At the moment, when openstack-selinux fails to install for any reason (e.g. dependency on container-selinux that failed to build (bug 2039910), incompatibility with a new libselinux version (https://bugs.launchpad.net/tripleo/+bug/1977873), there are more), the dnf install still completes "successfully" and so it's very easy to miss that no rules were installed and nothing will work. Actually failing when the rules are not installed would help with debugging these issues at a much earlier stage, during the package installation. After discussing with cjeanner and lhh, the ideal solution would check if the system is RHEL or CentOS, *and* if the system is in enforcing mode, and in that case fail early at package install time. If the system is permissive, the failure should continue to be quiet.
Unfortunately, it seems that failing the %post scriptlet will not cause the RPM transaction to fail - the RPM will still be installed, and 'rpm' and 'dnf' still return 0. However, it will still raise visibility.
Example of what a silent failure looks like today:

[...]
Downloading Packages:
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                              1/1
  Installing       : openstack-selinux-0.8.29-0.20211110070709.7211283.el9.noarch 1/1
  Running scriptlet: openstack-selinux-0.8.29-0.20211110070709.7211283.el9.noarch 1/1
libsemanage.semanage_pipe_data: Child process /usr/libexec/selinux/hll/pp failed with code: 255. (No such file or directory).
os-neutron: libsepol.sepol_module_package_read: invalid module in module package (at section 0)
os-neutron: Failed to read policy package
libsemanage.semanage_direct_commit: Failed to compile hll files into cil files. (No such file or directory).
FileNotFoundError: [Errno 2] No such file or directory
ValueError: Boolean os_nova_use_execmem is not defined
  Verifying        : openstack-selinux-0.8.29-0.20211110070709.7211283.el9.noarch 1/1

Installed:
  openstack-selinux-0.8.29-0.20211110070709.7211283.el9.noarch

Complete!

"ValueError: Boolean os_nova_use_execmem is not defined" is usually consistent in the output, since that's the first of the openstack-specific booleans we try to set in local_settings.sh.
Proposal:

1- modify the local_settings.sh; add a "-V" option to it, that will loop on the MODULES and ensure they are present
2- modify the RPM spec: add a %verify that will call that local_settings.sh -V
3- create a validation (tripleo-validations, or the like) that will just call `rpm -V openstack-selinux'

Notes:
- local_settings.sh -V should check the selinux state of the host
  - if permissive/disabled, don't bother, exit 0
  - if enforcing, exit 0 IFF all modules are present, else exit 1 (with a mention of the failed modules)

The %verify will look like that, more or less:

%verify
BINDIR=%{_bindir} \
SBINDIR=%{_sbindir} \
LOCALSTATEDIR=%{_localstatedir} \
DATADIR=%{_datadir} \
SHAREDSTATEDIR=%{_sharedstatedir} \
%{_datadir}/%{name}/%{version}/local_settings.sh -V

(thanks Lon :)
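The -V logic from the notes above, written out as an added example (this is not the project's own local_settings.sh: MODULES is an assumed subset of the real list, and the installed-module list is passed in as an argument so the check can be exercised on a host without SELinux):

```shell
#!/bin/sh
# Added example of the "-V" verification sketched in the proposal. Not the
# project's local_settings.sh; MODULES is an assumed subset of the real list.
MODULES="os-barbican os-keystone os-neutron os-nova"

# verify_modules MODE INSTALLED
#   MODE      : Enforcing / Permissive / Disabled (what `getenforce` prints)
#   INSTALLED : newline-separated module names (what `semodule -l` prints),
#               passed in as an argument so the logic is testable offline.
# Exit status: 0 if not enforcing or every module is loaded, 1 otherwise.
verify_modules() {
    mode=$1
    installed=$2
    missing=0
    case "$mode" in
        Enforcing) ;;
        *)  echo "SELinux is $mode, skipping module verification."
            return 0 ;;
    esac
    for m in $MODULES; do
        # -x: whole-line match, so "os-nova" does not match "os-nova-extra"
        if ! printf '%s\n' "$installed" | grep -qx "$m"; then
            echo "Missing $m!"
            missing=$((missing + 1))
        fi
    done
    echo "Found $missing missing module(s)."
    [ "$missing" -eq 0 ]
}

# verify_host: the live variant, querying the real SELinux state of this host.
verify_host() {
    if command -v getenforce >/dev/null 2>&1; then
        mode=$(getenforce)
    else
        mode=Disabled   # no SELinux userspace at all: nothing to verify
    fi
    verify_modules "$mode" "$(semodule -l 2>/dev/null)"
}

# Only touch the host when invoked as `local_settings.sh -V`, as %verify would.
if [ "${1:-}" = "-V" ]; then
    verify_host
    exit $?
fi
```

Wired into %verify as shown in the proposal, the non-zero exit is what makes `rpm -V openstack-selinux` report the scriptlet failure.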
Adding the new -V option to the local_settings.sh: https://github.com/redhat-openstack/openstack-selinux/pull/93
Spec modification: https://review.rdoproject.org/r/c/openstack/openstack-selinux-distgit/+/43578
tripleo-ansible patch: will allow failing early, namely once the deploy installs the needed deps: a new step is now running `rpm -V' against the listed packages, and will crash if, for instance, openstack-selinux isn't well installed. RDO merged today, I thought it was already in for ages now :(.
In order to verify this, you can:

1. Quick check - deploy the UC as usual, connect to it, and run `sudo rpm -vV openstack-selinux'. It should output a message like this:

[file listing]
Found 0 missing module(s).

2. Deeper verification:
- Get the UC ready for deploy, with all packages installed
- run the `sudo rpm -V openstack-selinux' - should be fine
- run `sudo semodule -r os-barbican'
- run `sudo rpm -V openstack-selinux'

This time, it should show "Found 1 missing module(s)".

Going further, you can start to deploy the UC, it should fail pretty early with the verification and the same message content.

Lemme know if you need more directions.

Cheers,
C.
[root@localhost ~]# dnf install -y openstack-selinux
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered with an entitlement server. You can use subscription-manager to register.
Last metadata expiration check: 0:16:09 ago on Wed 03 Aug 2022 12:59:57 PM EDT.
Dependencies resolved.
==================================================================================================================
 Package              Architecture   Version                                    Repository       Size
==================================================================================================================
Installing:
 openstack-selinux    noarch         0.8.34-0.20220711150341.a82a63a.el9ost     rhelosp-17.0    225 k

Transaction Summary
==================================================================================================================
Install  1 Package

Total download size: 225 k
Installed size: 304 k
Downloading Packages:
openstack-selinux-0.8.34-0.20220711150341.a82a63a.el9ost.noarch.rpm             446 kB/s | 225 kB     00:00
------------------------------------------------------------------------------------------------------------------
Total                                                                            444 kB/s | 225 kB     00:00
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                   1/1
  Installing       : openstack-selinux-0.8.34-0.20220711150341.a82a63a.el9ost.noarch  1/1
  Running scriptlet: openstack-selinux-0.8.34-0.20220711150341.a82a63a.el9ost.noarch  1/1
  Verifying        : openstack-selinux-0.8.34-0.20220711150341.a82a63a.el9ost.noarch  1/1
Installed products updated.

Installed:
  openstack-selinux-0.8.34-0.20220711150341.a82a63a.el9ost.noarch

Complete!
[root@localhost ~]# rpm -vV openstack-selinux
.........    /usr/share/licenses/openstack-selinux
.........  l /usr/share/licenses/openstack-selinux/COPYING
.........    /usr/share/openstack-selinux
.........    /usr/share/openstack-selinux/0.8.34
.........    /usr/share/openstack-selinux/0.8.34/local_settings.sh
.........    /usr/share/selinux/packages/os-barbican.pp.bz2
.........    /usr/share/selinux/packages/os-certmonger.pp.bz2
.........    /usr/share/selinux/packages/os-cinder.pp.bz2
.........    /usr/share/selinux/packages/os-collectd.pp.bz2
.........    /usr/share/selinux/packages/os-dnsmasq.pp.bz2
.........    /usr/share/selinux/packages/os-glance.pp.bz2
.........    /usr/share/selinux/packages/os-gnocchi.pp.bz2
.........    /usr/share/selinux/packages/os-haproxy.pp.bz2
.........    /usr/share/selinux/packages/os-httpd.pp.bz2
.........    /usr/share/selinux/packages/os-ipxe.pp.bz2
.........    /usr/share/selinux/packages/os-keepalived.pp.bz2
.........    /usr/share/selinux/packages/os-keystone.pp.bz2
.........    /usr/share/selinux/packages/os-logrotate.pp.bz2
.........    /usr/share/selinux/packages/os-mongodb.pp.bz2
.........    /usr/share/selinux/packages/os-mysql.pp.bz2
.........    /usr/share/selinux/packages/os-neutron.pp.bz2
.........    /usr/share/selinux/packages/os-nova.pp.bz2
.........    /usr/share/selinux/packages/os-octavia.pp.bz2
.........    /usr/share/selinux/packages/os-ovs.pp.bz2
.........    /usr/share/selinux/packages/os-pbis.pp.bz2
.........    /usr/share/selinux/packages/os-podman.pp.bz2
.........    /usr/share/selinux/packages/os-rabbitmq.pp.bz2
.........    /usr/share/selinux/packages/os-redis.pp.bz2
.........    /usr/share/selinux/packages/os-rsync.pp.bz2
.........    /usr/share/selinux/packages/os-rsyslog.pp.bz2
.........    /usr/share/selinux/packages/os-swift.pp.bz2
.........    /usr/share/selinux/packages/os-timemaster.pp.bz2
.........    /usr/share/selinux/packages/os-virt.pp.bz2
Found 0 missing module(s).
[root@localhost ~]# semodule -r os-nova
libsemanage.semanage_direct_remove_key: Removing last os-nova module (no other os-nova module exists at another priority).
[root@localhost ~]# rpm -vV openstack-selinux
.........    /usr/share/licenses/openstack-selinux
.........  l /usr/share/licenses/openstack-selinux/COPYING
.........    /usr/share/openstack-selinux
.........    /usr/share/openstack-selinux/0.8.34
.........    /usr/share/openstack-selinux/0.8.34/local_settings.sh
.........    /usr/share/selinux/packages/os-barbican.pp.bz2
.........    /usr/share/selinux/packages/os-certmonger.pp.bz2
.........    /usr/share/selinux/packages/os-cinder.pp.bz2
.........    /usr/share/selinux/packages/os-collectd.pp.bz2
.........    /usr/share/selinux/packages/os-dnsmasq.pp.bz2
.........    /usr/share/selinux/packages/os-glance.pp.bz2
.........    /usr/share/selinux/packages/os-gnocchi.pp.bz2
.........    /usr/share/selinux/packages/os-haproxy.pp.bz2
.........    /usr/share/selinux/packages/os-httpd.pp.bz2
.........    /usr/share/selinux/packages/os-ipxe.pp.bz2
.........    /usr/share/selinux/packages/os-keepalived.pp.bz2
.........    /usr/share/selinux/packages/os-keystone.pp.bz2
.........    /usr/share/selinux/packages/os-logrotate.pp.bz2
.........    /usr/share/selinux/packages/os-mongodb.pp.bz2
.........    /usr/share/selinux/packages/os-mysql.pp.bz2
.........    /usr/share/selinux/packages/os-neutron.pp.bz2
.........    /usr/share/selinux/packages/os-nova.pp.bz2
.........    /usr/share/selinux/packages/os-octavia.pp.bz2
.........    /usr/share/selinux/packages/os-ovs.pp.bz2
.........    /usr/share/selinux/packages/os-pbis.pp.bz2
.........    /usr/share/selinux/packages/os-podman.pp.bz2
.........    /usr/share/selinux/packages/os-rabbitmq.pp.bz2
.........    /usr/share/selinux/packages/os-redis.pp.bz2
.........    /usr/share/selinux/packages/os-rsync.pp.bz2
.........    /usr/share/selinux/packages/os-rsyslog.pp.bz2
.........    /usr/share/selinux/packages/os-swift.pp.bz2
.........    /usr/share/selinux/packages/os-timemaster.pp.bz2
.........    /usr/share/selinux/packages/os-virt.pp.bz2
Missing os-nova!
Found 1 missing module(s).
error: %verify(openstack-selinux-0.8.34-0.20220711150341.a82a63a.el9ost.noarch) scriptlet failed, exit status 1
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Release of components for Red Hat OpenStack Platform 17.0 (Wallaby)), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2022:6543