Description of problem: Upon updating from munin 2.0.26 to munin 2.0.28 the dynazoom functionality is broken. Errors such as this: 2016/12/23 10:14:04 [WARNING] Could not draw graph "/var/lib/munin/cgi-tmp/munin-cgi-graph/<group>/<hostname>/diskstats_latency/sda-pinpoint=1482408674,1482516674.png?&lower_limit=&upper_limit=&size_x=800&size_y=400": /var/lib/munin/cgi-tmp/munin-cgi-graph/<group>/<hostname>/diskstats_latency/sda-pinpoint=1482408674,1482516674.png?&lower_limit=&upper_limit=&size_x=800&size_y=400 can be seen in the logs. It appears that there was changes to the code in: /var/www/cgi-bin/munin-cgi-graph Which now tries to write to: /var/lib/munin/cgi-tmp/munin-cgi-graph Which doesn't exist. manually creating the directory: mkdir -p /var/lib/munin/cgi-tmp/munin-cgi-graph and setting the permissions: chmod 775 /var/lib/munin/cgi-tmp/munin-cgi-graph chown munin:apache /var/lib/munin/cgi-tmp/munin-cgi-graph fixes the issue. Version-Release number of selected component (if applicable): munin-node-2.0.28-2.fc24.noarch munin-2.0.28-2.fc24.noarch munin-common-2.0.28-2.fc24.noarch Additional info: I can confirm that bug also exists in: munin-2.0.28-2.el7.noarch currently in epel-testing.
Additionally, on selinux systems in enforcing mode, there is selinux policy preventing apache from writing to that directory. Putting selinux into permissive mode, I see the following: type=AVC msg=audit(1482520635.898:15772): avc: denied { execmem } for pid=27210 comm="munin-cgi-graph" scontext=system_u:system_r:munin_script_t:s0 tcontext=system_u:system_r:munin_script_t:s0 tclass=process permissive=1 type=AVC msg=audit(1482520636.153:15773): avc: denied { write } for pid=27210 comm="munin-cgi-graph" name="<hostname>" dev="dm-0" ino=24911877 scontext=system_u:system_r:munin_script_t:s0 tcontext=system_u:object_r:munin_var_lib_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1482520636.154:15774): avc: denied { add_name } for pid=27210 comm="munin-cgi-graph" name="entropy-pinpoint=1482412210,1482520210.png?&lower_limit=&upper_limit=&size_x=800&size_y=400" scontext=system_u:system_r:munin_script_t:s0 tcontext=system_u:object_r:munin_var_lib_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1482520636.154:15775): avc: denied { create } for pid=27210 comm="munin-cgi-graph" name="entropy-pinpoint=1482412210,1482520210.png?&lower_limit=&upper_limit=&size_x=800&size_y=400" scontext=system_u:system_r:munin_script_t:s0 tcontext=system_u:object_r:munin_var_lib_t:s0 tclass=file permissive=1 type=AVC msg=audit(1482520636.154:15776): avc: denied { write } for pid=27210 comm="munin-cgi-graph" path="/var/lib/munin/cgi-tmp/munin-cgi-graph/<group>/<hostname>/entropy-pinpoint=1482412210,1482520210.png?&lower_limit=&upper_limit=&size_x=800&size_y=400" dev="dm-0" ino=24903967 scontext=system_u:system_r:munin_script_t:s0 tcontext=system_u:object_r:munin_var_lib_t:s0 tclass=file permissive=1 type=AVC msg=audit(1482520636.190:15777): avc: denied { setattr } for pid=27210 comm="munin-cgi-graph" name="entropy-pinpoint=1482412210,1482520210.png?&lower_limit=&upper_limit=&size_x=800&size_y=400" dev="dm-0" ino=24903967 scontext=system_u:system_r:munin_script_t:s0 tcontext=system_u:object_r:munin_var_lib_t:s0 tclass=file permissive=1 type=AVC msg=audit(1482520636.191:15778): avc: denied { remove_name } for pid=27210 comm="munin-cgi-graph" name="entropy-pinpoint=1482412210,1482520210.png?&lower_limit=&upper_limit=&size_x=800&size_y=400" dev="dm-0" ino=24903967 scontext=system_u:system_r:munin_script_t:s0 tcontext=system_u:object_r:munin_var_lib_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1482520636.191:15779): avc: denied { unlink } for pid=27210 comm="munin-cgi-graph" name="entropy-pinpoint=1482412210,1482520210.png?&lower_limit=&upper_limit=&size_x=800&size_y=400" dev="dm-0" ino=24903967 scontext=system_u:system_r:munin_script_t:s0 tcontext=system_u:object_r:munin_var_lib_t:s0 tclass=file permissive=1 selinux policy and/or permissions will have to be updated as well to allow this.
What did you set your cgitmpdir to ? This is set in /etc/munin/munin.conf and might be something like /var/tmp/ or other web server writable location. ("semanage fcontext -l |grep tmp_t" for examples)
(In reply to d. johnson from comment #2) > What did you set your cgitmpdir to ? > > This is set in /etc/munin/munin.conf and might be something like /var/tmp/ > or other web server writable location. ("semanage fcontext -l |grep tmp_t" > for examples) Nothing, I've always gone with the defaults for things like this. In this particular instance, it seems like the defaults changed but the packaging didn't.
Futhermore, the munin.conf for 2.0.28 shows: # temporary cgi files are here. note that it has to be writable by # the cgi user (usually nobody or httpd). # # cgitmpdir /var/lib/munin/cgi-tmp
Same bug in epel 6. Chad, thanks for the workaround
munin-2.0.29-1.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-2e436bf718
munin-2.0.29-1.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2017-cc24f72215
munin-2.0.29-1.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-98c134f556
munin-2.0.29-1.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-309a41ab53
munin-2.0.29-1.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-98c134f556
munin-2.0.29-1.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-2e436bf718
munin-2.0.29-1.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-309a41ab53
munin-2.0.29-1.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-cc24f72215
All looks good. I verified on EL7 and Fedora 25 (I upgraded my workstation from 24 -> 25 since opening this ticket). I left appropriate feedback on bodhi.
munin-2.0.29-1.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
munin-2.0.29-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
munin-2.0.29-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
munin-2.0.29-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.