Bug 1198727

Summary: Docker registry search causes Ruby to coredump
Product: Red Hat Satellite Reporter: Elyézer Rezende <erezende>
Component: Container ManagementAssignee: Daniel Lobato Garcia <dlobatog>
Status: CLOSED CURRENTRELEASE QA Contact: Og Maciel <omaciel>
Severity: high Docs Contact:
Priority: unspecified    
Version: 6.1.0CC: bbuckingham, mmccune, omaciel
Target Milestone: UnspecifiedKeywords: Triaged
Target Release: Unused   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-08-12 13:57:10 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1190289    
Attachments:
Description Flags
Coredump of Foreman with Docker plugin none

Description Elyézer Rezende 2015-03-04 17:17:54 UTC 
Description of problem:


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Make sure that SELinux is in enforcing mode
2. Create a Docker-based compute resource pointing to internal or external docker
3. Pull an image using docker cli.
4. Go to New Container wizard and select the created Compute Resource
5. On the next step, try to find that image using the new container wizard

Actual results:

Search does not work and does not return any feedback


Expected results:

Search should work properly and do not show any connection error on logs (see additional info for the logs)


Additional info:

2015-03-04 10:12:36 [I] Processing by ImageSearchController#auto_complete_repository_name as */*
2015-03-04 10:12:36 [I]   Parameters: {"search"=>"bus", "registry_id"=>"", "id"=>"2"}
2015-03-04 10:12:36 [W] Operation FAILED: Permission denied - connect(2) (Errno::EACCES)
2015-03-04 10:12:36 [I]   Rendered common/500.html.erb (44.6ms)
2015-03-04 10:12:36 [I] Completed 500 Internal Server Error in 275ms (Views: 45.3ms | ActiveRecord: 2.8ms)
2015-03-04 10:12:39 [I] Processing by ImageSearchController#auto_complete_repository_name as */*
2015-03-04 10:12:39 [I]   Parameters: {"search"=>"busybox", "registry_id"=>"", "id"=>"2"}
2015-03-04 10:12:39 [W] Operation FAILED: Permission denied - connect(2) (Errno::EACCES)
2015-03-04 10:12:39 [I]   Rendered common/500.html.erb (46.9ms)
2015-03-04 10:12:39 [I] Completed 500 Internal Server Error in 283ms (Views: 47.7ms | ActiveRecord: 2.8ms)
2015-03-04 10:12:43 [I] Processing by ImageSearchController#search_repository as TEXT
2015-03-04 10:12:43 [I]   Parameters: {"search"=>"busybox", "registry_id"=>"", "id"=>"2"}
2015-03-04 10:12:43 [I] String does not start with the prefix 'encrypted-', so ForemanDocker::Docker ExternalDockerCR was not decrypted
Comment 1 Elyézer Rezende 2015-03-04 17:26:39 UTC 
Filling missing information:

Description of problem:
When SELinux is in enforcing mode during the image search step on New Container wizard it prevents the search. Also no feedback is provided.


Version-Release number of selected component (if applicable):
Satellite-6.1.0-RHEL-7-20150303.0

How reproducible:
Aways
Comment 3 Lukas Zapletal 2015-03-05 14:54:07 UTC 
Please paste output of the following commands in this order:

  rpm -q foreman-selinux selinux-policy
  getenforce
  ps auxZ | grep RackApp
  semodule -l | grep foreman
  foreman-selinux-enable
  foreman-selinux-disable
  foreman-selinux-enable
  foreman-selinux-relabel -v
  semanage boolean -l
  semanage fcontext -l
  sepolgen-ifgen &>/dev/null && audit2allow -Ra || audit2allow -a
  ausearch -m AVC -m USER_AVC -m SELINUX_ERR | head -n 50
Comment 5 Lukas Zapletal 2015-03-05 16:01:35 UTC 
*** Bug 1198734 has been marked as a duplicate of this bug. ***
Comment 6 Lukas Zapletal 2015-03-05 16:07:29 UTC 
Unable to reproduce on my nightly system. But I hit other interesting bug. Ruby coredumps on search result:

2015-03-05 11:05:24 [I] Processing by ImageSearchController#search_repository as TEXT
2015-03-05 11:05:24 [I]   Parameters: {"search"=>"wordpress", "registry_id"=>"", "id"=>"2"}
2015-03-05 11:05:24 [I] String does not start with the prefix 'encrypted-', so ForemanDocker::Docker Test was not decrypted

==> /var/log/messages <==
Mar  5 11:05:35 hp-magnycours-01 abrtd: Directory 'ccpp-2015-03-05-11:05:32-27132' creation detected
Mar  5 11:05:35 hp-magnycours-01 abrt[30605]: Saved core dump of pid 27132 (/opt/rh/ruby193/root/usr/bin/ruby) to /var/spool/abrt/ccpp-2015-03-05-11:05:32-27132 (404754432 bytes)

==> /var/log/httpd/foreman-ssl_error_ssl.log <==
[Thu Mar 05 11:05:36 2015] [error] [client 10.40.204.45] Premature end of script headers: image_search, referer: https://hp-magnycours-01.rhts.eng.bos.redhat.com/wizard_states/3/steps/image

==> /var/log/foreman/production.log <==
2015-03-05 11:05:36 [I] Client disconnected.

==> /var/log/httpd/foreman-ssl_access_ssl.log <==
10.40.204.45 - - [05/Mar/2015:11:05:24 -0500] "GET /image_search/2/search_repository?search=wordpress&registry_id= HTTP/1.1" 500 343 "https://hp-magnycours-01.rhts.eng.bos.redhat.com/wizard_states/3/steps/image" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0"

==> /var/log/messages <==
Mar  5 11:05:36 hp-magnycours-01 abrtd: Size of '/var/spool/abrt' >= 1000 MB, deleting 'ccpp-2015-03-05-11:03:51-25660'
Mar  5 11:05:37 hp-magnycours-01 abrtd: New problem directory /var/spool/abrt/ccpp-2015-03-05-11:04:37-27143, processing
Mar  5 11:05:37 hp-magnycours-01 abrtd: Sending an email...
Mar  5 11:05:37 hp-magnycours-01 abrtd: Email was sent to: root@localhost
Comment 7 Lukas Zapletal 2015-03-05 16:09:35 UTC 
One note, please keep in mind that external/internal docker resources MUST have ports from this range:

[root@qe-blade-16 ~]# semanage port -l | grep docker
docker_port_t                  tcp      2375-2376

Otherwise they WILL be blocker. If you want to use non-standard port, then you need to redefine those.
Comment 8 Lukas Zapletal 2015-03-05 16:15:34 UTC 
Attaching the coredump:

Core was generated by `Passenger RackApp: /usr/share/foreman                                         '.
Program terminated with signal 6, Aborted.
#0  0x0000003519232625 in ?? ()
"/var/spool/abrt/ccpp-2015-03-05-11:04:37-27143/coredump" is a core file.
Please specify an executable to debug.
(gdb) st
Ambiguous command "st": stack, start, status, step, stepi, stepping, stop, strace.
(gdb) bt
#0  0x0000003519232625 in ?? ()
#1  0x0000003519233d8d in ?? ()
#2  0x0000000000000000 in ?? ()
(gdb) quit
Comment 9 Lukas Zapletal 2015-03-05 16:16:05 UTC 
Created attachment 998456 [details]
Coredump of Foreman with Docker plugin
Comment 11 Lukas Zapletal 2015-03-24 11:35:16 UTC 
We have tried to reproduce with Daniel, unable to repro. Please re-test.

Keep in mind that when using Docker as a remote service, you must use standard ports otherwise SELinux will block the communication.
Comment 12 Og Maciel 2015-03-24 19:54:40 UTC 
Verified by QE on Satellite-6.1.0-RHEL-7-20150320.1. Typing the name of a docker image will automatically search within your compute resource for a match.
Comment 13 Bryan Kearney 2015-08-11 13:31:06 UTC 
This bug is slated to be released with Satellite 6.1.
Comment 14 Bryan Kearney 2015-08-12 13:57:10 UTC 
This bug was fixed in version 6.1.1 of Satellite which was released on 12 August, 2015.