Bug 1659678

Summary: Grafana unable to fetch data after updating graphite-web to 1.x.x
Product: Red Hat Gluster Storage Reporter: gowtham <gshanmug>
Component: web-admin-tendrl-selinuxAssignee: Timothy Asir <tjeyasin>
Status: CLOSED ERRATA QA Contact: Daniel Horák <dahorak>
Severity: medium Docs Contact:
Priority: unspecified    
Version: rhgs-3.4CC: dahorak, mbukatov, nthomas, rcyriac, sankarshan, sds-qe-bugs
Target Milestone: ---Keywords: ZStream
Target Release: RHGS 3.4.z Batch Update 3   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: tendrl-selinux-1.5.4-3.el7rhgs Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-02-04 07:43:46 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 1658702    

Description gowtham 2018-12-15 03:29:40 UTC
Description of problem:
After upgrading graphite-web 0.x.x to graphite 1.x.x no monitoring data populated in grafana dashboard. But if I switch SELinux to permissive mode then I can see all monitoring data in grafana dashboard.
 

Version-Release number of selected component (if applicable):


How reproducible:
100% with graphite-web 1.x.x

Steps to Reproduce:
1. update packages to:
     graphite-web-1.1.4-1.el7rhgs.noarch.rpm
     python-cachetools-1.0.3-1.el7.noarch.rpm
     python-carbon-1.1.4-1.el7rhgs.noarch.rpm
     python-django-tagging-0.4.6-1.el7rhgs.noarch.rpm
     python-scandir-1.3-1.el7rhgs.x86_64.rpm
     python-whisper-1.1.4-1.el7rhgs.noarch.rpm
     python2-django-1.11.15-1.el7rhgs.noarch.rpm
2. run tendrl-upgrade script to initialize graphite-db
3. reboot the tendrl-server
4. Open grafana dashbaord, it won't show any monitoring data
5. type: setenforce 0
6. then all monitoring-data will present in grafana

Actual results:
Grafana dashboard not showing any data when SELinux is in enforcing 

Expected results:
grafana should show data when SELinux is in enforcing 

Additional info:

Comment 2 Timothy Asir 2018-12-17 05:11:55 UTC
It failed to show the graphical data due to denied access for the link files by the selinux.
The following are the selinux log:

type=AVC msg=audit(1544435268.923:7161): avc:  denied  { read } for  pid=5701 comm="httpd" name="7167366d-26be-4bd5-9662-d6e6fc798480" dev="vda1" ino=923681 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:carbon_var_lib_t:s0 tclass=lnk_file permissive=0

Fix patch sent to upstream: https://github.com/Tendrl/tendrl-selinux/pull/11

Comment 3 Martin Bukatovic 2018-12-17 12:29:45 UTC
This change is necessary because of BZ 1658702. It will be tested via regression testing for update and installation scenarios.

Comment 6 Daniel Horák 2019-01-11 13:57:00 UTC
Tested on both freshly installed (RHGS WA 3.4.3) and updated (from RHGS WA
3.4.2 to 3.4.3) cluster.

Monitoring data are available on the dashboards as expected.

No AVC denial message related to httpd is in audit.log

# cat  /var/log/audit/audit.log | grep AVC | grep httpd 
# 

Versions of related packages:
  carbon-selinux-1.5.4-3.el7rhgs.noarch
  graphite-web-1.1.4-1.el7rhgs.noarch
  python2-django-1.11.15-1.1.el7rhgs.noarch
  python-cachetools-1.0.3-1.1.el7rhgs.noarch
  python-carbon-1.1.4-1.el7rhgs.noarch
  python-django-tagging-0.4.6-1.el7rhgs.noarch
  python-scandir-1.3-1.el7rhgs.x86_64
  python-whisper-1.1.4-1.el7rhgs.noarch
  tendrl-ansible-1.6.3-11.el7rhgs.noarch
  tendrl-api-1.6.3-8.el7rhgs.noarch
  tendrl-api-httpd-1.6.3-8.el7rhgs.noarch
  tendrl-commons-1.6.3-14.el7rhgs.noarch
  tendrl-grafana-plugins-1.6.3-18.el7rhgs.noarch
  tendrl-grafana-selinux-1.5.4-3.el7rhgs.noarch
  tendrl-monitoring-integration-1.6.3-18.el7rhgs.noarch
  tendrl-node-agent-1.6.3-13.el7rhgs.noarch
  tendrl-notifier-1.6.3-4.el7rhgs.noarch
  tendrl-selinux-1.5.4-3.el7rhgs.noarch
  tendrl-ui-1.6.3-14.el7rhgs.noarch

>> VERIFIED

Comment 8 errata-xmlrpc 2019-02-04 07:43:46 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:0265