Bug 1594615 - Unable to perform upgrade from 4.1 to 4.2 due to selinux related errors.
Summary: Unable to perform upgrade from 4.1 to 4.2 due to selinux related errors.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine
Version: 4.1.11
Hardware: x86_64
OS: Linux
high
high
Target Milestone: ovirt-4.3.0
: 4.3.0
Assignee: Yedidyah Bar David
QA Contact: meital avital
URL:
Whiteboard:
Depends On:
Blocks: 1608828
TreeView+ depends on / blocked
 
Reported: 2018-06-25 01:17 UTC by Ribu Tho
Modified: 2019-05-08 12:38 UTC (History)
10 users (show)

Fixed In Version: ovirt-engine-4.3.0_alpha
Doc Type: Bug Fix
Doc Text:
The release improves upon the fix in BZ#1518253 to allow for a faster abort process and a more easily understood error message.
Clone Of:
: 1608828 (view as bug list)
Environment:
Last Closed: 2019-05-08 12:37:41 UTC
oVirt Team: Integration
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1518253 0 unspecified CLOSED engine-setup upgrade to postgresql 9.5 sometimes fails due to missing selinux policy 2021-02-22 00:41:40 UTC
Red Hat Product Errata RHEA-2019:1085 0 None None None 2019-05-08 12:38:00 UTC
oVirt gerrit 93147 0 master MERGED packaging: setup: postgres95: Verify selinux file contexts 2020-05-11 08:22:20 UTC
oVirt gerrit 93313 0 ovirt-engine-4.2 MERGED packaging: setup: postgres95: Verify selinux file contexts 2020-05-11 08:22:20 UTC

Internal Links: 1518253

Description Ribu Tho 2018-06-25 01:17:41 UTC
Description of problem:

Trying to perform an upgrade from RHV 4.1.11 to RHV 4.2.3 which fails due to rh-postgresql95-postgresql unable to create pid file reporting permission denied errors. The RHV manager server runs with selinux in enforcing mode. 

Version-Release number of selected component (if applicable):

ovirt-engine-4.1.11.2-0.1.el7.noarch
ovirt-engine-setup-4.2.3.8-0.1.el7.noarch
rh-postgresql95-postgresql-server-9.5.9-1.el7.x86_64


How reproducible:

Always 

Steps to Reproduce:

1. yum update  ovirt\*setup\*

2. engine-setup fails with below error

[ INFO  ] Upgrading PostgreSQL
[ INFO  ] PostgreSQL has been successfully upgraded, starting the new instance (rh-postgresql95-postgresql).
[ ERROR ] Failed to execute stage 'Misc configuration': Failed to start service 'rh-postgresql95-postgresql'
[ INFO  ] Yum Performing yum transaction rollback
[ INFO  ] Rolling back to the previous PostgreSQL instance (postgresql).
[ INFO  ] Stage: Clean up
          Log file is located at /var/log/ovirt-engine/setup/ovirt-engine-setup-20180625105843-tdlb6n.log
[ INFO  ] Generating answer file '/var/lib/ovirt-engine/setup/answers/20180625110214-setup.conf'
[ INFO  ] Stage: Pre-termination
[ INFO  ] Stage: Termination
[ ERROR ] Execution of setup failed


3. selinux errors reported due to [2]  (check audit.log attachment)

4. Try to add the exception using 

ausearch -c 'postgres' --raw | audit2allow -M my-postgres
semodule -i my-postgres.pp



Actual results:

Fails with permission denied errors. 

Expected results:

To complete the update to RHV 4.2 

Additional info:

Comment 5 Ondra Machacek 2018-06-26 11:17:36 UTC
This seems similar to bug 1518253. Can you try if running 'yum reinstall rh-postgresql95-runtime' resolves the issue?

Comment 6 Ribu Tho 2018-06-27 06:39:58 UTC
(In reply to Ondra Machacek from comment #5)
> This seems similar to bug 1518253. Can you try if running 'yum reinstall
> rh-postgresql95-runtime' resolves the issue?

Hi ,

It worked for me after doing a reinstall of the package again.

Ribu

Comment 7 Yedidyah Bar David 2018-06-27 07:56:12 UTC
If it's indeed fully reproducible, might try again to debug this - and open a bug on selinux policy and/or postgresql.

At the time, we didn't manage to reproduce, thus made bug 1518253 a known issue.

If we fail to reproduce, but still want a workaround, that's an option too.

Please see the discussion on bug 1518253 and try to provide as many relevant details as possible, including:

What state did you start from? Is this a new system, or upgraded from older ones (seems like < 7.3 seems to be relevant)?

Was it rebooted, or not, during an upgrade process?

Etc.

Comment 8 Ribu Tho 2018-06-28 03:27:05 UTC
(In reply to Yedidyah Bar David from comment #7)
> If it's indeed fully reproducible, might try again to debug this - and open
> a bug on selinux policy and/or postgresql.
> 
> At the time, we didn't manage to reproduce, thus made bug 1518253 a known
> issue.
> 
> If we fail to reproduce, but still want a workaround, that's an option too.
> 
> Please see the discussion on bug 1518253 and try to provide as many relevant
> details as possible, including:
> 
> What state did you start from? Is this a new system, or upgraded from older
> ones (seems like < 7.3 seems to be relevant)?
> 
> Was it rebooted, or not, during an upgrade process?
> 
> Etc.

Based on the requested information. This is a fresh 4.1 install on RHEL 7.4 . The machine didn't require a reboot as there was no kernel update. The error on first try received for selinux has been attached for your information.

Comment 10 Yedidyah Bar David 2018-07-09 06:15:17 UTC
Ribu, thanks for the update, but this isn't enough - we already have this information in bug 1518253. "Reproducible" means you can provide this:

1. Cleanly install a machine with RHEL
2. ?
3. ?
4. ?
5. Get this error

If you can't, I will sadly have to close this as a duplicate.

If you can attach a sosreport, it might help too - although, as I said, we already spent quite some time on a real machine demonstrating this behavior but still failed to reproduce. Thanks.

Comment 11 Ribu Tho 2018-07-19 06:49:19 UTC
(In reply to Yedidyah Bar David from comment #10)
> Ribu, thanks for the update, but this isn't enough - we already have this
> information in bug 1518253. "Reproducible" means you can provide this:
> 
> 1. Cleanly install a machine with RHEL
> 2. ?
> 3. ?
> 4. ?
> 5. Get this error
> 
> If you can't, I will sadly have to close this as a duplicate.
> 
> If you can attach a sosreport, it might help too - although, as I said, we
> already spent quite some time on a real machine demonstrating this behavior
> but still failed to reproduce. Thanks.

I have tried to recreate the issue for which it works for me at the moment based on a fresh install of RHEL 7 followed by RHV 4.1 setup and upgrade to 4.2. The issue for Postgres SELinux related errors no longer shows up 

Ribu

Comment 13 Yedidyah Bar David 2018-07-19 09:27:36 UTC
Decided to "fix" by making engine-setup check this and fail, with a message suggesting a workaround.

Still not sure how to reproduce. For how I "reproduced" and verified, see my comment starting with "Verified by:" in gerrit:

https://gerrit.ovirt.org/93147

If someone does manage to come up with a real reproducer, not involving zeroing out file_contexts.subs , I suggest to reopen bug 1518599, if you want.

Comment 16 Sandro Bonazzola 2018-07-26 11:34:02 UTC
Merged on master

Comment 17 Jiri Belka 2018-08-29 15:22:05 UTC
ok, ovirt-engine-4.3.0-0.0.master.20180828114844.git0bc18b1.el7.noarch

upgraded from ovirt-engine-4.2.5.3-1.el7.noarch to ovirt-engine-4.3.0-0.0.master.20180828114844.git0bc18b1.el7.noarch

Comment 20 errata-xmlrpc 2019-05-08 12:37:41 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2019:1085


Note You need to log in before you can comment on or make changes to this bug.