Bug 476402
| Summary: | ConsoleKit/vncserver incompatibility (20081213 software) | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | bob mckay <urilabob> |
| Component: | vnc | Assignee: | Adam Tkac <atkac> |
| Status: | CLOSED WONTFIX | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | ||
| Version: | 9 | CC: | atkac, ovasik |
| Target Milestone: | --- | Keywords: | Reopened |
| Target Release: | --- | ||
| Hardware: | i386 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2009-07-14 17:47:56 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Attachments: | |||
|
Description
bob mckay
2008-12-14 05:45:31 UTC
Created attachment 326842 [details]
ConnectKit Sessions Registered at time of problem
Created attachment 326843 [details]
Relevant part of vncserver log
Created attachment 326844 [details]
xstartup script
Created attachment 326845 [details]
setroubleshoot of ck-get-x11-serv (consolekit_t) problem
Created attachment 326846 [details]
setroubleshoot of failed restorecon (possible failed autorelabel?)
*** This bug has been marked as a duplicate of bug 477121 *** Hope I'm doing this the right way; this bug is _not_ a duplicate of 477121. Recent updates fixed 477121 without fixing this. The present stage of trying to run ssh-tunneled vncserver and undertake admin tasks is that it fails in two separate ways (FC9 updated to 2009/02/02). Firstly, there is a problem related to 446143 and 452156, namely that consolekit is not called for the vncserver x11 session. This is essentially a problem in the standard xstartup file, which uses: exec /etc/X11/xinit/xinitrc This means that the ConsoleKit calls supplied by the patch in response to 477121 are applied to the spawned process, not the vncserver x11 process (by the way, this means that the marking of 446143 as a duplicate of 477121 was almost certainly wrong, since the patches almost certainly did not fix 446143 - of course I have no direct way to verify this). I'm not sure that there's any way to fix this that doesn't involve changing the user xstartup files. However even substituting the xstartup call with the result of what is in the 477121 patch: . /etc/X11/xinit/xinitrc-common exec $CK_XINIT_SESSION $SSH_AGENT /etc/X11/xinit/Xclients || \ exec $CK_XINIT_SESSION $SSH_AGENT /etc/X11/xinit/Xclients still fails to give the vncserver process console capabilities. My best guess is that this is because of selinux interactions; when we initiate a vncserver session as above, we are still getting selinux violations identical to those reported in 471121 (even though 471121 selinux violations - i.e. relating to starting X11 independent of vncserver - have now gone away). This is a complete show-stopper for us. We have servers that need to be maintained headlessly; they are currently stuck at F8 and pre-December F9 because of this issue. We are about to install a replacement for the F8 server. Is there any hope of a fix or workaround, or should we be switching to CentOS? Sorry, got my bug numbering wrong in some of the preceding (right numbers, wrong roles), should have read: >This means that the ConsoleKit calls supplied by the patch in response to >452156 are applied to the spawned process, not the vncserver x11 process (by >the way, this means that the marking of 446143 as a duplicate of 452156 was >almost certainly wrong, since the patches almost certainly did not fix 446143 - >of course I have no direct way to verify this). I'm not sure that there's any >way to fix this that doesn't involve changing the user xstartup files. > However even substituting the xstartup call with the result of what is in the > 452156 patch: I'm not sure if I understand you correctly. Does patch written in https://bugzilla.redhat.com/show_bug.cgi?id=452156#c18 fix your problems? (you don't have to build entire rpm, patch only /etc/X11/xinit/Xsession and /etc/X11/xinit/xinitrc-common files) *** This bug has been marked as a duplicate of bug 452156 *** Dear Adam, firstly may I apologise? For some reason, I did not receive notification of the request in comment #10 - it may have got spam-trapped. Hence the delayed reply. Unfortunately, no, the patch in https://bugzilla.redhat.com/show_bug.cgi?id=452156#c18 doesn't fix the problem. I'm sorry, I don't fully understand the workings of ConsoleKit. But I would guess the problem is this. The standard vncserver ~user/.vnc/xstartup file (which presumably has an active seat) doesn't directly call xinitrc. Instead, it exec's it. Does this mean that the spawned process doesn't inherit the active seat? If so, I think it's probably the explanation: the ConsoleKit call supplied by the patch is applied to a process that already doesn't have an active seat. It may be that there is no way to fix this short of changing the standard vnc xstartup file (which will break most installations of vnc clients). But even including ConsoleKit calls in the xstartup file doesn't fix the problem, because selinux blocks the calls. Whether there is a secure way of overcoming that problem is way beyond my knowledge. I'll attempt to remove the "mark duplicate", but not confident I understand bugzilla well enough to do so successfully. This message is a reminder that Fedora 9 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 9. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '9'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 9's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 9 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping Fedora 9 changed to end-of-life (EOL) status on 2009-07-10. Fedora 9 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. Thank you for reporting this bug and we are sorry it could not be fixed. |