1542833 – oVirt Node upgrade fails if SELINUX is disabled

Bug 1542833 - oVirt Node upgrade fails if SELINUX is disabled

Summary: oVirt Node upgrade fails if SELINUX is disabled

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Virtualization Manager
Classification:	Red Hat
Component:	imgbased
Sub Component:
Version:	4.1.9
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	high
Target Milestone:	ovirt-4.2.1
Target Release:	4.2.0
Assignee:	Yuval Turgeman
QA Contact:	Huijuan Zhao
Docs Contact:
URL:
Whiteboard:
Depends On:	1519784
Blocks:
TreeView+	depends on / blocked

Reported:	2018-02-07 06:19 UTC by Germano Veit Michel
Modified:	2021-06-10 14:30 UTC (History)
CC List:	10 users (show)
Fixed In Version:	imgbased-1.0.11
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:	1519784
Environment:
Last Closed:	2018-05-15 17:57:44 UTC
oVirt Team:	Node
Target Upstream Version:
Embargoed:
Flags:	lsvaty: testing_plan_complete-

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Knowledge Base (Solution)	3346371	None	None	None	2018-02-07 06:20:16 UTC
Red Hat Product Errata	RHSA-2018:1524	None	None	None	2018-05-15 17:58:49 UTC
oVirt gerrit	84957	None	MERGED	Avoid running semanage when selinux is disabled	2020-10-08 12:29:15 UTC
oVirt gerrit	85604	None	MERGED	Avoid running semanage when selinux is disabled	2020-10-08 12:29:16 UTC

Description Germano Veit Michel 2018-02-07 06:19:42 UTC

+++ This bug was initially created as a clone of Bug #1519784 +++

Description of problem:

If SELINUX is disabled, upgrade of node fails.

Version-Release number of selected component (if applicable):

4.1.1.1

How reproducible:

Always

Steps to Reproduce:
1. Install oVirt Node
2. Disable SELINUX
3. Try to upgrade oVirt Node

Actual results:

Upgrade fails

###

2017-11-28 17:25:28,372 [DEBUG] (MainThread) Returned: 
2017-11-28 17:25:28,434 [DEBUG] (MainThread) Creating /home as {'attach': True, 'size': '1G'}
2017-11-28 17:25:28,434 [DEBUG] (MainThread) Calling binary: (['vgs', '--noheadings', '@imgbased:volume', '-o', 'lv_full_name'],) {'stderr': <open file '/dev/null', mode 'w' at 0x7fa2d1ad8ed0>}
2017-11-28 17:25:28,434 [DEBUG] (MainThread) Calling: (['vgs', '--noheadings', '@imgbased:volume', '-o', 'lv_full_name'],) {'close_fds': True, 'stderr': <open file '/dev/null', mode 'w' at 0x7fa2d1ad8ed0>}
2017-11-28 17:25:28,533 [DEBUG] (MainThread) Returned: onn/home         
  onn/tmp          
  onn/var_log      
  onn/var_log_audit
2017-11-28 17:25:28,533 [DEBUG] (MainThread) Calling binary: (['umount', '-l', '/etc'],) {}
2017-11-28 17:25:28,534 [DEBUG] (MainThread) Calling: (['umount', '-l', '/etc'],) {'close_fds': True, 'stderr': -2}
2017-11-28 17:25:28,539 [DEBUG] (MainThread) Returned: 
2017-11-28 17:25:28,540 [DEBUG] (MainThread) Calling binary: (['umount', '-l', u'/tmp/mnt.tuHU8'],) {}
2017-11-28 17:25:28,540 [DEBUG] (MainThread) Calling: (['umount', '-l', u'/tmp/mnt.tuHU8'],) {'close_fds': True, 'stderr': -2}
2017-11-28 17:25:28,635 [DEBUG] (MainThread) Returned: 
2017-11-28 17:25:28,635 [DEBUG] (MainThread) Calling binary: (['rmdir', u'/tmp/mnt.tuHU8'],) {}
2017-11-28 17:25:28,635 [DEBUG] (MainThread) Calling: (['rmdir', u'/tmp/mnt.tuHU8'],) {'close_fds': True, 'stderr': -2}
2017-11-28 17:25:28,640 [DEBUG] (MainThread) Returned: 
2017-11-28 17:25:28,641 [ERROR] (MainThread) Failed to migrate etc
Traceback (most recent call last):
  File "/tmp/tmp.ipxGZrbQEi/usr/lib/python2.7/site-packages/imgbased/plugins/osupdater.py", line 109, in on_new_layer
    check_nist_layout(imgbase, new_lv)
  File "/tmp/tmp.ipxGZrbQEi/usr/lib/python2.7/site-packages/imgbased/plugins/osupdater.py", line 179, in check_nist_layout
    v.create(t, paths[t]["size"], paths[t]["attach"])
  File "/tmp/tmp.ipxGZrbQEi/usr/lib/python2.7/site-packages/imgbased/volume.py", line 48, in create
    "Path is already a volume: %s" % where
AssertionError: Path is already a volume: /home
2017-11-28 17:25:28,642 [DEBUG] (MainThread) Calling binary: (['umount', '-l', u'/tmp/mnt.bEW2k'],) {}
2017-11-28 17:25:28,642 [DEBUG] (MainThread) Calling: (['umount', '-l', u'/tmp/mnt.bEW2k'],) {'close_fds': True, 'stderr': -2}
2017-11-28 17:25:29,061 [DEBUG] (MainThread) Returned: 
2017-11-28 17:25:29,061 [DEBUG] (MainThread) Calling binary: (['rmdir', u'/tmp/mnt.bEW2k'],) {}
2017-11-28 17:25:29,061 [DEBUG] (MainThread) Calling: (['rmdir', u'/tmp/mnt.bEW2k'],) {'close_fds': True, 'stderr': -2}
2017-11-28 17:25:29,067 [DEBUG] (MainThread) Returned: 
2017-11-28 17:25:29,067 [DEBUG] (MainThread) Calling binary: (['umount', '-l', u'/tmp/mnt.UB5Yg'],) {}
2017-11-28 17:25:29,067 [DEBUG] (MainThread) Calling: (['umount', '-l', u'/tmp/mnt.UB5Yg'],) {'close_fds': True, 'stderr': -2}
2017-11-28 17:25:29,625 [DEBUG] (MainThread) Returned: 
2017-11-28 17:25:29,625 [DEBUG] (MainThread) Calling binary: (['rmdir', u'/tmp/mnt.UB5Yg'],) {}
2017-11-28 17:25:29,626 [DEBUG] (MainThread) Calling: (['rmdir', u'/tmp/mnt.UB5Yg'],) {'close_fds': True, 'stderr': -2}
2017-11-28 17:25:29,631 [DEBUG] (MainThread) Returned: 
Traceback (most recent call last):
  File "/usr/lib64/python2.7/runpy.py", line 162, in _run_module_as_main
    "__main__", fname, loader, pkg_name)
  File "/usr/lib64/python2.7/runpy.py", line 72, in _run_code
    exec code in run_globals
  File "/tmp/tmp.ipxGZrbQEi/usr/lib/python2.7/site-packages/imgbased/__main__.py", line 53, in <module>
    CliApplication()
  File "/tmp/tmp.ipxGZrbQEi/usr/lib/python2.7/site-packages/imgbased/__init__.py", line 82, in CliApplication
    app.hooks.emit("post-arg-parse", args)
  File "/tmp/tmp.ipxGZrbQEi/usr/lib/python2.7/site-packages/imgbased/hooks.py", line 120, in emit
    cb(self.context, *args)
  File "/tmp/tmp.ipxGZrbQEi/usr/lib/python2.7/site-packages/imgbased/plugins/update.py", line 56, in post_argparse
    base_lv, _ = LiveimgExtractor(app.imgbase).extract(args.FILENAME)
  File "/tmp/tmp.ipxGZrbQEi/usr/lib/python2.7/site-packages/imgbased/plugins/update.py", line 118, in extract
    "%s" % size, nvr)
  File "/tmp/tmp.ipxGZrbQEi/usr/lib/python2.7/site-packages/imgbased/plugins/update.py", line 99, in add_base_with_tree
    new_layer_lv = self.imgbase.add_layer(new_base)
  File "/tmp/tmp.ipxGZrbQEi/usr/lib/python2.7/site-packages/imgbased/imgbase.py", line 191, in add_layer
    self.hooks.emit("new-layer-added", prev_lv, new_lv)
  File "/tmp/tmp.ipxGZrbQEi/usr/lib/python2.7/site-packages/imgbased/hooks.py", line 120, in emit
    cb(self.context, *args)
  File "/tmp/tmp.ipxGZrbQEi/usr/lib/python2.7/site-packages/imgbased/plugins/osupdater.py", line 123, in on_new_layer
    raise ConfigMigrationError()
imgbased.plugins.osupdater.ConfigMigrationError



$semanage permissive -a setfiles_t
SELinux:  Could not downgrade policy file /etc/selinux/targeted/policy/policy.30, searching for an older version.
SELinux:  Could not open policy file <= /etc/selinux/targeted/policy/policy.30:  No such file or directory
/sbin/load_policy:  Can't load policy:  No such file or directory
libsemanage.semanage_reload_policy: load_policy returned error code 2. (No such file or directory).
SELinux:  Could not downgrade policy file /etc/selinux/targeted/policy/policy.30, searching for an older version.
SELinux:  Could not open policy file <= /etc/selinux/targeted/policy/policy.30:  No such file or directory
/sbin/load_policy:  Can't load policy:  No such file or directory
libsemanage.semanage_reload_policy: load_policy returned error code 2. (No such file or directory).
OSError: No such file or directory

###


Expected results:

Upgrade / Update should work


Additional info:

--- Additional comment from Ryan Barry on 2017-12-01 08:14:27 EST ---

The traceback here is misleading. Please remove the NIST LVs before attempting to upgrade again.

Why is selinux disabled? We can patch around this by checking in SELinuxContext, but oVirt Node runs without problems with SELinux enabled.

--- Additional comment from Kilian Ries on 2017-12-01 09:58:26 EST ---

Yes that is right, it was not the right imgbased-log. I have another one where i removed the LVs before upgrade.

SELINUX is disabled because of a third party package which i installed via yum (wich is not compatible with SELINUX) ...

--- Additional comment from Huijuan Zhao on 2017-12-04 03:37:59 EST ---

QE can reproduce this issue.

Test version:
From: ovovirt-node-ng-installer-ovirt-4.1-pre-2017101110.iso
To:   ovirt-node-ng-image-update-4.2.0-0.3.beta.20171115142956.gitba54278.el7.centos.noarch.rpm

Test steps:
1. Install ovovirt-node-ng-installer-ovirt-4.1-pre-2017101110.iso
2. Disable selinux
# getenforce 
Disabled
3. Upgrade ovirt-node to ovovirt-node-ng-image-update-4.2.0-0.3.beta.20171115142956.gitba54278.el7.centos.noarch.rpm

Actual results:
After step3, upgrade failed.

# yum install ovirt-node to ovovirt-node-ng-image-update-4.2.0-0.3.beta.20171115142956.gitba54278.el7.centos.noarch.rpm
...
Is this ok [y/d/N]: y
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : ovirt-node-ng-image-update-4.2.0-0.3.beta.20171115142956.gitba54278.el7.centos.noarch                                          1/2 
warning: %post(ovirt-node-ng-image-update-4.2.0-0.3.beta.20171115142956.gitba54278.el7.centos.noarch) scriptlet failed, exit status 1
Non-fatal POSTIN scriptlet failure in rpm package ovirt-node-ng-image-update-4.2.0-0.3.beta.20171115142956.gitba54278.el7.centos.noarch
  Erasing    : ovirt-node-ng-image-update-placeholder-4.1.7-0.3.rc3.20171010112718.git2411e97.el7.centos.noarch                               2/2 
  Verifying  : ovirt-node-ng-image-update-4.2.0-0.3.beta.20171115142956.gitba54278.el7.centos.noarch                                          1/2 
  Verifying  : ovirt-node-ng-image-update-placeholder-4.1.7-0.3.rc3.20171010112718.git2411e97.el7.centos.noarch                               2/2 

Installed:
  ovirt-node-ng-image-update.noarch 0:4.2.0-0.3.beta.20171115142956.gitba54278.el7.centos                                                         

Replaced:
  ovirt-node-ng-image-update-placeholder.noarch 0:4.1.7-0.3.rc3.20171010112718.git2411e97.el7.centos                                              

Complete!


Expected results:
After step3, can upgrade successful.

--- Additional comment from Huijuan Zhao on 2018-01-30 02:46:47 EST ---

Test version:
From: rhvh-4.1-0.20171101.0
To:   rhvh-4.2.1.2-0.20180126.0
      imgbased-1.0.8-0.1.el7ev.noarch

Test steps:
Same as Comment 3

Test results:
After Step3, can upgrade successful.

So this bug is fixed in rhvh-4.2.1.2-0.20180126.0, change the status to VERIFIED.

Comment 7 Huijuan Zhao 2018-02-08 08:34:01 UTC

According to comment 0, this bug is fixed in rhvh-4.2.1.2-0.20180126.0, change the status to VERIFIED.

Comment 14 errata-xmlrpc 2018-05-15 17:57:44 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:1524

Comment 15 Franta Kust 2019-05-16 13:08:04 UTC

BZ<2>Jira Resync

Comment 16 Daniel Gur 2019-08-28 13:14:25 UTC

sync2jira

Comment 17 Daniel Gur 2019-08-28 13:19:27 UTC

sync2jira

Note You need to log in before you can comment on or make changes to this bug.