Bug 706523 - Image Factory fails with non-descriptive errors if SELinux be enabled
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: CloudForms Cloud Engine
Classification: Retired
Component: aeolus-conductor
Version: 1.0.0
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: alpha
Assignee: Ian McLeod
QA Contact: wes hayutin
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2011-05-20 19:41 UTC by Joe Vlcek
Modified: 2012-05-15 21:41 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-05-15 21:41:44 UTC


Attachments
The log file produced by Image Factory (16.08 KB, application/octet-stream)
2011-06-20 19:06 UTC, Joe Vlcek


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHEA-2012:0583 | 0 | normal | SHIPPED_LIVE | new packages: aeolus-conductor | 2012-05-15 22:31:59 UTC

Description Joe Vlcek 2011-05-20 19:41:51 UTC
Description of problem:

Image Factory fails when SELinux is enabled with a message that
may not direct the user to the source of the problem. 

I believe an SELinux policy needs to be developed for Image Factory.

The error reported is:

2011-05-20 15:34:49,468 DEBUG imagefactory.builders.BaseBuilder.FedoraBuilder pid(30834) Message:              value: (child process died unexpectedly)
2011-05-20 15:34:49,468 DEBUG imagefactory.builders.BaseBuilder.FedoraBuilder pid(30834) Message:          traceback: ['  File "/usr/lib/python2.7/site-packages/imagefactory/builders/FedoraBuilder.py", line 111, in build_image\n    self.build_upload()\n', '  File "/usr/lib/python2.7/site-packages/imagefactory/builders/FedoraBuilder.py", line 166, in build_upload\n    self.guest.customize(libvirt_xml)\n', '  File "/usr/lib/python2.7/site-packages/oz/RedHat.py", line 506, in customize\n    self.collect_setup(libvirt_xml)\n', '  File "/usr/lib/python2.7/site-packages/oz/RedHat.py", line 260, in collect_setup\n    g_handle = self.guestfs_handle_setup(libvirt_xml)\n', '  File "/usr/lib/python2.7/site-packages/oz/Guest.py", line 602, in guestfs_handle_setup\n    g.launch()\n', '  File "/usr/lib/python2.7/site-packages/guestfs.py", line 152, in launch\n    return libguestfsmod.launch (self._o)\n']
2011-05-20 15:34:49,468 DEBUG imagefactory.qmfagent.BuildAdaptor.BuildAdaptor pid(30834) Message: Raising event with agent handler (<ImageFactoryAgent(Thread-1, initial)>), changed status from FAILED to FAILED


Version-Release number of selected component (if applicable):


How reproducible:

Prior to running image factory issue: "setenforce 1"


  
Actual results:

Image Factory reports being 30% complete then fails.
e.g.:
BUILDING 10 ba3311dc-24fc-4da2-a71e-446baff05905
BUILDING 30 ba3311dc-24fc-4da2-a71e-446baff05905
FAILED 30 ba3311dc-24fc-4da2-a71e-446baff05905

Expected results:

The image factory built image.

Additional info:

I believe an SELinux policy needs to be developed for Image Factory.

Comment 1 wes hayutin 2011-05-20 20:23:44 UTC
correct.. fyi.. selinux has not yet been supported in factory and conductor.  Can you please update the version of factory and conductor (if you are using it) to the bug.. 

Thanks

Comment 2 Joe Vlcek 2011-05-21 00:33:15 UTC
I'm using the latest development version of Image Factory from the developers, Ian McLeod's,
working gate but I don't think that is relevant.

The point I am attempting to make is that Image Factory needs to support SELinux. 
I believe SELinux policies need to be developed for Image Factory.

Sorry if that wasn't clear. Thanks, Joe

Comment 3 Jim Meyering 2011-05-23 16:28:02 UTC
Thanks, Joe.

Good to see this on the radar.
Can someone attach the associated AVC (from /var/log/audit/audit.log)?

Comment 4 wes hayutin 2011-06-15 12:12:42 UTC
moving bugs to cloud engine project

Comment 5 wes hayutin 2011-06-16 18:38:58 UTC
Can you provide the required SELinux failure from /var/log/audit/audit.log?

Comment 6 Ian McLeod 2011-06-17 20:08:44 UTC
This originally happened as a result of Oz attempting to run "ssh-keygen" from within the factory daemon context.

Chris has since re-worked Oz to create the key pair during RPM install, rather than at runtime.  So, this bug is probably no longer relevant.

Comment 7 wes hayutin 2011-06-17 20:17:23 UTC
k.. we'll revisit selinux once dev decides to build policies for CE and components.. 

closing this bug..

Comment 8 Joe Vlcek 2011-06-20 19:06:35 UTC
Created attachment 505673
The log file produced by Image Factory

Comment 9 Joe Vlcek 2011-06-20 19:09:57 UTC
This issue still exists, although it is manifesting itself as a different
error message in the Image Factory log file.

I have confirmed that Image Factory still fails with SELinux in enforcing mode.

/var/log/audit/audit.log is empty

I have attached the Image Factory log file.
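
Added example, not part of the original thread and not Image Factory or Oz code: a sketch of pulling the AVC denials requested in Comments 3 and 5 out of audit.log text and grouping them by process and type, including the empty-log case reported in Comment 9. The sample records and the `example_*_t` type names are constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample records, not taken from this bug's attachment; the
# example_*_t type names are placeholders.
SAMPLE = '''\
type=AVC msg=audit(1305920089.468:412): avc:  denied  { execute } for  pid=30840 comm="ssh-keygen" name="ssh-keygen" dev=dm-0 ino=131847 scontext=system_u:system_r:example_daemon_t:s0 tcontext=system_u:object_r:example_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1305920089.468:412): arch=c000003e syscall=59 success=no exit=-13 comm="ssh-keygen" exe="/usr/bin/python"
type=AVC msg=audit(1305920089.470:413): avc:  denied  { read write } for  pid=30841 comm="qemu-kvm" name="example.dsk" dev=dm-0 ino=131900 scontext=system_u:system_r:example_daemon_t:s0 tcontext=system_u:object_r:example_image_t:s0 tclass=file
type=AVC msg=audit(1305920090.001:414): avc:  denied  { execute } for  pid=30850 comm="ssh-keygen" name="ssh-keygen" dev=dm-0 ino=131847 scontext=system_u:system_r:example_daemon_t:s0 tcontext=system_u:object_r:example_exec_t:s0 tclass=file
'''

AVC_RE = re.compile(r'^type=AVC msg=audit\(([\d.]+):\d+\): avc:\s+denied\s+'
                    r'\{ ([^}]*) \} for\s+(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def setype(context):  # user:role:type:level -> type
    parts = (context or '').split(':')
    return parts[2] if len(parts) >= 3 else context

def parse_avc_denials(text):
    """Return one dict per 'avc: denied' record; other record types are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.match(line.strip())
        if not m:
            continue
        f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(3))}
        denials.append({'time': float(m.group(1)), 'perms': tuple(m.group(2).split()),
                        'comm': f.get('comm'), 'source': setype(f.get('scontext')),
                        'target': setype(f.get('tcontext')), 'tclass': f.get('tclass')})
    return denials

def summarize(text):  # count per (comm, source type, target type, class, perms)
    return Counter((d['comm'], d['source'], d['target'], d['tclass'], d['perms'])
                   for d in parse_avc_denials(text))

def report(text):
    counts = summarize(text)
    if not counts:
        # Empty does not rule SELinux out: dontaudit rules suppress records
        # (semodule -DB disables them until semodule -B), and with auditd
        # stopped denials go to the kernel log instead of audit.log.
        return 'no AVC denials recorded'
    return '\n'.join(f'{n}x {comm}: {src} -> {tgt}:{cls} {{ {" ".join(perms)} }}'
                     for (comm, src, tgt, cls, perms), n in counts.most_common())

if __name__ == '__main__':
    print(report(SAMPLE))
```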

Comment 10 wes hayutin 2011-09-28 16:37:10 UTC
making sure all the bugs are at the right version for future queries

Comment 12 Ian McLeod 2011-10-07 16:07:46 UTC
Believe this to be addressed here:

https://github.com/aeolusproject/imagefactory/commit/c2bebbb81d859354df941f4d995d3cdede675344

This change is available in our 0.7.0 RPM release here:

http://repos.fedorapeople.org/repos/aeolus/imagefactory/0.7.0/

Comment 13 Aziza Karol 2011-10-24 09:32:39 UTC
Image Factory starts successfully with SELinux in enforcing mode.

Building image is successful.

imagefactory log :
2011-10-24 02:34:25,300 INFO imgfac.builders.BaseBuilder.Fedora_rhevm_Builder pid(4081) Message: Creating cloud-info file indicating target (rhevm)
2011-10-24 02:34:25,341 INFO imgfac.builders.BaseBuilder.Fedora_rhevm_Builder pid(4081) Message: Updating rc.local with Audrey conditional
2011-10-24 02:34:27,167 DEBUG imgfac.builders.BaseBuilder.Fedora_rhevm_Builder pid(4081) Message: Removed HWADDR from image's /etc/sysconfig/network-scripts/ifcfg-eth0
2011-10-24 02:34:27,681 DEBUG imgfac.builders.BaseBuilder.Fedora_rhevm_Builder pid(4081) Message: Storing Fedora image at http://localhost:9090/...
2011-10-24 02:34:28,159 INFO imgfac.ImageWarehouse.ImageWarehouse pid(4081) Message: Creating a bucket returned status 401.
2011-10-24 02:34:28,166 DEBUG imgfac.ImageWarehouse.ImageWarehouse pid(4081) Message: Setting metadata ({'object_type': 'template', 'uuid': '86df8ae0-deef-4523-9397-1661590d2212'}) for http://localhost:9090/templates/86df8ae0-deef-4523-9397-1661590d2212
2011-10-24 02:34:28,171 INFO imgfac.ImageWarehouse.ImageWarehouse pid(4081) Message: Creating a bucket returned status 401.
2011-10-24 02:34:28,205 DEBUG imgfac.ImageWarehouse.ImageWarehouse pid(4081) Message: Setting metadata ({'object_type': 'icicle', 'uuid': '17c1d9f1-c014-4578-83f9-2a9ca6e58931'}) for http://localhost:9090/icicles/17c1d9f1-c014-4578-83f9-2a9ca6e58931
2011-10-24 02:34:28,215 INFO imgfac.ImageWarehouse.ImageWarehouse pid(4081) Message: Creating a bucket returned status 401.
2011-10-24 02:34:28,275 DEBUG imgfac.ImageWarehouse.ImageWarehouse pid(4081) Message: 0kB of 10485760kB
2011-10-24 02:34:28,275 DEBUG imgfac.ImageWarehouse.ImageWarehouse pid(4081) Message: Setting metadata ({'icicle': '17c1d9f1-c014-4578-83f9-2a9ca6e58931', 'uuid': '89f84eb4-23ad-4a3a-b804-608c175250f0', 'template': '86df8ae0-deef-4523-9397-1661590d2212', 'target_parameters': '<?xml version="1.0"?>\n<domain type="kvm">\n  <name>Fedora 15-89f84eb4-23ad-4a3a-b804-608c175250f0</name>\n  <memory>1048576</memory>\n  <currentMemory>1048576</currentMemory>\n  <uuid>4b677299-59ec-421e-9c94-11178451a052</uuid>\n  <clock offset="utc"/>\n  <vcpu>1</vcpu>\n  <features>\n    <acpi/>\n    <apic/>\n    <pae/>\n  </features>\n  <os>\n    <type>hvm</type>\n    <boot dev="hd"/>\n  </os>\n  <on_poweroff>destroy</on_poweroff>\n  <on_reboot>destroy</on_reboot>\n  <on_crash>destroy</on_crash>\n  <devices>\n    <console device="pty"/>\n    <graphics port="-1" type="vnc"/>\n    <interface type="bridge">\n      <source bridge="virbr0"/>\n      <mac address="52:54:00:4f:49:a2"/>\n      <model type="virtio"/>\n    </interface>\n    <input bus="ps2" type="mouse"/>\n    <console type="pty">\n      <target port="0"/>\n    </console>\n    <serial type="tcp">\n      <source mode="bind" host="127.0.0.1" service="21172"/>\n      <protocol type="raw"/>\n      <target port="1"/>\n    </serial>\n    <disk device="disk" type="file">\n      <target dev="vda" bus="virtio"/>\n      <source file="/var/lib/imagefactory/images/rhevm-image-89f84eb4-23ad-4a3a-b804-608c175250f0.dsk"/>\n    </disk>\n  </devices>\n</domain>\n', 'object_type': 'target_image', 'target': 'rhevm', 'build': '52421814-2cd1-4618-81a0-f110b998e582'}) for http://localhost:9090/target_images/89f84eb4-23ad-4a3a-b804-608c175250f0
2011-10-24 02:34:28,285 DEBUG imgfac.builders.BaseBuilder.Fedora_rhevm_Builder pid(4081) Message: Image warehouse storage complete
2011-10-24 02:34:28,285 DEBUG imgfac.BuildJob.BuildAdaptor pid(4081) Message: Raising event with agent handler (<ImageFactoryAgent(Thread-1, initial)>), changed percent complete from 50 to 100
2011-10-24 02:34:28,339 DEBUG imgfac.ImageWarehouse.ImageWarehouse pid(4081) Message: Getting metadata (['latest_unpushed']) from http://localhost:9090/images/1b4ea683-1e4c-486a-86e9-64697fcbe082
2011-10-24 02:34:28,341 DEBUG imgfac.ImageWarehouse.ImageWarehouse pid(4081) Message: Getting metadata (['latest_build']) from http://localhost:9090/images/1b4ea683-1e4c-486a-86e9-64697fcbe082
2011-10-24 02:34:28,343 DEBUG imgfac.ImageWarehouse.ImageWarehouse pid(4081) Message: Setting metadata ({'latest_unpushed': '52421814-2cd1-4618-81a0-f110b998e582'}) for http://localhost:9090/images/1b4ea683-1e4c-486a-86e9-64697fcbe082
2011-10-24 02:34:28,344 DEBUG imgfac.BuildJob.BuildAdaptor pid(4081) Message: Raising event with agent handler (<ImageFactoryAgent(Thread-1, initial)>), changed status from BUILDING to COMPLETED



[root@dell-pe1950-01 templates]# rpm -qa | egrep 'imagefactory|selinux-policy'
selinux-policy-targeted-3.7.19-93.el6.noarch
imagefactory-0.7.0-1.el6.noarch
selinux-policy-3.7.19-93.el6.noarch
imagefactory-jeosconf-ec2-rhel-0.1.0-1.el6.noarch
imagefactory-jeosconf-ec2-fedora-0.1.0-1.el6.noarch
rubygem-imagefactory-console-0.5.0-4.20110824113238gitd9debef.el6.noarch

Comment 16 errata-xmlrpc 2012-05-15 21:41:44 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2012-0583.html

