Description of problem:
When you configure an engine without a local DWH and then set up a remote DWH with Grafana on another host, the Grafana Monitoring Portal link returns code 503: Service Unavailable due to SELinux policies blocking port 3000 on the DWH host.

Version-Release number of selected component (if applicable):
ovirt-engine-dwh.noarch 4.5.5-1.el8ev @rhv-4.5.2
ovirt-engine-dwh-grafana-integration-setup.noarch 4.5.5-1.el8ev @rhv-4.5.2
ovirt-engine-dwh-setup.noarch 4.5.5-1.el8ev @rhv-4.5.2
ovirt-engine-setup-base.noarch 4.5.2.5-0.1.el8ev @rhv-4.5.2

How reproducible:

Steps to Reproduce:
1. Set up engine without local DWH
2. Set up remote DWH on another host and connect it to the engine
3. Visit the Monitoring Portal page

Actual results:
Grafana monitoring portal returns 503: Service unavailable.

Expected results:
Grafana monitoring portal is reachable and working.

Additional info:
$ sealert -a /var/log/audit/audit.log
100% done
found 1 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------
SELinux is preventing /usr/sbin/httpd from name_connect access on the tcp_socket port 3000.
-- rest omitted --
This bug has low overall severity and is not going to be further verified by QE. If you believe special care is required, feel free to properly align relevant severity, flags and keywords to raise PM_Score or use one of the Bumps ('PrioBumpField', 'PrioBumpGSS', 'PrioBumpPM', 'PrioBumpQA') in Keywords to raise its PM_Score above verification threshold (1000).
Thanks, Tadeas, for providing access to a machine reproducing this bug.

It was caused by the fix to bug 1903052 (4.4.5). That bug was just an optimization enhancement - even if not marked so - requested by me, and I reviewed the patch and didn't realize it is causing current. Sorry for that.

The bug is that the code that handles this (sets httpd_can_network_connect to on) is part of the package ovirt-engine-setup-plugin-ovirt-engine. In my custom OST patch I made the dwh machine use the same image as the engine machine, thus already had it. Perhaps I should update the patch (if we ever want to have it) to not include it.

Installing this package requires (currently) the entire engine (and jboss, etc.) - on your dwh machine, this is:

Total download size: 895 M
Installed size: 2.2 G

Possible options:

1. Do not fix, but just document to install ovirt-engine-setup-plugin-ovirt-engine, despite the drawback of filling up the disk with garbage. If we go this way, we should also add another step to the engine-setup procedure, to reply 'No' to the question 'Configure Engine on this host'.

2. Fix by patching only the respective spec files - make ovirt-engine-setup-plugin-ovirt-engine not require the engine, and make ovirt-engine-dwh-setup require ovirt-engine-setup-plugin-ovirt-engine. This is a rather simple fix, and rather simple to verify the simple/positive flows. Main drawback is that if someone then takes a clean machine and installs only 'ovirt-engine-setup-plugin-ovirt-engine', and runs 'engine-setup', it will not work well.

3. Fix by reverting bug 1903052's fix (and perhaps provide some other, somewhat more complex fix, or just give up on it - it was just an optimization).

Michal, what do you think?
OK, seems like a revert is enough and bug 1903052 does not apply anymore, because we removed ansible-runner-service.
Fix for this bug verified in version 4.5.3.5. Grafana is running and reachable as it should be.

ovirt-engine-dwh.noarch 4.5.7-1.el8ev @rhv-4.5-nightly
ovirt-engine-dwh-grafana-integration-setup.noarch 4.5.7-1.el8ev @rhv-4.5-nightly
ovirt-engine-dwh-setup.noarch 4.5.7-1.el8ev @rhv-4.5-nightly

# curl -skLo /dev/null -w '%{http_code}' REMOTE_DWH_ADDRESS/ovirt-engine-grafana/
> 200

# sealert -a /var/log/audit/audit.log
> 100% done
> found 0 alerts in /var/log/audit/audit.log
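A scriptable version of the check in this thread, as an added example that is not part of the bug report or of the oVirt code: it pulls httpd name_connect denials out of raw audit records and pairs each denied port with the current state of httpd_can_network_connect. The function names are hypothetical and the audit records are constructed samples in the usual audit.log AVC layout.

```shell
#!/bin/sh
# Constructed sample audit records (not taken from the bug report).
sample_audit_records() {
cat <<'EOF'
type=AVC msg=audit(1665993600.101:412): avc:  denied  { name_connect } for  pid=2101 comm="httpd" dest=3000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ntop_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1665993600.101:412): arch=c000003e syscall=42 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1665993605.220:419): avc:  denied  { name_connect } for  pid=2104 comm="httpd" dest=3000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ntop_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1665993610.007:425): avc:  denied  { name_bind } for  pid=2101 comm="httpd" src=8443 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1665993611.300:431): avc:  denied  { name_connect } for  pid=3300 comm="example-daemon" dest=5432 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0
EOF
}

# Read audit records on stdin; print each TCP port that httpd was denied
# an outbound connection to, once, in numeric order.
httpd_connect_denials() {
    grep 'avc:  *denied' \
      | grep '{ name_connect }' \
      | grep 'comm="httpd"' \
      | sed -n 's/.* dest=\([0-9][0-9]*\) .*/\1/p' \
      | sort -un
}

# Print the state (on/off) of the boolean named in this thread.
# Prints "unknown" where getsebool is not installed.
httpd_connect_boolean() {
    if command -v getsebool >/dev/null 2>&1; then
        getsebool httpd_can_network_connect 2>/dev/null | awk '{print $NF}'
    else
        echo unknown
    fi
}

# One line per denied port, annotated with the boolean's current state.
httpd_connect_report() {
    state=$(httpd_connect_boolean)
    httpd_connect_denials | while read -r port; do
        echo "httpd -> tcp/$port denied (httpd_can_network_connect=${state:-unknown})"
    done
}
```

On the DWH host, feed it the real log with `httpd_connect_report < /var/log/audit/audit.log`; a line for tcp/3000 with the boolean off matches the 503 described above.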
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: RHV 4.4 SP1 [ovirt-4.5.3-3] security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2023:0074