Hello, as per the discussion here https://lists.fedoraproject.org/pipermail/devel/2013-July/186952.html we have found that cloud-init executes everything without PATH set properly. This is an issue mainly for RPM package installation, because scriptlets rely on PATH being set properly. In this case, some packages which are being installed in user scripts (using the yum command) are failing to install. I am not sure if this implies another bug - packages in the cloud-init YAML file are totally ignored and never installed. If you try this:

packages:
  - vim
  - emacs

they never get installed. No error or warning is issued in the logs. Might be related to the PATH. I was testing this with Fedora 19, but it is likely the same in Rawhide at this moment.
Systemd sets a default PATH for the programs it runs. The reason %post scripts are failing seems to be cloud-init's SELinux policy. For example, here is what I get on a F20 alpha RC3 instance:

time->Tue Sep 24 02:06:29 2013
type=SYSCALL msg=audit(1379988389.628:35): arch=c000003e syscall=59 success=no exit=-13 a0=36680b0 a1=2fe3cf0 a2=7fffdfcd9978 a3=733a745f74706972 items=0 ppid=627 pid=651 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="yum" exe="/usr/bin/python2.7" subj=system_u:system_r:cloud_init_t:s0 key=(null)
type=AVC msg=audit(1379988389.628:35): avc: denied { transition } for pid=651 comm="yum" path="/usr/sbin/ldconfig" dev="xvda1" ino=4312 scontext=system_u:system_r:cloud_init_t:s0 tcontext=system_u:system_r:rpm_script_t:s0 tclass=process
----
time->Tue Sep 24 02:06:36 2013
type=SYSCALL msg=audit(1379988396.967:37): arch=c000003e syscall=59 success=no exit=-13 a0=38797b0 a1=3c00cb0 a2=7fffdfcd9978 a3=733a745f74706972 items=0 ppid=627 pid=653 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="yum" exe="/usr/bin/python2.7" subj=system_u:system_r:cloud_init_t:s0 key=(null)
type=AVC msg=audit(1379988396.967:37): avc: denied { transition } for pid=653 comm="yum" path="/usr/bin/bash" dev="xvda1" ino=4640 scontext=system_u:system_r:cloud_init_t:s0 tcontext=system_u:system_r:rpm_script_t:s0 tclass=process
----
time->Tue Sep 24 02:06:36 2013
type=SYSCALL msg=audit(1379988396.789:36): arch=c000003e syscall=59 success=no exit=-13 a0=29e5070 a1=2df06b0 a2=7fffdfcd9978 a3=733a745f74706972 items=0 ppid=627 pid=652 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="yum" exe="/usr/bin/python2.7" subj=system_u:system_r:cloud_init_t:s0 key=(null)
type=AVC msg=audit(1379988396.789:36): avc: denied { transition } for pid=652 comm="yum" path="/usr/sbin/ldconfig" dev="xvda1" ino=4312 scontext=system_u:system_r:cloud_init_t:s0 tcontext=system_u:system_r:rpm_script_t:s0 tclass=process
----
time->Tue Sep 24 02:06:38 2013
type=SYSCALL msg=audit(1379988398.438:38): arch=c000003e syscall=59 success=no exit=-13 a0=2ed9f60 a1=3ba6fa0 a2=7fffdfcd9978 a3=733a745f74706972 items=0 ppid=627 pid=654 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="yum" exe="/usr/bin/python2.7" subj=system_u:system_r:cloud_init_t:s0 key=(null)
type=AVC msg=audit(1379988398.438:38): avc: denied { transition } for pid=654 comm="yum" path="/usr/bin/bash" dev="xvda1" ino=4640 scontext=system_u:system_r:cloud_init_t:s0 tcontext=system_u:system_r:rpm_script_t:s0 tclass=process
Cloud-init needs to be able to install random packages? This will make it basically an unconfined domain.
Dan, we already have

optional_policy(`
	unconfined_domain(cloud_init_t)
')

cloud-init does "everything".
Ok, in that case add rpm_domtrans(cloud_init_t) to the same optional_policy block. We might want to allow unconfined domains to always transition to rpm_t, or at least transition to rpm_script_t.
commit 1222926ca204115e744deac77e5afd16d9b03982
Author: Miroslav Grepl <mgrepl>
Date:   Thu Sep 26 08:08:38 2013 +0200

    Allow cloud-init to domtrans to rpm
selinux-policy-3.12.1-74.8.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.8.fc19
*** Bug 1010335 has been marked as a duplicate of this bug. ***
Package selinux-policy-3.12.1-74.8.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-74.8.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-17739/selinux-policy-3.12.1-74.8.fc19
then log in and leave karma (feedback).
selinux-policy-3.12.1-74.8.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
This is still happening in F20 beta.

type=AVC msg=audit(1385569399.106:57): avc: denied { transition } for pid=580 comm="yum" path="/usr/sbin/ldconfig" dev="xvda1" ino=4269 scontext=system_u:system_r:cloud_init_t:s0 tcontext=system_u:system_r:rpm_script_t:s0 tclass=process
type=SYSCALL msg=audit(1385569399.106:57): arch=c000003e syscall=59 success=no exit=-13 a0=3ea0ef0 a1=366d580 a2=7fffcc0d1d58 a3=733a745f74706972 items=0 ppid=561 pid=580 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="yum" exe="/usr/bin/python2.7" subj=system_u:system_r:cloud_init_t:s0 key=(null)
type=AVC msg=audit(1385569404.009:58): avc: denied { transition } for pid=582 comm="yum" path="/usr/bin/bash" dev="xvda1" ino=4597 scontext=system_u:system_r:cloud_init_t:s0 tcontext=system_u:system_r:rpm_script_t:s0 tclass=process
type=SYSCALL msg=audit(1385569404.009:58): arch=c000003e syscall=59 success=no exit=-13 a0=3066050 a1=3a949f0 a2=7fffcc0d1d58 a3=733a745f74706972 items=0 ppid=561 pid=582 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="yum" exe="/usr/bin/python2.7" subj=system_u:system_r:cloud_init_t:s0 key=(null)
type=AVC msg=audit(1385569404.054:59): avc: denied { transition } for pid=583 comm="yum" path="/usr/bin/bash" dev="xvda1" ino=4597 scontext=system_u:system_r:cloud_init_t:s0 tcontext=system_u:system_r:rpm_script_t:s0 tclass=process
type=SYSCALL msg=audit(1385569404.054:59): arch=c000003e syscall=59 success=no exit=-13 a0=30942e0 a1=344dde0 a2=7fffcc0d1d58 a3=733a745f74706972 items=0 ppid=561 pid=583 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="yum" exe="/usr/bin/python2.7" subj=system_u:system_r:cloud_init_t:s0 key=(null)

Also note that since selinux-policy-targeted has RPM scriptlets, this CANNOT be fixed with an update unless that update is applied by hand.
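The denials quoted in this bug (both the F20 alpha records above and the F20 beta records in this comment) all have the same shape: an execve (syscall 59) that fails with exit=-13 because the policy has no allowed domain transition from cloud_init_t to rpm_script_t. The following script is an added example, not part of this bug report and not code from cloud-init or selinux-policy. It pairs AVC and SYSCALL records by their audit event id (the timestamp:serial inside msg=audit(...)), keeps only denied transitions, and counts them per (source domain, target domain) pair, which is exactly the pair a policy change such as rpm_domtrans(cloud_init_t) has to cover. The sample records are constructed in the style of the logs quoted above; record and field layout follow the ausearch output shown in this bug.

```python
import re
from collections import defaultdict

# Constructed sample in the style of the ausearch output quoted in this bug
# (pids, inodes and contexts mirror the report; the sshd record is made up
# to show that non-transition denials are filtered out).
SAMPLE_AUDIT_LOG = """\
time->Tue Sep 24 02:06:29 2013
type=SYSCALL msg=audit(1379988389.628:35): arch=c000003e syscall=59 success=no exit=-13 a0=36680b0 a1=2fe3cf0 a2=7fffdfcd9978 a3=733a745f74706972 items=0 ppid=627 pid=651 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="yum" exe="/usr/bin/python2.7" subj=system_u:system_r:cloud_init_t:s0 key=(null)
type=AVC msg=audit(1379988389.628:35): avc:  denied  { transition } for  pid=651 comm="yum" path="/usr/sbin/ldconfig" dev="xvda1" ino=4312 scontext=system_u:system_r:cloud_init_t:s0 tcontext=system_u:system_r:rpm_script_t:s0 tclass=process
----
time->Tue Sep 24 02:06:36 2013
type=SYSCALL msg=audit(1379988396.967:37): arch=c000003e syscall=59 success=no exit=-13 a0=38797b0 a1=3c00cb0 a2=7fffdfcd9978 a3=733a745f74706972 items=0 ppid=627 pid=653 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="yum" exe="/usr/bin/python2.7" subj=system_u:system_r:cloud_init_t:s0 key=(null)
type=AVC msg=audit(1379988396.967:37): avc:  denied  { transition } for  pid=653 comm="yum" path="/usr/bin/bash" dev="xvda1" ino=4640 scontext=system_u:system_r:cloud_init_t:s0 tcontext=system_u:system_r:rpm_script_t:s0 tclass=process
----
time->Tue Sep 24 02:10:00 2013
type=AVC msg=audit(1379988600.000:40): avc:  denied  { read } for  pid=700 comm="sshd" name="authorized_keys" dev="xvda1" ino=99 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
"""

# key=value pairs; values are either double-quoted or a run of non-spaces
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# the event id shared by all records of one kernel event
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')
# decision and permission set of an AVC record
PERM_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]+?)\s*\}')


def parse_audit_records(text):
    """Group records by event id -> {"SYSCALL": fields or None, "AVC": [fields, ...]}.
    'time->' headers and '----' separators carry no msg=audit(...) and are skipped."""
    events = defaultdict(lambda: {"SYSCALL": None, "AVC": []})
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        event_id = "%s:%s" % (m.group(1), m.group(2))
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        if fields.get("type") == "AVC":
            p = PERM_RE.search(line)
            fields["decision"] = p.group(1)
            fields["perms"] = p.group(2).split()
            events[event_id]["AVC"].append(fields)
        elif fields.get("type") == "SYSCALL":
            events[event_id]["SYSCALL"] = fields
    return dict(events)


def _sort_key(event_id):
    ts, serial = event_id.split(":")
    return (float(ts), int(serial))


def domain_of(context):
    """system_u:system_r:cloud_init_t:s0 -> cloud_init_t"""
    return context.split(":")[2]


def denied_transitions(events, source_type=None):
    """Every 'denied { transition }' AVC, in event order, joined with the
    exit status of its SYSCALL record (-13 is -EACCES from execve)."""
    out = []
    for event_id in sorted(events, key=_sort_key):
        ev = events[event_id]
        syscall = ev["SYSCALL"] or {}
        for avc in ev["AVC"]:
            if avc["decision"] != "denied" or "transition" not in avc["perms"]:
                continue
            src = domain_of(avc["scontext"])
            if source_type and src != source_type:
                continue
            out.append({
                "event": event_id,
                "comm": avc.get("comm"),
                "path": avc.get("path"),
                "source": src,
                "target": domain_of(avc["tcontext"]),
                "exit": syscall.get("exit"),
            })
    return out


def summarize(transitions):
    """Count denied transitions per (source, target) domain pair."""
    counts = defaultdict(int)
    for t in transitions:
        counts[(t["source"], t["target"])] += 1
    return dict(counts)


if __name__ == "__main__":
    found = denied_transitions(parse_audit_records(SAMPLE_AUDIT_LOG))
    for t in found:
        print("%s: %s exec %s blocked: %s -> %s (exit %s)" % (
            t["event"], t["comm"], t["path"], t["source"], t["target"], t["exit"]))
    for (src, dst), n in summarize(found).items():
        print("%d denied transition(s) %s -> %s" % (n, src, dst))
```

Run it against real output with `ausearch -m AVC,SYSCALL -ts recent` piped into `parse_audit_records`; a non-empty `summarize()` for the cloud_init_t -> rpm_script_t pair after the policy update would mean the fix has not been applied on that instance (as the comment above notes, the update itself runs RPM scriptlets, so an image built before the fix needs it applied by hand).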
I'm marking this as a Freeze Exception. I'd make it a blocker, except we haven't defined release criteria for cloud-init.
Discussed at 2013-11-27 freeze exception review meeting: http://meetbot.fedoraproject.org/fedora-blocker-review/2013-11-27/f20-blocker-review-3.2013-11-27-17.01.log.txt . Accepted as a freeze exception issue, this is a significant problem for cloud deployments and can't be fixed post-release.
a3007fcf054427b3e4f2c06c77ad783551aae67f fixes this in git.
Fixed in selinux-policy-3.12.1-106.fc20
if you could edit -106 into https://admin.fedoraproject.org/updates/FEDORA-2013-22285/selinux-policy-3.12.1-105.fc20 and mark that update as fixing this bug, it'll make it easier to pull the fix into TC4 and track it - thanks!
Could you check if 105 fixes the issue first. My fix might be irrelevant.
it's not super easy from a process point of view, because we're post freeze and this is the only blocker or freeze exception bug to justify pulling an selinux-policy build through the freeze. if you're willing to Officially Declare that -105 may fix this issue, that's probably good enough to pull it into TC4 and see how things go. TC4 will likely be built later today.
Dan, this seems to work with 3.12.1-106
matt: he wanted to know if it works with *105*, so we don't have to take 106.
Taking 106 is fine. It was only a minor change, with no security ramifications. If this helps move things along.
We can take either 105 or 106 for TC4, but:
* to take 105 we'd need an Official Dwalsh Statement that it has a reasonable chance of fixing the bug
OR
* to take 106 it'd be best to have a Bodhi update for it (either edit the 105 update or just make a new one, editing the 105 update would avoid any Bodhi problems where the old update sticks around and we end up with them fighting to go stable)
selinux-policy-3.12.1-106.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-106.fc20
Package selinux-policy-3.12.1-106.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-106.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-22646/selinux-policy-3.12.1-106.fc20
then log in and leave karma (feedback).
selinux-policy-3.12.1-106.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.