Issue #2199

closed

The RPM rsync distributor breaks when SELinux is enabled

Added by Ichimonji10 over 7 years ago. Updated about 5 years ago.

Status: CLOSED - CURRENTRELEASE
Priority: Normal
Assignee:
Sprint/Milestone:
-
Start date:
Due date:
Estimated time:
Severity: 2. Medium
Version: 2.10.0
Platform Release: 2.10.0
OS:
Triaged: No
Groomed: No
Sprint Candidate: No
Tags: Pulp 2
Sprint:
Quarter:

Description

The RPM rsync distributor makes a call to the system's rsync executable when performing a publish. Unfortunately, SELinux denies access to this executable, thus breaking publishes. Here's an example of a task report returned by Pulp, as JSON:

{
    "result": null,
    "traceback": "Traceback (most recent call last):\n  File \"/usr/lib/python2.7/site-packages/celery/app/trace.py\", line 240, in trace_task\n    R = retval = fun(*args, **kwargs)\n  File \"/usr/lib/python2.7/site-packages/pulp/server/async/tasks.py\", line 488, in __call__\n    return super(Task, self).__call__(*args, **kwargs)\n  File \"/usr/lib/python2.7/site-packages/pulp/server/async/tasks.py\", line 103, in __call__\n    return super(PulpTask, self).__call__(*args, **kwargs)\n  File \"/usr/lib/python2.7/site-packages/celery/app/trace.py\", line 437, in __protected_call__\n    return self.run(*args, **kwargs)\n  File \"/usr/lib/python2.7/site-packages/pulp/server/controllers/repository.py\", line 971, in publish\n    result = check_publish(repo_obj, dist_id, dist_inst, transfer_repo, conduit, call_config)\n  File \"/usr/lib/python2.7/site-packages/pulp/server/controllers/repository.py\", line 1058, in check_publish\n    result = _do_publish(repo_obj, dist_id, dist_inst, transfer_repo, conduit, call_config)\n  File \"/usr/lib/python2.7/site-packages/pulp/server/controllers/repository.py\", line 1110, in _do_publish\n    publish_report = publish_repo(transfer_repo, conduit, call_config)\n  File \"/usr/lib/python2.7/site-packages/pulp/server/async/tasks.py\", line 673, in wrap_f\n    return f(*args, **kwargs)\n  File \"/usr/lib/python2.7/site-packages/pulp_rpm/plugins/distributors/rsync/distributor.py\", line 103, in publish_repo\n    return self._publisher.publish()\n  File \"/usr/lib/python2.7/site-packages/pulp/plugins/util/publish_step.py\", line 706, in publish\n    return self.process_lifecycle()\n  File \"/usr/lib/python2.7/site-packages/pulp/plugins/util/publish_step.py\", line 565, in process_lifecycle\n    super(PluginStep, self).process_lifecycle()\n  File \"/usr/lib/python2.7/site-packages/pulp/plugins/util/publish_step.py\", line 162, in process_lifecycle\n    step.process()\n  File 
\"/usr/lib/python2.7/site-packages/pulp/plugins/util/publish_step.py\", line 252, in process\n    self._process_block()\n  File \"/usr/lib/python2.7/site-packages/pulp/plugins/util/publish_step.py\", line 296, in _process_block\n    self.process_main()\n  File \"/usr/lib/python2.7/site-packages/pulp/plugins/rsync/publish.py\", line 258, in process_main\n    raise PulpCodedException(message=output)\nPulpCodedException: A general pulp exception occurred\n",
    "task_id": "cee65454-678d-4373-99a9-27e697cea085",
    "queue": "reserved_resource_worker-1@example.com.dq",
    "spawned_tasks": [

    ],
    "_ns": "task_status",
    "error": {
        "code": "PLP0001",
        "data": {
            "message": "['rsync', '-avr', '-f+ */', '-e', u'ssh -l 8bd20361-e96 -i /tmp/tmp.6gOrR10gV2 -o \"StrictHostKeyChecking no\" -o \"UserKnownHostsFile /dev/null\" -S /tmp/rsync_distributor-%r@%h:%p -o \"ControlMaster auto\" -o \"ControlPersist 10\"', u'/var/cache/pulp/reserved_resource_worker-1@example.com/cee65454-678d-4373-99a9-27e697cea085/.tmp/', u'8bd20361-e96@example.com:/home/8bd20361-e96/']\n/bin/sh: rsync: command not found\n"
        },
        "sub_errors": [

        ],
        "description": "A general pulp exception occurred"
    },
    "exception": null,
    "id": "57bb36d5973880727d8938fb",
    "tags": [
        "pulp:repository:31f091e3-a637-4bd3-9e35-46569a77c8a2",
        "pulp:action:publish"
    ],
    "finish_time": "2016-08-22T17:31:02Z",
    "start_time": "2016-08-22T17:31:01Z",
    "worker_name": "reserved_resource_worker-1@example.com",
    "task_type": "pulp.server.managers.repo.publish.publish",
    "_id": {
        "$oid": "57bb36d5973880727d8938fb"
    },
    "progress_report": {
        "38b1659d-6c6e-451e-8a1f-5f3b51c5a497": [
            {
                "items_total": 32,
                "description": "",
                "num_failures": 0,
                "num_processed": 32,
                "details": "",
                "error_details": [

                ],
                "num_success": 32,
                "step_type": "Unit query step (rpm, drpm, srpm)",
                "state": "FINISHED",
                "step_id": "5635cf7c-1af3-40ea-a0a1-4fecb08dbfda"
            },
            {
                "items_total": 1,
                "description": "Rsync files to remote destination",
                "num_failures": 1,
                "num_processed": 1,
                "details": "",
                "error_details": [
                    {
                        "traceback": "  File \"/usr/lib/python2.7/site-packages/pulp/plugins/util/publish_step.py\", line 252, in process\n    self._process_block()\n\n  File \"/usr/lib/python2.7/site-packages/pulp/plugins/util/publish_step.py\", line 296, in _process_block\n    self.process_main()\n\n  File \"/usr/lib/python2.7/site-packages/pulp/plugins/rsync/publish.py\", line 258, in process_main\n    raise PulpCodedException(message=output)\n",
                        "error": "A general pulp exception occurred"
                    }
                ],
                "num_success": 0,
                "step_type": "Rsync step (origin)",
                "state": "FAILED",
                "step_id": "d7962956-a7d8-4bcc-848a-cc8311f01103"
            },
            {
                "items_total": 1,
                "description": "Rsync files to remote destination",
                "num_failures": 0,
                "num_processed": 0,
                "details": "",
                "error_details": [

                ],
                "num_success": 0,
                "step_type": "Rsync step (content)",
                "state": "NOT_STARTED",
                "step_id": "c9510095-f5b2-4b3c-95e1-60aae2dfba2a"
            },
            {
                "items_total": 1,
                "description": "Rsync files to remote destination",
                "num_failures": 0,
                "num_processed": 0,
                "details": "",
                "error_details": [

                ],
                "num_success": 0,
                "step_type": "Rsync step (repodata)",
                "state": "NOT_STARTED",
                "step_id": "3b5aa0ab-e046-4639-ae81-ed938f2b6d84"
            }
        ]
    },
    "_href": "/pulp/api/v2/tasks/cee65454-678d-4373-99a9-27e697cea085/",
    "state": "error"
}

Here's a snippet from journalctl:

Aug 23 13:27:33 example.com audit[15241]: AVC avc:  denied  { getattr } for  pid=15241 comm="sh" path="/usr/bin/rsync" dev="dm-0" ino=8463536 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=0
Aug 23 13:27:33 example.com pulp[14570]: pulp.plugins.rsync.publish:ERROR: (14570-58144) Cannot create directory content/units: ['rsync', '-avr', '-f+ */', '-e', u'ssh -l 9a36508d-b5b -i /tmp/tmp.PVTsry5iU7 -o "StrictHostKeyChecking no" -o "UserKnownHostsFile /dev/null" -S /tmp/rsync_distributor-%r@%h:%p -o "ControlMaster auto" -o "ControlPersist 10"', u'/var/cache/pulp/reserved_resource_worker-1@example.com/ea1743f9-bc09-4610-a01a-f9091df971e9/.tmp/', u'9a36508d-b5b@example.com:/home/9a36508d-b5b/']
Aug 23 13:27:33 example.com pulp[14570]: pulp.plugins.rsync.publish:ERROR: (14570-58144) /bin/sh: rsync: command not found
Aug 23 13:27:33 example.com pulp[14570]: pulp.plugins.rsync.publish:ERROR: (14570-58144)
Aug 23 13:27:33 example.com pulp[14570]: pulp.server.controllers.repository:ERROR: (14570-58144) Exception caught from plugin during publish for repo [4306bd6f-4735-452e-af73-3060a202d16e]
Aug 23 13:27:33 example.com pulp[14570]: pulp.server.controllers.repository:ERROR: (14570-58144) Traceback (most recent call last):
Aug 23 13:27:33 example.com pulp[14570]: pulp.server.controllers.repository:ERROR: (14570-58144)   File "/usr/lib/python2.7/site-packages/pulp/server/controllers/repository.py", line 1110, in _do_publish
Aug 23 13:27:33 example.com pulp[14570]: pulp.server.controllers.repository:ERROR: (14570-58144)     publish_report = publish_repo(transfer_repo, conduit, call_config)
Aug 23 13:27:33 example.com pulp[14570]: pulp.server.controllers.repository:ERROR: (14570-58144)   File "/usr/lib/python2.7/site-packages/pulp/server/async/tasks.py", line 673, in wrap_f
Aug 23 13:27:33 example.com pulp[14570]: pulp.server.controllers.repository:ERROR: (14570-58144)     return f(*args, **kwargs)
Aug 23 13:27:33 example.com pulp[14570]: pulp.server.controllers.repository:ERROR: (14570-58144)   File "/usr/lib/python2.7/site-packages/pulp_rpm/plugins/distributors/rsync/distributor.py", line 103, in publish_repo
Aug 23 13:27:33 example.com pulp[14570]: pulp.server.controllers.repository:ERROR: (14570-58144)     return self._publisher.publish()
Aug 23 13:27:33 example.com pulp[14570]: pulp.server.controllers.repository:ERROR: (14570-58144)   File "/usr/lib/python2.7/site-packages/pulp/plugins/util/publish_step.py", line 706, in publish
Aug 23 13:27:33 example.com pulp[14570]: pulp.server.controllers.repository:ERROR: (14570-58144)     return self.process_lifecycle()
Aug 23 13:27:33 example.com pulp[14570]: pulp.server.controllers.repository:ERROR: (14570-58144)   File "/usr/lib/python2.7/site-packages/pulp/plugins/util/publish_step.py", line 565, in process_lifecycle
Aug 23 13:27:33 example.com pulp[14570]: pulp.server.controllers.repository:ERROR: (14570-58144)     super(PluginStep, self).process_lifecycle()
Aug 23 13:27:33 example.com pulp[14570]: pulp.server.controllers.repository:ERROR: (14570-58144)   File "/usr/lib/python2.7/site-packages/pulp/plugins/util/publish_step.py", line 162, in process_lifecycle
Aug 23 13:27:33 example.com pulp[14570]: pulp.server.controllers.repository:ERROR: (14570-58144)     step.process()
Aug 23 13:27:33 example.com pulp[14570]: pulp.server.controllers.repository:ERROR: (14570-58144)   File "/usr/lib/python2.7/site-packages/pulp/plugins/util/publish_step.py", line 252, in process
Aug 23 13:27:33 example.com pulp[14570]: pulp.server.controllers.repository:ERROR: (14570-58144)     self._process_block()
Aug 23 13:27:33 example.com pulp[14570]: pulp.server.controllers.repository:ERROR: (14570-58144)   File "/usr/lib/python2.7/site-packages/pulp/plugins/util/publish_step.py", line 296, in _process_block
Aug 23 13:27:33 example.com pulp[14570]: pulp.server.controllers.repository:ERROR: (14570-58144)     self.process_main()
Aug 23 13:27:33 example.com pulp[14570]: pulp.server.controllers.repository:ERROR: (14570-58144)   File "/usr/lib/python2.7/site-packages/pulp/plugins/rsync/publish.py", line 258, in process_main
Aug 23 13:27:33 example.com pulp[14570]: pulp.server.controllers.repository:ERROR: (14570-58144)     raise PulpCodedException(message=output)
Aug 23 13:27:33 example.com pulp[14570]: pulp.server.controllers.repository:ERROR: (14570-58144) PulpCodedException: A general pulp exception occurred
Aug 23 13:27:33 example.com pulp[14570]: pulp.server.async.tasks:INFO: Task failed : [ea1743f9-bc09-4610-a01a-f9091df971e9] : A general pulp exception occurred
Aug 23 13:27:33 example.com pulp[14224]: celery.worker.job:INFO: Task pulp.server.managers.repo.publish.publish[ea1743f9-bc09-4610-a01a-f9091df971e9] raised expected: PulpCodedException()
Aug 23 13:27:33 example.com pulp[14224]: celery.worker.job:INFO: Task pulp.server.async.tasks._release_resource[632cb720-76ab-4ea1-ad7d-ffd04e099008] succeeded in 0.00821788801113s: None

Here's the Pulp Smash test for this issue: http://pulp-smash.readthedocs.io/en/latest/api/pulp_smash.tests.rpm.api_v2.test_rsync_distributor.html#pulp_smash.tests.rpm.api_v2.test_rsync_distributor.PublishTestCase

Added by bmbouter over 7 years ago

Revision e2db5a97 | View on GitHub

celery_t can now exec rsync_exec_t

The rsync distributor needs to execute the rsync binary. The call to rsync_exec allows the celery_t security context to make that call.

https://pulp.plan.io/issues/2196 closes #2196

Actions #1

Updated by Ichimonji10 over 7 years ago

Here's the packages on the system:

$ ssh $hostname rpm -qa | grep -i pulp
python-pulp-puppet-common-2.10.0-0.1.beta.fc24.noarch
python-pulp-client-lib-2.10.0-0.3.beta.git.82.2ca6d5a.fc24.noarch
python-pulp-oid_validation-2.10.0-0.3.beta.git.82.2ca6d5a.fc24.noarch
pulp-docker-plugins-2.1.0-0.1.beta.fc24.noarch
pulp-docker-admin-extensions-2.1.0-0.1.beta.fc24.noarch
pulp-python-admin-extensions-1.1.3-1.fc24.noarch
pulp-selinux-2.10.0-0.3.beta.git.82.2ca6d5a.fc24.noarch
pulp-admin-client-2.10.0-0.3.beta.git.82.2ca6d5a.fc24.noarch
python-pulp-ostree-common-1.1.3-1.fc24.noarch
pulp-ostree-admin-extensions-1.1.3-1.fc24.noarch
python-pulp-streamer-2.10.0-0.3.beta.git.82.2ca6d5a.fc24.noarch
python-kombu-3.0.33-6.pulp.fc24.noarch
python-pulp-rpm-common-2.10.0-0.3.beta.git.22.93a4ca1.fc24.noarch
pulp-server-2.10.0-0.3.beta.git.82.2ca6d5a.fc24.noarch
pulp-rpm-plugins-2.10.0-0.3.beta.git.22.93a4ca1.fc24.noarch
pulp-rpm-admin-extensions-2.10.0-0.3.beta.git.22.93a4ca1.fc24.noarch
python-pulp-python-common-1.1.3-1.fc24.noarch
python-pulp-common-2.10.0-0.3.beta.git.82.2ca6d5a.fc24.noarch
python-pulp-repoauth-2.10.0-0.3.beta.git.82.2ca6d5a.fc24.noarch
pulp-puppet-plugins-2.10.0-0.1.beta.fc24.noarch
pulp-puppet-admin-extensions-2.10.0-0.1.beta.fc24.noarch
pulp-python-plugins-1.1.3-1.fc24.noarch
python-pulp-docker-common-2.1.0-0.1.beta.fc24.noarch
python-pulp-bindings-2.10.0-0.3.beta.git.82.2ca6d5a.fc24.noarch
pulp-ostree-plugins-1.1.3-1.fc24.noarch

Actions #2

Updated by bmbouter over 7 years ago

  • Status changed from NEW to MODIFIED
  • Assignee set to bmbouter
  • Platform Release set to 2.10.0

Actions #3

Updated by Ichimonji10 over 7 years ago

  • Status changed from MODIFIED to ASSIGNED

Publishes with the RPM rsync distributor are failing due to a new SELinux denial error. Here's the packages installed:

$ ssh $hostname rpm -qa | sort | grep -i pulp
pulp-admin-client-2.10.1-0.1.alpha.git.14.5edefcc.fc23.noarch
pulp-docker-admin-extensions-2.1.1-0.1.alpha.git.7.a146374.fc23.noarch
pulp-docker-plugins-2.1.1-0.1.alpha.git.7.a146374.fc23.noarch
pulp-ostree-admin-extensions-1.1.4-0.1.alpha.git.14.5cef550.fc23.noarch
pulp-ostree-plugins-1.1.4-0.1.alpha.git.14.5cef550.fc23.noarch
pulp-puppet-admin-extensions-2.10.1-0.1.alpha.git.22.d5b5727.fc23.noarch
pulp-puppet-plugins-2.10.1-0.1.alpha.git.22.d5b5727.fc23.noarch
pulp-python-admin-extensions-1.1.4-0.1.alpha.git.28.9880cce.fc23.noarch
pulp-python-plugins-1.1.4-0.1.alpha.git.28.9880cce.fc23.noarch
pulp-rpm-admin-extensions-2.10.1-0.1.alpha.git.14.4e22aba.fc23.noarch
pulp-rpm-plugins-2.10.1-0.1.alpha.git.14.4e22aba.fc23.noarch
pulp-selinux-2.10.1-0.1.alpha.git.14.5edefcc.fc23.noarch
pulp-server-2.10.1-0.1.alpha.git.14.5edefcc.fc23.noarch
python-kombu-3.0.33-6.pulp.fc23.noarch
python-pulp-bindings-2.10.1-0.1.alpha.git.14.5edefcc.fc23.noarch
python-pulp-client-lib-2.10.1-0.1.alpha.git.14.5edefcc.fc23.noarch
python-pulp-common-2.10.1-0.1.alpha.git.14.5edefcc.fc23.noarch
python-pulp-docker-common-2.1.1-0.1.alpha.git.7.a146374.fc23.noarch
python-pulp-oid_validation-2.10.1-0.1.alpha.git.14.5edefcc.fc23.noarch
python-pulp-ostree-common-1.1.4-0.1.alpha.git.14.5cef550.fc23.noarch
python-pulp-puppet-common-2.10.1-0.1.alpha.git.22.d5b5727.fc23.noarch
python-pulp-python-common-1.1.4-0.1.alpha.git.28.9880cce.fc23.noarch
python-pulp-repoauth-2.10.1-0.1.alpha.git.14.5edefcc.fc23.noarch
python-pulp-rpm-common-2.10.1-0.1.alpha.git.14.4e22aba.fc23.noarch
python-pulp-streamer-2.10.1-0.1.alpha.git.14.5edefcc.fc23.noarch

Here's the task report, as a JSON object:

{
    "id": "57bda9aaa08d37f219e616d9",
    "state": "error",
    "progress_report": {
        "c6bff33c-09c8-479f-b2aa-8e9496cd32e4": [
            {
                "state": "FINISHED",
                "num_success": 32,
                "num_failures": 0,
                "num_processed": 32,
                "items_total": 32,
                "step_type": "Unit query step (rpm, drpm, srpm)",
                "error_details": [

                ],
                "description": "",
                "step_id": "704b1392-116d-4e9f-9f86-f33fb33e98d7",
                "details": ""
            },
            {
                "state": "FAILED",
                "num_success": 0,
                "num_failures": 1,
                "num_processed": 1,
                "items_total": 1,
                "step_type": "Rsync step (origin)",
                "error_details": [
                    {
                        "traceback": "  File \"/usr/lib/python2.7/site-packages/pulp/plugins/util/publish_step.py\", line 252, in process\n    self._process_block()\n\n  File \"/usr/lib/python2.7/site-packages/pulp/plugins/util/publish_step.py\", line 296, in _process_block\n    self.process_main()\n\n  File \"/usr/lib/python2.7/site-packages/pulp/plugins/rsync/publish.py\", line 258, in process_main\n    raise PulpCodedException(message=output)\n",
                        "error": "A general pulp exception occurred"
                    }
                ],
                "description": "Rsync files to remote destination",
                "step_id": "e637c9dd-929f-4c51-87ce-44424c24d685",
                "details": ""
            },
            {
                "state": "NOT_STARTED",
                "num_success": 0,
                "num_failures": 0,
                "num_processed": 0,
                "items_total": 1,
                "step_type": "Rsync step (content)",
                "error_details": [

                ],
                "description": "Rsync files to remote destination",
                "step_id": "f34e1c91-f92b-4181-b639-e588085ad285",
                "details": ""
            },
            {
                "state": "NOT_STARTED",
                "num_success": 0,
                "num_failures": 0,
                "num_processed": 0,
                "items_total": 1,
                "step_type": "Rsync step (repodata)",
                "error_details": [

                ],
                "description": "Rsync files to remote destination",
                "step_id": "0fca2887-2df9-41aa-8eca-40552ce62071",
                "details": ""
            }
        ]
    },
    "tags": [
        "pulp:repository:8dc1bce0-e718-44a7-807b-f82918859466",
        "pulp:action:publish"
    ],
    "queue": "reserved_resource_worker-0@pulp.example.com.dq",
    "task_type": "pulp.server.managers.repo.publish.publish",
    "finish_time": "2016-08-24T14:05:30Z",
    "worker_name": "reserved_resource_worker-0@pulp.example.com",
    "spawned_tasks": [

    ],
    "traceback": "Traceback (most recent call last):\n  File \"/usr/lib/python2.7/site-packages/celery/app/trace.py\", line 240, in trace_task\n    R = retval = fun(*args, **kwargs)\n  File \"/usr/lib/python2.7/site-packages/pulp/server/async/tasks.py\", line 488, in __call__\n    return super(Task, self).__call__(*args, **kwargs)\n  File \"/usr/lib/python2.7/site-packages/pulp/server/async/tasks.py\", line 103, in __call__\n    return super(PulpTask, self).__call__(*args, **kwargs)\n  File \"/usr/lib/python2.7/site-packages/celery/app/trace.py\", line 437, in __protected_call__\n    return self.run(*args, **kwargs)\n  File \"/usr/lib/python2.7/site-packages/pulp/server/controllers/repository.py\", line 971, in publish\n    result = check_publish(repo_obj, dist_id, dist_inst, transfer_repo, conduit, call_config)\n  File \"/usr/lib/python2.7/site-packages/pulp/server/controllers/repository.py\", line 1058, in check_publish\n    result = _do_publish(repo_obj, dist_id, dist_inst, transfer_repo, conduit, call_config)\n  File \"/usr/lib/python2.7/site-packages/pulp/server/controllers/repository.py\", line 1110, in _do_publish\n    publish_report = publish_repo(transfer_repo, conduit, call_config)\n  File \"/usr/lib/python2.7/site-packages/pulp/server/async/tasks.py\", line 673, in wrap_f\n    return f(*args, **kwargs)\n  File \"/usr/lib/python2.7/site-packages/pulp_rpm/plugins/distributors/rsync/distributor.py\", line 103, in publish_repo\n    return self._publisher.publish()\n  File \"/usr/lib/python2.7/site-packages/pulp/plugins/util/publish_step.py\", line 706, in publish\n    return self.process_lifecycle()\n  File \"/usr/lib/python2.7/site-packages/pulp/plugins/util/publish_step.py\", line 565, in process_lifecycle\n    super(PluginStep, self).process_lifecycle()\n  File \"/usr/lib/python2.7/site-packages/pulp/plugins/util/publish_step.py\", line 162, in process_lifecycle\n    step.process()\n  File 
\"/usr/lib/python2.7/site-packages/pulp/plugins/util/publish_step.py\", line 252, in process\n    self._process_block()\n  File \"/usr/lib/python2.7/site-packages/pulp/plugins/util/publish_step.py\", line 296, in _process_block\n    self.process_main()\n  File \"/usr/lib/python2.7/site-packages/pulp/plugins/rsync/publish.py\", line 258, in process_main\n    raise PulpCodedException(message=output)\nPulpCodedException: A general pulp exception occurred\n",
    "_id": {
        "$oid": "57bda9aaa08d37f219e616d9"
    },
    "start_time": "2016-08-24T14:05:30Z",
    "exception": null,
    "_href": "/pulp/api/v2/tasks/539f276e-f09c-41be-9995-3f0a55d904e3/",
    "error": {
        "data": {
            "message": "['rsync', '-avr', '-f+ */', '-e', u'ssh -l 4d7ca319-653 -i /tmp/tmp.S1kwTrndcn -o \"StrictHostKeyChecking no\" -o \"UserKnownHostsFile /dev/null\" -S /tmp/rsync_distributor-%r@%h:%p -o \"ControlMaster auto\" -o \"ControlPersist 10\"', u'/var/cache/pulp/reserved_resource_worker-0@pulp.example.com/539f276e-f09c-41be-9995-3f0a55d904e3/.tmp/', u'4d7ca319-653@pulp.example.com:/home/4d7ca319-653/']\nrsync: Failed to exec ssh: Permission denied (13)\nrsync error: error in IPC code (code 14) at pipe.c(85) [sender=3.1.1]\nrsync: connection unexpectedly closed (0 bytes received so far) [sender]\nrsync error: error in rsync protocol data stream (code 12) at io.c(226) [sender=3.1.1]\n"
        },
        "description": "A general pulp exception occurred",
        "code": "PLP0001",
        "sub_errors": [

        ]
    },
    "result": null,
    "task_id": "539f276e-f09c-41be-9995-3f0a55d904e3",
    "_ns": "task_status"
}

Here's lines from the system's journalctl:

Aug 24 10:05:30 pulp.example.com audit[7375]: AVC avc:  denied  { execute } for  pid=7375 comm="rsync" name="ssh" dev="dm-0" ino=542019 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=0
Aug 24 10:05:30 pulp.example.com pulp[6512]: pulp.plugins.rsync.publish:ERROR: (6512-54656) Cannot create directory content/units: ['rsync', '-avr', '-f+ */', '-e', u'ssh -l 4d7ca319-653 -i /tmp/tmp.S1kwTrndcn -o "StrictHostKeyChecking no" -o "UserKnownHostsFile /dev/null" -S /tmp/rsync_distributor-%r@%h:%p -o "ControlMaster auto" -o "ControlPersist 10"', u'/var/cache/pulp/reserved_resource_worker-0@pulp.example.com/539f276e-f09c-41be-9995-3f0a55d904e3/.tmp/', u'4d7ca319-653@pulp.example.com:/home/4d7ca319-653/']
Aug 24 10:05:30 pulp.example.com pulp[6512]: pulp.plugins.rsync.publish:ERROR: (6512-54656) rsync: Failed to exec ssh: Permission denied (13)
Aug 24 10:05:30 pulp.example.com pulp[6512]: pulp.plugins.rsync.publish:ERROR: (6512-54656) rsync error: error in IPC code (code 14) at pipe.c(85) [sender=3.1.1]
Aug 24 10:05:30 pulp.example.com pulp[6512]: pulp.plugins.rsync.publish:ERROR: (6512-54656) rsync: connection unexpectedly closed (0 bytes received so far) [sender]
Aug 24 10:05:30 pulp.example.com pulp[6512]: pulp.plugins.rsync.publish:ERROR: (6512-54656) rsync error: error in rsync protocol data stream (code 12) at io.c(226) [sender=3.1.1]
Aug 24 10:05:30 pulp.example.com pulp[6512]: pulp.plugins.rsync.publish:ERROR: (6512-54656)
Aug 24 10:05:30 pulp.example.com pulp[6512]: pulp.server.controllers.repository:ERROR: (6512-54656) Exception caught from plugin during publish for repo [8dc1bce0-e718-44a7-807b-f82918859466]
Aug 24 10:05:30 pulp.example.com pulp[6512]: pulp.server.controllers.repository:ERROR: (6512-54656) Traceback (most recent call last):
Aug 24 10:05:30 pulp.example.com pulp[6512]: pulp.server.controllers.repository:ERROR: (6512-54656)   File "/usr/lib/python2.7/site-packages/pulp/server/controllers/repository.py", line 1110, in _do_publish
Aug 24 10:05:30 pulp.example.com pulp[6512]: pulp.server.controllers.repository:ERROR: (6512-54656)     publish_report = publish_repo(transfer_repo, conduit, call_config)
Aug 24 10:05:30 pulp.example.com pulp[6512]: pulp.server.controllers.repository:ERROR: (6512-54656)   File "/usr/lib/python2.7/site-packages/pulp/server/async/tasks.py", line 673, in wrap_f
Aug 24 10:05:30 pulp.example.com pulp[6512]: pulp.server.controllers.repository:ERROR: (6512-54656)     return f(*args, **kwargs)
Aug 24 10:05:30 pulp.example.com pulp[6512]: pulp.server.controllers.repository:ERROR: (6512-54656)   File "/usr/lib/python2.7/site-packages/pulp_rpm/plugins/distributors/rsync/distributor.py", line 103, in publish_repo
Aug 24 10:05:30 pulp.example.com pulp[6512]: pulp.server.controllers.repository:ERROR: (6512-54656)     return self._publisher.publish()
Aug 24 10:05:30 pulp.example.com pulp[6512]: pulp.server.controllers.repository:ERROR: (6512-54656)   File "/usr/lib/python2.7/site-packages/pulp/plugins/util/publish_step.py", line 706, in publish
Aug 24 10:05:30 pulp.example.com pulp[6512]: pulp.server.controllers.repository:ERROR: (6512-54656)     return self.process_lifecycle()
Aug 24 10:05:30 pulp.example.com pulp[6512]: pulp.server.controllers.repository:ERROR: (6512-54656)   File "/usr/lib/python2.7/site-packages/pulp/plugins/util/publish_step.py", line 565, in process_lifecycle
Aug 24 10:05:30 pulp.example.com pulp[6512]: pulp.server.controllers.repository:ERROR: (6512-54656)     super(PluginStep, self).process_lifecycle()
Aug 24 10:05:30 pulp.example.com pulp[6512]: pulp.server.controllers.repository:ERROR: (6512-54656)   File "/usr/lib/python2.7/site-packages/pulp/plugins/util/publish_step.py", line 162, in process_lifecycle
Aug 24 10:05:30 pulp.example.com pulp[6512]: pulp.server.controllers.repository:ERROR: (6512-54656)     step.process()
Aug 24 10:05:30 pulp.example.com pulp[6512]: pulp.server.controllers.repository:ERROR: (6512-54656)   File "/usr/lib/python2.7/site-packages/pulp/plugins/util/publish_step.py", line 252, in process
Aug 24 10:05:30 pulp.example.com pulp[6512]: pulp.server.controllers.repository:ERROR: (6512-54656)     self._process_block()
Aug 24 10:05:30 pulp.example.com pulp[6512]: pulp.server.controllers.repository:ERROR: (6512-54656)   File "/usr/lib/python2.7/site-packages/pulp/plugins/util/publish_step.py", line 296, in _process_block
Aug 24 10:05:30 pulp.example.com pulp[6512]: pulp.server.controllers.repository:ERROR: (6512-54656)     self.process_main()
Aug 24 10:05:30 pulp.example.com pulp[6512]: pulp.server.controllers.repository:ERROR: (6512-54656)   File "/usr/lib/python2.7/site-packages/pulp/plugins/rsync/publish.py", line 258, in process_main
Aug 24 10:05:30 pulp.example.com pulp[6512]: pulp.server.controllers.repository:ERROR: (6512-54656)     raise PulpCodedException(message=output)
Aug 24 10:05:30 pulp.example.com pulp[6512]: pulp.server.controllers.repository:ERROR: (6512-54656) PulpCodedException: A general pulp exception occurred
Aug 24 10:05:30 pulp.example.com pulp[6512]: pulp.server.async.tasks:INFO: Task failed : [539f276e-f09c-41be-9995-3f0a55d904e3] : A general pulp exception occurred
Aug 24 10:05:30 pulp.example.com pulp[6216]: celery.worker.job:INFO: Task pulp.server.managers.repo.publish.publish[539f276e-f09c-41be-9995-3f0a55d904e3] raised expected: PulpCodedException()
Aug 24 10:05:30 pulp.example.com pulp[6216]: celery.worker.job:INFO: Task pulp.server.async.tasks._release_resource[5c7b5c36-e5b8-46a3-a5af-499a8bd8322a] succeeded in 0.00824501999978s: None

Actions #4

Updated by bmbouter over 7 years ago

The original SELinux failure was a denial when accessing rsync_exec_t. Now the failure is denied due to ssh_exec_t. So the fix given was right but it wasn't enough. In addition to the rsync_exec(celery_t) statement which was added we also need these:

auth_login_pgm_domain(celery_t)
files_write_var_dirs(celery_t)
ssh_exec(celery_t)

These Refpol statements allow a pretty broad set of SELinux permissions. @dkliban and I talked about it. We would be most comfortable making this an SELinux option that users could enable to have their system allow Pulp to do all of the things the rsync distributor needs. This option would default to false. Pulp already has an option like this for pulp_puppet for example [0]. It would also come with docs [1].

[0]: https://github.com/pulp/pulp/blob/e2db5a97fcc04e939af644050869451413053123/server/selinux/server/pulp-celery.te#L147-L157
[1]: http://docs.pulpproject.org/plugins/pulp_puppet/tech-reference/plugin_conf.html?highlight=pulp_manage_puppet#install-distributor
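
The two denials compared in the comment above can be pulled out of the surrounding journal output mechanically. The following Python sketch is an added example, not part of this issue thread or of Pulp's code: it parses the two AVC records quoted in this issue and renders the narrow type-enforcement rule each one corresponds to, for comparison with the broader refpolicy interfaces listed above. The function names are hypothetical, and the non-AVC sample lines are shortened from the excerpts.

```python
import re
from collections import defaultdict

# The two AVC records are copied from the journalctl excerpts in this issue.
# The pulp lines between them are shortened stand-ins for the surrounding noise.
SAMPLE_JOURNAL = """\
Aug 23 13:27:33 example.com audit[15241]: AVC avc:  denied  { getattr } for  pid=15241 comm="sh" path="/usr/bin/rsync" dev="dm-0" ino=8463536 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=0
Aug 23 13:27:33 example.com pulp[14570]: pulp.plugins.rsync.publish:ERROR: (14570-58144) /bin/sh: rsync: command not found
Aug 24 10:05:30 pulp.example.com audit[7375]: AVC avc:  denied  { execute } for  pid=7375 comm="rsync" name="ssh" dev="dm-0" ino=542019 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=0
Aug 24 10:05:30 pulp.example.com pulp[6512]: pulp.plugins.rsync.publish:ERROR: (6512-54656) rsync: Failed to exec ssh: Permission denied (13)
"""

# "avc:  denied  { perm ... } for  key=value key="quoted value" ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict describing one AVC denial, or None for any other line."""
    match = AVC_RE.search(line)
    if not match:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(match.group("fields"))}
    # A context is user:role:type:level; policy rules are written against the type.
    try:
        source = fields["scontext"].split(":")[2]
        target = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None  # truncated or malformed record
    return {
        "source": source,
        "target": target,
        "tclass": tclass,
        "perms": match.group("perms").split(),
        "comm": fields.get("comm"),
        # Some records carry a full path, others only the file name.
        "object": fields.get("path") or fields.get("name"),
        "enforced": fields.get("permissive") == "0",
    }


def summarize(journal_text):
    """Group denials by (source type, target type, class), merging permissions."""
    grouped = defaultdict(set)
    for line in journal_text.splitlines():
        record = parse_avc(line)
        if record:
            key = (record["source"], record["target"], record["tclass"])
            grouped[key].update(record["perms"])
    return {key: sorted(perms) for key, perms in grouped.items()}


def as_allow_rules(summary):
    """Render each group as the type-enforcement rule the denial corresponds to."""
    return [
        "allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(perms))
        for (src, tgt, cls), perms in sorted(summary.items())
    ]


if __name__ == "__main__":
    for rule in as_allow_rules(summarize(SAMPLE_JOURNAL)):
        print(rule)
```

Both records were logged with permissive=0, so each publish stopped at the first blocked operation; rules derived this way cover only the denials seen so far, not everything the rsync distributor needs.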

Actions #5

Updated by Ichimonji10 over 7 years ago

The linked-to documentation explains that two SELinux-related steps must be taken to use the puppet_install_distributor:

  • The pulp_manage_puppet policy must be enabled with # semanage boolean --modify --on pulp_manage_puppet.
  • The directories which are targeted by the puppet_install_distributor must have the puppet_etc_t label.

For the RPM rsync distributor, is it correct to say that the following steps must be taken?

  • The $policy_name policy must be enabled with # semanage boolean --modify --on "$policy_name".
  • If files are being written to a local directory, that directory must have the $label_name label.

Added by dkliban@redhat.com over 7 years ago

Revision 9ee26441 | View on GitHub

Adds an optional selinux boolean needed for using the rsync distributor

closes #2199 https://pulp.plan.io/issues/2199

Actions #6

Updated by dkliban@redhat.com over 7 years ago

  • Status changed from ASSIGNED to MODIFIED
  • % Done changed from 0 to 100

Actions #7

Updated by semyers over 7 years ago

  • Status changed from MODIFIED to 5

Actions #8

Updated by Ichimonji10 over 7 years ago

  • Status changed from 5 to 6

Verified against a Pulp 2.10.0 beta system provisioned this morning.

(pulp-smash2) [ichimonji10@beech:pulp-smash]$ python -m unittest2 pulp_smash.tests.rpm.api_v2.test_rsync_distributor
...s..s.
----------------------------------------------------------------------
Ran 8 tests in 476.062s

OK (skipped=2)
(pulp-smash2) [ichimonji10@beech:pulp-smash]$ git grep 2187
pulp_smash/tests/rpm/api_v2/test_rsync_distributor.py:    This test targets `Pulp #2187 <https://pulp.plan.io/issues/2187>`_.
pulp_smash/tests/rpm/api_v2/test_rsync_distributor.py:        if selectors.bug_is_untestable(2187, self.cfg.version):
pulp_smash/tests/rpm/api_v2/test_rsync_distributor.py:            self.skipTest('https://pulp.plan.io/issues/2187')
(pulp-smash2) [ichimonji10@beech:pulp-smash]$ git grep 2199
pulp_smash/tests/rpm/api_v2/test_rsync_distributor.py:    system if `Pulp #2199`_ is not yet fixed.
pulp_smash/tests/rpm/api_v2/test_rsync_distributor.py:    .. _Pulp #2199: https://pulp.plan.io/issues/2199
pulp_smash/tests/rpm/api_v2/test_rsync_distributor.py:        self.maybe_disable_selinux(self.cfg, 2199)
pulp_smash/tests/rpm/api_v2/test_rsync_distributor.py:        self.maybe_disable_selinux(self.cfg, 2199)
(pulp-smash2) [ichimonji10@beech:pulp-smash]$ ssh $hostname rpm -qa | sort | grep -i pulp                              
pulp-admin-client-2.10.0-0.4.beta.fc24.noarch
pulp-docker-admin-extensions-2.1.0-0.2.beta.fc24.noarch
pulp-docker-plugins-2.1.0-0.2.beta.fc24.noarch
pulp-ostree-admin-extensions-1.1.3-1.fc24.noarch
pulp-ostree-plugins-1.1.3-1.fc24.noarch
pulp-puppet-admin-extensions-2.10.0-0.1.beta.fc24.noarch
pulp-puppet-plugins-2.10.0-0.1.beta.fc24.noarch
pulp-python-admin-extensions-1.1.3-1.fc24.noarch
pulp-python-plugins-1.1.3-1.fc24.noarch
pulp-rpm-admin-extensions-2.10.0-0.4.beta.fc24.noarch
pulp-rpm-plugins-2.10.0-0.4.beta.fc24.noarch
pulp-selinux-2.10.0-0.4.beta.fc24.noarch
pulp-server-2.10.0-0.4.beta.fc24.noarch
python-kombu-3.0.33-6.pulp.fc24.noarch
python-pulp-bindings-2.10.0-0.4.beta.fc24.noarch
python-pulp-client-lib-2.10.0-0.4.beta.fc24.noarch
python-pulp-common-2.10.0-0.4.beta.fc24.noarch
python-pulp-docker-common-2.1.0-0.2.beta.fc24.noarch
python-pulp-oid_validation-2.10.0-0.4.beta.fc24.noarch
python-pulp-ostree-common-1.1.3-1.fc24.noarch
python-pulp-puppet-common-2.10.0-0.1.beta.fc24.noarch
python-pulp-python-common-1.1.3-1.fc24.noarch
python-pulp-repoauth-2.10.0-0.4.beta.fc24.noarch
python-pulp-rpm-common-2.10.0-0.4.beta.fc24.noarch
python-pulp-streamer-2.10.0-0.4.beta.fc24.noarch

Added by dkliban@redhat.com over 7 years ago

Revision 58657ea0 | View on GitHub

Additional documentation for rsync distributors

re #2199 https://pulp.plan.io/issues/2199

Added by dkliban@redhat.com over 7 years ago

Revision 6029be8f | View on GitHub

Additional documentation for rsync distributor

re #2199 https://pulp.plan.io/issues/2199

Actions #9

Updated by semyers over 7 years ago

  • Status changed from 6 to CLOSED - CURRENTRELEASE

Actions #11

Updated by bmbouter about 5 years ago

  • Tags Pulp 2 added
