Bug 2149171
| Summary: | RHEL 8.7 kickstart installation fails when frr package is included in the %packages section. | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | mkenjale |
| Component: | frr | Assignee: | Michal Ruprich <mruprich> |
| Status: | CLOSED ERRATA | QA Contact: | FrantiĊĦek Hrdina <fhrdina> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 8.7 | CC: | fhrdina, mruprich |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | frr-7.5.1-6.el8 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2023-05-16 08:30:22 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
mkenjale
2022-11-29 04:58:42 UTC
Hi Mahesh, thanks for the report, I was aware of this problem when installing frr regularly via dnf but there, the error is just a sort of a warning and does not abort the installation. I was not aware of the fact that kickstart will abort if there is an error in a post scriptlet. I think the failure is here on lines 218 and 219: https://pkgs.devel.redhat.com/cgit/rpms/frr/tree/frr.spec?h=rhel-8.7.0#n218 I've added a condition in RHEL9 to run these lines only on upgrade, not on a fresh install: https://pkgs.devel.redhat.com/cgit/rpms/frr/tree/frr.spec?h=rhel-9-main#n231 I am planning to do this in RHEL-8.8.0 as well. I have two things to ask of you: 1. Can the customer try to install the package via the %post section in the kickstart? Please forgive me, I am not very skilled with kickstart but I was thinking that something like this could help: %post dnf -y install frr %end As far as I can tell, this should not end in error since even though the error is visible, the whole process ends with 0. Testing on latest RHEL8: # dnf -y install frr ... Installing : frr-selinux-7.5.1-5.el8.noarch 9/10 Running scriptlet: frr-selinux-7.5.1-5.el8.noarch 9/10 warning: %post(frr-selinux-7.5.1-5.el8.noarch) scriptlet failed, exit status 255 Error in POSTIN scriptlet in rpm package frr-selinux Running scriptlet: frr-7.5.1-5.el8.x86_64 10/10 Installing : frr-7.5.1-5.el8.x86_64 10/10 Running scriptlet: frr-7.5.1-5.el8.x86_64 10/10 ... Installed products updated. ... # echo $? 0 This could be our workaround for RHEL-8.7.0 2. Please ask the customer, if they require the fix in RHEL-8.7.0. As I mentioned above, I have a fix planned for RHEL-8.8.0 now. Thanks and regards, Michal Hello Michal, When I tried installing frr package in the %post section(using rpm command not dnf), the installation did not fail/abort, but the frr-selinux package post script failed. The frr-selinux package is dependency for frr package. --- %post --nochroot --log=/mnt/sysimage/var/log/kickstart_post_nochroot.log echo "Installing frr package" cd /run/install/sources/mount-0000-cdrom/BaseOS/Packages rpm -ivh --root=/mnt/sysimage/ checkpolicy-2.9-1.el8.x86_64.rpm lm_sensors-libs-3.4.0-23.20180522git70f7e08.el8.x86_64.rpm net-snmp-libs-5.8-25.el8.x86_64.rpm perl-Carp-1.42-396.el8.noarch.rpm perl-constant-1.33-396.el8.noarch.rpm perl-Data-Dumper-2.167-399.el8.x86_64.rpm perl-Encode-2.97-3.el8.x86_64.rpm perl-Errno-1.28-421.el8.x86_64.rpm perl-Exporter-5.72-396.el8.noarch.rpm perl-File-Path-2.15-2.el8.noarch.rpm perl-File-Temp-0.230.600-1.el8.noarch.rpm perl-Getopt-Long-2.50-4.el8.noarch.rpm perl-HTTP-Tiny-0.074-1.el8.noarch.rpm perl-interpreter-5.26.3-421.el8.x86_64.rpm perl-IO-1.38-421.el8.x86_64.rpm perl-libs-5.26.3-421.el8.x86_64.rpm perl-macros-5.26.3-421.el8.x86_64.rpm perl-MIME-Base64-3.15-396.el8.x86_64.rpm perl-parent-0.237-1.el8.noarch.rpm perl-PathTools-3.74-1.el8.x86_64.rpm perl-Pod-Escapes-1.07-395.el8.noarch.rpm perl-podlators-4.11-1.el8.noarch.rpm perl-Pod-Perldoc-3.28-396.el8.noarch.rpm perl-Pod-Simple-3.35-395.el8.noarch.rpm perl-Pod-Usage-1.69-395.el8.noarch.rpm perl-Scalar-List-Utils-1.49-2.el8.x86_64.rpm perl-Socket-2.027-3.el8.x86_64.rpm perl-Storable-3.11-3.el8.x86_64.rpm perl-Term-ANSIColor-4.06-396.el8.noarch.rpm perl-Term-Cap-1.17-395.el8.noarch.rpm perl-Text-ParseWords-3.30-395.el8.noarch.rpm perl-Text-Tabs+Wrap-2013.0523-395.el8.noarch.rpm perl-threads-2.21-2.el8.x86_64.rpm perl-threads-shared-1.58-2.el8.x86_64.rpm perl-Time-Local-1.280-1.el8.noarch.rpm perl-Unicode-Normalize-1.25-396.el8.x86_64.rpm policycoreutils-python-utils-2.9-20.el8.noarch.rpm python3-audit-3.0.7-4.el8.x86_64.rpm python3-libsemanage-2.9-9.el8.x86_64.rpm python3-policycoreutils-2.9-20.el8.noarch.rpm python3-setools-4.3.0-3.el8.x86_64.rpm ../../AppStream/Packages/frr-7.5.1-4.el8.x86_64.rpm ../../AppStream/Packages/frr-selinux-7.5.1-4.el8.noarch.rpm ../../AppStream/Packages/libyang-1.0.184-1.el8.x86_64.rpm ../../AppStream/Packages/mariadb-connector-c-3.1.11-2.el8_3.x86_64.rpm ../../AppStream/Packages/mariadb-connector-c-config-3.1.11-2.el8_3.noarch.rpm ../../AppStream/Packages/net-snmp-5.8-25.el8.x86_64.rpm ../../AppStream/Packages/net-snmp-agent-libs-5.8-25.el8.x86_64.rpm ../../AppStream/Packages/perl-Digest-1.17-395.el8.noarch.rpm ../../AppStream/Packages/perl-Digest-MD5-2.55-396.el8.x86_64.rpm ../../AppStream/Packages/perl-IO-Socket-IP-0.39-5.el8.noarch.rpm ../../AppStream/Packages/perl-IO-Socket-SSL-2.066-4.module+el8.3.0+6446+594cad75.noarch.rpm ../../AppStream/Packages/perl-libnet-3.11-3.el8.noarch.rpm ../../AppStream/Packages/perl-Mozilla-CA-20160104-7.module+el8.3.0+6498+9eecfe51.noarch.rpm ../../AppStream/Packages/perl-Net-SSLeay-1.88-2.module+el8.6.0+13392+f0897f98.x86_64.rpm ../../AppStream/Packages/perl-URI-1.73-3.el8.noarch.rpm %end # tail -8 mnt/sysimage/var/log/kickstart_post_nochroot.log checkpolicy-2.9-1.el8 ######################################## python3-policycoreutils-2.9-20.el8 ######################################## policycoreutils-python-utils-2.9-20.el######################################## frr-selinux-7.5.1-4.el8 ######################################## warning: %post(frr-selinux-7.5.1-4.el8.noarch) scriptlet failed, exit status 255 frr-7.5.1-4.el8 ######################################## Running in chroot, ignoring request: daemon-reload Running in chroot, ignoring request: daemon-reload --- - When I installed frr package post OS installation, using "dnf install frr" command, the post script of frr-selinux package did not fail. - Installation is only failing when we add frr package in %packages section, not when we try installing the package in %post section. - The only problem installing the package in the %post section is the post script of the frr-selinux package is failing. 1. Can the customer try to install the package via the %post section in the kickstart? Please forgive me, I am not very skilled with kickstart but I was thinking that something like this could help: %post dnf -y install frr %end As far as I can tell, this should not end in error since even though the error is visible, the whole process ends with 0. Testing on latest RHEL8: # dnf -y install frr ... Installing : frr-selinux-7.5.1-5.el8.noarch 9/10 Running scriptlet: frr-selinux-7.5.1-5.el8.noarch 9/10 warning: %post(frr-selinux-7.5.1-5.el8.noarch) scriptlet failed, exit status 255 Error in POSTIN scriptlet in rpm package frr-selinux Running scriptlet: frr-7.5.1-5.el8.x86_64 10/10 Installing : frr-7.5.1-5.el8.x86_64 10/10 Running scriptlet: frr-7.5.1-5.el8.x86_64 10/10 ... Installed products updated. ... # echo $? 0 ==> Even if we install the frr package in the %post section using dnf command, the post script of frr-selinux package will fail, however the installation will not fail/abort. I will give it a try and will get back to you. 2. Please ask the customer, if they require the fix in RHEL-8.7.0. As I mentioned above, I have a fix planned for RHEL-8.8.0 now. ==> I will check with cu and update you. Hi Mahesh, thank you for the feedback. It is as I suspected. I would like to give a full explanation about the situation here. So in RHEL-8.7.0 I've added new SELinux policy for FRR resulting in the aforementioned frr-selinux sub-package. This meant that every file installed or created by FRR needed to be relabeled including files in /var/tmp/frr and /var/run/frr. These files had tmp_t and needed tmp_frr_t. But in a situation when a user is upgrading from previous version of RHEL, these files might be present in the system since FRR might be running before the upgrade. The result of upgrade would be a couple of AVCs since the newly labeled FRR binaries cannot properly access files with tmp_t. This is why I added those two lines with restorecon in the specfile to prevent AVCs. What I did not realize was, that this needed to be under a condition that the install is an upgrade, not a fresh install because with fresh install, the files do not exist yet. To demonstrate, I am using the same line on a system without FRR: # restorecon -R /var/tmp/frr restorecon: lstat(/var/tmp/frr) failed: No such file or directory # echo $? 255 This is the failure that causes the whole %post to return 255 and thus fail. But the good thing here is, that it does not prevent the package from being installed as shown on RHEL-8.7.0 example(the version of RHEL where I created this error): # dnf -y install frr ... Running scriptlet: frr-selinux-7.5.1-4.el8.noarch 9/10 Installing : frr-selinux-7.5.1-4.el8.noarch 9/10 Running scriptlet: frr-selinux-7.5.1-4.el8.noarch 9/10 warning: %post(frr-selinux-7.5.1-4.el8.noarch) scriptlet failed, exit status 255 Error in POSTIN scriptlet in rpm package frr-selinux Running scriptlet: frr-7.5.1-4.el8.x86_64 10/10 Installing : frr-7.5.1-4.el8.x86_64 10/10 Running scriptlet: frr-7.5.1-4.el8.x86_64 ... Installed products updated. ... Complete! # rpm -qa | grep frr frr-7.5.1-4.el8.x86_64 frr-selinux-7.5.1-4.el8.noarch So the gist is that even though I understand that the error should not be there, at least in the %post section it does not disrupt the install and you(or the customer) can just ignore it. Hope this helps. Regards, Michal Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: frr security and bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2023:2801 |