Bug 1518599
Summary: | engine-setup upgrade to postgresql 9.5 sometimes fails due to missing selinux policy | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Petr Lautrbach <plautrba> |
Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
Status: | CLOSED WONTFIX | QA Contact: | Milos Malik <mmalik> |
Severity: | high | Docs Contact: | |
Priority: | unspecified | ||
Version: | 7.7 | CC: | bugs, didi, edwardh, lvrabec, mgrepl, mmalik, plautrba, pstehlik, ssekidde, zpytela |
Target Milestone: | rc | Keywords: | Reopened |
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | If docs needed, set a value | |
Doc Text: | Story Points: | --- | |
Clone Of: | 1518253 | Environment: | |
Last Closed: | 2019-03-14 10:24:29 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Petr Lautrbach
2017-11-29 09:40:23 UTC
It seems to be some corner case when selinux-policy-3.13.1-102.el7.noarch is updated to 3.13.1-166.el7_4.7.noarch in a particular condition Please consider backporting to 7.4.z I need to reproduce it on RHEL-7.2. But as Petr mentioned, it's some corner case of that script. Hi all, We're *not* able to reproduce it. Also in original bugzilla there is a workaround how to deal with this potential bugzilla [1]. Cloasing as WONTFIX. [1] https://bugzilla.redhat.com/show_bug.cgi?id=1518253 Hi again, this happens again now on our CI system. I managed to reproduce it on my own machine, and succeeded, when using the same tools we use in CI. I see this in /var/log/messages: Feb 18 06:56:55 lago-upgrade-from-release-suite-master-engine systemd: Starting Migrate local SELinux policy changes from the old store structure to the new structure... Feb 18 06:56:55 lago-upgrade-from-release-suite-master-engine systemd: Starting Tell Plymouth To Write Out Runtime Data... Feb 18 06:56:55 lago-upgrade-from-release-suite-master-engine systemd: Failed at step STDIN spawning /usr/libexec/selinux/selinux-policy-migrate-local-changes.sh: Inappropriate ioctl for device Feb 18 06:56:55 lago-upgrade-from-release-suite-master-engine systemd: selinux-policy-migrate-local-changes: main process exited, code=exited, status=208/STDIN Feb 18 06:56:55 lago-upgrade-from-release-suite-master-engine systemd: Failed to start Migrate local SELinux policy changes from the old store structure to the new structure. Feb 18 06:56:55 lago-upgrade-from-release-suite-master-engine systemd: Unit selinux-policy-migrate-local-changes entered failed state. Feb 18 06:56:55 lago-upgrade-from-release-suite-master-engine systemd: selinux-policy-migrate-local-changes failed. Searching for 'Failed at step STDIN spawning' I found (also) bug 1049656. Looking there, I guess the root cause is something like: 1. systemd/kernel/whatever fails to assign a tty to selinux-policy-migrate-local-changes@.service when starting it. 2. This service has 'StandardInput=tty', so it fails running as above. Our CI system uses lago, a small framework around libvirt to create several VMs and test oVirt using them. I am not that familiar with lago. Checking the running system, I see (with virsh dumpxml): <console type='pty' tty='/dev/pts/6'> <source path='/dev/pts/6'/> <target type='virtio' port='0'/> <alias name='console0'/> </console> So perhaps something caused /dev/pts/6 to not be available and therefore the console to not be available, not sure. Any idea why we need 'StandardInput=tty' for this service? I gave a brief look at selinux-policy-migrate-local-changes.sh and can't see something obvious that might require interaction. If we know about something specific there that might require a tty, perhaps allow passing an option to the script so that it runs this specific thing with '--quiet' or whatever option it has that makes it not require interaction. Anyway, I think it's worth fixing also for systems that do not have a console. Makes sense? Reopening for evaluation after comment #6 giving more details on the issue. Proposing this bug for 7.6.z consideration. Another update: See also [1] re how we generate images in oVirt CI. TL; DR: We use virt-builder, and the specific image seems to be based on centos7.2. I guess it's due to the specific way we upgrade that we run into current bug. We created new images based on centos7.6 and updated CI to use them, and this seems to work. Seems like virt-builder hard-codes 'console=tty0' in the kernel command line, but in CI we do not create the machines with a serial port, so /dev/console does not work. So current bug is quite hard to reproduce, but still not sure it's worth to fix, especially if there is no concrete reason for 'StandardInput=tty'. [1] https://docs.google.com/document/d/1fxXBcgHnQr3r2qrSzXiSlpNMMLWnbq899s8rUP38KHw/edit?usp=sharing not sure it's _not_ worth to fix :-) This issue was not selected to be included in Red Hat Enterprise Linux 7.7 because it is seen either as low or moderate impact to a small number of use-cases. The next release will be in Maintenance Support 1 Phase, which means that qualified Critical and Important Security errata advisories (RHSAs) and Urgent Priority Bug Fix errata advisories (RHBAs) may be released as they become available. We will now close this issue, but if you believe that it qualifies for the Maintenance Support 1 Phase, please re-open; otherwise, we recommend moving the request to Red Hat Enterprise Linux 8 if applicable. |