Description of problem: Start fdo-aio service failed when the "files:" section configured, like sudo /usr/local/bin/yq -iy '.service_info.files |= [{path: "/etc/sudoers.d/fdouser", source_path: "/tmp/fdouser"}]' /etc/fdo/aio/configs/serviceinfo_api_server.yml If removed files section configuration and set to "files: null", service fdo-aio can get started. I also tried "service_info.diskencryption_clevis" and "service_info.initial_user", service can get started. This issue does not exist on CS9 repo CentOS-Stream-9-20230626.0 Version-Release number of selected component (if applicable): fdo-admin-cli-0.4.7-3.el9.x86_64 fdo-client-0.4.7-3.el9.x86_64 fdo-init-0.4.7-3.el9.x86_64 fdo-manufacturing-server-0.4.7-3.el9.x86_64 fdo-owner-cli-0.4.7-3.el9.x86_64 fdo-owner-onboarding-server-0.4.7-3.el9.x86_64 fdo-rendezvous-server-0.4.7-3.el9.x86_64 How reproducible: Steps to Reproduce: 1. Deploy a CS9 instance from GCP 2. git clone https://github.com/virt-s1/rhel-edge.git 3. cd rhel-edge && ./ostree-simplified-installer.sh Actual results: Service fdo-aio should get started Expected results: Failed to start fdo-aio service Additional info:
this is the concrete error: systemd[1]: Started FDO service info API server. fdo-serviceinfo-api-server[75684]: Error: Error preparing ServiceInfo configuration fdo-serviceinfo-api-server[75684]: Caused by: fdo-serviceinfo-api-server[75684]: 0: Failed to read file /tmp/fdouser fdo-serviceinfo-api-server[75684]: 1: Permission denied (os error 13) fdo-serviceinfo-api-server.service: Main process exited, code=exited, status=1/FAILURE fdo-serviceinfo-api-server.service: Failed with result 'exit-code'.
Still have selniux issue on FDO packages: fdo-rendezvous-server-0.4.12-1.el9_2.x86_64 fdo-owner-onboarding-server-0.4.12-1.el9_2.x86_64 fdo-owner-cli-0.4.12-1.el9_2.x86_64 fdo-manufacturing-server-0.4.12-1.el9_2.x86_64 fdo-admin-cli-0.4.12-1.el9_2.x86_64 The manufacturing-server error log: fdo-manufacturing-server[22613]: 2023-08-03T03:35:41.627Z WARN fdo_http_wrapper::server > Error processing request: Rejection([Error(ErrorMessage { error_code: InternalServerError, previous_message_type: DIUNConnect, error_string: "Error storing session", error_timestamp: None, error_uuid: 17963275242146807119 }), MethodNotAllowed]) fdo-manufacturing-server[22613]: 2023-08-03T03:35:41.628Z INFO manufacturing-server > 192.168.100.50:41750 "POST /fdo/101/msg/210 HTTP/1.1" 500 "-" "-" 10.0919ms So the manufacturing-server reply with error code 500 (internal error) to 192.168.100.50 (edge vm) I disabled selinux with `setenforce 0` and run again. Didn't catch this kind of error in manufacturing-server log. Every manufacturing-server log looks reasonable.
So I think if we run all the services in permssive mode and gather the AVC logs for all the services, looks like it's manufacturing and service-info-api at the moment but I bet they'll all have issues, we should be able to come up with a set of rules for this. Xiaofeng are you able to do this? Maybe one comment for each of the services?
*** This bug has been marked as a duplicate of bug 2026795 ***