Hide Forgot
Description of problem: Version-Release number of selected component (if applicable): How reproducible: Steps to Reproduce: 1. Make sure that SELinux is in enforcing mode 2. Create a Docker-based compute resource pointing to internal or external docker 3. Pull an image using docker cli. 4. Go to New Container wizard and select the created Compute Resource 5. On the next step, try to find that image using the new container wizard Actual results: Search does not work and does not return any feedback Expected results: Search should work properly and do not show any connection error on logs (see additional info for the logs) Additional info: 2015-03-04 10:12:36 [I] Processing by ImageSearchController#auto_complete_repository_name as */* 2015-03-04 10:12:36 [I] Parameters: {"search"=>"bus", "registry_id"=>"", "id"=>"2"} 2015-03-04 10:12:36 [W] Operation FAILED: Permission denied - connect(2) (Errno::EACCES) 2015-03-04 10:12:36 [I] Rendered common/500.html.erb (44.6ms) 2015-03-04 10:12:36 [I] Completed 500 Internal Server Error in 275ms (Views: 45.3ms | ActiveRecord: 2.8ms) 2015-03-04 10:12:39 [I] Processing by ImageSearchController#auto_complete_repository_name as */* 2015-03-04 10:12:39 [I] Parameters: {"search"=>"busybox", "registry_id"=>"", "id"=>"2"} 2015-03-04 10:12:39 [W] Operation FAILED: Permission denied - connect(2) (Errno::EACCES) 2015-03-04 10:12:39 [I] Rendered common/500.html.erb (46.9ms) 2015-03-04 10:12:39 [I] Completed 500 Internal Server Error in 283ms (Views: 47.7ms | ActiveRecord: 2.8ms) 2015-03-04 10:12:43 [I] Processing by ImageSearchController#search_repository as TEXT 2015-03-04 10:12:43 [I] Parameters: {"search"=>"busybox", "registry_id"=>"", "id"=>"2"} 2015-03-04 10:12:43 [I] String does not start with the prefix 'encrypted-', so ForemanDocker::Docker ExternalDockerCR was not decrypted
Filling missing information: Description of problem: When SELinux is in enforcing mode during the image search step on New Container wizard it prevents the search. Also no feedback is provided. Version-Release number of selected component (if applicable): Satellite-6.1.0-RHEL-7-20150303.0 How reproducible: Aways
Please paste output of the following commands in this order: rpm -q foreman-selinux selinux-policy getenforce ps auxZ | grep RackApp semodule -l | grep foreman foreman-selinux-enable foreman-selinux-disable foreman-selinux-enable foreman-selinux-relabel -v semanage boolean -l semanage fcontext -l sepolgen-ifgen &>/dev/null && audit2allow -Ra || audit2allow -a ausearch -m AVC -m USER_AVC -m SELINUX_ERR | head -n 50
*** Bug 1198734 has been marked as a duplicate of this bug. ***
Unable to reproduce on my nightly system. But I hit other interesting bug. Ruby coredumps on search result: 2015-03-05 11:05:24 [I] Processing by ImageSearchController#search_repository as TEXT 2015-03-05 11:05:24 [I] Parameters: {"search"=>"wordpress", "registry_id"=>"", "id"=>"2"} 2015-03-05 11:05:24 [I] String does not start with the prefix 'encrypted-', so ForemanDocker::Docker Test was not decrypted ==> /var/log/messages <== Mar 5 11:05:35 hp-magnycours-01 abrtd: Directory 'ccpp-2015-03-05-11:05:32-27132' creation detected Mar 5 11:05:35 hp-magnycours-01 abrt[30605]: Saved core dump of pid 27132 (/opt/rh/ruby193/root/usr/bin/ruby) to /var/spool/abrt/ccpp-2015-03-05-11:05:32-27132 (404754432 bytes) ==> /var/log/httpd/foreman-ssl_error_ssl.log <== [Thu Mar 05 11:05:36 2015] [error] [client 10.40.204.45] Premature end of script headers: image_search, referer: https://hp-magnycours-01.rhts.eng.bos.redhat.com/wizard_states/3/steps/image ==> /var/log/foreman/production.log <== 2015-03-05 11:05:36 [I] Client disconnected. ==> /var/log/httpd/foreman-ssl_access_ssl.log <== 10.40.204.45 - - [05/Mar/2015:11:05:24 -0500] "GET /image_search/2/search_repository?search=wordpress®istry_id= HTTP/1.1" 500 343 "https://hp-magnycours-01.rhts.eng.bos.redhat.com/wizard_states/3/steps/image" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0" ==> /var/log/messages <== Mar 5 11:05:36 hp-magnycours-01 abrtd: Size of '/var/spool/abrt' >= 1000 MB, deleting 'ccpp-2015-03-05-11:03:51-25660' Mar 5 11:05:37 hp-magnycours-01 abrtd: New problem directory /var/spool/abrt/ccpp-2015-03-05-11:04:37-27143, processing Mar 5 11:05:37 hp-magnycours-01 abrtd: Sending an email... Mar 5 11:05:37 hp-magnycours-01 abrtd: Email was sent to: root@localhost
One note, please keep in mind that external/internal docker resources MUST have ports from this range: [root@qe-blade-16 ~]# semanage port -l | grep docker docker_port_t tcp 2375-2376 Otherwise they WILL be blocker. If you want to use non-standard port, then you need to redefine those.
Attaching the coredump: Core was generated by `Passenger RackApp: /usr/share/foreman '. Program terminated with signal 6, Aborted. #0 0x0000003519232625 in ?? () "/var/spool/abrt/ccpp-2015-03-05-11:04:37-27143/coredump" is a core file. Please specify an executable to debug. (gdb) st Ambiguous command "st": stack, start, status, step, stepi, stepping, stop, strace. (gdb) bt #0 0x0000003519232625 in ?? () #1 0x0000003519233d8d in ?? () #2 0x0000000000000000 in ?? () (gdb) quit
Created attachment 998456 [details] Coredump of Foreman with Docker plugin
We have tried to reproduce with Daniel, unable to repro. Please re-test. Keep in mind that when using Docker as a remote service, you must use standard ports otherwise SELinux will block the communication.
Verified by QE on Satellite-6.1.0-RHEL-7-20150320.1. Typing the name of a docker image will automatically search within your compute resource for a match.
This bug is slated to be released with Satellite 6.1.
This bug was fixed in version 6.1.1 of Satellite which was released on 12 August, 2015.