Bug 1305544

Summary: getpgid syscall fails in cron jobs due to SELinux context mismatch with session leader
Product: OpenShift Online
Reporter: Andy Grimm <agrimm>
Component: Unknown
Assignee: Rory Thrasher <rthrashe>
Status: CLOSED EOL
QA Contact: Meng Bo <bmeng>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 2.x
CC: aos-bugs, eparis, jgoulding, jokerman, jolamb, mmccomas, rthrashe
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-09-11 02:14:03 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1277547

Description Andy Grimm 2016-02-08 14:42:19 UTC
Currently, cron jobs in OpenShift Online inherit the session from /usr/libexec/openshift/cartridges/cron/bin/cron_runjobs.sh, which has SELinux label system_u:system_r:system_cronjob_t:s0-s0:c0.c1023

This process is called under runcon, but only the child processes get a new label (unconfined_u:system_r:openshift_t:s0:cXXX,cYYY).  Because of the label change, calling getpgid against the sid fails.

One workaround would be to call "setsid" ahead of "timeout" in cron_runjobs.sh, but maybe it's time to get a real fix for https://bugzilla.redhat.com/show_bug.cgi?id=1219589, as that may also fix the problem.

== How to reproduce ==

1) create an app
2) add the cron cartridge to it
3) drop the following script into ~/app-root/repo/.openshift/cron/minutely/

#!/usr/bin/env oo-ruby
# Session id of this process, as reported by ps (the inherited cron session).
sid = `ps -p #{Process.pid} -o sess=`.to_i
# Query the process group of the session leader; fails with EACCES when the
# leader's SELinux label differs from ours.
pgid = Process.getpgid(sid)
puts "#{sid} #{pgid}"

Result:
`getpgid': Permission denied (Errno::EACCES)

Comment 1 Andy Grimm 2016-02-08 15:35:17 UTC
Translated audit log line for the failure:

type=SYSCALL msg=audit(02/07/2016 22:45:12.996:10062991) : arch=x86_64 syscall=getpgid success=no exit=-13(Permission denied) a0=0x4610f a1=0x8c21f a2=0x4610f a3=0x7fffb6589a10 items=0 ppid=287197 pid=287206 auid=root uid=527007594382ec847e0000cf gid=527007594382ec847e0000cf euid=527007594382ec847e0000cf suid=527007594382ec847e0000cf fsuid=527007594382ec847e0000cf egid=527007594382ec847e0000cf sgid=527007594382ec847e0000cf fsgid=527007594382ec847e0000cf tty=(none) ses=498429 comm=ruby exe=/opt/rh/ruby193/root/usr/bin/ruby subj=unconfined_u:system_r:openshift_t:s0:c2,c167 key=(null)

Comment 2 John W. Lamb 2016-02-08 21:25:48 UTC
I just validated that adding "setsid" before "timeout" here resolves this issue: https://github.com/openshift/origin-server/blob/master/cartridges/openshift-origin-cartridge-cron/bin/cron_runjobs.sh#L70

I want to note that in Online, cron_runjobs.sh in the gear bin dir is symlinked to /usr/libexec/openshift/cartridges/cron/bin/cron_runjobs.sh - perhaps that should be the case for OSE/Origin-server as well?
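
The following is an added example, not code from this bug report or from origin-server. It runs the probe from the description (session id, then getpgid on it) in a forked child, once with the inherited session and once after calling setsid as the fix in comment 2 does, and reports who the session leader is together with its SELinux label read from /proc (nil when SELinux is not available). On a host without the SELinux label mismatch the inherited case may succeed rather than return EACCES; what the example shows is the part setsid changes, namely that the job becomes its own session leader so getpgid targets itself instead of cron_runjobs.sh. It needs Linux and Ruby's fork; the helper names are this example's own.

```ruby
# Added example (not from the bug report or origin-server). Demonstrates the
# effect of the setsid fix on the getpgid(sid) probe from the description.

# SELinux label of a process as recorded in /proc, or nil when SELinux is not
# available. This is the label the report compares (system_cronjob_t on the
# session leader versus openshift_t on the job).
def selinux_label(pid)
  File.read("/proc/#{pid}/attr/current").strip
rescue SystemCallError, IOError
  nil
end

# Run the report's probe in a forked child. new_session: true calls setsid
# first, as the fixed cron_runjobs.sh does; false keeps the caller's session,
# which is the failing configuration from the report.
def probe_session(new_session:)
  reader, writer = IO.pipe
  child = fork do
    reader.close
    Process.setsid if new_session      # the fix: become our own session leader
    sid = Process.getsid               # same value `ps -o sess=` reports
    pgid, error = begin
      [Process.getpgid(sid), nil]
    rescue SystemCallError => e        # EACCES in the report; ESRCH if the leader is not visible
      [nil, e.class.name]
    end
    # Plain comma-separated text over the pipe: nothing is deserialised blindly.
    writer.puts [Process.pid, sid, pgid.to_s, error.to_s].join(",")
    writer.close
    exit!(0)
  end
  writer.close
  line = reader.read.chomp
  reader.close
  Process.wait(child)
  raise "probe child produced no output" if line.empty?
  pid, sid, pgid, error = line.split(",", 4)
  {
    pid: pid.to_i,
    sid: sid.to_i,
    pgid: pgid.empty? ? nil : pgid.to_i,
    error: error.empty? ? nil : error,
    leader_label: selinux_label(sid.to_i),   # label of whoever owns the session
  }
end

# True when the job is its own session and process-group leader, the state the
# fixed script puts each job in before run-parts executes it.
def own_session?(r)
  r[:error].nil? && r[:sid] == r[:pid] && r[:pgid] == r[:pid]
end

if __FILE__ == $0
  [false, true].each do |fixed|
    r = probe_session(new_session: fixed)
    puts "setsid=#{fixed}: pid=#{r[:pid]} sid=#{r[:sid]} pgid=#{r[:pgid].inspect} " \
         "error=#{r[:error].inspect} leader_label=#{r[:leader_label].inspect} " \
         "own_session=#{own_session?(r)}"
  end
end
```

Running it prints one line per case; the inherited case reports the parent's session id (and, on an SELinux host, the leader's label), while the setsid case reports sid and pgid equal to the job's own pid, which is the "24006 24006" shape seen in the verification log later in this bug.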

Comment 3 openshift-github-bot 2016-02-16 21:30:20 UTC
Commit pushed to master at https://github.com/openshift/origin-server

https://github.com/openshift/origin-server/commit/cdd56c53a1a165979bf607b54424fe833eb6cb4b
cron_runjobs.sh: adds setsid to timeout command

Bug 1305544
https://bugzilla.redhat.com/show_bug.cgi?id=1305544

Currently, cron jobs in OpenShift Online inherit the session from
/usr/libexec/openshift/cartridges/cron/bin/cron_runjobs.sh, which has SELinux
label system_u:system_r:system_cronjob_t:s0-s0:c0.c1023

This process is called under runcon, but only the child processes get a new
label (unconfined_u:system_r:openshift_t:s0:cXXX,cYYY).  Because of the label
change, calling getpgid against the sid fails.

Adds a 'setsid' to the run-parts command to resolve the issue.

Comment 4 Rory Thrasher 2016-03-04 19:41:02 UTC
QE,

Can we verify that this works based on the comment #0 How to Reproduce steps?  Thank you.

Comment 5 Meng Bo 2016-03-07 06:44:26 UTC
Checked on devenv_5778; the issue has been fixed.
The sid and pgid are shown in the user's cron job.


# rhc tail py33
==> app-root/logs/cron_minutely.log <==
Mon Mar  7 01:40:02 EST 2016: END minutely cron run - status=0
__________________________________________________________________________
__________________________________________________________________________
Mon Mar  7 01:41:02 EST 2016: START minutely cron run
__________________________________________________________________________
/var/lib/openshift/56dd1bbe7804afdf14000018/app-root/runtime/repo//.openshift/cron/minutely/test.rb:
24006 24006
__________________________________________________________________________
Mon Mar  7 01:41:02 EST 2016: END minutely cron run - status=0
__________________________________________________________________________

==> app-root/logs/python.log <==
[Mon Mar 07 01:12:39 2016] [notice] Digest: generating secret for digest authentication ...
[Mon Mar 07 01:12:39 2016] [notice] Digest: done
[Mon Mar 07 01:12:39 2016] [notice] Apache/2.2.15 (Unix) mod_wsgi/3.4 Python/3.3.2 configured -- resuming normal operations
[Mon Mar 07 01:38:08 2016] [notice] caught SIGWINCH, shutting down gracefully
- - - [07/Mar/2016:01:38:08 -0500] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.2.15 (Red Hat) (internal dummy connection)"
[Mon Mar 07 01:38:15 2016] [notice] Digest: generating secret for digest authentication ...
[Mon Mar 07 01:38:15 2016] [notice] Digest: done
[Mon Mar 07 01:38:15 2016] [notice] Apache/2.2.15 (Unix) mod_wsgi/3.4 Python/3.3.2 configured -- resuming normal operations

==> app-root/logs/cron_minutely.log <==
__________________________________________________________________________
Mon Mar  7 01:42:02 EST 2016: START minutely cron run
__________________________________________________________________________
/var/lib/openshift/56dd1bbe7804afdf14000018/app-root/runtime/repo//.openshift/cron/minutely/test.rb:
24675 24675
__________________________________________________________________________
Mon Mar  7 01:42:02 EST 2016: END minutely cron run - status=0
__________________________________________________________________________