6869ee235", unknown id
Jan 31 09:12:54 svtc-app-03 rudder-relayd[1561]:  ERROR report{queue_id=0BDE5EEC175288FE9E950BA6356C7695}:node{node_id=5b601d52-fc8a-4fe5-8426-60178b0c4f70}: relayd::processing::reporting: refused: report from "5b601d52-fc8a-4fe5-8426-60178b0c4f70", unknown id
Jan 31 09:15:31 svtc-app-03 rudder-relayd[1561]:  ERROR report{queue_id=D15F48E0030C85B61A89B911EECA8AB7}:node{node_id=root}: relayd::processing::reporting: refused: report from "root", unknown id
Jan 31 09:16:43 svtc-app-03 rudder-relayd[1561]:  ERROR report{queue_id=C64B0418794D833F958080A2588CA505}:node{node_id=52d90d89-8df6-4e15-a513-45c6869ee235}: relayd::processing::reporting: refused: report from "52d90d89-8df6-4e15-a513-45c6869ee235", unknown id

Actions #3

Updated by Alexis Mousset almost 5 years ago

What do you have in /var/rudder/lib/relay/nodeslist.json? Apparently some info may be missing there.

Actions #4

Updated by Marius Rieck almost 5 years ago

The information seems to be okay:
I replaced the server fqdns in this snippet, they were correct.

# cat /var/rudder/lib/relay/nodeslist.json
{
      "52d90d89-8df6-4e15-a513-45c6869ee235": {
        "hostname": "server1.local.domain",
        "key-hash": "sha256:8c72bc79b6950397414a75414a55a1ac48a9d521380f64bd1b3aaf94171c682f",
        "policy-server": "root" 
      }
    ,
      "5b601d52-fc8a-4fe5-8426-60178b0c4f70": {
        "hostname": "server2.local.domain",
        "key-hash": "sha256:6f40e36d521c38cbecbe643365c63d1687daf2560496bbb35e316edb2e25b2a2",
        "policy-server": "root" 
      }
    ,
      "root": {
        "hostname": "rudderroot.local.domain",
        "key-hash": "sha256:7d18001341700e11997babfc5fe5eda98759bffddcf21583f35d6ace723ace33",
        "policy-server": "root" 
      }

}

Actions #5

Updated by Alexis Mousset almost 5 years ago

Can you try a rudder relay reload and send what it gives? (It should be responsible for nodeslist.json reloading, and is triggered by the webapp after each policy generation.)

Then you can systemctl restart rudder-relayd and see if it improves the situation.

Actions #6

Updated by Marius Rieck almost 5 years ago

The reload didn't help.

# rudder relay reload
ok: reload relayd configuration.

Service restart didn't help either, the problem persists.
I printed the logs after the restart:

Jan 31 13:24:08 svtc-app-03 systemd[1]: Stopping Rudder Relay Daemon...
Jan 31 13:24:08 svtc-app-03 rudder-relayd[1561]:  INFO relayd: Signal received: shutdown requested
Jan 31 13:24:08 svtc-app-03 systemd[1]: Stopped Rudder Relay Daemon.
Jan 31 13:24:08 svtc-app-03 systemd[1]: Started Rudder Relay Daemon.
Jan 31 13:24:08 svtc-app-03 rudder-relayd[23481]:  INFO relayd: Starting rudder-relayd 6.0.2
Jan 31 13:24:08 svtc-app-03 rudder-relayd[23481]:  INFO relayd: Read configuration from "/opt/rudder/etc/relayd/" 
Jan 31 13:24:08 svtc-app-03 rudder-relayd[23481]:  INFO relayd::data::node: Parsing nodes list from "/var/rudder/lib/relay/nodeslist.json" 
Jan 31 13:24:08 svtc-app-03 rudder-relayd[23481]:  INFO relayd::data::node: Nodes list file does not exist, considering it as empty
Jan 31 13:24:08 svtc-app-03 rudder-relayd[23481]:  INFO relayd::data::node: Certificates file does not exist, skipping
Jan 31 13:24:08 svtc-app-03 rudder-relayd[23481]:  INFO relayd::api: Starting API on 127.0.0.1:3030
Jan 31 13:24:08 svtc-app-03 rudder-relayd[23481]:  INFO relayd::input::watch: Starting file watcher on "/var/rudder/reports/incoming" 
Jan 31 13:24:08 svtc-app-03 rudder-relayd[23481]:  INFO relayd: Skipping inventory as it is disabled
Jan 31 13:24:08 svtc-app-03 rudder-relayd[23481]:  INFO relayd: Server started
Jan 31 13:25:35 svtc-app-03 rudder-relayd[23481]:  ERROR report{queue_id=82D7218E851FF0743EC3D78CDFBEB0CB}:node{node_id=root}: relayd::processing::reporting: refused: report from "root", unknown id
Jan 31 13:26:56 svtc-app-03 rudder-relayd[23481]:  ERROR report{queue_id=8E151B238FE8FB88B462329DF2BD5FE8}:node{node_id=52d90d89-8df6-4e15-a513-45c6869ee235}: relayd::processing::reporting: refused: report from "52d90d89-8df6-4e15-a513-45c6869ee235", unknown id

Actions #7

Updated by Alexis Mousset almost 5 years ago

What does ls -ahl /var/rudder/lib/relay/ give?

Could you try setenforce 0 in case it is an SELinux problem? It is strange it fails to read /var/rudder/lib/relay/nodeslist.json which exists and looks correct.

Actions #8

Updated by Marius Rieck almost 5 years ago

Alexis MOUSSET wrote:

What does ls -ahl /var/rudder/lib/relay/ give?

Could you try setenforce 0 in case it is an SELinux problem? It is strange it fails to read /var/rudder/lib/relay/nodeslist.json which exists and looks correct.

# ls -ahlZ /var/rudder/lib/relay/
total 8.0K
drwxr-xr-x. 2 root          root system_u:object_r:var_t:s0   50 Jan  8 20:55 .
drwxr-xr-x. 4 root          root system_u:object_r:var_t:s0   30 Dec 23 10:38 ..
-rw-------. 1 root          root system_u:object_r:var_t:s0 1.4K Dec 23 10:45 nodescerts.pem
-rw-r-----. 1 rudder-relayd root system_u:object_r:var_t:s0  675 Jan 31 04:22 nodeslist.json

The setenforce 0 did the trick, so something's up with the labels. Complete sealert output:


# sealert -a /var/log/audit/audit.log
  1% done'generator' object is not subscriptable
100% done
found 2 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing /opt/rudder/bin/rudder-relayd from getattr access on the file /var/rudder/lib/relay/nodeslist.json.

*****  Plugin restorecon (99.5 confidence) suggests   ************************

If you want to fix the label.
/var/rudder/lib/relay/nodeslist.json default label should be rudder_relayd_var_lib_t.
Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
Do
# /sbin/restorecon -v /var/rudder/lib/relay/nodeslist.json

*****  Plugin catchall (1.49 confidence) suggests   **************************

If you believe that rudder-relayd should be allowed getattr access on the nodeslist.json file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'tokio-runtime-w' --raw | audit2allow -M my-tokioruntimew
# semodule -X 300 -i my-tokioruntimew.pp

Additional Information:
Source Context                system_u:system_r:rudder_relayd_t:s0
Target Context                system_u:object_r:var_t:s0
Target Objects                /var/rudder/lib/relay/nodeslist.json [ file ]
Source                        tokio-runtime-w
Source Path                   /opt/rudder/bin/rudder-relayd
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           rudder-server-relay-6.0.2.release-1.EL.8.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.14.1-61.el8_0.2.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     rudderroot
Platform                      Linux rudderroot 4.18.0-80.11.2.el8_0.x86_64 #1
                              SMP Tue Sep 24 11:32:19 UTC 2019 x86_64 x86_64
Alert Count                   33
First Seen                    2020-01-27 01:20:57 CET
Last Seen                     2020-01-31 14:57:29 CET
Local ID                      c0dddcdc-378d-49e7-b005-78e368d62377

Raw Audit Messages
type=AVC msg=audit(1580479049.987:68257): avc:  denied  { getattr } for  pid=25145 comm="rudder-relayd" path="/var/rudder/lib/relay/nodeslist.json" dev="dm-0" ino=33856593 scontext=system_u:system_r:rudder_relayd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1

type=SYSCALL msg=audit(1580479049.987:68257): arch=x86_64 syscall=stat success=yes exit=0 a0=559e27ed0fe0 a1=7ffd6cfbb9d0 a2=7ffd6cfbb9d0 a3=559e27d77010 items=0 ppid=1 pid=25145 auid=4294967295 uid=994 gid=990 euid=994 suid=994 fsuid=994 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm=rudder-relayd exe=/opt/rudder/bin/rudder-relayd subj=system_u:system_r:rudder_relayd_t:s0 key=(null)ARCH=x86_64 SYSCALL=stat AUID=unset UID=rudder-relayd GID=rudder EUID=rudder-relayd SUID=rudder-relayd FSUID=rudder-relayd EGID=rudder SGID=rudder FSGID=rudder

Hash: tokio-runtime-w,rudder_relayd_t,var_t,file,getattr

--------------------------------------------------------------------------------

SELinux is preventing /opt/rudder/bin/rudder-relayd from read access on the file nodeslist.json.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that rudder-relayd should be allowed read access on the nodeslist.json file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'rudder-relayd' --raw | audit2allow -M my-rudderrelayd
# semodule -X 300 -i my-rudderrelayd.pp

Additional Information:
Source Context                system_u:system_r:rudder_relayd_t:s0
Target Context                system_u:object_r:var_t:s0
Target Objects                nodeslist.json [ file ]
Source                        rudder-relayd
Source Path                   /opt/rudder/bin/rudder-relayd
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           rudder-server-relay-6.0.2.release-1.EL.8.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.14.1-61.el8_0.2.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     rudderroot
Platform                      Linux rudderroot 4.18.0-80.11.2.el8_0.x86_64 #1
                              SMP Tue Sep 24 11:32:19 UTC 2019 x86_64 x86_64
Alert Count                   1
First Seen                    2020-01-31 14:57:29 CET
Last Seen                     2020-01-31 14:57:29 CET
Local ID                      91f5579e-4574-48d7-ad29-6f9a2d8202fa

Raw Audit Messages
type=AVC msg=audit(1580479049.987:68258): avc:  denied  { read } for  pid=25145 comm="rudder-relayd" name="nodeslist.json" dev="dm-0" ino=33856593 scontext=system_u:system_r:rudder_relayd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1

type=AVC msg=audit(1580479049.987:68258): avc:  denied  { open } for  pid=25145 comm="rudder-relayd" path="/var/rudder/lib/relay/nodeslist.json" dev="dm-0" ino=33856593 scontext=system_u:system_r:rudder_relayd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1

type=SYSCALL msg=audit(1580479049.987:68258): arch=x86_64 syscall=openat success=yes exit=EFAULT a0=ffffff9c a1=559e27ed0fe0 a2=80000 a3=0 items=0 ppid=1 pid=25145 auid=4294967295 uid=994 gid=990 euid=994 suid=994 fsuid=994 egid=990 sgid=990 fsgid=990 tty=(none) ses=4294967295 comm=rudder-relayd exe=/opt/rudder/bin/rudder-relayd subj=system_u:system_r:rudder_relayd_t:s0 key=(null)ARCH=x86_64 SYSCALL=openat AUID=unset UID=rudder-relayd GID=rudder EUID=rudder-relayd SUID=rudder-relayd FSUID=rudder-relayd EGID=rudder SGID=rudder FSGID=rudder

Hash: rudder-relayd,rudder_relayd_t,var_t,file,read

Interesting thing that SYSLOG works then.

Actions #9

Updated by Marius Rieck almost 5 years ago

After those errors were fixed, there was the same for the /var/rudder/lib/ssl/allnodescerts.pem, so I used:

/sbin/restorecon -v /var/rudder/lib/ssl/*

That restored the right contexts; it is now working again, so the nodes are reporting.

Actions #10

Updated by Alexis Mousset almost 5 years ago

  • Category set to Packaging
  • Target version set to 6.0.3

Thanks for the detailed analysis!

It may be an ordering problem in the way we apply the SELinux policy, I'll check the postinst script.

Actions #11

Updated by Vincent MEMBRÉ almost 5 years ago

  • Target version changed from 6.0.3 to 6.0.4

Actions #12

Updated by Vincent MEMBRÉ over 4 years ago

  • Target version changed from 6.0.4 to 6.0.5

Actions #13

Updated by Nicolas CHARLES over 4 years ago

I'm having exactly the same error on CentOS 7, with SELinux deactivated

Mar 12 21:31:22 server rudder-relayd[22067]: INFO relayd: Starting rudder-relayd 6.0.3
Mar 12 21:31:22 server rudder-relayd[22067]: INFO relayd: Read configuration from "/opt/rudder/etc/relayd/" 
Mar 12 21:31:22 server rudder-relayd[22067]: INFO relayd::data::node: Parsing nodes list from "/var/rudder/lib/relay/nodeslist.json" 
Mar 12 21:31:22 server rudder-relayd[22067]: INFO relayd::data::node: Nodes list file does not exist, considering it as empty
Mar 12 21:31:22 server rudder-relayd[22067]: INFO relayd::data::node: Certificates file does not exist, skipping
Mar 12 21:31:22 server rudder-relayd[22067]: INFO relayd::api: Starting API on 127.0.0.1:3030
Mar 12 21:31:22 server rudder-relayd[22067]: INFO relayd::input::watch: Starting file watcher on "/var/rudder/reports/incoming" 
Mar 12 21:31:22 server rudder-relayd[22067]: INFO relayd: Skipping inventory as it is disabled
Mar 12 21:31:22 server rudder-relayd[22067]: INFO relayd: Server started

I tried to 777 the files, without success

[root@server /]# ls -alh /var/rudder/lib/relay/nodeslist.json
-rwxrwxrwx. 1 rudder-relayd root 1017K Mar 12 21:31 /var/rudder/lib/relay/nodeslist.json
[root@server /]# ls -alh /var/rudder/lib/ssl/allnodescerts.pem
-rwxrwxrwx. 1 root rudder 8.8M Mar 12 21:27 /var/rudder/lib/ssl/allnodescerts.pem

Actions #14

Updated by Nicolas CHARLES over 4 years ago

ok, doing

chmod o+x /var/rudder/lib

solved the issue
Somehow /var/rudder/lib was 770 root:root
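
The failure in the two comments above (a 777 file that relayd still reports as missing because a parent directory lacks the search bit) can be located with a walk up the path. This is an added example, not part of the thread or of Rudder's code; the function names are hypothetical, and it assumes GNU stat, no ACLs, and only the primary group of the user.

```shell
#!/bin/sh
# Added example: report the topmost path component that a given uid/gid
# cannot traverse (directories need x) or read (the final file needs r).
# Only classic mode bits are evaluated: no ACLs, no SELinux, primary gid only.

# class_bits MODE OWNER_UID OWNER_GID UID GID
# Prints the single rwx digit (0-7) that applies to UID/GID.
class_bits() {
    mode=$(printf '%03d' "$(( $1 % 1000 ))")   # drop setuid/setgid/sticky digit
    if [ "$4" -eq "$2" ]; then
        echo "${mode%??}"                       # owner digit
    elif [ "$5" -eq "$3" ]; then
        m=${mode#?}; echo "${m%?}"              # group digit
    else
        echo "${mode#??}"                       # other digit
    fi
}

# first_blocked PATH UID GID [ROOT]
# Walks from PATH up to ROOT (default /). Prints the topmost blocking
# component and returns 1, or prints nothing and returns 0.
first_blocked() {
    p=$1; uid=$2; gid=$3; root=${4:-/}
    blocked=""
    [ "$uid" -eq 0 ] && return 0                # root bypasses mode bits
    need=4                                      # target file: read bit
    [ -d "$p" ] && need=1                       # target directory: search bit
    while :; do
        st=$(stat -c '%a %u %g' -- "$p") || return 2
        set -- $st
        bits=$(class_bits "$1" "$2" "$3" "$uid" "$gid")
        if [ $(( bits & need )) -eq 0 ]; then
            blocked=$p                          # keep overwriting: last one is topmost
        fi
        if [ "$p" = "$root" ] || [ "$p" = "/" ]; then
            break
        fi
        p=$(dirname -- "$p")
        need=1                                  # every parent needs the search bit
    done
    if [ -n "$blocked" ]; then
        echo "$blocked"
        return 1
    fi
    return 0
}

# Stand-alone use: script.sh PATH UID GID [ROOT]
if [ "$#" -ge 3 ]; then
    first_blocked "$@"
fi
```

On the server this would be called as `first_blocked /var/rudder/lib/relay/nodeslist.json "$(id -u rudder-relayd)" "$(id -g rudder-relayd)"`; with /var/rudder/lib at 770 root:root it prints /var/rudder/lib.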

Actions #15

Updated by Vincent MEMBRÉ over 4 years ago

  • Target version changed from 6.0.5 to 6.0.6

Actions #16

Updated by Alexis Mousset over 4 years ago

  • Status changed from New to Rejected

SELinux config is now correct and latest tests on CentOS8 showed no permission problems. Please reopen if it happens again.
