Bug 2126778

Summary: Port 3000 blocked between engine and remote DWH with Grafana
Product: Red Hat Enterprise Virtualization Manager Reporter: Tadeas Kozub <tkozub>
Component: ovirt-engineAssignee: Yedidyah Bar David <didi>
Status: CLOSED ERRATA QA Contact: Tadeas Kozub <tkozub>
Severity: medium Docs Contact:
Priority: medium    
Version: 4.5.2CC: didi, emarcus, gdeolive, lleistne, lsurette, mavital, mhicks, michal.skrivanek, mperina, pnovotny, sradco, srevivo
Target Milestone: ovirt-4.5.3-asyncKeywords: Automation, Regression
Target Release: ---   
Hardware: All   
OS: All   
Whiteboard:
Fixed In Version: ovirt-engine-4.5.3.5 Doc Type: Bug Fix
Doc Text:
With this release, SELinux rules for the Grafana HTTP port are now properly set up for new remote DWH installations as part of the Red Hat Virtualization Manager engine-setup.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2023-01-11 11:25:38 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Metrics RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Tadeas Kozub 2022-09-14 11:52:14 UTC 
Description of problem:

When you configure an engine without a local DWH and then setup a remote DWH with Grafana on another host, the Grafana Monitoring Portal link returns code 503: Service Unavailable due to SELinux policies blocking port 3000 on the DWH host.


Version-Release number of selected component (if applicable):

ovirt-engine-dwh.noarch                              4.5.5-1.el8ev                               @rhv-4.5.2                        
ovirt-engine-dwh-grafana-integration-setup.noarch    4.5.5-1.el8ev                               @rhv-4.5.2                        
ovirt-engine-dwh-setup.noarch                        4.5.5-1.el8ev                               @rhv-4.5.2                        
ovirt-engine-setup-base.noarch                       4.5.2.5-0.1.el8ev                           @rhv-4.5.2 

How reproducible:


Steps to Reproduce:
1. Setup engine without local DWH
2. Setup remote DWH on another host and connect it to the engine
3. Visit the Monitoring Portal page

Actual results:

Grafana monitoring portal returns 503: Service unavailable.

Expected results:

Grafana monitoring portal is reachable and working.

Additional info:

$ sealert -a /var/log/audit/audit.log 
100% done
found 1 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing /usr/sbin/httpd from name_connect access on the tcp_socket port 3000.
-- rest ommited --
Comment 1 Casper (RHV QE bot) 2022-09-15 07:00:43 UTC 
This bug has low overall severity and is not going to be further verified by QE. If you believe special care is required, feel free to properly align relevant severity, flags and keywords to raise PM_Score or use one of the Bumps ('PrioBumpField', 'PrioBumpGSS', 'PrioBumpPM', 'PrioBumpQA') in Keywords to raise it's PM_Score above verification threashold (1000).
Comment 12 Yedidyah Bar David 2022-11-30 13:35:49 UTC 
Thanks, Tadeas, for providing access to a machine reproducing this bug. It was caused by the fix to bug 1903052 (4.4.5). That bug was just an optimization enhancement - even if not marked so - requested by me, and I reviewed the patch and didn't realize it is causing current. Sorry for that.

The bug is that the code that handles this (sets httpd_can_network_connect to on) is part of the package ovirt-engine-setup-plugin-ovirt-engine. In my custom OST patch I made the dwh machine use the same image as the engine machine, thus already had it. Perhaps I should update the patch (if we ever want to have it) to not include it. Installing this package requires (currently) the entire engine (and jboss, etc.) - on your dwh machine, this is:

Total download size: 895 M
Installed size: 2.2 G

Possible options:

1. Do not fix, but just document to install ovirt-engine-setup-plugin-ovirt-engine, despite the drawback of filling up the disk with garbage. If we go this way, we should also add another step to the engine-setup procedure, to reply 'No' to the question 'Configure Engine on this host'.

2. Fix by patching only the respective spec files - make ovirt-engine-setup-plugin-ovirt-engine not require the engine, and make ovirt-engine-dwh-setup require ovirt-engine-setup-plugin-ovirt-engine. This is a rather simple fix, and rather simple to verify the simple/positive flows. Main drawback is that if someone then takes a clean machine and installs only 'ovirt-engine-setup-plugin-ovirt-engine', and runs 'engine-setup', it will not work well.

3. Fix by reverting bug 1903052's fix (and perhaps provide some other, somewhat more complex fix, or just give up on it - it was just an optimization).

Michal, what do you think?
Comment 13 Yedidyah Bar David 2022-11-30 13:41:34 UTC 
OK, seems like a revert is enough and bug 1903052 does not apply anymore, because we removed ansible-runner-service.
Comment 19 Tadeas Kozub 2023-01-09 16:21:27 UTC 
Fix for this bug verified in version 4.5.3.5. Grafana is running and reachable as it should be.


ovirt-engine-dwh.noarch                              4.5.7-1.el8ev                                       @rhv-4.5-nightly                 
ovirt-engine-dwh-grafana-integration-setup.noarch    4.5.7-1.el8ev                                       @rhv-4.5-nightly                 
ovirt-engine-dwh-setup.noarch                        4.5.7-1.el8ev                                       @rhv-4.5-nightly


# curl -skLo /dev/null -w '%{http_code}' REMOTE_DWH_ADDRESS/ovirt-engine-grafana/
> 200

# sealert -a /var/log/audit/audit.log
> 100% done
> found 0 alerts in /var/log/audit/audit.log
Comment 21 errata-xmlrpc 2023-01-11 11:25:38 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: RHV 4.4 SP1 [ovirt-4.5.3-3] security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:0074