Bug 1628371

Summary: [3.9] Fluentd pods failed to start after an update to 3.9.41 when deny_execmem=1 on nodes
Product: OpenShift Container Platform Reporter: Franck Grosjean <fgrosjea>
Component: LoggingAssignee: Rich Megginson <rmeggins>
Status: CLOSED ERRATA QA Contact: Anping Li <anli>
Severity: urgent Docs Contact:
Priority: unspecified    
Version: 3.9.0CC: anli, aos-bugs, rmeggins, wsun
Target Milestone: ---   
Target Release: 3.9.z   
Hardware: All   
OS: Linux   
Fixed In Version: openshift3/logging-fluentd:v3.9.53-1 Doc Type: Bug Fix
Doc Text:
Cause: rubygem ffi 1.9.25 reverted a patch which allowed it to work on systems with SELinux deny_execmem=1. Consequence: Fluentd crashes. Fix: The fix is to revert the patch reversion. Result: Fluentd does not crash when using SELinux deny_execmem=1.
Story Points: ---
Clone Of:
: 1628405 1655691 (view as bug list) Environment:
Last Closed: 2018-11-20 03:12:03 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 1628405, 1628407    

Description Franck Grosjean 2018-09-12 20:34:40 UTC
Description of problem:
Fluentd pods failed to start after an update to 3.9.41
It was working fine before that (OCP upgrade from 3.9.33 to 3.9.41)

Version-Release number of selected component (if applicable):

How reproducible:
Upgarde fluentd from 3.9.33 to 3.9.41

Actual results:
All fluentd pods crash

Expected results:
All fluentd pods should start

Additional info:
Pods failed to start when setsebool -P deny_execmem 1 on nodes
looks like a regression since https://bugzilla.redhat.com/show_bug.cgi?id=1465039

Comment 13 Anping Li 2018-10-12 10:20:11 UTC
Verified and pass with logging-fluentd/images/v3.9.45-1

Comment 19 errata-xmlrpc 2018-11-20 03:12:03 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.