1408492 – Munin 2.0.28 update breaks dynazoom

Bug 1408492 - Munin 2.0.28 update breaks dynazoom

Summary: Munin 2.0.28 update breaks dynazoom

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	munin
Sub Component:
Version:	24
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	d. johnson
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-12-23 18:48 UTC by Chad Feller
Modified:	2017-01-20 20:48 UTC (History)
CC List:	4 users (show)
Fixed In Version:	munin-2.0.29-1.fc25 munin-2.0.29-1.fc24 munin-2.0.29-1.el7 munin-2.0.29-1.el6
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-01-12 05:23:30 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Chad Feller 2016-12-23 18:48:59 UTC

Description of problem:  Upon updating from munin 2.0.26 to munin 2.0.28 the dynazoom functionality is broken.  Errors such as this:

2016/12/23 10:14:04 [WARNING] Could not draw graph "/var/lib/munin/cgi-tmp/munin-cgi-graph/<group>/<hostname>/diskstats_latency/sda-pinpoint=1482408674,1482516674.png?&lower_limit=&upper_limit=&size_x=800&size_y=400": /var/lib/munin/cgi-tmp/munin-cgi-graph/<group>/<hostname>/diskstats_latency/sda-pinpoint=1482408674,1482516674.png?&lower_limit=&upper_limit=&size_x=800&size_y=400

can be seen in the logs.

It appears that there was changes to the code in:

  /var/www/cgi-bin/munin-cgi-graph

Which now tries to write to:

  /var/lib/munin/cgi-tmp/munin-cgi-graph

Which doesn't exist.

manually creating the directory:

  mkdir -p /var/lib/munin/cgi-tmp/munin-cgi-graph

and setting the permissions:

  chmod 775 /var/lib/munin/cgi-tmp/munin-cgi-graph

  chown munin:apache /var/lib/munin/cgi-tmp/munin-cgi-graph

fixes the issue.

Version-Release number of selected component (if applicable):
munin-node-2.0.28-2.fc24.noarch
munin-2.0.28-2.fc24.noarch
munin-common-2.0.28-2.fc24.noarch


Additional info:
I can confirm that bug also exists in:

  munin-2.0.28-2.el7.noarch 

currently in epel-testing.

Comment 1 Chad Feller 2016-12-23 19:22:38 UTC

Additionally, on selinux systems in enforcing mode, there is selinux policy preventing apache from writing to that directory.  

Putting selinux into permissive mode, I see the following:

type=AVC msg=audit(1482520635.898:15772): avc:  denied  { execmem } for  pid=27210 comm="munin-cgi-graph" scontext=system_u:system_r:munin_script_t:s0 tcontext=system_u:system_r:munin_script_t:s0 tclass=process permissive=1
type=AVC msg=audit(1482520636.153:15773): avc:  denied  { write } for  pid=27210 comm="munin-cgi-graph" name="<hostname>" dev="dm-0" ino=24911877 scontext=system_u:system_r:munin_script_t:s0 tcontext=system_u:object_r:munin_var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1482520636.154:15774): avc:  denied  { add_name } for  pid=27210 comm="munin-cgi-graph" name="entropy-pinpoint=1482412210,1482520210.png?&lower_limit=&upper_limit=&size_x=800&size_y=400" scontext=system_u:system_r:munin_script_t:s0 tcontext=system_u:object_r:munin_var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1482520636.154:15775): avc:  denied  { create } for  pid=27210 comm="munin-cgi-graph" name="entropy-pinpoint=1482412210,1482520210.png?&lower_limit=&upper_limit=&size_x=800&size_y=400" scontext=system_u:system_r:munin_script_t:s0 tcontext=system_u:object_r:munin_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1482520636.154:15776): avc:  denied  { write } for  pid=27210 comm="munin-cgi-graph" path="/var/lib/munin/cgi-tmp/munin-cgi-graph/<group>/<hostname>/entropy-pinpoint=1482412210,1482520210.png?&lower_limit=&upper_limit=&size_x=800&size_y=400" dev="dm-0" ino=24903967 scontext=system_u:system_r:munin_script_t:s0 tcontext=system_u:object_r:munin_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1482520636.190:15777): avc:  denied  { setattr } for  pid=27210 comm="munin-cgi-graph" name="entropy-pinpoint=1482412210,1482520210.png?&lower_limit=&upper_limit=&size_x=800&size_y=400" dev="dm-0" ino=24903967 scontext=system_u:system_r:munin_script_t:s0 tcontext=system_u:object_r:munin_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1482520636.191:15778): avc:  denied  { remove_name } for  pid=27210 comm="munin-cgi-graph" name="entropy-pinpoint=1482412210,1482520210.png?&lower_limit=&upper_limit=&size_x=800&size_y=400" dev="dm-0" ino=24903967 scontext=system_u:system_r:munin_script_t:s0 tcontext=system_u:object_r:munin_var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1482520636.191:15779): avc:  denied  { unlink } for  pid=27210 comm="munin-cgi-graph" name="entropy-pinpoint=1482412210,1482520210.png?&lower_limit=&upper_limit=&size_x=800&size_y=400" dev="dm-0" ino=24903967 scontext=system_u:system_r:munin_script_t:s0 tcontext=system_u:object_r:munin_var_lib_t:s0 tclass=file permissive=1

selinux policy and/or permissions will have to be updated as well to allow this.

Comment 2 d. johnson 2016-12-23 22:49:42 UTC

What did you set your cgitmpdir to ?

This is set in /etc/munin/munin.conf and might be something like /var/tmp/ or other web server writable location.  ("semanage fcontext -l |grep tmp_t" for examples)

Comment 3 Chad Feller 2016-12-23 23:01:00 UTC

(In reply to d. johnson from comment #2)
> What did you set your cgitmpdir to ?
> 
> This is set in /etc/munin/munin.conf and might be something like /var/tmp/
> or other web server writable location.  ("semanage fcontext -l |grep tmp_t"
> for examples)

Nothing, I've always gone with the defaults for things like this.  

In this particular instance, it seems like the defaults changed but the packaging didn't.

Comment 4 Chad Feller 2016-12-23 23:08:11 UTC

Futhermore, the munin.conf for 2.0.28 shows:

# temporary cgi files are here. note that it has to be writable by 
# the cgi user (usually nobody or httpd).
#
# cgitmpdir /var/lib/munin/cgi-tmp

Comment 5 marianne@tuxette.fr 2016-12-29 13:49:59 UTC

Same bug in epel 6. 
Chad, thanks for the workaround

Comment 6 Fedora Update System 2017-01-03 05:44:49 UTC

munin-2.0.29-1.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-2e436bf718

Comment 7 Fedora Update System 2017-01-03 05:45:43 UTC

munin-2.0.29-1.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2017-cc24f72215

Comment 8 Fedora Update System 2017-01-03 05:46:07 UTC

munin-2.0.29-1.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-98c134f556

Comment 9 Fedora Update System 2017-01-03 05:46:35 UTC

munin-2.0.29-1.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-309a41ab53

Comment 10 Fedora Update System 2017-01-03 21:48:30 UTC

munin-2.0.29-1.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-98c134f556

Comment 11 Fedora Update System 2017-01-03 22:21:00 UTC

munin-2.0.29-1.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-2e436bf718

Comment 12 Fedora Update System 2017-01-03 23:17:59 UTC

munin-2.0.29-1.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-309a41ab53

Comment 13 Fedora Update System 2017-01-03 23:50:35 UTC

munin-2.0.29-1.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-cc24f72215

Comment 14 Chad Feller 2017-01-07 17:42:30 UTC

All looks good.  I verified on EL7 and Fedora 25 (I upgraded my workstation from 24 -> 25 since opening this ticket).

I left appropriate feedback on bodhi.

Comment 15 Fedora Update System 2017-01-12 05:23:30 UTC

munin-2.0.29-1.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Comment 16 Fedora Update System 2017-01-12 06:49:13 UTC

munin-2.0.29-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 17 Fedora Update System 2017-01-20 15:20:21 UTC

munin-2.0.29-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

Comment 18 Fedora Update System 2017-01-20 20:48:00 UTC

munin-2.0.29-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.