This service will be undergoing maintenance at 00:00 UTC, 2017-10-23 It is expected to last about 30 minutes
Bug 983042 - OpenSCAP Error: Can't connect to the probe [oval_probe_ext.c:353] (inside Fedora 19 KVM image deployed on OpenStack)
OpenSCAP Error: Can't connect to the probe [oval_probe_ext.c:353] (inside Fed...
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: openscap (Show other bugs)
22
x86_64 Linux
unspecified Severity high
: ---
: ---
Assigned To: Šimon Lukašík
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-07-10 07:08 EDT by Dhiru Kholia
Modified: 2015-08-27 03:04 EDT (History)
8 users (show)

See Also:
Fixed In Version: openscap-1.2.5
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-08-27 03:04:55 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
strace of failing oscap process (58.20 KB, application/gzip)
2013-07-10 07:39 EDT, Dhiru Kholia
no flags Details
better strace of failing oscap process (6.34 MB, application/gzip)
2013-07-11 02:58 EDT, Dhiru Kholia
no flags Details
OpenSCAP AVCs (20.07 KB, text/plain)
2013-07-12 03:55 EDT, Dhiru Kholia
no flags Details

  None (edit)
Description Dhiru Kholia 2013-07-10 07:08:05 EDT
Description of problem:

I am unable to run openscap scanner on the official Fedora 19 KVM images deployed on OpenStack.

$ oscap xccdf eval --profile F14-Default \
                --results /tmp/`hostname`-ssg-results.xml \
                --report /tmp/`hostname`-ssg-results.html \
                --cpe /usr/share/openscap/cpe/openscap-cpe-dict.xml \
                /usr/share/openscap/scap-xccdf.xml
...
Title   Restrict Permissions on /var/spool/cron directory
Rule    rule-3.4.2.4.c
Result  pass

OpenSCAP Error: Can't connect to the probe [oval_probe_ext.c:353]
No definition with ID: oval:org.open-scap.f14:def:20146 in result model. [oval_agent.c:182]
Can't connect to the probe [oval_probe_ext.c:353]
No definition with ID: oval:org.open-scap.f14:def:20147 in result model. [oval_agent.c:182]
Can't connect to the probe [oval_probe_ext.c:353]


Version-Release number of selected component (if applicable):

openscap-0.9.8-1.fc19.x86_64

I have all openscap* packages installed.

How reproducible:

$ oscap xccdf eval --profile F14-Default \
                --results /tmp/`hostname`-ssg-results.xml \
                --report /tmp/`hostname`-ssg-results.html \
                --cpe /usr/share/openscap/cpe/openscap-cpe-dict.xml \
                /usr/share/openscap/scap-xccdf.xml


Additional info:

I can't reproduce this problem on,

1. Fresh Fedora 19 VM created from DVD.
2. Fedora 19 KVM image when deployed locally.

I can reliably (read every time) reproduce this problem by deploying the Fedora 19 KVM image on OpenStack. Pretty weird.
Comment 1 Daniel Kopeček 2013-07-10 07:18:52 EDT
(In reply to Dhiru Kholia from comment #0)
Hello,
 that is weird indeed. Could you please strace the command and attach the output to this BZ? Thanks
Comment 2 Dhiru Kholia 2013-07-10 07:39:53 EDT
Created attachment 771551 [details]
strace of failing oscap process
Comment 3 Daniel Kopeček 2013-07-10 09:31:40 EDT
(In reply to Dhiru Kholia from comment #2)
> Created attachment 771551 [details]
> strace of failing oscap process

Please use the following options to get a more detailed output:

# strace -ff -o oscap.log -s 1048576 ...

Looks like the probe processes don't die immediately so we need to strace them too. The option above should do the job. Thanks
Comment 4 Dhiru Kholia 2013-07-11 02:58:27 EDT
Created attachment 772035 [details]
better strace of failing oscap process
Comment 5 Daniel Kopeček 2013-07-11 08:43:39 EDT
Ok, I've found a hint:

stat("/usr/libexec/openscap/probe_runlevel", {st_mode=S_IFREG|0755, st_size=52936, ...}) = 0
socketpair(PF_LOCAL, SOCK_STREAM, 0, [26, 27]) = 0
clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f8e7be7cb10) = -1 ENOMEM (Cannot allocate memory)

Looks like the machine runs out of memory during the evaluation. So in that case the "Can't connect to probe" messages are expected, I think. However, it would be better to have the reason why we can't connect there.
Comment 6 Dhiru Kholia 2013-07-11 13:46:27 EDT
Daneil,

I see the problem now. I will try running the scanner again after giving the guest more RAM.

>> However, it would be better to have the reason why we can't connect there.

That would be great. If possible, can we reduce the memory usage of the openscap scanning system? If not, can we figure out the "tests" which require more RAM?
Comment 7 Daniel Kopeček 2013-07-11 17:41:42 EDT
(In reply to Dhiru Kholia from comment #6)
> Daneil,
> 
> I see the problem now. I will try running the scanner again after giving the
> guest more RAM.
> 
> >> However, it would be better to have the reason why we can't connect there.
> 
> That would be great. If possible, can we reduce the memory usage of the
> openscap scanning system? If not, can we figure out the "tests" which
> require more RAM?

I think there's still room for optimizations. There's also the option to scan an image of the virtual host in the offline mode:

  https://www.redhat.com/archives/open-scap-list/2013-May/msg00007.html

Some optimizations can be done on the side of the content, i.e. some objects in OVAL can be rewritten to require less memory if you know a little bit about how things are implemented in the interpreter.
Comment 8 Dhiru Kholia 2013-07-12 03:55:32 EDT
Created attachment 772569 [details]
OpenSCAP AVCs
Comment 9 Petr Lautrbach 2013-07-18 04:27:51 EDT
So this is most probably an issue of openscap-selinux package. It seems to work in SELinux permissive mode. We will address this in some future release.
Comment 10 Dhiru Kholia 2013-07-18 07:14:37 EDT
Here is my work-around,

1) Keep SELinux in enforcing mode (as it should be).

2) Do *not* install the openscap-selinux package (installing this seems to break stuff).

3) Have >= 1GB of RAM and finally,

4) Run the scanner as usual.
Comment 11 Šimon Lukašík 2013-11-01 13:22:24 EDT
I doubt it the openscap-selinux package and the AVC denials are related.
The oscap_t domain is permissive. It should not break the probes.

Let's keep this bz open and focused on the memory allocation issue.
Comment 13 Fedora End Of Life 2015-01-09 17:11:37 EST
This message is a notice that Fedora 19 is now at end of life. Fedora 
has stopped maintaining and issuing updates for Fedora 19. It is 
Fedora's policy to close all bug reports from releases that are no 
longer maintained. Approximately 4 (four) weeks from now this bug will
be closed as EOL if it remains open with a Fedora 'version' of '19'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 19 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.
Comment 14 Jaroslav Reznik 2015-03-03 11:53:52 EST
This bug appears to have been reported against 'rawhide' during the Fedora 22 development cycle.
Changing version to '22'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora22
Comment 15 Fedora Admin XMLRPC Client 2015-08-13 07:16:49 EDT
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 16 Šimon Lukašík 2015-08-27 03:04:55 EDT
OpenSCAP-SELinux package has been dropped in the latest OpenSCAP upstream release.

Note You need to log in before you can comment on or make changes to this bug.