Bug 2095776
| Summary: | openstack-selinux should have a simple way to verify policy modules are installed correctly | | |
|---|---|---|---|
| Product: | Red Hat OpenStack | Reporter: | Julie Pichon <jpichon> |
| Component: | openstack-selinux | Assignee: | Cédric Jeanneret <cjeanner> |
| Status: | CLOSED ERRATA | QA Contact: | nlevinki <nlevinki> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 17.1 (Wallaby) | CC: | cjeanner, jschluet, lhh, lvrabec |
| Target Milestone: | ga | Keywords: | Triaged |
| Target Release: | 17.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | openstack-selinux-0.8.34-0.20220711150341.a82a63a.el9ost tripleo-ansible-3.3.1-0.20220712130434.fa5422f.el9ost | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2022-09-21 12:22:20 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Julie Pichon
2022-06-10 14:16:28 UTC
Unfortunately, it seems that failing the %post scriptlet will not cause the RPM transaction to fail - the RPM will still be installed, and 'rpm' and 'dnf' still return 0. However, it will still raise visibility. Example of what a silent failure looks like today:

```
[...]
Downloading Packages:
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                              1/1
  Installing       : openstack-selinux-0.8.29-0.20211110070709.7211283.el9.noarch 1/1
  Running scriptlet: openstack-selinux-0.8.29-0.20211110070709.7211283.el9.noarch 1/1
libsemanage.semanage_pipe_data: Child process /usr/libexec/selinux/hll/pp failed with code: 255. (No such file or directory).
os-neutron: libsepol.sepol_module_package_read: invalid module in module package (at section 0)
os-neutron: Failed to read policy package
libsemanage.semanage_direct_commit: Failed to compile hll files into cil files.
 (No such file or directory).
FileNotFoundError: [Errno 2] No such file or directory
ValueError: Boolean os_nova_use_execmem is not defined
  Verifying        : openstack-selinux-0.8.29-0.20211110070709.7211283.el9.noarch 1/1

Installed:
  openstack-selinux-0.8.29-0.20211110070709.7211283.el9.noarch

Complete!
```
"ValueError: Boolean os_nova_use_execmem is not defined" is usually consistent in the output, since that's the first of the openstack-specific booleans we try to set in local_settings.sh.
Proposal:

1- modify the local_settings.sh; add a "-V" option to it, that will loop on the MODULES and ensure they are present
2- modify the RPM spec: add a %verify that will call that local_settings.sh -V
3- create a validation (tripleo-validations, or the like) that will just call `rpm -V openstack-selinux'

Notes:

- local_settings.sh -V should check the selinux state of the host
- if permissive/disabled, don't bother, exit 0
- if enforcing, exit 0 IFF all modules are present, else exit 1 (with a mention of the failed modules)

The %verify will look like that, more or less:

```
%verify
BINDIR=%{_bindir} \
SBINDIR=%{_sbindir} \
LOCALSTATEDIR=%{_localstatedir} \
DATADIR=%{_datadir} \
SHAREDSTATEDIR=%{_sharedstatedir} \
%{_datadir}/%{name}/%{version}/local_settings.sh -V
```
(thanks Lon :)
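The "-V" behaviour proposed above (skip when SELinux is not enforcing, otherwise exit 1 and name every missing module), written out as an added example that is not the project's own local_settings.sh. The MODULES list is a constructed subset of the real one, and the functions take the SELinux mode and the installed-module list as arguments so the logic runs offline; live use assumes `getenforce` and a `semodule -l` that prints one module name per line.

```shell
#!/bin/bash
# Added example modelled on the proposed "local_settings.sh -V" check; not the
# project's own script. MODULES is a constructed subset of the real module list.
MODULES="os-barbican os-neutron os-nova"

# Print the space-separated subset of $1 (expected modules) that is absent from
# $2 (installed modules, one name per line, as "semodule -l" prints on RHEL 9).
find_missing_modules() {
    local expected="$1" installed="$2" missing="" m
    for m in $expected; do
        if ! printf '%s\n' "$installed" | grep -qx -- "$m"; then
            missing="${missing:+$missing }$m"
        fi
    done
    printf '%s' "$missing"
}

# Return 0 when SELinux is not Enforcing (nothing to verify) or when every
# expected module is loaded; otherwise name each missing module and return 1.
verify_modules() {
    local mode="$1" expected="$2" installed="$3" missing m count=0
    case "$mode" in
        Enforcing) ;;
        *) echo "SELinux is ${mode}; skipping module verification."; return 0 ;;
    esac
    missing=$(find_missing_modules "$expected" "$installed")
    for m in $missing; do
        echo "Missing ${m}!"
        count=$((count + 1))
    done
    echo "Found ${count} missing module(s)."
    [ "$count" -eq 0 ]
}

# Live use on a host (assumes getenforce and semodule are installed):
#   ./verify-modules.sh --live ; echo "rc=$?"
if [ "${1:-}" = "--live" ]; then
    verify_modules "$(getenforce)" "$MODULES" "$(semodule -l)"
fi
```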
Adding the new -V option to the local_settings.sh: https://github.com/redhat-openstack/openstack-selinux/pull/93

Spec modification: https://review.rdoproject.org/r/c/openstack/openstack-selinux-distgit/+/43578

tripleo-ansible patch: will allow failing early, namely once the deploy installs the needed deps: a new step is now running `rpm -V' against the listed packages, and will crash if, for instance, openstack-selinux isn't well installed.

RDO merged today, I thought it was already in for ages now :(.

In order to verify this, you can:

1. Quick check - deploy the UC as usual, connect to it, and run `sudo rpm -vV openstack-selinux'. It should output a message like this:
   [file listing]
   Found 0 missing module(s).
2. Deeper verification:
   - Get the UC ready for deploy, with all packages installed
   - run the `sudo rpm -V openstack-selinux' - should be fine
   - run `sudo semodule -r os-barbican'
   - run `sudo rpm -V openstack-selinux'
   This time, it should show "Found 1 missing module(s)".

Going further, you can start to deploy the UC, it should fail pretty early with the verification and the same message content.

Lemme know if you need more directions.

Cheers,

C.

```
[root@localhost ~]# dnf install -y openstack-selinux
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered with an entitlement server. You can use subscription-manager to register.
Last metadata expiration check: 0:16:09 ago on Wed 03 Aug 2022 12:59:57 PM EDT.
Dependencies resolved.
==================================================================================================================
 Package                 Architecture   Version                                   Repository        Size
==================================================================================================================
Installing:
 openstack-selinux       noarch         0.8.34-0.20220711150341.a82a63a.el9ost    rhelosp-17.0      225 k

Transaction Summary
==================================================================================================================
Install  1 Package

Total download size: 225 k
Installed size: 304 k
Downloading Packages:
openstack-selinux-0.8.34-0.20220711150341.a82a63a.el9ost.noarch.rpm             446 kB/s | 225 kB     00:00
------------------------------------------------------------------------------------------------------------------
Total                                                                           444 kB/s | 225 kB     00:00
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                 1/1
  Installing       : openstack-selinux-0.8.34-0.20220711150341.a82a63a.el9ost.noarch 1/1
  Running scriptlet: openstack-selinux-0.8.34-0.20220711150341.a82a63a.el9ost.noarch 1/1
  Verifying        : openstack-selinux-0.8.34-0.20220711150341.a82a63a.el9ost.noarch 1/1
Installed products updated.

Installed:
  openstack-selinux-0.8.34-0.20220711150341.a82a63a.el9ost.noarch

Complete!
[root@localhost ~]# rpm -vV openstack-selinux
.........    /usr/share/licenses/openstack-selinux
.........  l /usr/share/licenses/openstack-selinux/COPYING
.........    /usr/share/openstack-selinux
.........    /usr/share/openstack-selinux/0.8.34
.........    /usr/share/openstack-selinux/0.8.34/local_settings.sh
.........    /usr/share/selinux/packages/os-barbican.pp.bz2
.........    /usr/share/selinux/packages/os-certmonger.pp.bz2
.........    /usr/share/selinux/packages/os-cinder.pp.bz2
.........    /usr/share/selinux/packages/os-collectd.pp.bz2
.........    /usr/share/selinux/packages/os-dnsmasq.pp.bz2
.........    /usr/share/selinux/packages/os-glance.pp.bz2
.........    /usr/share/selinux/packages/os-gnocchi.pp.bz2
.........    /usr/share/selinux/packages/os-haproxy.pp.bz2
.........    /usr/share/selinux/packages/os-httpd.pp.bz2
.........    /usr/share/selinux/packages/os-ipxe.pp.bz2
.........    /usr/share/selinux/packages/os-keepalived.pp.bz2
.........    /usr/share/selinux/packages/os-keystone.pp.bz2
.........    /usr/share/selinux/packages/os-logrotate.pp.bz2
.........    /usr/share/selinux/packages/os-mongodb.pp.bz2
.........    /usr/share/selinux/packages/os-mysql.pp.bz2
.........    /usr/share/selinux/packages/os-neutron.pp.bz2
.........    /usr/share/selinux/packages/os-nova.pp.bz2
.........    /usr/share/selinux/packages/os-octavia.pp.bz2
.........    /usr/share/selinux/packages/os-ovs.pp.bz2
.........    /usr/share/selinux/packages/os-pbis.pp.bz2
.........    /usr/share/selinux/packages/os-podman.pp.bz2
.........    /usr/share/selinux/packages/os-rabbitmq.pp.bz2
.........    /usr/share/selinux/packages/os-redis.pp.bz2
.........    /usr/share/selinux/packages/os-rsync.pp.bz2
.........    /usr/share/selinux/packages/os-rsyslog.pp.bz2
.........    /usr/share/selinux/packages/os-swift.pp.bz2
.........    /usr/share/selinux/packages/os-timemaster.pp.bz2
.........    /usr/share/selinux/packages/os-virt.pp.bz2
Found 0 missing module(s).
[root@localhost ~]# semodule -r os-nova
libsemanage.semanage_direct_remove_key: Removing last os-nova module (no other os-nova module exists at another priority).
[root@localhost ~]# rpm -vV openstack-selinux
.........    /usr/share/licenses/openstack-selinux
.........  l /usr/share/licenses/openstack-selinux/COPYING
.........    /usr/share/openstack-selinux
.........    /usr/share/openstack-selinux/0.8.34
.........    /usr/share/openstack-selinux/0.8.34/local_settings.sh
.........    /usr/share/selinux/packages/os-barbican.pp.bz2
.........    /usr/share/selinux/packages/os-certmonger.pp.bz2
.........    /usr/share/selinux/packages/os-cinder.pp.bz2
.........    /usr/share/selinux/packages/os-collectd.pp.bz2
.........    /usr/share/selinux/packages/os-dnsmasq.pp.bz2
.........    /usr/share/selinux/packages/os-glance.pp.bz2
.........    /usr/share/selinux/packages/os-gnocchi.pp.bz2
.........    /usr/share/selinux/packages/os-haproxy.pp.bz2
.........    /usr/share/selinux/packages/os-httpd.pp.bz2
.........    /usr/share/selinux/packages/os-ipxe.pp.bz2
.........    /usr/share/selinux/packages/os-keepalived.pp.bz2
.........    /usr/share/selinux/packages/os-keystone.pp.bz2
.........    /usr/share/selinux/packages/os-logrotate.pp.bz2
.........    /usr/share/selinux/packages/os-mongodb.pp.bz2
.........    /usr/share/selinux/packages/os-mysql.pp.bz2
.........    /usr/share/selinux/packages/os-neutron.pp.bz2
.........    /usr/share/selinux/packages/os-nova.pp.bz2
.........    /usr/share/selinux/packages/os-octavia.pp.bz2
.........    /usr/share/selinux/packages/os-ovs.pp.bz2
.........    /usr/share/selinux/packages/os-pbis.pp.bz2
.........    /usr/share/selinux/packages/os-podman.pp.bz2
.........    /usr/share/selinux/packages/os-rabbitmq.pp.bz2
.........    /usr/share/selinux/packages/os-redis.pp.bz2
.........    /usr/share/selinux/packages/os-rsync.pp.bz2
.........    /usr/share/selinux/packages/os-rsyslog.pp.bz2
.........    /usr/share/selinux/packages/os-swift.pp.bz2
.........    /usr/share/selinux/packages/os-timemaster.pp.bz2
.........    /usr/share/selinux/packages/os-virt.pp.bz2
Missing os-nova!
Found 1 missing module(s).
error: %verify(openstack-selinux-0.8.34-0.20220711150341.a82a63a.el9ost.noarch) scriptlet failed, exit status 1
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Release of components for Red Hat OpenStack Platform 17.0 (Wallaby)), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2022:6543