Issue #2199 (closed): The RPM rsync distributor breaks when SELinux is enabled
Severity: 2. Medium
Version: 2.10.0
Platform Release: 2.10.0
Triaged: No
Groomed: No
Sprint Candidate: No
Tags: Pulp 2
Description
The RPM rsync distributor makes a call to the system's rsync executable when performing a publish. Unfortunately, SELinux denies access to this executable, thus breaking publishes. Here's an example of a task report returned by Pulp, as JSON:
{
"result": null,
"traceback": "Traceback (most recent call last):\n File \"/usr/lib/python2.7/site-packages/celery/app/trace.py\", line 240, in trace_task\n R = retval = fun(*args, **kwargs)\n File \"/usr/lib/python2.7/site-packages/pulp/server/async/tasks.py\", line 488, in __call__\n return super(Task, self).__call__(*args, **kwargs)\n File \"/usr/lib/python2.7/site-packages/pulp/server/async/tasks.py\", line 103, in __call__\n return super(PulpTask, self).__call__(*args, **kwargs)\n File \"/usr/lib/python2.7/site-packages/celery/app/trace.py\", line 437, in __protected_call__\n return self.run(*args, **kwargs)\n File \"/usr/lib/python2.7/site-packages/pulp/server/controllers/repository.py\", line 971, in publish\n result = check_publish(repo_obj, dist_id, dist_inst, transfer_repo, conduit, call_config)\n File \"/usr/lib/python2.7/site-packages/pulp/server/controllers/repository.py\", line 1058, in check_publish\n result = _do_publish(repo_obj, dist_id, dist_inst, transfer_repo, conduit, call_config)\n File \"/usr/lib/python2.7/site-packages/pulp/server/controllers/repository.py\", line 1110, in _do_publish\n publish_report = publish_repo(transfer_repo, conduit, call_config)\n File \"/usr/lib/python2.7/site-packages/pulp/server/async/tasks.py\", line 673, in wrap_f\n return f(*args, **kwargs)\n File \"/usr/lib/python2.7/site-packages/pulp_rpm/plugins/distributors/rsync/distributor.py\", line 103, in publish_repo\n return self._publisher.publish()\n File \"/usr/lib/python2.7/site-packages/pulp/plugins/util/publish_step.py\", line 706, in publish\n return self.process_lifecycle()\n File \"/usr/lib/python2.7/site-packages/pulp/plugins/util/publish_step.py\", line 565, in process_lifecycle\n super(PluginStep, self).process_lifecycle()\n File \"/usr/lib/python2.7/site-packages/pulp/plugins/util/publish_step.py\", line 162, in process_lifecycle\n step.process()\n File \"/usr/lib/python2.7/site-packages/pulp/plugins/util/publish_step.py\", line 252, in process\n self._process_block()\n File \"/usr/lib/python2.7/site-packages/pulp/plugins/util/publish_step.py\", line 296, in _process_block\n self.process_main()\n File \"/usr/lib/python2.7/site-packages/pulp/plugins/rsync/publish.py\", line 258, in process_main\n raise PulpCodedException(message=output)\nPulpCodedException: A general pulp exception occurred\n",
"task_id": "cee65454-678d-4373-99a9-27e697cea085",
"queue": "reserved_resource_worker-1@example.com.dq",
"spawned_tasks": [
],
"_ns": "task_status",
"error": {
"code": "PLP0001",
"data": {
"message": "['rsync', '-avr', '-f+ */', '-e', u'ssh -l 8bd20361-e96 -i /tmp/tmp.6gOrR10gV2 -o \"StrictHostKeyChecking no\" -o \"UserKnownHostsFile /dev/null\" -S /tmp/rsync_distributor-%r@%h:%p -o \"ControlMaster auto\" -o \"ControlPersist 10\"', u'/var/cache/pulp/reserved_resource_worker-1@example.com/cee65454-678d-4373-99a9-27e697cea085/.tmp/', u'8bd20361-e96@example.com:/home/8bd20361-e96/']\n/bin/sh: rsync: command not found\n"
},
"sub_errors": [
],
"description": "A general pulp exception occurred"
},
"exception": null,
"id": "57bb36d5973880727d8938fb",
"tags": [
"pulp:repository:31f091e3-a637-4bd3-9e35-46569a77c8a2",
"pulp:action:publish"
],
"finish_time": "2016-08-22T17:31:02Z",
"start_time": "2016-08-22T17:31:01Z",
"worker_name": "reserved_resource_worker-1@example.com",
"task_type": "pulp.server.managers.repo.publish.publish",
"_id": {
"$oid": "57bb36d5973880727d8938fb"
},
"progress_report": {
"38b1659d-6c6e-451e-8a1f-5f3b51c5a497": [
{
"items_total": 32,
"description": "",
"num_failures": 0,
"num_processed": 32,
"details": "",
"error_details": [
],
"num_success": 32,
"step_type": "Unit query step (rpm, drpm, srpm)",
"state": "FINISHED",
"step_id": "5635cf7c-1af3-40ea-a0a1-4fecb08dbfda"
},
{
"items_total": 1,
"description": "Rsync files to remote destination",
"num_failures": 1,
"num_processed": 1,
"details": "",
"error_details": [
{
"traceback": " File \"/usr/lib/python2.7/site-packages/pulp/plugins/util/publish_step.py\", line 252, in process\n self._process_block()\n\n File \"/usr/lib/python2.7/site-packages/pulp/plugins/util/publish_step.py\", line 296, in _process_block\n self.process_main()\n\n File \"/usr/lib/python2.7/site-packages/pulp/plugins/rsync/publish.py\", line 258, in process_main\n raise PulpCodedException(message=output)\n",
"error": "A general pulp exception occurred"
}
],
"num_success": 0,
"step_type": "Rsync step (origin)",
"state": "FAILED",
"step_id": "d7962956-a7d8-4bcc-848a-cc8311f01103"
},
{
"items_total": 1,
"description": "Rsync files to remote destination",
"num_failures": 0,
"num_processed": 0,
"details": "",
"error_details": [
],
"num_success": 0,
"step_type": "Rsync step (content)",
"state": "NOT_STARTED",
"step_id": "c9510095-f5b2-4b3c-95e1-60aae2dfba2a"
},
{
"items_total": 1,
"description": "Rsync files to remote destination",
"num_failures": 0,
"num_processed": 0,
"details": "",
"error_details": [
],
"num_success": 0,
"step_type": "Rsync step (repodata)",
"state": "NOT_STARTED",
"step_id": "3b5aa0ab-e046-4639-ae81-ed938f2b6d84"
}
]
},
"_href": "/pulp/api/v2/tasks/cee65454-678d-4373-99a9-27e697cea085/",
"state": "error"
}
Here's a snippet from journalctl:
Aug 23 13:27:33 example.com audit[15241]: AVC avc: denied { getattr } for pid=15241 comm="sh" path="/usr/bin/rsync" dev="dm-0" ino=8463536 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=0
Aug 23 13:27:33 example.com pulp[14570]: pulp.plugins.rsync.publish:ERROR: (14570-58144) Cannot create directory content/units: ['rsync', '-avr', '-f+ */', '-e', u'ssh -l 9a36508d-b5b -i /tmp/tmp.PVTsry5iU7 -o "StrictHostKeyChecking no" -o "UserKnownHostsFile /dev/null" -S /tmp/rsync_distributor-%r@%h:%p -o "ControlMaster auto" -o "ControlPersist 10"', u'/var/cache/pulp/reserved_resource_worker-1@example.com/ea1743f9-bc09-4610-a01a-f9091df971e9/.tmp/', u'9a36508d-b5b@example.com:/home/9a36508d-b5b/']
Aug 23 13:27:33 example.com pulp[14570]: pulp.plugins.rsync.publish:ERROR: (14570-58144) /bin/sh: rsync: command not found
Aug 23 13:27:33 example.com pulp[14570]: pulp.plugins.rsync.publish:ERROR: (14570-58144)
Aug 23 13:27:33 example.com pulp[14570]: pulp.server.controllers.repository:ERROR: (14570-58144) Exception caught from plugin during publish for repo [4306bd6f-4735-452e-af73-3060a202d16e]
Aug 23 13:27:33 example.com pulp[14570]: pulp.server.controllers.repository:ERROR: (14570-58144) Traceback (most recent call last):
Aug 23 13:27:33 example.com pulp[14570]: pulp.server.controllers.repository:ERROR: (14570-58144) File "/usr/lib/python2.7/site-packages/pulp/server/controllers/repository.py", line 1110, in _do_publish
Aug 23 13:27:33 example.com pulp[14570]: pulp.server.controllers.repository:ERROR: (14570-58144) publish_report = publish_repo(transfer_repo, conduit, call_config)
Aug 23 13:27:33 example.com pulp[14570]: pulp.server.controllers.repository:ERROR: (14570-58144) File "/usr/lib/python2.7/site-packages/pulp/server/async/tasks.py", line 673, in wrap_f
Aug 23 13:27:33 example.com pulp[14570]: pulp.server.controllers.repository:ERROR: (14570-58144) return f(*args, **kwargs)
Aug 23 13:27:33 example.com pulp[14570]: pulp.server.controllers.repository:ERROR: (14570-58144) File "/usr/lib/python2.7/site-packages/pulp_rpm/plugins/distributors/rsync/distributor.py", line 103, in publish_repo
Aug 23 13:27:33 example.com pulp[14570]: pulp.server.controllers.repository:ERROR: (14570-58144) return self._publisher.publish()
Aug 23 13:27:33 example.com pulp[14570]: pulp.server.controllers.repository:ERROR: (14570-58144) File "/usr/lib/python2.7/site-packages/pulp/plugins/util/publish_step.py", line 706, in publish
Aug 23 13:27:33 example.com pulp[14570]: pulp.server.controllers.repository:ERROR: (14570-58144) return self.process_lifecycle()
Aug 23 13:27:33 example.com pulp[14570]: pulp.server.controllers.repository:ERROR: (14570-58144) File "/usr/lib/python2.7/site-packages/pulp/plugins/util/publish_step.py", line 565, in process_lifecycle
Aug 23 13:27:33 example.com pulp[14570]: pulp.server.controllers.repository:ERROR: (14570-58144) super(PluginStep, self).process_lifecycle()
Aug 23 13:27:33 example.com pulp[14570]: pulp.server.controllers.repository:ERROR: (14570-58144) File "/usr/lib/python2.7/site-packages/pulp/plugins/util/publish_step.py", line 162, in process_lifecycle
Aug 23 13:27:33 example.com pulp[14570]: pulp.server.controllers.repository:ERROR: (14570-58144) step.process()
Aug 23 13:27:33 example.com pulp[14570]: pulp.server.controllers.repository:ERROR: (14570-58144) File "/usr/lib/python2.7/site-packages/pulp/plugins/util/publish_step.py", line 252, in process
Aug 23 13:27:33 example.com pulp[14570]: pulp.server.controllers.repository:ERROR: (14570-58144) self._process_block()
Aug 23 13:27:33 example.com pulp[14570]: pulp.server.controllers.repository:ERROR: (14570-58144) File "/usr/lib/python2.7/site-packages/pulp/plugins/util/publish_step.py", line 296, in _process_block
Aug 23 13:27:33 example.com pulp[14570]: pulp.server.controllers.repository:ERROR: (14570-58144) self.process_main()
Aug 23 13:27:33 example.com pulp[14570]: pulp.server.controllers.repository:ERROR: (14570-58144) File "/usr/lib/python2.7/site-packages/pulp/plugins/rsync/publish.py", line 258, in process_main
Aug 23 13:27:33 example.com pulp[14570]: pulp.server.controllers.repository:ERROR: (14570-58144) raise PulpCodedException(message=output)
Aug 23 13:27:33 example.com pulp[14570]: pulp.server.controllers.repository:ERROR: (14570-58144) PulpCodedException: A general pulp exception occurred
Aug 23 13:27:33 example.com pulp[14570]: pulp.server.async.tasks:INFO: Task failed : [ea1743f9-bc09-4610-a01a-f9091df971e9] : A general pulp exception occurred
Aug 23 13:27:33 example.com pulp[14224]: celery.worker.job:INFO: Task pulp.server.managers.repo.publish.publish[ea1743f9-bc09-4610-a01a-f9091df971e9] raised expected: PulpCodedException()
Aug 23 13:27:33 example.com pulp[14224]: celery.worker.job:INFO: Task pulp.server.async.tasks._release_resource[632cb720-76ab-4ea1-ad7d-ffd04e099008] succeeded in 0.00821788801113s: None
Here's the Pulp Smash test for this issue: http://pulp-smash.readthedocs.io/en/latest/api/pulp_smash.tests.rpm.api_v2.test_rsync_distributor.html#pulp_smash.tests.rpm.api_v2.test_rsync_distributor.PublishTestCase
celery_t can now exec rsync_exec_t
The rsync distributors need to execute the rsync binary. The call to rsync_exec allows the celery_t security context to make that call.
https://pulp.plan.io/issues/2196 closes #2196
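
An added example, not part of the original issue or the Pulp code base: a small Python parser that pulls the source and target SELinux types out of AVC denial lines like the one in the journalctl snippet above, so the denied access (celery_t on rsync_exec_t) can be read off directly. The function names and the two-line sample are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC record quoted in the issue, plus the worker
# error that was logged in the same second.
SAMPLE_JOURNAL = """\
Aug 23 13:27:33 example.com audit[15241]: AVC avc: denied { getattr } for pid=15241 comm="sh" path="/usr/bin/rsync" dev="dm-0" ino=8463536 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:rsync_exec_t:s0 tclass=file permissive=0
Aug 23 13:27:33 example.com pulp[14570]: pulp.plugins.rsync.publish:ERROR: (14570-58144) /bin/sh: rsync: command not found
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type:level; policy rules are written against the type.
    rec["source_type"] = rec["scontext"].split(":")[2]
    rec["target_type"] = rec["tcontext"].split(":")[2]
    # permissive=0 means the denial was enforced, not just logged.
    rec["enforced"] = rec.get("permissive") == "0"
    return rec


def summarize(journal_text):
    """Group enforced denials: (source type, target type, class) -> set of perms."""
    denied = defaultdict(set)
    for line in journal_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["enforced"]:
            key = (rec["source_type"], rec["target_type"], rec["tclass"])
            denied[key].update(rec["perms"])
    return dict(denied)


if __name__ == "__main__":
    for (src, tgt, cls), perms in summarize(SAMPLE_JOURNAL).items():
        print(f"{src} -> {tgt}:{cls} denied {{ {' '.join(sorted(perms))} }}")
```
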