Bug 1542833

Summary: oVirt Node upgrade fails if SELINUX is disabled
Product: Red Hat Enterprise Virtualization Manager
Reporter: Germano Veit Michel <gveitmic>
Component: imgbased
Assignee: Yuval Turgeman <yturgema>
Status: CLOSED ERRATA
QA Contact: Huijuan Zhao <huzhao>
Severity: high
Docs Contact:
Priority: unspecified
Version: 4.1.9
CC: bugs, cshao, dfediuck, gveitmic, huzhao, lveyde, mail, rbarry, usurse, yturgema
Target Milestone: ovirt-4.2.1
Flags: lsvaty: testing_plan_complete-
Target Release: 4.2.0
Hardware: x86_64
OS: Linux
Fixed In Version: imgbased-1.0.11
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1519784
Environment:
Last Closed: 2018-05-15 17:57:44 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Node
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On: 1519784
Bug Blocks:

Description Germano Veit Michel 2018-02-07 06:19:42 UTC
+++ This bug was initially created as a clone of Bug #1519784 +++

Description of problem:

If SELINUX is disabled, upgrade of node fails.

Version-Release number of selected component (if applicable):

How reproducible:


Steps to Reproduce:
1. Install oVirt Node
2. Disable SELINUX
3. Try to upgrade oVirt Node

Actual results:

Upgrade fails


2017-11-28 17:25:28,372 [DEBUG] (MainThread) Returned: 
2017-11-28 17:25:28,434 [DEBUG] (MainThread) Creating /home as {'attach': True, 'size': '1G'}
2017-11-28 17:25:28,434 [DEBUG] (MainThread) Calling binary: (['vgs', '--noheadings', '@imgbased:volume', '-o', 'lv_full_name'],) {'stderr': <open file '/dev/null', mode 'w' at 0x7fa2d1ad8ed0>}
2017-11-28 17:25:28,434 [DEBUG] (MainThread) Calling: (['vgs', '--noheadings', '@imgbased:volume', '-o', 'lv_full_name'],) {'close_fds': True, 'stderr': <open file '/dev/null', mode 'w' at 0x7fa2d1ad8ed0>}
2017-11-28 17:25:28,533 [DEBUG] (MainThread) Returned: onn/home         
2017-11-28 17:25:28,533 [DEBUG] (MainThread) Calling binary: (['umount', '-l', '/etc'],) {}
2017-11-28 17:25:28,534 [DEBUG] (MainThread) Calling: (['umount', '-l', '/etc'],) {'close_fds': True, 'stderr': -2}
2017-11-28 17:25:28,539 [DEBUG] (MainThread) Returned: 
2017-11-28 17:25:28,540 [DEBUG] (MainThread) Calling binary: (['umount', '-l', u'/tmp/mnt.tuHU8'],) {}
2017-11-28 17:25:28,540 [DEBUG] (MainThread) Calling: (['umount', '-l', u'/tmp/mnt.tuHU8'],) {'close_fds': True, 'stderr': -2}
2017-11-28 17:25:28,635 [DEBUG] (MainThread) Returned: 
2017-11-28 17:25:28,635 [DEBUG] (MainThread) Calling binary: (['rmdir', u'/tmp/mnt.tuHU8'],) {}
2017-11-28 17:25:28,635 [DEBUG] (MainThread) Calling: (['rmdir', u'/tmp/mnt.tuHU8'],) {'close_fds': True, 'stderr': -2}
2017-11-28 17:25:28,640 [DEBUG] (MainThread) Returned: 
2017-11-28 17:25:28,641 [ERROR] (MainThread) Failed to migrate etc
Traceback (most recent call last):
  File "/tmp/tmp.ipxGZrbQEi/usr/lib/python2.7/site-packages/imgbased/plugins/osupdater.py", line 109, in on_new_layer
    check_nist_layout(imgbase, new_lv)
  File "/tmp/tmp.ipxGZrbQEi/usr/lib/python2.7/site-packages/imgbased/plugins/osupdater.py", line 179, in check_nist_layout
    v.create(t, paths[t]["size"], paths[t]["attach"])
  File "/tmp/tmp.ipxGZrbQEi/usr/lib/python2.7/site-packages/imgbased/volume.py", line 48, in create
    "Path is already a volume: %s" % where
AssertionError: Path is already a volume: /home
2017-11-28 17:25:28,642 [DEBUG] (MainThread) Calling binary: (['umount', '-l', u'/tmp/mnt.bEW2k'],) {}
2017-11-28 17:25:28,642 [DEBUG] (MainThread) Calling: (['umount', '-l', u'/tmp/mnt.bEW2k'],) {'close_fds': True, 'stderr': -2}
2017-11-28 17:25:29,061 [DEBUG] (MainThread) Returned: 
2017-11-28 17:25:29,061 [DEBUG] (MainThread) Calling binary: (['rmdir', u'/tmp/mnt.bEW2k'],) {}
2017-11-28 17:25:29,061 [DEBUG] (MainThread) Calling: (['rmdir', u'/tmp/mnt.bEW2k'],) {'close_fds': True, 'stderr': -2}
2017-11-28 17:25:29,067 [DEBUG] (MainThread) Returned: 
2017-11-28 17:25:29,067 [DEBUG] (MainThread) Calling binary: (['umount', '-l', u'/tmp/mnt.UB5Yg'],) {}
2017-11-28 17:25:29,067 [DEBUG] (MainThread) Calling: (['umount', '-l', u'/tmp/mnt.UB5Yg'],) {'close_fds': True, 'stderr': -2}
2017-11-28 17:25:29,625 [DEBUG] (MainThread) Returned: 
2017-11-28 17:25:29,625 [DEBUG] (MainThread) Calling binary: (['rmdir', u'/tmp/mnt.UB5Yg'],) {}
2017-11-28 17:25:29,626 [DEBUG] (MainThread) Calling: (['rmdir', u'/tmp/mnt.UB5Yg'],) {'close_fds': True, 'stderr': -2}
2017-11-28 17:25:29,631 [DEBUG] (MainThread) Returned: 
Traceback (most recent call last):
  File "/usr/lib64/python2.7/runpy.py", line 162, in _run_module_as_main
    "__main__", fname, loader, pkg_name)
  File "/usr/lib64/python2.7/runpy.py", line 72, in _run_code
    exec code in run_globals
  File "/tmp/tmp.ipxGZrbQEi/usr/lib/python2.7/site-packages/imgbased/__main__.py", line 53, in <module>
  File "/tmp/tmp.ipxGZrbQEi/usr/lib/python2.7/site-packages/imgbased/__init__.py", line 82, in CliApplication
    app.hooks.emit("post-arg-parse", args)
  File "/tmp/tmp.ipxGZrbQEi/usr/lib/python2.7/site-packages/imgbased/hooks.py", line 120, in emit
    cb(self.context, *args)
  File "/tmp/tmp.ipxGZrbQEi/usr/lib/python2.7/site-packages/imgbased/plugins/update.py", line 56, in post_argparse
    base_lv, _ = LiveimgExtractor(app.imgbase).extract(args.FILENAME)
  File "/tmp/tmp.ipxGZrbQEi/usr/lib/python2.7/site-packages/imgbased/plugins/update.py", line 118, in extract
    "%s" % size, nvr)
  File "/tmp/tmp.ipxGZrbQEi/usr/lib/python2.7/site-packages/imgbased/plugins/update.py", line 99, in add_base_with_tree
    new_layer_lv = self.imgbase.add_layer(new_base)
  File "/tmp/tmp.ipxGZrbQEi/usr/lib/python2.7/site-packages/imgbased/imgbase.py", line 191, in add_layer
    self.hooks.emit("new-layer-added", prev_lv, new_lv)
  File "/tmp/tmp.ipxGZrbQEi/usr/lib/python2.7/site-packages/imgbased/hooks.py", line 120, in emit
    cb(self.context, *args)
  File "/tmp/tmp.ipxGZrbQEi/usr/lib/python2.7/site-packages/imgbased/plugins/osupdater.py", line 123, in on_new_layer
    raise ConfigMigrationError()

$semanage permissive -a setfiles_t
SELinux:  Could not downgrade policy file /etc/selinux/targeted/policy/policy.30, searching for an older version.
SELinux:  Could not open policy file <= /etc/selinux/targeted/policy/policy.30:  No such file or directory
/sbin/load_policy:  Can't load policy:  No such file or directory
libsemanage.semanage_reload_policy: load_policy returned error code 2. (No such file or directory).
SELinux:  Could not downgrade policy file /etc/selinux/targeted/policy/policy.30, searching for an older version.
SELinux:  Could not open policy file <= /etc/selinux/targeted/policy/policy.30:  No such file or directory
/sbin/load_policy:  Can't load policy:  No such file or directory
libsemanage.semanage_reload_policy: load_policy returned error code 2. (No such file or directory).
OSError: No such file or directory


Expected results:

Upgrade / Update should work

Additional info:

--- Additional comment from Ryan Barry on 2017-12-01 08:14:27 EST ---

The traceback here is misleading. Please remove the NIST LVs before attempting to upgrade again.

Why is selinux disabled? We can patch around this by checking in SELinuxContext, but oVirt Node runs without problems with SELinux enabled.
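
An added example, not part of the original report and not imgbased's own code: one way to guard the `semanage permissive -a setfiles_t` call seen in the log so it is skipped when SELinux is disabled. The helper name `permissive_domain`, the `selinuxfs` and `run` parameters, and the temporary directories in `demo()` are assumptions made for illustration.

```python
import os
import subprocess
import tempfile
from contextlib import contextmanager

SELINUXFS = "/sys/fs/selinux"  # standard selinuxfs mount point


def selinux_enabled(selinuxfs=SELINUXFS):
    """True when selinuxfs is mounted and exposes its 'enforce' node.

    On a host with SELinux disabled, selinuxfs is not mounted and the node is absent.
    """
    return os.path.isfile(os.path.join(selinuxfs, "enforce"))


@contextmanager
def permissive_domain(domain, selinuxfs=SELINUXFS, run=subprocess.check_call):
    """Hypothetical helper: make `domain` permissive only while the block runs.

    With SELinux disabled no policy is loaded, so semanage is never invoked
    and the load_policy failure shown in the log cannot occur.
    """
    active = selinux_enabled(selinuxfs)
    if active:
        run(["semanage", "permissive", "-a", domain])
    try:
        yield active
    finally:
        if active:
            # Always restore enforcement for the domain, even if the block raised.
            run(["semanage", "permissive", "-d", domain])


def demo():
    """Exercise the guard on two constructed selinuxfs trees; return commands issued."""
    issued = {}
    for state in ("disabled", "enabled"):
        with tempfile.TemporaryDirectory() as fake:
            if state == "enabled":
                open(os.path.join(fake, "enforce"), "w").close()
            calls = []  # stands in for subprocess so nothing is executed
            with permissive_domain("setfiles_t", selinuxfs=fake, run=calls.append):
                pass  # the configuration migration would run here
            issued[state] = calls
    return issued
```
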

--- Additional comment from Kilian Ries on 2017-12-01 09:58:26 EST ---

Yes, that is right, it was not the right imgbased-log. I have another one where I removed the LVs before upgrade.

SELINUX is disabled because of a third party package which I installed via yum (which is not compatible with SELINUX) ...

--- Additional comment from Huijuan Zhao on 2017-12-04 03:37:59 EST ---

QE can reproduce this issue.

Test version:
From: ovovirt-node-ng-installer-ovirt-4.1-pre-2017101110.iso
To:   ovirt-node-ng-image-update-4.2.0-0.3.beta.20171115142956.gitba54278.el7.centos.noarch.rpm

Test steps:
1. Install ovovirt-node-ng-installer-ovirt-4.1-pre-2017101110.iso
2. Disable selinux
# getenforce 
3. Upgrade ovirt-node to ovovirt-node-ng-image-update-4.2.0-0.3.beta.20171115142956.gitba54278.el7.centos.noarch.rpm

Actual results:
After step 3, the upgrade failed.

# yum install ovirt-node to ovovirt-node-ng-image-update-4.2.0-0.3.beta.20171115142956.gitba54278.el7.centos.noarch.rpm
Is this ok [y/d/N]: y
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : ovirt-node-ng-image-update-4.2.0-0.3.beta.20171115142956.gitba54278.el7.centos.noarch                                          1/2 
warning: %post(ovirt-node-ng-image-update-4.2.0-0.3.beta.20171115142956.gitba54278.el7.centos.noarch) scriptlet failed, exit status 1
Non-fatal POSTIN scriptlet failure in rpm package ovirt-node-ng-image-update-4.2.0-0.3.beta.20171115142956.gitba54278.el7.centos.noarch
  Erasing    : ovirt-node-ng-image-update-placeholder-4.1.7-0.3.rc3.20171010112718.git2411e97.el7.centos.noarch                               2/2 
  Verifying  : ovirt-node-ng-image-update-4.2.0-0.3.beta.20171115142956.gitba54278.el7.centos.noarch                                          1/2 
  Verifying  : ovirt-node-ng-image-update-placeholder-4.1.7-0.3.rc3.20171010112718.git2411e97.el7.centos.noarch                               2/2 

  ovirt-node-ng-image-update.noarch 0:4.2.0-0.3.beta.20171115142956.gitba54278.el7.centos                                                         

  ovirt-node-ng-image-update-placeholder.noarch 0:4.1.7-0.3.rc3.20171010112718.git2411e97.el7.centos                                              


Expected results:
After step 3, the upgrade can complete successfully.

--- Additional comment from Huijuan Zhao on 2018-01-30 02:46:47 EST ---

Test version:
From: rhvh-4.1-0.20171101.0
To:   rhvh-

Test steps:
Same as Comment 3

Test results:
After step 3, the upgrade can complete successfully.

So this bug is fixed in rhvh-, change the status to VERIFIED.

Comment 7 Huijuan Zhao 2018-02-08 08:34:01 UTC
According to comment 0, this bug is fixed in rhvh-, change the status to VERIFIED.

Comment 14 errata-xmlrpc 2018-05-15 17:57:44 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Comment 15 Franta Kust 2019-05-16 13:08:04 UTC
BZ<2>Jira Resync

Comment 16 Daniel Gur 2019-08-28 13:14:25 UTC

Comment 17 Daniel Gur 2019-08-28 13:19:27 UTC