Bug 1305544 - getpgid syscall fails in cron jobs due to SELinux context mismatch with session leader
Status: VERIFIED
Product: OpenShift Online
Classification: Red Hat
Component: Unknown
2.x
Assigned To: Rory Thrasher
Meng Bo
Blocks: 1277547
Reported: 2016-02-08 09:42 EST by Andy Grimm
Modified: 2016-11-07 22:49 EST
Doc Type: Bug Fix
Type: Bug

Description Andy Grimm 2016-02-08 09:42:19 EST
Currently, cron jobs in OpenShift Online inherit the session from /usr/libexec/openshift/cartridges/cron/bin/cron_runjobs.sh, which has SELinux label system_u:system_r:system_cronjob_t:s0-s0:c0.c1023

This process is called under runcon, but only the child processes get a new label (unconfined_u:system_r:openshift_t:s0:cXXX,cYYY).  Because of the label change, calling getpgid against the sid fails.

One workaround would be to call "setsid" ahead of "timeout" in cron_runjobs.sh, but maybe it's time to get a real fix for https://bugzilla.redhat.com/show_bug.cgi?id=1219589, as that may also fix the problem.

== How to reproduce ==

1) create an app
2) add the cron cartridge to it
3) drop the following script into ~/app-root/repo/.openshift/cron/minutely/

#!/usr/bin/env oo-ruby
# Session id of this process, read via ps (ruby193 has no Process.getsid)
sid = `ps -p #{Process.pid} -o sess=`.to_i
# Fails with EACCES when the session leader carries a different SELinux label
pgid = Process.getpgid(sid)
puts "#{sid} #{pgid}"

Result:
`getpgid': Permission denied (Errno::EACCES)
Comment 1 Andy Grimm 2016-02-08 10:35:17 EST
Translated audit log line for the failure:

type=SYSCALL msg=audit(02/07/2016 22:45:12.996:10062991) : arch=x86_64 syscall=getpgid success=no exit=-13(Permission denied) a0=0x4610f a1=0x8c21f a2=0x4610f a3=0x7fffb6589a10 items=0 ppid=287197 pid=287206 auid=root uid=527007594382ec847e0000cf gid=527007594382ec847e0000cf euid=527007594382ec847e0000cf suid=527007594382ec847e0000cf fsuid=527007594382ec847e0000cf egid=527007594382ec847e0000cf sgid=527007594382ec847e0000cf fsgid=527007594382ec847e0000cf tty=(none) ses=498429 comm=ruby exe=/opt/rh/ruby193/root/usr/bin/ruby subj=unconfined_u:system_r:openshift_t:s0:c2,c167 key=(null)
Comment 2 John W. Lamb 2016-02-08 16:25:48 EST
I just validated that adding "setsid" before "timeout" here resolves this issue: https://github.com/openshift/origin-server/blob/master/cartridges/openshift-origin-cartridge-cron/bin/cron_runjobs.sh#L70

I want to note that in Online, cron_runjobs.sh in the gear bin dir is symlinked to /usr/libexec/openshift/cartridges/cron/bin/cron_runjobs.sh - perhaps that should be the case for OSE/Origin-server as well?
Comment 3 openshift-github-bot 2016-02-16 16:30:20 EST
Commit pushed to master at https://github.com/openshift/origin-server

https://github.com/openshift/origin-server/commit/cdd56c53a1a165979bf607b54424fe833eb6cb4b
cron_runjobs.sh: adds setsid to timeout command

Bug 1305544
https://bugzilla.redhat.com/show_bug.cgi?id=1305544

Currently, cron jobs in OpenShift Online inherit the session from
/usr/libexec/openshift/cartridges/cron/bin/cron_runjobs.sh, which has SELinux
label system_u:system_r:system_cronjob_t:s0-s0:c0.c1023

This process is called under runcon, but only the child processes get a new
label (unconfined_u:system_r:openshift_t:s0:cXXX,cYYY).  Because of the label
change, calling getpgid against the sid fails.

Adds a 'setsid' to the run-parts command to resolve the issue.
Comment 4 Rory Thrasher 2016-03-04 14:41:02 EST
QE,

Can we verify that this works based on the comment #0 How to Reproduce steps?  Thank you.
Comment 5 Meng Bo 2016-03-07 01:44:26 EST
Checked on devenv_5778; the issue has been fixed.
The sid and pgid can be shown in user's cronjob.


# rhc tail py33
==> app-root/logs/cron_minutely.log <==
Mon Mar  7 01:40:02 EST 2016: END minutely cron run - status=0
__________________________________________________________________________
__________________________________________________________________________
Mon Mar  7 01:41:02 EST 2016: START minutely cron run
__________________________________________________________________________
/var/lib/openshift/56dd1bbe7804afdf14000018/app-root/runtime/repo//.openshift/cron/minutely/test.rb:
24006 24006
__________________________________________________________________________
Mon Mar  7 01:41:02 EST 2016: END minutely cron run - status=0
__________________________________________________________________________

==> app-root/logs/python.log <==
[Mon Mar 07 01:12:39 2016] [notice] Digest: generating secret for digest authentication ...
[Mon Mar 07 01:12:39 2016] [notice] Digest: done
[Mon Mar 07 01:12:39 2016] [notice] Apache/2.2.15 (Unix) mod_wsgi/3.4 Python/3.3.2 configured -- resuming normal operations
[Mon Mar 07 01:38:08 2016] [notice] caught SIGWINCH, shutting down gracefully
- - - [07/Mar/2016:01:38:08 -0500] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.2.15 (Red Hat) (internal dummy connection)"
[Mon Mar 07 01:38:15 2016] [notice] Digest: generating secret for digest authentication ...
[Mon Mar 07 01:38:15 2016] [notice] Digest: done
[Mon Mar 07 01:38:15 2016] [notice] Apache/2.2.15 (Unix) mod_wsgi/3.4 Python/3.3.2 configured -- resuming normal operations

==> app-root/logs/cron_minutely.log <==
__________________________________________________________________________
Mon Mar  7 01:42:02 EST 2016: START minutely cron run
__________________________________________________________________________
/var/lib/openshift/56dd1bbe7804afdf14000018/app-root/runtime/repo//.openshift/cron/minutely/test.rb:
24675 24675
__________________________________________________________________________
Mon Mar  7 01:42:02 EST 2016: END minutely cron run - status=0
__________________________________________________________________________
