1198727 – Docker registry search causes Ruby to coredump

Red Hat Satellite engineering is moving the tracking of its product development work on Satellite to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "Satellite project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs will be migrated starting at the end of May. If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "Satellite project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/SAT-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1198727 - Docker registry search causes Ruby to coredump

Summary: Docker registry search causes Ruby to coredump

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Satellite
Classification:	Red Hat
Component:	Container Management
Sub Component:
Version:	6.1.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	high
Target Milestone:	Unspecified
Assignee:	Daniel Lobato Garcia
QA Contact:	Og Maciel
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	1198734 (view as bug list)
Depends On:
Blocks:	1190289
TreeView+	depends on / blocked

Reported:	2015-03-04 17:17 UTC by Elyézer Rezende
Modified:	2019-04-01 20:26 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2015-08-12 13:57:10 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
Coredump of Foreman with Docker plugin (1.32 MB, application/x-xz) 2015-03-05 16:16 UTC, Lukas Zapletal	no flags	Details
View All

Description Elyézer Rezende 2015-03-04 17:17:54 UTC

Description of problem:


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Make sure that SELinux is in enforcing mode
2. Create a Docker-based compute resource pointing to internal or external docker
3. Pull an image using docker cli.
4. Go to New Container wizard and select the created Compute Resource
5. On the next step, try to find that image using the new container wizard

Actual results:

Search does not work and does not return any feedback


Expected results:

Search should work properly and do not show any connection error on logs (see additional info for the logs)


Additional info:

2015-03-04 10:12:36 [I] Processing by ImageSearchController#auto_complete_repository_name as */*
2015-03-04 10:12:36 [I]   Parameters: {"search"=>"bus", "registry_id"=>"", "id"=>"2"}
2015-03-04 10:12:36 [W] Operation FAILED: Permission denied - connect(2) (Errno::EACCES)
2015-03-04 10:12:36 [I]   Rendered common/500.html.erb (44.6ms)
2015-03-04 10:12:36 [I] Completed 500 Internal Server Error in 275ms (Views: 45.3ms | ActiveRecord: 2.8ms)
2015-03-04 10:12:39 [I] Processing by ImageSearchController#auto_complete_repository_name as */*
2015-03-04 10:12:39 [I]   Parameters: {"search"=>"busybox", "registry_id"=>"", "id"=>"2"}
2015-03-04 10:12:39 [W] Operation FAILED: Permission denied - connect(2) (Errno::EACCES)
2015-03-04 10:12:39 [I]   Rendered common/500.html.erb (46.9ms)
2015-03-04 10:12:39 [I] Completed 500 Internal Server Error in 283ms (Views: 47.7ms | ActiveRecord: 2.8ms)
2015-03-04 10:12:43 [I] Processing by ImageSearchController#search_repository as TEXT
2015-03-04 10:12:43 [I]   Parameters: {"search"=>"busybox", "registry_id"=>"", "id"=>"2"}
2015-03-04 10:12:43 [I] String does not start with the prefix 'encrypted-', so ForemanDocker::Docker ExternalDockerCR was not decrypted

Comment 1 Elyézer Rezende 2015-03-04 17:26:39 UTC

Filling missing information:

Description of problem:
When SELinux is in enforcing mode during the image search step on New Container wizard it prevents the search. Also no feedback is provided.


Version-Release number of selected component (if applicable):
Satellite-6.1.0-RHEL-7-20150303.0

How reproducible:
Aways

Comment 3 Lukas Zapletal 2015-03-05 14:54:07 UTC

Please paste output of the following commands in this order:

  rpm -q foreman-selinux selinux-policy
  getenforce
  ps auxZ | grep RackApp
  semodule -l | grep foreman
  foreman-selinux-enable
  foreman-selinux-disable
  foreman-selinux-enable
  foreman-selinux-relabel -v
  semanage boolean -l
  semanage fcontext -l
  sepolgen-ifgen &>/dev/null && audit2allow -Ra || audit2allow -a
  ausearch -m AVC -m USER_AVC -m SELINUX_ERR | head -n 50

Comment 5 Lukas Zapletal 2015-03-05 16:01:35 UTC

*** Bug 1198734 has been marked as a duplicate of this bug. ***

Comment 6 Lukas Zapletal 2015-03-05 16:07:29 UTC

Unable to reproduce on my nightly system. But I hit other interesting bug. Ruby coredumps on search result:

2015-03-05 11:05:24 [I] Processing by ImageSearchController#search_repository as TEXT
2015-03-05 11:05:24 [I]   Parameters: {"search"=>"wordpress", "registry_id"=>"", "id"=>"2"}
2015-03-05 11:05:24 [I] String does not start with the prefix 'encrypted-', so ForemanDocker::Docker Test was not decrypted

==> /var/log/messages <==
Mar  5 11:05:35 hp-magnycours-01 abrtd: Directory 'ccpp-2015-03-05-11:05:32-27132' creation detected
Mar  5 11:05:35 hp-magnycours-01 abrt[30605]: Saved core dump of pid 27132 (/opt/rh/ruby193/root/usr/bin/ruby) to /var/spool/abrt/ccpp-2015-03-05-11:05:32-27132 (404754432 bytes)

==> /var/log/httpd/foreman-ssl_error_ssl.log <==
[Thu Mar 05 11:05:36 2015] [error] [client 10.40.204.45] Premature end of script headers: image_search, referer: https://hp-magnycours-01.rhts.eng.bos.redhat.com/wizard_states/3/steps/image

==> /var/log/foreman/production.log <==
2015-03-05 11:05:36 [I] Client disconnected.

==> /var/log/httpd/foreman-ssl_access_ssl.log <==
10.40.204.45 - - [05/Mar/2015:11:05:24 -0500] "GET /image_search/2/search_repository?search=wordpress&registry_id= HTTP/1.1" 500 343 "https://hp-magnycours-01.rhts.eng.bos.redhat.com/wizard_states/3/steps/image" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0"

==> /var/log/messages <==
Mar  5 11:05:36 hp-magnycours-01 abrtd: Size of '/var/spool/abrt' >= 1000 MB, deleting 'ccpp-2015-03-05-11:03:51-25660'
Mar  5 11:05:37 hp-magnycours-01 abrtd: New problem directory /var/spool/abrt/ccpp-2015-03-05-11:04:37-27143, processing
Mar  5 11:05:37 hp-magnycours-01 abrtd: Sending an email...
Mar  5 11:05:37 hp-magnycours-01 abrtd: Email was sent to: root@localhost

Comment 7 Lukas Zapletal 2015-03-05 16:09:35 UTC

One note, please keep in mind that external/internal docker resources MUST have ports from this range:

[root@qe-blade-16 ~]# semanage port -l | grep docker
docker_port_t                  tcp      2375-2376

Otherwise they WILL be blocker. If you want to use non-standard port, then you need to redefine those.

Comment 8 Lukas Zapletal 2015-03-05 16:15:34 UTC

Attaching the coredump:

Core was generated by `Passenger RackApp: /usr/share/foreman                                         '.
Program terminated with signal 6, Aborted.
#0  0x0000003519232625 in ?? ()
"/var/spool/abrt/ccpp-2015-03-05-11:04:37-27143/coredump" is a core file.
Please specify an executable to debug.
(gdb) st
Ambiguous command "st": stack, start, status, step, stepi, stepping, stop, strace.
(gdb) bt
#0  0x0000003519232625 in ?? ()
#1  0x0000003519233d8d in ?? ()
#2  0x0000000000000000 in ?? ()
(gdb) quit

Comment 9 Lukas Zapletal 2015-03-05 16:16:05 UTC

Created attachment 998456 [details]
Coredump of Foreman with Docker plugin

Comment 11 Lukas Zapletal 2015-03-24 11:35:16 UTC

We have tried to reproduce with Daniel, unable to repro. Please re-test.

Keep in mind that when using Docker as a remote service, you must use standard ports otherwise SELinux will block the communication.

Comment 12 Og Maciel 2015-03-24 19:54:40 UTC

Verified by QE on Satellite-6.1.0-RHEL-7-20150320.1. Typing the name of a docker image will automatically search within your compute resource for a match.

Comment 13 Bryan Kearney 2015-08-11 13:31:06 UTC

This bug is slated to be released with Satellite 6.1.

Comment 14 Bryan Kearney 2015-08-12 13:57:10 UTC

This bug was fixed in version 6.1.1 of Satellite which was released on 12 August, 2015.

Note You need to log in before you can comment on or make changes to this bug.