Bug 1183127

Summary: Allow connections to Docker
Product: Red Hat Satellite
Reporter: Og Maciel <omaciel>
Component: SELinux
Assignee: Lukas Zapletal <lzap>
Status: CLOSED ERRATA
QA Contact: Elyézer Rezende <erezende>
Severity: high
Priority: unspecified
Version: Nightly
CC: bbuckingham, erezende
Target Milestone: Unspecified
Keywords: Triaged
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
URL: http://projects.theforeman.org/issues/8989
Doc Type: Bug Fix
Last Closed: 2015-08-12 05:22:02 UTC
Type: Bug
Attachments: foreman-debug (flags: none)

Description Og Maciel 2015-01-16 18:32:25 UTC
Created attachment 980894
foreman-debug

Description of problem:

Configured my nightly installation to use an 'external' Docker server for its Compute Resource and spun up a new container, which came up. Then, using the web UI I tried to stop the container, which failed with the error:

  Getting "Error - undefined method `delete' for nil:NilClass" while trying to stop a container

I also happened to see the following SELinux error, which I wonder if it is related at all:

type=AVC msg=audit(1421352630.245:15331): avc:  denied  { name_connect } for  pid=4803 comm="ruby" dest=2375 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1421352630.245:15331): arch=c000003e syscall=42 success=no exit=-115 a0=11 a1=e912a28 a2=10 a3=58a8 items=0 ppid=1 pid=4803 auid=0 uid=496 gid=495 euid=496 suid=496 fsuid=496 egid=495 sgid=495 fsgid=495 tty=(none) ses=6 comm="ruby" exe="/opt/rh/ruby193/root/usr/bin/ruby" subj=unconfined_u:system_r:passenger_t:s0 key=(null)

Version-Release number of selected component (if applicable):

* candlepin-0.9.38-1.el7.noarch
* candlepin-common-1.0.18-1.el7.noarch
* candlepin-selinux-0.9.38-1.el7.noarch
* candlepin-tomcat-0.9.38-1.el7.noarch
* elasticsearch-0.90.10-7.el7.noarch
* foreman-1.8.0-0.develop.201501151532git282d4ee.el7.noarch
* foreman-compute-1.8.0-0.develop.201501151532git282d4ee.el7.noarch
* foreman-gce-1.8.0-0.develop.201501151532git282d4ee.el7.noarch
* foreman-libvirt-1.8.0-0.develop.201501151532git282d4ee.el7.noarch
* foreman-ovirt-1.8.0-0.develop.201501151532git282d4ee.el7.noarch
* foreman-postgresql-1.8.0-0.develop.201501151532git282d4ee.el7.noarch
* foreman-proxy-1.8.0-0.develop.201501141626gite3020e6.el7.noarch
* foreman-release-1.8.0-0.develop.201501151532git282d4ee.el7.noarch
* foreman-selinux-1.8.0-0.develop.201412151103gite2863e4.el7.noarch
* foreman-vmware-1.8.0-0.develop.201501151532git282d4ee.el7.noarch
* katello-2.1.0-1.201411061509gitb0b8f43.el7.noarch
* katello-certs-tools-2.0.1-1.el7.noarch
* katello-default-ca-1.0-1.noarch
* katello-installer-2.2.0-1.201501141215git94da56c.el7.noarch
* katello-installer-base-2.2.0-1.201501141215git94da56c.el7.noarch
* katello-repos-2.1.1-1.el7.noarch
* katello-server-ca-1.0-1.noarch
* openldap-2.4.39-3.el7.x86_64
* pulp-docker-plugins-0.2.1-0.2.beta.el7.noarch
* pulp-katello-0.3-3.el7.noarch
* pulp-nodes-common-2.5.1-1.el7.noarch
* pulp-nodes-parent-2.5.1-1.el7.noarch
* pulp-puppet-plugins-2.5.1-1.el7.noarch
* pulp-puppet-tools-2.5.1-1.el7.noarch
* pulp-rpm-plugins-2.5.1-1.el7.noarch
* pulp-selinux-2.5.1-1.el7.noarch
* pulp-server-2.5.1-1.el7.noarch
* python-ldap-2.4.6-6.el7.x86_64
* ruby193-rubygem-ldap_fluff-0.3.3-1.el7.noarch
* ruby193-rubygem-net-ldap-0.10.0-1.el7.noarch
* ruby193-rubygem-runcible-1.3.0-1.el7.noarch
* rubygem-hammer_cli-0.1.4-1.el7.noarch
* rubygem-hammer_cli_foreman-0.1.4-1.201501140850git12cf44d.el7.noarch
* rubygem-hammer_cli_foreman_bootdisk-0.1.2-1.el7.noarch
* rubygem-hammer_cli_foreman_tasks-0.0.3-2.201409091410git163c264.git.0.988ca80.el7.noarch
* rubygem-hammer_cli_import-0.10.4-1.el7.noarch
* rubygem-hammer_cli_katello-0.0.7-1.201501141309git0c77aa4.git.0.b4acc0a.el7.noarch

How reproducible:


Steps to Reproduce:
1. Add a new Docker compute resource to your satellite, where the compute resource is in a different computer/system
2. Start up a new container
3. Using the web UI try to stop the container

Actual results:

The web UI shows

   Error - private method `delete' called for nil:NilClass

Logs show

type=AVC msg=audit(1421432913.646:1467): avc:  denied  { name_connect } for  pid=21340 comm="ruby" dest=5671 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:amqp_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1421432913.646:1467): arch=c000003e syscall=42 success=no exit=-115 a0=10c a1=7f44983ac7f0 a2=10 a3=0 items=0 ppid=1 pid=21340 auid=4294967295 uid=993 gid=991 euid=993 suid=993 fsuid=993 egid=991 sgid=991 fsgid=991 tty=(none) ses=4294967295 comm="ruby" exe="/opt/rh/ruby193/root/usr/bin/ruby" subj=system_u:system_r:passenger_t:s0 key=(null)

Expected results:


Additional info:
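
The following is an added example, not part of the original report or of Foreman's code: a small Python parser that joins the AVC and SYSCALL records quoted above by audit event id and summarises what each denial covers. The function name `triage`, the output field names and the lookup tables are choices made for this example.

```python
import re
from collections import defaultdict

# Records from the report above; SYSCALL lines shortened to the fields used here.
SAMPLE = """\
type=AVC msg=audit(1421352630.245:15331): avc:  denied  { name_connect } for  pid=4803 comm="ruby" dest=2375 scontext=unconfined_u:system_r:passenger_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1421352630.245:15331): arch=c000003e syscall=42 success=no exit=-115 comm="ruby"
type=AVC msg=audit(1421432913.646:1467): avc:  denied  { name_connect } for  pid=21340 comm="ruby" dest=5671 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:amqp_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1421432913.646:1467): arch=c000003e syscall=42 success=no exit=-115 comm="ruby"
"""

HEAD = re.compile(r"type=(\w+) msg=audit\(([\d.]+:\d+)\): (.*)")
PERMS = re.compile(r"denied\s+\{ ([^}]*) \}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
ERRNO = {13: "EACCES", 115: "EINPROGRESS"}   # Linux errno values
SYSCALLS = {("c000003e", "42"): "connect"}   # x86_64 syscall numbers

def triage(log):
    """Join AVC and SYSCALL records by audit event id and summarise each denial."""
    events = defaultdict(dict)
    for line in log.splitlines():
        m = HEAD.match(line)
        if not m:
            continue
        rtype, event_id, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        if rtype == "AVC":
            fields["perms"] = PERMS.search(body).group(1).split()
        events[event_id][rtype] = fields
    out = []
    for event_id, rec in events.items():
        avc, sc = rec.get("AVC"), rec.get("SYSCALL", {})
        if not avc:
            continue
        code = -int(sc["exit"]) if "exit" in sc else None
        target = avc["tcontext"].split(":")[2]
        out.append({
            "event": event_id,
            "source": avc["scontext"].split(":")[2],          # confined domain
            "target": target,                                 # port type
            "port": int(avc["dest"]) if "dest" in avc else None,
            "perms": avc["perms"],
            "syscall": SYSCALLS.get((sc.get("arch"), sc.get("syscall"))),
            "errno": ERRNO.get(code, code),
            # port_t is the generic type for ports without a dedicated
            # label, so an allow rule against it covers every such port.
            "generic_port": target == "port_t",
        })
    return out
```

In these records `exit=-115` decodes to EINPROGRESS rather than EACCES, which is worth checking against the host's enforcing mode before concluding that the denial itself caused a failure.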

Comment 3 Lukas Zapletal 2015-02-04 14:32:42 UTC
Correcting status, sorry about that :-)

Comment 6 Elyézer Rezende 2015-02-13 21:49:34 UTC
Verified on Satellite-6.1.0-RHEL-7-20150210.0

Verification steps:

1) Added an external Docker compute resource (Docker daemon running on another machine)
2) Navigated to Containers > All Containers and powered on an already created container
3) Checked its console for output
4) Checked All Containers for expected status
5) After an uptime of 2 minutes, powered down the container
6) Checked All Containers again for status

Comment 7 Bryan Kearney 2015-08-11 13:22:00 UTC
This bug is slated to be released with Satellite 6.1.

Comment 8 errata-xmlrpc 2015-08-12 05:22:02 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2015:1592