Bug 1575335 - munin-node does not start or restart correctly on f28
Summary: munin-node does not start or restart correctly on f28
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: munin
Version: 28
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Kim B. Heino
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-05-06 03:56 UTC by Martin Jackson
Modified: 2018-09-11 14:44 UTC (History)
10 users (show)

Fixed In Version: munin-2.0.40-2.fc28 munin-2.0.40-2.el6 munin-2.0.40-2.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-09-06 03:09:07 UTC
Type: Bug


Attachments (Terms of Use)

Description Martin Jackson 2018-05-06 03:56:07 UTC
Description of problem:
munin-node.service does not start on f28

Version-Release number of selected component (if applicable):
munin-node-2.0.33-5.fc27.noarch

How reproducible:
always

Steps to Reproduce:
1. Install package munin-node
2. Try to restart it
3. Unit will hang and then report it failed because it couldn't find the pidfile

Actual results:
Unit enters failed state and does not start

Expected results:
service starts

Additional info:
Starting munin from the terminal works in that it creates the pidfile.

systemd seems to be blocking on some sort of input:

root     11070 10946  0 22:52 pts/0    00:00:00 systemctl restart munin-node.service
root     11071 11070  0 22:52 pts/0    00:00:00 /usr/bin/systemd-tty-ask-password-agent --watch

f27 did not have this behavior, but I can't tell if this is a systemd regression, a munin regression, or something else.

Comment 1 Peter "Pessoft" Kolínek 2018-05-10 17:34:00 UTC
I can see also SELinux message immediately when munin-node start is requested:

type=AVC msg=audit(05/10/2018 19:30:35.222:63751) : avc:  denied  { dac_override } for  pid=545556 comm=munin-node capability=dac_override  scontext=system_u:system_r:munin_t:s0 tcontext=system_u:system_r:munin_t:s0 tclass=capability permissive=0

Comment 2 Peter "Pessoft" Kolínek 2018-05-23 19:43:50 UTC
Workaround is to move pid file one level up:

In /etc/munin/munin-node.conf set:
pid_file /var/run/munin-node.pid

And in [service] section of /usr/lib/systemd/system/munin-node.service set:
PIDFile=/var/run/munin-node.pid

Comment 3 Enrico Tagliavini 2018-06-26 14:51:55 UTC
Another workaround is:

# cat /etc/tmpfiles.d/munin.conf 
D /var/run/munin 0775 root munin -

The problem is the root user has no permission to write inside /var/run/munin in the provided configuration:

# getfacl /var/run/munin/
getfacl: Removing leading '/' from absolute path names
# file: var/run/munin/
# owner: munin
# group: munin
user::rwx
group::r-x
other::r-x


but user root normally has dac_override capability, which, as the name implies, simply bypass DAC (discretionary access control, aka file permissions). However the service removes such capability, triggering a permission denied error to create the PID file. Giving explicit permission to the root user to write inside the directory solve the issue as write permission is granted without the use of dac_override.

Comment 4 M. Scherer 2018-06-28 22:08:36 UTC
Another option is to drop that file:

# cat /etc/tmpfiles.d/fix_munin.conf 
a+ /var/run/munin/ - - - - user:root:rwx

This is similar to the fix on Enrico, but work also if munin is run as non root.

Comment 5 M. Scherer 2018-07-26 09:44:20 UTC
Ok so seems my fix do not work:

# LC_ALL=C getfacl /var/run/munin/
getfacl: Removing leading '/' from absolute path names
# file: var/run/munin/
# owner: munin
# group: munin
user::rwx
user:root:rwx			#effective:r-x
group::r-x
mask::r-x
other::r-x

Seems the right tmpfiles snippet should be:

a+ /var/run/munin/ - - - - user:root:rwx
a+ /var/run/munin/ - - - - mask:rwx

Comment 6 Juan Orti Alcaine 2018-08-20 16:13:45 UTC
Making /var/run/munin with permissions munin:root 0775 fixes the issue for me.

Comment 7 Fedora Update System 2018-08-25 08:36:17 UTC
munin-2.0.40-2.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-60e7ab00eb

Comment 8 Fedora Update System 2018-08-25 08:37:05 UTC
munin-2.0.40-2.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-e42294dd9f

Comment 9 Fedora Update System 2018-08-25 08:37:40 UTC
munin-2.0.40-2.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-d7fccd52d3

Comment 10 Fedora Update System 2018-08-25 22:37:20 UTC
munin-2.0.40-2.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-60e7ab00eb

Comment 11 Fedora Update System 2018-08-25 23:05:10 UTC
munin-2.0.40-2.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-d7fccd52d3

Comment 12 Fedora Update System 2018-08-25 23:06:10 UTC
munin-2.0.40-2.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-e42294dd9f

Comment 13 Fedora Update System 2018-09-06 03:09:07 UTC
munin-2.0.40-2.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2018-09-11 13:47:46 UTC
munin-2.0.40-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2018-09-11 14:44:36 UTC
munin-2.0.40-2.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.