Bug 842487

Summary: cobblerd fails to start (python can't find pam_start)
Product: [Fedora] Fedora
Reporter: Alan Crosswell <alan>
Component: cobbler
Assignee: James C. <jimi>
Status: CLOSED WONTFIX
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Docs Contact:
Priority: unspecified
Version: 17
CC: awood, cristian.ciupitu, ikke, jimi, ppinatti, scott, vanmeeuwen+fedora
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-08-01 01:14:29 UTC Type: Bug

Description Alan Crosswell 2012-07-24 01:46:06 UTC
Description of problem:

systemctl start cobblerd fails because python can't find pam_start. However, cobblerd can be started manually but then more errors are thrown by "cobbler check". 

This seems possibly related to bug 837161 and bug 827813 although the fix in those bugs (selinux-policy update) is in place.

Version-Release number of selected component (if applicable):
cobbler-2.2.3-2.fc17.noarch
python-2.7.3-6.fc17.x86_64
selinux-policy-3.10.0-140.fc17.noarch

How reproducible:
always

Steps to Reproduce:
1. install fc17
2. yum -y install cobbler cobbler-web
3. yum -y upgrade
4. systemctl start cobblerd
5. /usr/bin/cobblerd
  
Actual results:

cobblerd doesn't start via systemctl

Expected results:

cobblerd should start via systemctl

Additional info:

[root@fc17vm alan]# systemctl start cobblerd.service
[root@fc17vm alan]# systemctl status cobblerd.service
cobblerd.service - Cobbler Helper Daemon
	  Loaded: loaded (/usr/lib/systemd/system/cobblerd.service; enabled)
	  Active: active (exited) since Mon, 23 Jul 2012 20:49:38 -0400; 39min ago
	Main PID: 1094 (code=exited, status=0/SUCCESS)
	  CGroup: name=systemd:/system/cobblerd.service

Jul 23 20:49:38 fc17vm cobblerd[1094]: module_loader.load_modules()
Jul 23 20:49:38 fc17vm cobblerd[1094]: File "/usr/lib/python2.7/site-packages/cobbler/module_loader.py", line 62, in load_modules
Jul 23 20:49:38 fc17vm cobblerd[1094]: blip =  __import__("modules.%s" % ( modname), globals(), locals(), [modname])
Jul 23 20:49:38 fc17vm cobblerd[1094]: File "/usr/lib/python2.7/site-packages/cobbler/modules/authn_pam.py", line 121, in <module>
Jul 23 20:49:38 fc17vm cobblerd[1094]: PAM_START = LIBPAM.pam_start
Jul 23 20:49:38 fc17vm cobblerd[1094]: File "/usr/lib64/python2.7/ctypes/__init__.py", line 373, in __getattr__
Jul 23 20:49:38 fc17vm cobblerd[1094]: func = self.__getitem__(name)
Jul 23 20:49:38 fc17vm cobblerd[1094]: File "/usr/lib64/python2.7/ctypes/__init__.py", line 378, in __getitem__
Jul 23 20:49:38 fc17vm cobblerd[1094]: func = self._FuncPtr((name_or_ordinal, self))
Jul 23 20:49:38 fc17vm cobblerd[1094]: AttributeError: /usr/bin/python: undefined symbol: pam_start

[root@fc17vm alan]# /usr/bin/cobblerd
[root@fc17vm alan]# ps ax | grep cobblerd
20738 ?        S      0:00 /usr/bin/python /usr/bin/cobblerd
20740 pts/0    S+     0:00 grep --color=auto cobblerd
[root@fc17vm alan]# cobbler check
httpd does not appear to be running and proxying cobbler, or SELinux is in the way. Original traceback:
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/cobbler/cli.py", line 184, in check_setup
    s.ping()
  File "/usr/lib64/python2.7/xmlrpclib.py", line 1224, in __call__
    return self.__send(self.__name, args)
  File "/usr/lib64/python2.7/xmlrpclib.py", line 1578, in __request
    verbose=self.__verbose
  File "/usr/lib64/python2.7/xmlrpclib.py", line 1264, in request
    return self.single_request(host, handler, request_body, verbose)
  File "/usr/lib64/python2.7/xmlrpclib.py", line 1312, in single_request
    response.msg,
ProtocolError: <ProtocolError for 127.0.0.1:80/cobbler_api: 503 Service Temporarily Unavailable>
[root@fc17vm alan]# 

---

once cobblerd is launched manually and a "cobbler check" is performed, get this:

[root@fc17vm alan]# cobbler check
httpd does not appear to be running and proxying cobbler, or SELinux is in the way. Original traceback:
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/cobbler/cli.py", line 184, in check_setup
    s.ping()
  File "/usr/lib64/python2.7/xmlrpclib.py", line 1224, in __call__
    return self.__send(self.__name, args)
  File "/usr/lib64/python2.7/xmlrpclib.py", line 1578, in __request
    verbose=self.__verbose
  File "/usr/lib64/python2.7/xmlrpclib.py", line 1264, in request
    return self.single_request(host, handler, request_body, verbose)
  File "/usr/lib64/python2.7/xmlrpclib.py", line 1312, in single_request
    response.msg,
ProtocolError: <ProtocolError for 127.0.0.1:80/cobbler_api: 503 Service Temporarily Unavailable>

[root@fc17vm alan]# grep cobbler /var/log/audit/audit.log | audit2why
WARNING: Policy would be downgraded from version 27 to 26.
type=AVC msg=audit(1343091333.707:93): avc:  denied  { name_connect } for  pid=1382 comm="httpd" dest=25151 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cobbler_port_t:s0 tclass=tcp_socket

	Was caused by:
	One of the following booleans was set incorrectly.
	Description:
	httpd_can_network_connect_cobbler

	Allow access by executing:
	# setsebool -P httpd_can_network_connect_cobbler 1
	Description:
	httpd_can_network_connect

	Allow access by executing:
	# setsebool -P httpd_can_network_connect 1
type=AVC msg=audit(1343093480.865:111): avc:  denied  { name_connect } for  pid=1383 comm="httpd" dest=25151 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cobbler_port_t:s0 tclass=tcp_socket

	Was caused by:
	One of the following booleans was set incorrectly.
	Description:
	httpd_can_network_connect_cobbler

	Allow access by executing:
	# setsebool -P httpd_can_network_connect_cobbler 1
	Description:
	httpd_can_network_connect

	Allow access by executing:
	# setsebool -P httpd_can_network_connect 1
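
Added example, not part of the original report and not cobbler's code: the AttributeError in the journal names /usr/bin/python rather than a libpam path, which is the message ctypes gives when the handle is the interpreter itself, as with CDLL(None). Assuming the module loads PAM as CDLL(find_library("pam")), a None result from find_library would produce exactly this error; the hypothetical load_library helper below rejects that case and checks for the required symbols before returning a handle.

```python
import ctypes
import ctypes.util


class LibraryLoadError(RuntimeError):
    """Raised when a shared library or a required symbol cannot be resolved."""


def load_library(name, required_symbols, finder=ctypes.util.find_library,
                 fallback_sonames=()):
    """Load `name` and verify it exports `required_symbols` (hypothetical helper).

    find_library() returns None when it cannot locate the library, for example
    when its helper programs are missing or blocked. CDLL(None) would then open
    the running interpreter instead, so a None result is never passed to CDLL.
    """
    candidates = []
    found = finder(name)
    if found:
        candidates.append(found)
    candidates.extend(fallback_sonames)
    if not candidates:
        raise LibraryLoadError(
            "find_library(%r) returned None and no fallback soname was given" % name)
    errors = []
    for candidate in candidates:
        try:
            lib = ctypes.CDLL(candidate)
        except OSError as exc:
            errors.append("%s: %s" % (candidate, exc))
            continue
        missing = [s for s in required_symbols if not hasattr(lib, s)]
        if not missing:
            return lib
        errors.append("%s: missing %s" % (candidate, ", ".join(missing)))
    raise LibraryLoadError("cannot load %r: %s" % (name, "; ".join(errors)))


def main_program_exports(symbol):
    """True if `symbol` resolves through CDLL(None), the interpreter's own handle."""
    return hasattr(ctypes.CDLL(None), symbol)


if __name__ == "__main__":
    # "libpam.so.0" is an assumed fallback soname for this demonstration.
    try:
        load_library("pam", ["pam_start"], fallback_sonames=("libpam.so.0",))
        print("libpam loaded and exports pam_start")
    except LibraryLoadError as exc:
        print("refusing to continue: %s" % exc)
```

Run under the same service manager and SELinux domain as the daemon, since the result of find_library can differ between an interactive root shell and a confined service.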

Comment 1 Alan Crosswell 2012-07-25 01:00:30 UTC
Worked around with "setsebool -P httpd_can_network_connect_cobbler 1" 

Not sure whether this is supposed to be done by the cobbler RPM post-install script....
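
Added example, not part of the original thread: a small parser for the AVC denial records quoted in the description. It collapses repeated denials into one entry per (source type, permission, target type, class, destination port), so a boolean change such as the one in Comment 1 can be checked against exactly what was denied. The function names are hypothetical; the two sample records are copied from the audit.log excerpt above.

```python
import re
from collections import Counter

# The two AVC records from the audit.log excerpt in this report.
SAMPLE = (
    'type=AVC msg=audit(1343091333.707:93): avc:  denied  { name_connect } for  '
    'pid=1382 comm="httpd" dest=25151 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:cobbler_port_t:s0 tclass=tcp_socket\n'
    'type=AVC msg=audit(1343093480.865:111): avc:  denied  { name_connect } for  '
    'pid=1383 comm="httpd" dest=25151 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:cobbler_port_t:s0 tclass=tcp_socket\n'
)

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """Return the type field of a user:role:type:level context, or None."""
    parts = (context or "").split(":")
    return parts[2] if len(parts) >= 3 else None


def parse_avc(line):
    """Parse one AVC denial line into a dict; return None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    rec["timestamp"] = float(m.group("ts"))
    rec["source_type"] = selinux_type(rec.get("scontext"))
    rec["target_type"] = selinux_type(rec.get("tcontext"))
    return rec


def summarize(lines):
    """Count denials per (source type, perm, target type, class, dest port)."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec["perms"]:
            counts[(rec["source_type"], perm, rec["target_type"],
                    rec.get("tclass"), rec.get("dest"))] += 1
    return counts
```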

Comment 2 Cristian Ciupitu 2012-09-04 16:11:44 UTC
Unfortunately it's not clear-cut. The packaging guidelines don't mention
anything explicit about SELinux, but you have to keep in mind that messing with
the system configuration is controversial. Maybe the system administrator wants
that boolean disabled and he will activate it only much later.

On the other hand, maybe some basic stuff needed for start-up could be
mentioned in a tiny document, e.g. README.Fedora (and README.(RH)EL). Right now
http://cobbler.github.com/manuals/2.2.3/3/2_-_Installing_From_Packages.html
doesn't mention too much.

Comment 3 Paulo de Rezende Pinatti 2012-11-02 00:29:43 UTC
The SELinux tweak is indeed arguable, but the systemctl issue still remains. Adding the python interpreter in cobblerd.service (ExecStart=/usr/bin/python /usr/bin/cobblerd) seems to solve it. Could it be done so that cobbler can be started from systemctl again?

Thanks

Comment 4 Ilkka Tengvall 2012-11-28 14:34:13 UTC
I confirm it works if one adds python to sysctl script. The service not working without it definitely is a bug.

cobbler-2.4.0-beta2.fc17.noarch
cobbler-web-2.2.3-2.fc17.noarch

Comment 5 Cristian Ciupitu 2012-11-28 14:38:37 UTC
You shouldn't have to mention the interpreter in the ExecStart field if the executable has the proper shebang.

Comment 6 Ilkka Tengvall 2012-11-29 06:52:02 UTC
I know, that's weird. I didn't take time to investigate the reason. I want to get the first taste of cobbler before starting fixing anything. Just wanted to report back, since this bug is in new state. It could be changed to confirmed now.

Comment 7 Paulo de Rezende Pinatti 2013-02-20 12:20:30 UTC
Hello,

this issue has been opened for some time while we have a working fix. Can't we apply it so that users are able to start the cobbler service again in parallel to investigating the reason?

Thanks!

Comment 8 Fedora End Of Life 2013-07-03 22:58:27 UTC
This message is a reminder that Fedora 17 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 17. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '17'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 17's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that
we may not be able to fix it before Fedora 17 is end of life. If you
would still like to see this bug fixed and are able to reproduce it
against a later version of Fedora, you are encouraged to change the
'version' to a later Fedora version prior to Fedora 17's end of life.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 9 Fedora End Of Life 2013-08-01 01:14:35 UTC
Fedora 17 changed to end-of-life (EOL) status on 2013-07-30. Fedora 17 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.