Currently, cron jobs in OpenShift Online inherit the session from /usr/libexec/openshift/cartridges/cron/bin/cron_runjobs.sh, which has SELinux label system_u:system_r:system_cronjob_t:s0-s0:c0.c1023

This process is called under runcon, but only the child processes get a new label (unconfined_u:system_r:openshift_t:s0:cXXX,cYYY). Because of the label change, calling getpgid against the sid fails.

One workaround would be to call "setsid" ahead of "timeout" in cron_runjobs.sh, but maybe it's time to get a real fix for https://bugzilla.redhat.com/show_bug.cgi?id=1219589 , as that may also fix the problem.

== How to reproduce ==

1) create an app
2) add the cron cartridge to it
3) drop the following script into ~/app-root/repo/.openshift/cron/minutely/

    #!/usr/bin/env oo-ruby
    # look up the session ID of this job
    sid = `ps -p #{Process.pid} -o sess=`.to_i
    # ask for the process group of the session leader
    pgid = Process.getpgid(sid)
    puts "#{sid} #{pgid}"

Result:

    `getpgid': Permission denied (Errno::EACCES)
Translated audit log line for the failure:

type=SYSCALL msg=audit(02/07/2016 22:45:12.996:10062991) : arch=x86_64 syscall=getpgid success=no exit=-13(Permission denied) a0=0x4610f a1=0x8c21f a2=0x4610f a3=0x7fffb6589a10 items=0 ppid=287197 pid=287206 auid=root uid=527007594382ec847e0000cf gid=527007594382ec847e0000cf euid=527007594382ec847e0000cf suid=527007594382ec847e0000cf fsuid=527007594382ec847e0000cf egid=527007594382ec847e0000cf sgid=527007594382ec847e0000cf fsgid=527007594382ec847e0000cf tty=(none) ses=498429 comm=ruby exe=/opt/rh/ruby193/root/usr/bin/ruby subj=unconfined_u:system_r:openshift_t:s0:c2,c167 key=(null)
I just validated that adding "setsid" before "timeout" here resolves this issue:

https://github.com/openshift/origin-server/blob/master/cartridges/openshift-origin-cartridge-cron/bin/cron_runjobs.sh#L70

I want to note that in Online, cron_runjobs.sh in the gear bin dir is symlinked to /usr/libexec/openshift/cartridges/cron/bin/cron_runjobs.sh - perhaps that should be the case for OSE/Origin-server as well?
Commit pushed to master at https://github.com/openshift/origin-server

https://github.com/openshift/origin-server/commit/cdd56c53a1a165979bf607b54424fe833eb6cb4b
cron_runjobs.sh: adds setsid to timeout command

Bug 1305544
https://bugzilla.redhat.com/show_bug.cgi?id=1305544

Currently, cron jobs in OpenShift Online inherit the session from /usr/libexec/openshift/cartridges/cron/bin/cron_runjobs.sh , which has SELinux label system_u:system_r:system_cronjob_t:s0-s0:c0.c1023

This process is called under runcon, but only the child processes get a new label (unconfined_u:system_r:openshift_t:s0:cXXX,cYYY). Because of the label change, calling getpgid against the sid fails.

Adds a 'setsid' to the run-parts command to resolve the issue.
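The effect of the setsid change described above, as an added example that is not part of the bug report or of origin-server: it shows which process a job's getpgid(sid) call targets with and without a new session. The helper name probe_job is hypothetical, the "wrapper" process stands in for the timeout/run-parts command, and SELinux labels are not modelled, only the choice of target process.

```ruby
# Added illustration, not origin-server code. probe_job is a hypothetical helper.
# It forks a "wrapper" (stand-in for timeout/run-parts), optionally makes it a
# session leader, then forks a "job" that repeats the reproducer's lookup.
def probe_job(use_setsid)
  rd, wr = IO.pipe
  wrapper = fork do
    rd.close
    Process.setsid if use_setsid        # what prefixing the command with setsid does
    job = fork do
      sid = Process.getsid              # session ID the job belongs to
      begin
        pgid = Process.getpgid(sid)     # the call that returned EACCES in the report
      rescue SystemCallError => e
        pgid = e.class.name             # record the error instead of aborting
      end
      wr.puts "#{sid} #{pgid}"
      wr.close
      exit!(0)
    end
    Process.wait(job)
    exit!(0)
  end
  wr.close
  sid, pgid = rd.read.split
  rd.close
  Process.wait(wrapper)
  pgid = Integer(pgid) rescue pgid      # keep the error name if the call failed
  { wrapper: wrapper, sid: sid.to_i, pgid: pgid }
end

if __FILE__ == $0
  inherited = probe_job(false)
  isolated  = probe_job(true)
  # Without setsid the session leader is an ancestor outside the wrapper, so
  # getpgid(sid) inspects a process the job did not start (on the affected
  # hosts: one still labelled system_cronjob_t).
  puts "inherited session: wrapper=#{inherited[:wrapper]} sid=#{inherited[:sid]} pgid=#{inherited[:pgid]}"
  # With setsid the wrapper itself is the session leader, so the lookup stays
  # inside the process tree that was started for the job.
  puts "new session:       wrapper=#{isolated[:wrapper]} sid=#{isolated[:sid]} pgid=#{isolated[:pgid]}"
end
```

With the new session, sid and pgid are the same number, which matches the pairs QE reports in cron_minutely.log.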
QE, Can we verify that this works based on the comment #0 How to Reproduce steps? Thank you.
Checked on devenv_5778, issue has been fixed. The sid and pgid can be shown in user's cronjob.

# rhc tail py33
==> app-root/logs/cron_minutely.log <==
Mon Mar 7 01:40:02 EST 2016: END minutely cron run - status=0
__________________________________________________________________________
__________________________________________________________________________
Mon Mar 7 01:41:02 EST 2016: START minutely cron run
__________________________________________________________________________
/var/lib/openshift/56dd1bbe7804afdf14000018/app-root/runtime/repo//.openshift/cron/minutely/test.rb:
24006 24006
__________________________________________________________________________
Mon Mar 7 01:41:02 EST 2016: END minutely cron run - status=0
__________________________________________________________________________

==> app-root/logs/python.log <==
[Mon Mar 07 01:12:39 2016] [notice] Digest: generating secret for digest authentication ...
[Mon Mar 07 01:12:39 2016] [notice] Digest: done
[Mon Mar 07 01:12:39 2016] [notice] Apache/2.2.15 (Unix) mod_wsgi/3.4 Python/3.3.2 configured -- resuming normal operations
[Mon Mar 07 01:38:08 2016] [notice] caught SIGWINCH, shutting down gracefully
- - - [07/Mar/2016:01:38:08 -0500] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.2.15 (Red Hat) (internal dummy connection)"
[Mon Mar 07 01:38:15 2016] [notice] Digest: generating secret for digest authentication ...
[Mon Mar 07 01:38:15 2016] [notice] Digest: done
[Mon Mar 07 01:38:15 2016] [notice] Apache/2.2.15 (Unix) mod_wsgi/3.4 Python/3.3.2 configured -- resuming normal operations

==> app-root/logs/cron_minutely.log <==
__________________________________________________________________________
Mon Mar 7 01:42:02 EST 2016: START minutely cron run
__________________________________________________________________________
/var/lib/openshift/56dd1bbe7804afdf14000018/app-root/runtime/repo//.openshift/cron/minutely/test.rb:
24675 24675
__________________________________________________________________________
Mon Mar 7 01:42:02 EST 2016: END minutely cron run - status=0
__________________________________________________________________________