Bug 672612
Summary: | Augeas plugin fails due to use of noexec on Linux /tmp FS (need to add a note in DOCs) |
---|---|
Product: | [Other] RHQ Project |
Component: | Plugins |
Version: | 3.0.0 |
Hardware: | All |
OS: | Linux |
Status: | NEW |
Severity: | medium |
Priority: | unspecified |
Reporter: | Rafael Soares (Tuelho) <rsoares> |
Assignee: | Nobody <nobody> |
CC: | hrupp |
Doc Type: | Bug Fix |
Bug Blocks: | 808505 |
Environment: | RHEL 5.5 x86_64; Sun JDK 1.6; JON 2.4 |
Description
Rafael Soares (Tuelho)
2011-01-25 17:59:06 UTC
Description of problem:

When you enable the configuration support for the Apache Httpd plugin (that uses Augeas) as described at [1], if the /tmp FS is configured as noexec (in the Linux fstab), the agent throws the following error.

Agent's log in debug mode snippet:

    ...
    2011-01-25 16:17:00,296 DEBUG [WorkerThread#0[172.29.1.10:57288]] (rhq.core.pc.inventory.ResourceContainer$ResourceComponentInvocationHandler)- Call to [org.rhq.plugins.apache.ApacheVirtualHostServiceComponent.loadResourceConfiguration()] with args [] failed.
    java.util.concurrent.ExecutionException: java.lang.Exception: java.lang.NoClassDefFoundError: Could not initialize class net.augeas.jna.Aug
        at java.util.concurrent.FutureTask$Sync.innerGet(FutureTask.java:232)
        at java.util.concurrent.FutureTask.get(FutureTask.java:91)
        at org.rhq.core.pc.inventory.ResourceContainer$ResourceComponentInvocationHandler.invokeInNewThreadWithLock(ResourceContainer.java:446)
        at org.rhq.core.pc.inventory.ResourceContainer$ResourceComponentInvocationHandler.invoke(ResourceContainer.java:434)
        at $Proxy58.loadResourceConfiguration(Unknown Source)
        at org.rhq.core.pc.configuration.LegacyConfigManagement.loadConfigFromFacet(LegacyConfigManagement.java:76)
        at org.rhq.core.pc.configuration.LegacyConfigManagement.executeLoad(LegacyConfigManagement.java:47)
        at org.rhq.core.pc.configuration.ConfigurationManager.loadResourceConfiguration(ConfigurationManager.java:250)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.rhq.enterprise.communications.command.impl.remotepojo.server.RemotePojoInvocationCommandService.execute(RemotePojoInvocationCommandService.java:184)
        at sun.reflect.GeneratedMethodAccessor299.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at com.sun.jmx.mbeanserver.StandardMBeanIntrospector.invokeM2(StandardMBeanIntrospector.java:93)
        at com.sun.jmx.mbeanserver.StandardMBeanIntrospector.invokeM2(StandardMBeanIntrospector.java:27)
        at com.sun.jmx.mbeanserver.MBeanIntrospector.invokeM(MBeanIntrospector.java:208)
        at com.sun.jmx.mbeanserver.PerInterface.invoke(PerInterface.java:120)
        at com.sun.jmx.mbeanserver.MBeanSupport.invoke(MBeanSupport.java:262)
        at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:836)
        at com.sun.jmx.mbeanserver.JmxMBeanServer.invoke(JmxMBeanServer.java:761)
        at javax.management.MBeanServerInvocationHandler.invoke(MBeanServerInvocationHandler.java:288)
        at $Proxy0.execute(Unknown Source)
        at org.rhq.enterprise.communications.command.server.CommandProcessor.handleIncomingInvocationRequest(CommandProcessor.java:290)
        at org.rhq.enterprise.communications.command.server.CommandProcessor.invoke(CommandProcessor.java:184)
        at org.jboss.remoting.ServerInvoker.invoke(ServerInvoker.java:809)
        at org.jboss.remoting.transport.socket.ServerThread.processInvocation(ServerThread.java:608)
        at org.jboss.remoting.transport.socket.ServerThread.dorun(ServerThread.java:420)
        at org.jboss.remoting.transport.socket.ServerThread.run(ServerThread.java:173)
    Caused by: java.lang.Exception: java.lang.NoClassDefFoundError: Could not initialize class net.augeas.jna.Aug
        at org.rhq.core.pc.inventory.ResourceContainer$ComponentInvocationThread.call(ResourceContainer.java:530)
        at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303)
        at java.util.concurrent.FutureTask.run(FutureTask.java:138)
        at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
        at java.lang.Thread.run(Thread.java:619)
    Caused by: java.lang.NoClassDefFoundError: Could not initialize class net.augeas.jna.Aug
        at net.augeas.Augeas.<init>(Unknown Source)
        at net.augeas.Augeas.<init>(Unknown Source)
        at org.rhq.plugins.apache.ApacheServerComponent.isAugeasEnabled(ApacheServerComponent.java:900)
        at org.rhq.plugins.apache.ApacheVirtualHostServiceComponent.loadResourceConfiguration(ApacheVirtualHostServiceComponent.java:141)
        at sun.reflect.GeneratedMethodAccessor93.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.rhq.core.pc.inventory.ResourceContainer$ComponentInvocationThread.call(ResourceContainer.java:525)
        ... 5 more
    ...

Version-Release number of selected component (if applicable):

JON 2.4

How reproducible:

Steps to Reproduce:

1. Configure /tmp with the noexec flag in /etc/fstab

        #snippet of a mount command
        #noexec flag
        /dev/mapper/RH-LV_TMP on /tmp type ext3 (rw,noexec,nosuid,nodev,noatime)

2. Enable the configuration support (Apache Httpd Resource > Inventory > Connection tab)
3. Try to access the Apache Httpd resource Configuration tab
4. See the rhq-agent logs

Actual results:

Expected results:

I think it is important to highlight the issue when using the noexec flag on the /tmp Linux FS. Today there are no notes about this in [1].

Additional info:

[1] http://docs.redhat.com/docs/en-US/JBoss_Operations_Network/2.4/html/Basic_Admin_Guide/configuring-apache.html

I do not think that having users disable the noexec flag is a viable solution in general. From mount(8):

    noexec Do not allow direct execution of any binaries on the mounted filesystem.

So this is a security feature; and disabling it may weaken system security.

The noexec flag is a defence-in-depth measure - disabling it does not expose any particular security hole, it just removes a particular line of defence. That line of defence has been historically flawed. Up until recent kernels, an attacker could circumvent noexec by running /lib/ld-linux.so <binary> instead of running the binary directly. Even in the most recent kernels, an attacker can still run system-provided interpreters on scripts that can't be run directly. These interpreters (perl, python, etc.) are not privileged and don't allow the user to directly execute code, but they still provide some scope for circumventing noexec.

That said, requiring the user to disable noexec is still a bad idea. It is not a high-risk flaw, but if we can patch the plugin to function correctly when /tmp is mounted as noexec, this would be preferable.
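
A check for the condition this report describes, as an added example that is not part of the original bug or of RHQ's code: it reads /proc/mounts-format text and reports whether the filesystem holding a given directory is mounted noexec. The function names and the sample lines are constructed for illustration; only the /tmp device name and options are taken from the mount line in the report.

```shell
#!/usr/bin/env bash
# Added example: is the filesystem that holds a directory mounted noexec?
# Input is /proc/mounts-format text: device mountpoint fstype options dump pass.

# Constructed sample; the /tmp entry mirrors the mount line quoted in the report,
# the root and /var entries are made up.
sample_mounts() {
    cat <<'EOF'
/dev/mapper/RH-LV_ROOT / ext3 rw,noatime 0 0
/dev/mapper/RH-LV_TMP /tmp ext3 rw,noexec,nosuid,nodev,noatime 0 0
/dev/mapper/RH-LV_VAR /var ext3 rw,nosuid 0 0
EOF
}

# mount_opts_for DIR [MOUNTS_FILE]   ("-" reads the mount table from stdin)
# Prints the options of the longest mount point that is a path prefix of DIR.
mount_opts_for() {
    local dir="${1%/}" mounts="${2:-/proc/mounts}"
    [ -n "$dir" ] || dir="/"
    awk -v dir="$dir" '
        {
            mp = $2
            # "/" covers everything; otherwise require an exact match or a
            # prefix ending at a path separator, so /tmpfoo is not under /tmp.
            if (mp == "/" || dir == mp || index(dir, mp "/") == 1) {
                # >= lets a later mount on the same mount point win.
                if (length(mp) >= best) { best = length(mp); opts = $4 }
            }
        }
        END { if (opts != "") print opts; else exit 1 }
    ' "$mounts"
}

# is_noexec DIR [MOUNTS_FILE]: 0 = noexec set, 1 = not set, 2 = no mount found.
is_noexec() {
    local opts
    opts="$(mount_opts_for "$@")" || return 2
    case ",$opts," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo on the constructed sample.
if sample_mounts | is_noexec /tmp -; then
    echo "/tmp is mounted noexec"
fi
```

On a live host, call `is_noexec /tmp` with no second argument to read the real /proc/mounts.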