Bug 1198727 - Docker registry search causes Ruby to coredump
Summary: Docker registry search causes Ruby to coredump
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Container Management
Version: 6.1.0
Hardware: Unspecified
OS: Unspecified
unspecified
high vote
Target Milestone: Unspecified
Assignee: Daniel Lobato Garcia
QA Contact: Og Maciel
URL:
Whiteboard:
: 1198734 (view as bug list)
Depends On:
Blocks: 1190289
TreeView+ depends on / blocked
 
Reported: 2015-03-04 17:17 UTC by Elyézer Rezende
Modified: 2019-04-01 20:26 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-08-12 13:57:10 UTC
Target Upstream Version:


Attachments (Terms of Use)
Coredump of Foreman with Docker plugin (1.32 MB, application/x-xz)
2015-03-05 16:16 UTC, Lukas Zapletal
no flags Details

Description Elyézer Rezende 2015-03-04 17:17:54 UTC
Description of problem:


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Make sure that SELinux is in enforcing mode
2. Create a Docker-based compute resource pointing to internal or external docker
3. Pull an image using docker cli.
4. Go to New Container wizard and select the created Compute Resource
5. On the next step, try to find that image using the new container wizard

Actual results:

Search does not work and does not return any feedback


Expected results:

Search should work properly and do not show any connection error on logs (see additional info for the logs)


Additional info:

2015-03-04 10:12:36 [I] Processing by ImageSearchController#auto_complete_repository_name as */*
2015-03-04 10:12:36 [I]   Parameters: {"search"=>"bus", "registry_id"=>"", "id"=>"2"}
2015-03-04 10:12:36 [W] Operation FAILED: Permission denied - connect(2) (Errno::EACCES)
2015-03-04 10:12:36 [I]   Rendered common/500.html.erb (44.6ms)
2015-03-04 10:12:36 [I] Completed 500 Internal Server Error in 275ms (Views: 45.3ms | ActiveRecord: 2.8ms)
2015-03-04 10:12:39 [I] Processing by ImageSearchController#auto_complete_repository_name as */*
2015-03-04 10:12:39 [I]   Parameters: {"search"=>"busybox", "registry_id"=>"", "id"=>"2"}
2015-03-04 10:12:39 [W] Operation FAILED: Permission denied - connect(2) (Errno::EACCES)
2015-03-04 10:12:39 [I]   Rendered common/500.html.erb (46.9ms)
2015-03-04 10:12:39 [I] Completed 500 Internal Server Error in 283ms (Views: 47.7ms | ActiveRecord: 2.8ms)
2015-03-04 10:12:43 [I] Processing by ImageSearchController#search_repository as TEXT
2015-03-04 10:12:43 [I]   Parameters: {"search"=>"busybox", "registry_id"=>"", "id"=>"2"}
2015-03-04 10:12:43 [I] String does not start with the prefix 'encrypted-', so ForemanDocker::Docker ExternalDockerCR was not decrypted

Comment 1 Elyézer Rezende 2015-03-04 17:26:39 UTC
Filling missing information:

Description of problem:
When SELinux is in enforcing mode during the image search step on New Container wizard it prevents the search. Also no feedback is provided.


Version-Release number of selected component (if applicable):
Satellite-6.1.0-RHEL-7-20150303.0

How reproducible:
Aways

Comment 3 Lukas Zapletal 2015-03-05 14:54:07 UTC
Please paste output of the following commands in this order:

  rpm -q foreman-selinux selinux-policy
  getenforce
  ps auxZ | grep RackApp
  semodule -l | grep foreman
  foreman-selinux-enable
  foreman-selinux-disable
  foreman-selinux-enable
  foreman-selinux-relabel -v
  semanage boolean -l
  semanage fcontext -l
  sepolgen-ifgen &>/dev/null && audit2allow -Ra || audit2allow -a
  ausearch -m AVC -m USER_AVC -m SELINUX_ERR | head -n 50

Comment 5 Lukas Zapletal 2015-03-05 16:01:35 UTC
*** Bug 1198734 has been marked as a duplicate of this bug. ***

Comment 6 Lukas Zapletal 2015-03-05 16:07:29 UTC
Unable to reproduce on my nightly system. But I hit other interesting bug. Ruby coredumps on search result:

2015-03-05 11:05:24 [I] Processing by ImageSearchController#search_repository as TEXT
2015-03-05 11:05:24 [I]   Parameters: {"search"=>"wordpress", "registry_id"=>"", "id"=>"2"}
2015-03-05 11:05:24 [I] String does not start with the prefix 'encrypted-', so ForemanDocker::Docker Test was not decrypted

==> /var/log/messages <==
Mar  5 11:05:35 hp-magnycours-01 abrtd: Directory 'ccpp-2015-03-05-11:05:32-27132' creation detected
Mar  5 11:05:35 hp-magnycours-01 abrt[30605]: Saved core dump of pid 27132 (/opt/rh/ruby193/root/usr/bin/ruby) to /var/spool/abrt/ccpp-2015-03-05-11:05:32-27132 (404754432 bytes)

==> /var/log/httpd/foreman-ssl_error_ssl.log <==
[Thu Mar 05 11:05:36 2015] [error] [client 10.40.204.45] Premature end of script headers: image_search, referer: https://hp-magnycours-01.rhts.eng.bos.redhat.com/wizard_states/3/steps/image

==> /var/log/foreman/production.log <==
2015-03-05 11:05:36 [I] Client disconnected.

==> /var/log/httpd/foreman-ssl_access_ssl.log <==
10.40.204.45 - - [05/Mar/2015:11:05:24 -0500] "GET /image_search/2/search_repository?search=wordpress&registry_id= HTTP/1.1" 500 343 "https://hp-magnycours-01.rhts.eng.bos.redhat.com/wizard_states/3/steps/image" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0"

==> /var/log/messages <==
Mar  5 11:05:36 hp-magnycours-01 abrtd: Size of '/var/spool/abrt' >= 1000 MB, deleting 'ccpp-2015-03-05-11:03:51-25660'
Mar  5 11:05:37 hp-magnycours-01 abrtd: New problem directory /var/spool/abrt/ccpp-2015-03-05-11:04:37-27143, processing
Mar  5 11:05:37 hp-magnycours-01 abrtd: Sending an email...
Mar  5 11:05:37 hp-magnycours-01 abrtd: Email was sent to: root@localhost

Comment 7 Lukas Zapletal 2015-03-05 16:09:35 UTC
One note, please keep in mind that external/internal docker resources MUST have ports from this range:

[root@qe-blade-16 ~]# semanage port -l | grep docker
docker_port_t                  tcp      2375-2376

Otherwise they WILL be blocker. If you want to use non-standard port, then you need to redefine those.

Comment 8 Lukas Zapletal 2015-03-05 16:15:34 UTC
Attaching the coredump:

Core was generated by `Passenger RackApp: /usr/share/foreman                                         '.
Program terminated with signal 6, Aborted.
#0  0x0000003519232625 in ?? ()
"/var/spool/abrt/ccpp-2015-03-05-11:04:37-27143/coredump" is a core file.
Please specify an executable to debug.
(gdb) st
Ambiguous command "st": stack, start, status, step, stepi, stepping, stop, strace.
(gdb) bt
#0  0x0000003519232625 in ?? ()
#1  0x0000003519233d8d in ?? ()
#2  0x0000000000000000 in ?? ()
(gdb) quit

Comment 9 Lukas Zapletal 2015-03-05 16:16:05 UTC
Created attachment 998456 [details]
Coredump of Foreman with Docker plugin

Comment 11 Lukas Zapletal 2015-03-24 11:35:16 UTC
We have tried to reproduce with Daniel, unable to repro. Please re-test.

Keep in mind that when using Docker as a remote service, you must use standard ports otherwise SELinux will block the communication.

Comment 12 Og Maciel 2015-03-24 19:54:40 UTC
Verified by QE on Satellite-6.1.0-RHEL-7-20150320.1. Typing the name of a docker image will automatically search within your compute resource for a match.

Comment 13 Bryan Kearney 2015-08-11 13:31:06 UTC
This bug is slated to be released with Satellite 6.1.

Comment 14 Bryan Kearney 2015-08-12 13:57:10 UTC
This bug was fixed in version 6.1.1 of Satellite which was released on 12 August, 2015.


Note You need to log in before you can comment on or make changes to this bug.