Issue #2961

closed

Pulp 2.14 broken on Fedora 26

Added by Ichimonji10 over 7 years ago. Updated over 5 years ago.

Status: CLOSED - CURRENTRELEASE
Priority: High
Assignee: -
Category: -
Sprint/Milestone: -
Severity: 3. High
Version: 2.14.0
Platform Release: 2.14.1
Triaged: Yes
Groomed: No
Sprint Candidate: No
Tags: Pulp 2
Sprint: Sprint 25

Description

Pulp 2.14 beta 3 cannot successfully be installed and used on Fedora 26 using pulp_packaging. A couple changes have already been made to make Pulp 2.14 beta 3 installable on Fedora 26 using pulp_packaging:

With these changes in place, this error (and many more) is logged when Pulp starts up:

Aug 07 15:05:38 fedora-26-pulp-2-14-beta pulp[31876]: pulp.server.webservices.middleware.exception:ERROR: Unhandled Exception
Aug 07 15:05:38 fedora-26-pulp-2-14-beta pulp[31876]: pulp.server.webservices.middleware.exception:ERROR: (31876-77952) error signing cert request: Signature ok
Aug 07 15:05:38 fedora-26-pulp-2-14-beta pulp[31876]: pulp.server.webservices.middleware.exception:ERROR: (31876-77952) subject=CN = admin:admin:5988b93144e534662b1fc1a2
Aug 07 15:05:38 fedora-26-pulp-2-14-beta pulp[31876]: pulp.server.webservices.middleware.exception:ERROR: (31876-77952) Getting CA Private Key
Aug 07 15:05:38 fedora-26-pulp-2-14-beta pulp[31876]: pulp.server.webservices.middleware.exception:ERROR: (31876-77952) Can't open /etc/pki/pulp/ca.key for reading, Permission denied
Aug 07 15:05:38 fedora-26-pulp-2-14-beta pulp[31876]: pulp.server.webservices.middleware.exception:ERROR: (31876-77952) 139724785673984:error:0200100D:system library:fopen:Permission denied:crypto/bio/bss_file.c:74:fopen('/etc/pki/pulp/ca.key','r')
Aug 07 15:05:38 fedora-26-pulp-2-14-beta pulp[31876]: pulp.server.webservices.middleware.exception:ERROR: (31876-77952) 139724785673984:error:2006D002:BIO routines:BIO_new_file:system lib:crypto/bio/bss_file.c:83:
Aug 07 15:05:38 fedora-26-pulp-2-14-beta pulp[31876]: pulp.server.webservices.middleware.exception:ERROR: (31876-77952) unable to load CA Private Key
Aug 07 15:05:38 fedora-26-pulp-2-14-beta pulp[31876]: pulp.server.webservices.middleware.exception:ERROR: (31876-77952) unable to write 'random state'
Aug 07 15:05:38 fedora-26-pulp-2-14-beta pulp[31876]: pulp.server.webservices.middleware.exception:ERROR: (31876-77952)
Aug 07 15:05:38 fedora-26-pulp-2-14-beta pulp[31876]: pulp.server.webservices.middleware.exception:ERROR: (31876-77952) Traceback (most recent call last):
Aug 07 15:05:38 fedora-26-pulp-2-14-beta pulp[31876]: pulp.server.webservices.middleware.exception:ERROR: (31876-77952)   File "/usr/lib/python2.7/site-packages/django/core/handlers/base.py", line 185, in _get_response
Aug 07 15:05:38 fedora-26-pulp-2-14-beta pulp[31876]: pulp.server.webservices.middleware.exception:ERROR: (31876-77952)     response = wrapped_callback(request, *callback_args, **callback_kwargs)
Aug 07 15:05:38 fedora-26-pulp-2-14-beta pulp[31876]: pulp.server.webservices.middleware.exception:ERROR: (31876-77952)   File "/usr/lib/python2.7/site-packages/django/views/generic/base.py", line 68, in view
Aug 07 15:05:38 fedora-26-pulp-2-14-beta pulp[31876]: pulp.server.webservices.middleware.exception:ERROR: (31876-77952)     return self.dispatch(request, *args, **kwargs)
Aug 07 15:05:38 fedora-26-pulp-2-14-beta pulp[31876]: pulp.server.webservices.middleware.exception:ERROR: (31876-77952)   File "/usr/lib/python2.7/site-packages/django/views/generic/base.py", line 88, in dispatch
Aug 07 15:05:38 fedora-26-pulp-2-14-beta pulp[31876]: pulp.server.webservices.middleware.exception:ERROR: (31876-77952)     return handler(request, *args, **kwargs)
Aug 07 15:05:38 fedora-26-pulp-2-14-beta pulp[31876]: pulp.server.webservices.middleware.exception:ERROR: (31876-77952)   File "/usr/lib/python2.7/site-packages/pulp/server/webservices/views/decorators.py", line 241, in _auth_decorator
Aug 07 15:05:38 fedora-26-pulp-2-14-beta pulp[31876]: pulp.server.webservices.middleware.exception:ERROR: (31876-77952)     return _verify_auth(self, operation, super_user_only, method, *args, **kwargs)
Aug 07 15:05:38 fedora-26-pulp-2-14-beta pulp[31876]: pulp.server.webservices.middleware.exception:ERROR: (31876-77952)   File "/usr/lib/python2.7/site-packages/pulp/server/webservices/views/decorators.py", line 195, in _verify_auth
Aug 07 15:05:38 fedora-26-pulp-2-14-beta pulp[31876]: pulp.server.webservices.middleware.exception:ERROR: (31876-77952)     value = method(self, *args, **kwargs)
Aug 07 15:05:38 fedora-26-pulp-2-14-beta pulp[31876]: pulp.server.webservices.middleware.exception:ERROR: (31876-77952)   File "/usr/lib/python2.7/site-packages/pulp/server/webservices/views/root_actions.py", line 25, in post
Aug 07 15:05:38 fedora-26-pulp-2-14-beta pulp[31876]: pulp.server.webservices.middleware.exception:ERROR: (31876-77952)     key, certificate = factory.cert_generation_manager().make_admin_user_cert(user)
Aug 07 15:05:38 fedora-26-pulp-2-14-beta pulp[31876]: pulp.server.webservices.middleware.exception:ERROR: (31876-77952)   File "/usr/lib/python2.7/site-packages/pulp/server/managers/auth/cert/cert_generator.py", line 31, in make_admin_user_cert
Aug 07 15:05:38 fedora-26-pulp-2-14-beta pulp[31876]: pulp.server.webservices.middleware.exception:ERROR: (31876-77952)     return self.make_cert(self.encode_admin_user(user), expiration)
Aug 07 15:05:38 fedora-26-pulp-2-14-beta pulp[31876]: pulp.server.webservices.middleware.exception:ERROR: (31876-77952)   File "/usr/lib/python2.7/site-packages/pulp/server/managers/auth/cert/cert_generator.py", line 85, in make_cert
Aug 07 15:05:38 fedora-26-pulp-2-14-beta pulp[31876]: pulp.server.webservices.middleware.exception:ERROR: (31876-77952)     raise Exception("error signing cert request: %%s" %% output)
Aug 07 15:05:38 fedora-26-pulp-2-14-beta pulp[31876]: pulp.server.webservices.middleware.exception:ERROR: (31876-77952) Exception: error signing cert request: Signature ok
Aug 07 15:05:38 fedora-26-pulp-2-14-beta pulp[31876]: pulp.server.webservices.middleware.exception:ERROR: (31876-77952) subject=CN = admin:admin:5988b93144e534662b1fc1a2
Aug 07 15:05:38 fedora-26-pulp-2-14-beta pulp[31876]: pulp.server.webservices.middleware.exception:ERROR: (31876-77952) Getting CA Private Key
Aug 07 15:05:38 fedora-26-pulp-2-14-beta pulp[31876]: pulp.server.webservices.middleware.exception:ERROR: (31876-77952) Can't open /etc/pki/pulp/ca.key for reading, Permission denied
Aug 07 15:05:38 fedora-26-pulp-2-14-beta pulp[31876]: pulp.server.webservices.middleware.exception:ERROR: (31876-77952) 139724785673984:error:0200100D:system library:fopen:Permission denied:crypto/bio/bss_file.c:74:fopen('/etc/pki/pulp/ca.key','r')
Aug 07 15:05:38 fedora-26-pulp-2-14-beta pulp[31876]: pulp.server.webservices.middleware.exception:ERROR: (31876-77952) 139724785673984:error:2006D002:BIO routines:BIO_new_file:system lib:crypto/bio/bss_file.c:83:
Aug 07 15:05:38 fedora-26-pulp-2-14-beta pulp[31876]: pulp.server.webservices.middleware.exception:ERROR: (31876-77952) unable to load CA Private Key
Aug 07 15:05:38 fedora-26-pulp-2-14-beta pulp[31876]: pulp.server.webservices.middleware.exception:ERROR: (31876-77952) unable to write 'random state'
Aug 07 15:05:38 fedora-26-pulp-2-14-beta pulp[31876]: pulp.server.webservices.middleware.exception:ERROR: (31876-77952)

It looks like /etc/pki/pulp/ca.key is unreadable:

[root@fedora-26-pulp-2-14-beta ~]# ls -laZ /etc/pki/pulp/
total 16
drwxr-xr-x.  3 root   root   system_u:object_r:pulp_cert_t:s0       83 Aug  7 15:02 .
drwxr-xr-x. 10 root   root   system_u:object_r:cert_t:s0           110 Aug  7 15:04 ..
-rw-r-----.  1 root   apache unconfined_u:object_r:pulp_cert_t:s0 1753 Aug  7 15:02 ca.crt
-rw-------.  1 root   apache unconfined_u:object_r:pulp_cert_t:s0 3247 Aug  7 15:02 ca.key
drwxr-xr-x.  2 apache apache system_u:object_r:pulp_cert_t:s0        6 Aug  2 12:44 content
-rw-r-----.  1 root   apache unconfined_u:object_r:pulp_cert_t:s0 1679 Aug  7 15:02 rsa.key
-rw-r--r--.  1 root   apache unconfined_u:object_r:pulp_cert_t:s0  451 Aug  7 15:02 rsa_pub.key

A work-around is to execute the following:

chmod g+r /etc/pki/pulp/ca.key
systemctl restart httpd pulp_{celerybeat,resource_manager,workers}

This done, Pulp will start, but different errors will start being logged. For example:

Aug 07 15:19:06 fedora-26-pulp-2-14-beta audit[954]: AVC avc:  denied  { read } for  pid=954 comm="pulp_streamer" name="cpu" dev="sysfs" ino=33 scontext=system_u:system_r:streamer_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=0
Aug 07 15:19:07 fedora-26-pulp-2-14-beta audit[958]: AVC avc:  denied  { read } for  pid=958 comm="celery" name="cpu" dev="sysfs" ino=33 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=0
Aug 07 15:19:07 fedora-26-pulp-2-14-beta audit[978]: AVC avc:  denied  { read } for  pid=978 comm="celery" name="cpu" dev="sysfs" ino=33 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=0
Aug 07 15:19:07 fedora-26-pulp-2-14-beta audit[959]: AVC avc:  denied  { read } for  pid=959 comm="celery" name="cpu" dev="sysfs" ino=33 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=0

And:

Aug 07 15:19:09 fedora-26-pulp-2-14-beta audit[978]: AVC avc:  denied  { getattr } for  pid=978 comm="celery" name="/" dev="tmpfs" ino=10791 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0
Aug 07 15:19:09 fedora-26-pulp-2-14-beta audit[978]: AVC avc:  denied  { getattr } for  pid=978 comm="celery" name="/" dev="tmpfs" ino=10791 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0
Aug 07 15:19:09 fedora-26-pulp-2-14-beta audit[978]: AVC avc:  denied  { getattr } for  pid=978 comm="celery" name="/" dev="tmpfs" ino=10793 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0
Aug 07 15:19:09 fedora-26-pulp-2-14-beta audit[978]: AVC avc:  denied  { getattr } for  pid=978 comm="celery" name="/" dev="tmpfs" ino=10794 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0
Aug 07 15:19:09 fedora-26-pulp-2-14-beta audit[978]: AVC avc:  denied  { getattr } for  pid=978 comm="celery" name="/" dev="tmpfs" ino=18993 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0
Aug 07 15:19:09 fedora-26-pulp-2-14-beta pulp[978]: celery.worker:CRITICAL: (978-64480) Unrecoverable error: OSError(38, 'Function not implemented')
Aug 07 15:19:09 fedora-26-pulp-2-14-beta pulp[978]: celery.worker:CRITICAL: (978-64480) Traceback (most recent call last):
Aug 07 15:19:09 fedora-26-pulp-2-14-beta pulp[978]: celery.worker:CRITICAL: (978-64480)   File "/usr/lib/python2.7/site-packages/celery/worker/worker.py", line 203, in start
Aug 07 15:19:09 fedora-26-pulp-2-14-beta pulp[978]: celery.worker:CRITICAL: (978-64480)     self.blueprint.start(self)
Aug 07 15:19:09 fedora-26-pulp-2-14-beta pulp[978]: celery.worker:CRITICAL: (978-64480)   File "/usr/lib/python2.7/site-packages/celery/bootsteps.py", line 119, in start
Aug 07 15:19:09 fedora-26-pulp-2-14-beta pulp[978]: celery.worker:CRITICAL: (978-64480)     step.start(parent)
Aug 07 15:19:09 fedora-26-pulp-2-14-beta pulp[978]: celery.worker:CRITICAL: (978-64480)   File "/usr/lib/python2.7/site-packages/celery/bootsteps.py", line 370, in start
Aug 07 15:19:09 fedora-26-pulp-2-14-beta pulp[978]: celery.worker:CRITICAL: (978-64480)     return self.obj.start()
Aug 07 15:19:09 fedora-26-pulp-2-14-beta pulp[978]: celery.worker:CRITICAL: (978-64480)   File "/usr/lib/python2.7/site-packages/celery/concurrency/base.py", line 131, in start
Aug 07 15:19:09 fedora-26-pulp-2-14-beta pulp[978]: celery.worker:CRITICAL: (978-64480)     self.on_start()
Aug 07 15:19:09 fedora-26-pulp-2-14-beta pulp[978]: celery.worker:CRITICAL: (978-64480)   File "/usr/lib/python2.7/site-packages/celery/concurrency/prefork.py", line 112, in on_start
Aug 07 15:19:09 fedora-26-pulp-2-14-beta pulp[978]: celery.worker:CRITICAL: (978-64480)     **self.options)
Aug 07 15:19:09 fedora-26-pulp-2-14-beta pulp[978]: celery.worker:CRITICAL: (978-64480)   File "/usr/lib64/python2.7/site-packages/billiard/pool.py", line 952, in __init__
Aug 07 15:19:09 fedora-26-pulp-2-14-beta audit[958]: AVC avc:  denied  { getattr } for  pid=958 comm="celery" name="/" dev="tmpfs" ino=10791 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0
Aug 07 15:19:09 fedora-26-pulp-2-14-beta pulp[978]: celery.worker:CRITICAL: (978-64480)     self._setup_queues()
Aug 07 15:19:09 fedora-26-pulp-2-14-beta pulp[978]: celery.worker:CRITICAL: (978-64480)   File "/usr/lib64/python2.7/site-packages/billiard/pool.py", line 1321, in _setup_queues
Aug 07 15:19:09 fedora-26-pulp-2-14-beta pulp[978]: celery.worker:CRITICAL: (978-64480)     self._inqueue = self._ctx.SimpleQueue()
Aug 07 15:19:09 fedora-26-pulp-2-14-beta pulp[978]: celery.worker:CRITICAL: (978-64480)   File "/usr/lib64/python2.7/site-packages/billiard/context.py", line 150, in SimpleQueue
Aug 07 15:19:09 fedora-26-pulp-2-14-beta pulp[978]: celery.worker:CRITICAL: (978-64480)     return SimpleQueue(ctx=self.get_context())
Aug 07 15:19:09 fedora-26-pulp-2-14-beta pulp[978]: celery.worker:CRITICAL: (978-64480)   File "/usr/lib64/python2.7/site-packages/billiard/queues.py", line 377, in __init__
Aug 07 15:19:09 fedora-26-pulp-2-14-beta pulp[978]: celery.worker:CRITICAL: (978-64480)     self._rlock = ctx.Lock()
Aug 07 15:19:09 fedora-26-pulp-2-14-beta pulp[978]: celery.worker:CRITICAL: (978-64480)   File "/usr/lib64/python2.7/site-packages/billiard/context.py", line 105, in Lock
Aug 07 15:19:09 fedora-26-pulp-2-14-beta pulp[978]: celery.worker:CRITICAL: (978-64480)     return Lock(ctx=self.get_context())
Aug 07 15:19:09 fedora-26-pulp-2-14-beta pulp[978]: celery.worker:CRITICAL: (978-64480)   File "/usr/lib64/python2.7/site-packages/billiard/synchronize.py", line 182, in __init__
Aug 07 15:19:09 fedora-26-pulp-2-14-beta pulp[978]: celery.worker:CRITICAL: (978-64480)     SemLock.__init__(self, SEMAPHORE, 1, 1, ctx=ctx)
Aug 07 15:19:09 fedora-26-pulp-2-14-beta pulp[978]: celery.worker:CRITICAL: (978-64480)   File "/usr/lib64/python2.7/site-packages/billiard/synchronize.py", line 72, in __init__

...and on it goes. I'm not sure which messages are important. The important bit is that Pulp is still screwed up after making /etc/pki/pulp/ca.key group-readable. One can try to work around this by disabling SELinux:

setenforce 0
echo > /var/log/audit/audit.log
semodule -R
systemctl restart httpd pulp_{celerybeat,resource_manager,workers}

This does produce a glorious amount of output:

[root@fedora-26-pulp-2-14-beta pulp]# audit2allow -al

#============= celery_t ==============
allow celery_t self:process execmem;
allow celery_t sysfs_t:dir read;
allow celery_t tmpfs_t:dir { add_name remove_name write };
allow celery_t tmpfs_t:file { create getattr link open read unlink write };
allow celery_t tmpfs_t:filesystem getattr;
[root@fedora-26-pulp-2-14-beta pulp]# audit2allow -Ral
could not open interface info [/var/lib/sepolgen/interface_info]
[root@fedora-26-pulp-2-14-beta pulp]# cat /var/log/audit/audit.log

type=USER_AVC msg=audit(1502136922.763:275): pid=671 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received policyload notice (seqno=2)  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=MAC_POLICY_LOAD msg=audit(1502136922.771:276): policy loaded auid=0 ses=1
type=USER_AVC msg=audit(1502136924.854:277): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=2)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=SERVICE_STOP msg=audit(1502136925.402:278): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pulp_celerybeat comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1502136925.404:279): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pulp_celerybeat comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1502136925.816:280): avc:  denied  { read } for  pid=2115 comm="celery" name="cpu" dev="sysfs" ino=33 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=1
type=SERVICE_STOP msg=audit(1502136926.651:281): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=httpd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1502136926.702:282): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=httpd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1502136927.385:283): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pulp_resource_manager comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1502136927.386:284): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pulp_resource_manager comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1502136932.568:285): avc:  denied  { getattr } for  pid=2193 comm="celery" name="/" dev="tmpfs" ino=10791 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(1502136932.568:286): avc:  denied  { write } for  pid=2193 comm="celery" name="/" dev="tmpfs" ino=10791 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1502136932.568:287): avc:  denied  { add_name } for  pid=2193 comm="celery" name="vcJczy" scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1502136932.568:288): avc:  denied  { create } for  pid=2193 comm="celery" name="vcJczy" scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1502136932.568:289): avc:  denied  { read write open } for  pid=2193 comm="celery" path="/dev/shm/vcJczy" dev="tmpfs" ino=55350 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1502136932.568:290): avc:  denied  { link } for  pid=2193 comm="celery" name="vcJczy" dev="tmpfs" ino=55350 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1502136932.568:291): avc:  denied  { getattr } for  pid=2193 comm="celery" path="/dev/shm/vcJczy" dev="tmpfs" ino=55350 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1502136932.569:292): avc:  denied  { remove_name } for  pid=2193 comm="celery" name="vcJczy" dev="tmpfs" ino=55350 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1502136932.569:293): avc:  denied  { unlink } for  pid=2193 comm="celery" name="vcJczy" dev="tmpfs" ino=55350 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
type=SERVICE_STOP msg=audit(1502137015.062:294): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pulp_workers comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
type=SERVICE_STOP msg=audit(1502137015.094:295): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pulp_worker-0 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
type=SERVICE_START msg=audit(1502137015.116:296): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pulp_worker-0 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1502137015.124:297): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=pulp_workers comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1502137057.690:298): avc:  denied  { execmem } for  pid=2447 comm="celery" scontext=system_u:system_r:celery_t:s0 tcontext=system_u:system_r:celery_t:s0 tclass=process permissive=1
type=USER_START msg=audit(1502137067.949:299): pid=1253 uid=0 auid=0 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=192.168.100.1 addr=192.168.100.1 terminal=ssh res=success'
type=CRYPTO_KEY_USER msg=audit(1502137067.950:300): pid=1253 uid=0 auid=0 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:a1:7b:07:ac:67:e9:1f:90:0d:bf:ca:4c:71:e4:10:54:f1:78:be:2e:8a:5a:ed:9d:ab:dc:98:b2:85:6a:a6:30 direction=? spid=2481 suid=0  exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
type=USER_START msg=audit(1502137067.969:301): pid=1253 uid=0 auid=0 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=192.168.100.1 addr=192.168.100.1 terminal=ssh res=success'
type=CRYPTO_KEY_USER msg=audit(1502137067.969:302): pid=1253 uid=0 auid=0 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:a1:7b:07:ac:67:e9:1f:90:0d:bf:ca:4c:71:e4:10:54:f1:78:be:2e:8a:5a:ed:9d:ab:dc:98:b2:85:6a:a6:30 direction=? spid=2496 suid=0  exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
type=USER_START msg=audit(1502137067.990:303): pid=1253 uid=0 auid=0 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=192.168.100.1 addr=192.168.100.1 terminal=ssh res=success'
type=CRYPTO_KEY_USER msg=audit(1502137067.991:304): pid=1253 uid=0 auid=0 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:a1:7b:07:ac:67:e9:1f:90:0d:bf:ca:4c:71:e4:10:54:f1:78:be:2e:8a:5a:ed:9d:ab:dc:98:b2:85:6a:a6:30 direction=? spid=2516 suid=0  exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
type=USER_END msg=audit(1502137067.998:305): pid=1253 uid=0 auid=0 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=192.168.100.1 addr=192.168.100.1 terminal=ssh res=success'
type=USER_START msg=audit(1502137068.006:306): pid=1253 uid=0 auid=0 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=192.168.100.1 addr=192.168.100.1 terminal=ssh res=success'
type=CRYPTO_KEY_USER msg=audit(1502137068.006:307): pid=1253 uid=0 auid=0 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:a1:7b:07:ac:67:e9:1f:90:0d:bf:ca:4c:71:e4:10:54:f1:78:be:2e:8a:5a:ed:9d:ab:dc:98:b2:85:6a:a6:30 direction=? spid=2525 suid=0  exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
type=USER_START msg=audit(1502137068.026:308): pid=1253 uid=0 auid=0 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=192.168.100.1 addr=192.168.100.1 terminal=ssh res=success'
type=CRYPTO_KEY_USER msg=audit(1502137068.026:309): pid=1253 uid=0 auid=0 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:a1:7b:07:ac:67:e9:1f:90:0d:bf:ca:4c:71:e4:10:54:f1:78:be:2e:8a:5a:ed:9d:ab:dc:98:b2:85:6a:a6:30 direction=? spid=2545 suid=0  exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
type=USER_END msg=audit(1502137068.033:310): pid=1253 uid=0 auid=0 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=192.168.100.1 addr=192.168.100.1 terminal=ssh res=success'
type=USER_START msg=audit(1502137068.043:311): pid=1253 uid=0 auid=0 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=192.168.100.1 addr=192.168.100.1 terminal=ssh res=success'
type=CRYPTO_KEY_USER msg=audit(1502137068.043:312): pid=1253 uid=0 auid=0 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:a1:7b:07:ac:67:e9:1f:90:0d:bf:ca:4c:71:e4:10:54:f1:78:be:2e:8a:5a:ed:9d:ab:dc:98:b2:85:6a:a6:30 direction=? spid=2559 suid=0  exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1502137069.821:313): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=httpd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1502137069.859:314): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=httpd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=USER_END msg=audit(1502137069.861:315): pid=1253 uid=0 auid=0 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=192.168.100.1 addr=192.168.100.1 terminal=ssh res=success'
type=USER_END msg=audit(1502137076.379:316): pid=1253 uid=0 auid=0 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=192.168.100.1 addr=192.168.100.1 terminal=ssh res=success'
type=USER_END msg=audit(1502137076.379:317): pid=1253 uid=0 auid=0 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=192.168.100.1 addr=192.168.100.1 terminal=ssh res=success'
type=USER_END msg=audit(1502137076.379:318): pid=1253 uid=0 auid=0 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=192.168.100.1 addr=192.168.100.1 terminal=ssh res=success'
type=USER_START msg=audit(1502137096.412:319): pid=1253 uid=0 auid=0 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=192.168.100.1 addr=192.168.100.1 terminal=ssh res=success'
type=CRYPTO_KEY_USER msg=audit(1502137096.412:320): pid=1253 uid=0 auid=0 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:a1:7b:07:ac:67:e9:1f:90:0d:bf:ca:4c:71:e4:10:54:f1:78:be:2e:8a:5a:ed:9d:ab:dc:98:b2:85:6a:a6:30 direction=? spid=2869 suid=0  exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
type=USER_START msg=audit(1502137096.433:321): pid=1253 uid=0 auid=0 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=192.168.100.1 addr=192.168.100.1 terminal=ssh res=success'
type=CRYPTO_KEY_USER msg=audit(1502137096.434:322): pid=1253 uid=0 auid=0 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:a1:7b:07:ac:67:e9:1f:90:0d:bf:ca:4c:71:e4:10:54:f1:78:be:2e:8a:5a:ed:9d:ab:dc:98:b2:85:6a:a6:30 direction=? spid=2884 suid=0  exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
type=USER_START msg=audit(1502137096.458:323): pid=1253 uid=0 auid=0 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=192.168.100.1 addr=192.168.100.1 terminal=ssh res=success'
type=CRYPTO_KEY_USER msg=audit(1502137096.459:324): pid=1253 uid=0 auid=0 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:a1:7b:07:ac:67:e9:1f:90:0d:bf:ca:4c:71:e4:10:54:f1:78:be:2e:8a:5a:ed:9d:ab:dc:98:b2:85:6a:a6:30 direction=? spid=2904 suid=0  exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
type=USER_END msg=audit(1502137096.471:325): pid=1253 uid=0 auid=0 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=192.168.100.1 addr=192.168.100.1 terminal=ssh res=success'
type=USER_START msg=audit(1502137096.483:326): pid=1253 uid=0 auid=0 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=192.168.100.1 addr=192.168.100.1 terminal=ssh res=success'
type=CRYPTO_KEY_USER msg=audit(1502137096.487:327): pid=1253 uid=0 auid=0 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:a1:7b:07:ac:67:e9:1f:90:0d:bf:ca:4c:71:e4:10:54:f1:78:be:2e:8a:5a:ed:9d:ab:dc:98:b2:85:6a:a6:30 direction=? spid=2918 suid=0  exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1502137098.267:328): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=httpd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1502137098.305:329): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=httpd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=USER_END msg=audit(1502137098.307:330): pid=1253 uid=0 auid=0 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=192.168.100.1 addr=192.168.100.1 terminal=ssh res=success'
type=USER_END msg=audit(1502137106.448:331): pid=1253 uid=0 auid=0 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=192.168.100.1 addr=192.168.100.1 terminal=ssh res=success'
type=USER_END msg=audit(1502137106.448:332): pid=1253 uid=0 auid=0 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=192.168.100.1 addr=192.168.100.1 terminal=ssh res=success'

Unfortunately, many tests still fail:

python -m unittest pulp_smash.tests.platform.api_v2.test_login  # success
python -m unittest pulp_smash.tests.docker.api_v2.test_sync_publish.V{1,2}RegistryTestCase  # total failure
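
The grouping that audit2allow performs on the denials quoted in this report can be reproduced by hand. The following is an added example, not part of the original report and not audit2allow's own code: it parses AVC records copied from the logs above, rebuilds the same allow rules, and counts how many denials were logged while enforcing (permissive=0). The function names are hypothetical.

```python
import re
from collections import defaultdict

# Records copied from the journal and audit.log excerpts in this issue.
# The first line is a USER_AVC policy-load notice and must not be counted.
SAMPLE_LOG = """\
type=USER_AVC msg=audit(1502136922.763:275): pid=671 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received policyload notice (seqno=2)  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
Aug 07 15:19:07 fedora-26-pulp-2-14-beta audit[958]: AVC avc:  denied  { read } for  pid=958 comm="celery" name="cpu" dev="sysfs" ino=33 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=0
Aug 07 15:19:09 fedora-26-pulp-2-14-beta audit[978]: AVC avc:  denied  { getattr } for  pid=978 comm="celery" name="/" dev="tmpfs" ino=10791 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0
type=AVC msg=audit(1502136925.816:280): avc:  denied  { read } for  pid=2115 comm="celery" name="cpu" dev="sysfs" ino=33 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1502136932.568:285): avc:  denied  { getattr } for  pid=2193 comm="celery" name="/" dev="tmpfs" ino=10791 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(1502136932.568:286): avc:  denied  { write } for  pid=2193 comm="celery" name="/" dev="tmpfs" ino=10791 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1502136932.568:287): avc:  denied  { add_name } for  pid=2193 comm="celery" name="vcJczy" scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1502136932.568:288): avc:  denied  { create } for  pid=2193 comm="celery" name="vcJczy" scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1502136932.568:289): avc:  denied  { read write open } for  pid=2193 comm="celery" path="/dev/shm/vcJczy" dev="tmpfs" ino=55350 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1502136932.568:290): avc:  denied  { link } for  pid=2193 comm="celery" name="vcJczy" dev="tmpfs" ino=55350 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1502136932.568:291): avc:  denied  { getattr } for  pid=2193 comm="celery" path="/dev/shm/vcJczy" dev="tmpfs" ino=55350 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1502136932.569:292): avc:  denied  { remove_name } for  pid=2193 comm="celery" name="vcJczy" dev="tmpfs" ino=55350 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1502136932.569:293): avc:  denied  { unlink } for  pid=2193 comm="celery" name="vcJczy" dev="tmpfs" ino=55350 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1502137057.690:298): avc:  denied  { execmem } for  pid=2447 comm="celery" scontext=system_u:system_r:celery_t:s0 tcontext=system_u:system_r:celery_t:s0 tclass=process permissive=1
"""

# Matches both the journal form ("audit[958]: AVC avc: denied ...") and the
# audit.log form ("type=AVC msg=audit(...): avc: denied ...").
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?"
)


def selinux_type(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]


def summarize_denials(log_text):
    """Group AVC denials by (source type, target type, object class)."""
    groups = defaultdict(lambda: {"perms": set(), "count": 0, "enforced": 0})
    for line in log_text.splitlines():
        match = AVC_RE.search(line)
        if match is None:
            continue  # not a denial (service start/stop, policy load, ...)
        source = selinux_type(match["scontext"])
        target = selinux_type(match["tcontext"])
        if target == source:
            target = "self"  # policy syntax for a domain acting on itself
        entry = groups[(source, target, match["tclass"])]
        entry["perms"].update(match["perms"].split())
        entry["count"] += 1
        if match["permissive"] == "0":
            entry["enforced"] += 1  # this access was actually blocked
    return dict(groups)


def allow_rules(groups):
    """Render the grouped denials as policy allow rules, sorted for review."""
    rules = []
    for (source, target, tclass), entry in sorted(groups.items()):
        perms = sorted(entry["perms"])
        text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append("allow %s %s:%s %s;" % (source, target, tclass, text))
    return rules


if __name__ == "__main__":
    summary = summarize_denials(SAMPLE_LOG)
    for rule in allow_rules(summary):
        print(rule)
```

Listing the rules with their counts before loading any generated module makes it easier to see which permissions (for example execmem, or write access under tmpfs_t) each denial would grant.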

Actions #1

Updated by Ichimonji10 over 7 years ago

  • Description updated (diff)
Actions #2

Updated by Ichimonji10 over 7 years ago

  • Description updated (diff)
Actions #3

Updated by Ichimonji10 over 7 years ago

  • Description updated (diff)
Actions #4

Updated by Ichimonji10 over 7 years ago

I've marked this issue as blocking 2.14 out of precaution. It may turn out that there's some issue with pulp_packaging that's messing up Pulp 2.14 on Fedora 26, and when installed through other methods, Pulp 2.14 is great on Fedora 26. But I don't know that right now, and as a result of this issue, we have no automated test results for Pulp 2.14 on Fedora 26. Until the validity of Pulp 2.14 on Fedora 26 is proven, I think we should assume that there's a blocking issue here.

Actions #5

Updated by ttereshc over 7 years ago

  • Priority changed from Normal to High
  • Sprint/Milestone set to 42
  • Triaged changed from No to Yes

After more investigation it can be re-considered as a blocker.

Actions #6

Updated by Ichimonji10 over 7 years ago

For what it's worth, Fedora 26 ships with a new major version of Celery.

Fedora 24: python2-celery-3.1.20-2.fc24.noarch
Fedora 25: python2-celery-3.1.20-3.fc25.noarch
Fedora 26: python2-celery-4.0.2-2.fc26.noarch
RHEL 7: python-celery-3.1.17-1.el7.noarch

Actions #7

Updated by pcreech over 7 years ago

With regard to "It looks like /etc/pki/pulp/ca.key is unreadable:", it appears the default permissions of the file that https://github.com/pulp/pulp/blob/master/server/bin/pulp-gen-ca-certificate#L35 produces have changed.

On F25:

[root@f25host bob]# openssl genrsa -out test.key 4096 &> /dev/null
[root@f25host bob]# ls -l
total 4
-rw-r--r--. 1 root root 3243 Aug  8 11:16 test.key

On F26:

[root@f26host bob]# openssl genrsa -out test.key 4096 &> /dev/null
[root@f26host bob]# ls -l
total 4
-rw-------. 1 root root 3243 Aug  8 11:17 test.key
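
The two listings above show a key file's mode depending on the tool's default: 0644 on F25 leaves the key readable by everyone, and 0600 on F26 locks out a service that reads it through its group. The following is an added example, not Pulp's code and not the fix applied for this issue: it creates a key file with a pinned mode that does not depend on umask or tool defaults, and reports the problems with each default. The 0640 target and the function names are assumptions, and group ownership is assumed to be correct already, as in the root:apache listing in the description.

```python
import os
import stat
import tempfile


def write_key_file(path, data, mode=0o640):
    """Create a key file whose final mode does not depend on umask or tool defaults."""
    # O_EXCL refuses to reuse an existing file. The file starts owner-only and
    # is then set to the target mode, so it is never wider than intended.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as handle:
        os.fchmod(handle.fileno(), mode)
        handle.write(data)


def key_mode_findings(path):
    """List problems with a private key that a service reads through its group."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    findings = []
    if mode & stat.S_IRWXO:
        findings.append("accessible to other users")
    if mode & (stat.S_IWGRP | stat.S_IXGRP):
        findings.append("group can write or execute")
    if not mode & stat.S_IRGRP:
        findings.append("group cannot read")
    return findings


def demo():
    """Check the two defaults shown above, then a file created with a pinned mode."""
    results = {}
    with tempfile.TemporaryDirectory() as workdir:
        # Constructed placeholder files, not real keys.
        for label, default_mode in (("f25_default", 0o644), ("f26_default", 0o600)):
            path = os.path.join(workdir, label + ".key")
            with open(path, "wb") as handle:
                handle.write(b"placeholder")
            os.chmod(path, default_mode)
            results[label] = key_mode_findings(path)

        # The pinned mode is the same under a permissive and a restrictive umask.
        pinned_modes = []
        for umask in (0o022, 0o077):
            previous = os.umask(umask)
            try:
                path = os.path.join(workdir, "pinned_%03o.key" % umask)
                write_key_file(path, b"placeholder")
                pinned_modes.append(stat.S_IMODE(os.stat(path).st_mode))
                results["pinned_findings"] = key_mode_findings(path)
            finally:
                os.umask(previous)
        results["pinned_modes"] = pinned_modes
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```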

Actions #8

Updated by mhrivnak over 7 years ago

I think we should block releasing 2.14.0 on F26, but proceed with releasing on other platforms. pcreech said that would be relatively easy to do from a release engineering perspective.

Depending on what changes are required to get this fixed for F26, we could either make F26 packages available later once non-code issues are resolved (packaging, ansible, selinux, etc), or just wait and add F26 packages with 2.14.1.

Considering how few of our users deploy on Fedora (evidence suggests perhaps zero have tried Pulp on F26), it would be a shame to withhold 2.14 on the working platforms.

Actions #9

Updated by pcreech over 7 years ago

Release Blocker is for Fedora 26 builds only. All other platforms can be released.

Actions #10

Updated by mhrivnak over 7 years ago

  • Sprint/Milestone changed from 42 to 43
Actions #11

Updated by bizhang over 7 years ago

  • Status changed from NEW to ASSIGNED
  • Assignee set to bizhang
Actions #12

Updated by bizhang over 7 years ago

  • Status changed from ASSIGNED to POST

Added by werwty over 7 years ago

Revision 1a13d6de | View on GitHub

Fix SELinux and cert key permissions

closes #2961 https://pulp.plan.io/issues/2961

Actions #13

Updated by jortel@redhat.com over 7 years ago

  • Sprint/Milestone changed from 43 to 44
Actions #14

Updated by werwty over 7 years ago

  • Status changed from POST to MODIFIED
Actions #15

Updated by pcreech about 7 years ago

  • Platform Release set to 2.14.1
Actions #16

Updated by Ichimonji10 about 7 years ago

  • Status changed from MODIFIED to ASSIGNED

Pulp 2.14 is still broken in major ways on F26. As a quick sanity check, I applied the following diff to Pulp Smash:

diff --git a/pulp_smash/tests/docker/api_v2/test_sync_publish.py b/pulp_smash/tests/docker/api_v2/test_sync_publish.py
index ef43fb2..037fcdf 100644
--- a/pulp_smash/tests/docker/api_v2/test_sync_publish.py
+++ b/pulp_smash/tests/docker/api_v2/test_sync_publish.py
@@ -219,9 +219,6 @@ class V1RegistryTestCase(SyncPublishMixin, unittest.TestCase):
         super().setUpClass()
         cls.cfg = config.get_config()
         cls.repo = {}
-        if (utils.os_is_f26(cls.cfg) and
-                selectors.bug_is_untestable(3036, cls.cfg.version)):
-            raise unittest.SkipTest('https://pulp.plan.io/issues/3036')

     @classmethod
     def tearDownClass(cls):
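
Review bot: In V1RegistryTestCase.setUpClass, deleting the utils.os_is_f26(cls.cfg) and selectors.bug_is_untestable(3036, cls.cfg.version) guard makes the class run on Fedora 26 for every version under test, whether or not issue 3036 is fixed there. That suits a local sanity check, but a change meant to be committed should keep the version-aware gate. If these guards were the module's only uses of utils.os_is_f26, also check whether the utils import is still needed once both are gone.
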
@@ -306,9 +303,6 @@ class V2RegistryTestCase(SyncPublishMixin, unittest.TestCase):
         super().setUpClass()
         cls.cfg = config.get_config()
         cls.repo = {}
-        if (utils.os_is_f26(cls.cfg) and
-                selectors.bug_is_untestable(3036, cls.cfg.version)):
-            raise unittest.SkipTest('https://pulp.plan.io/issues/3036')
         for issue_id in (2287, 2384):
             if selectors.bug_is_untestable(issue_id, cls.cfg.version):
                 raise unittest.SkipTest(
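
Review bot: The guard removed from V2RegistryTestCase.setUpClass is a copy of the one removed from V1RegistryTestCase, while the loop over issues (2287, 2384) directly below it stays. Since both classes use SyncPublishMixin, consider moving the Fedora 26 check for issue 3036 into one shared helper so it is switched on or off in a single place instead of being edited in two setUpClass bodies.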

I then executed python -m unittest pulp_smash.tests.docker.api_v2.test_sync_publish.V{1,2}RegistryTestCase. It blew up. The journal didn't reference SELinux, but it did include entries like this:

Oct 03 16:30:54 fedora-26-pulp-2-14-beta pulp[1524]: crane.config:INFO: config loaded from /etc/crane.conf
Oct 03 16:30:54 fedora-26-pulp-2-14-beta pulp[1524]: crane.data:INFO: loading metadata from /var/lib/pulp/published/docker
Oct 03 16:30:54 fedora-26-pulp-2-14-beta pulp[1524]: crane.data:ERROR: aborting metadata load: metadata version 4 not supported
Oct 03 16:30:54 fedora-26-pulp-2-14-beta pulp[1524]: crane.search:INFO: no search backend configured
Oct 03 16:30:54 fedora-26-pulp-2-14-beta pulp[1524]: crane.app:INFO: application initialized
Oct 03 16:30:54 fedora-26-pulp-2-14-beta pulp[1524]: crane.data:INFO: loading metadata from /var/lib/pulp/published/docker
Oct 03 16:30:54 fedora-26-pulp-2-14-beta pulp[1524]: crane.data:ERROR: aborting metadata load: metadata version 4 not supported
Oct 03 16:30:55 fedora-26-pulp-2-14-beta pulp[1523]: crane.config:INFO: config loaded from /etc/crane.conf
Oct 03 16:30:55 fedora-26-pulp-2-14-beta pulp[1523]: crane.data:INFO: loading metadata from /var/lib/pulp/published/docker
Oct 03 16:30:55 fedora-26-pulp-2-14-beta pulp[1523]: crane.data:ERROR: aborting metadata load: metadata version 4 not supported

There may be other issues with Pulp 2.14 on Fedora 26. I can't say, though, because the relevant Jenkins runs consistently and catastrophically fail.

I don't think it's acceptable to release the 2.14.1 beta for F26 with Docker being broken and without the reassurance of Jenkins.

Actions #17

Updated by mhrivnak about 7 years ago

It looks like crane is missing from the F26 beta repo. As such, I assume your automation installed the older version of crane that comes with F26, and that is why you see the error "aborting metadata load: metadata version 4 not supported".

Actions #18

Updated by Ichimonji10 about 7 years ago

Pulp is being installed from the pulp_server.yaml Ansible playbook in pulp_packaging.

Added by pcreech about 7 years ago

Revision 0596a5e4 | View on GitHub

Update dist_list.txt to include fc26

re #2961

Actions #19

Updated by pcreech about 7 years ago

mhrivnak wrote:

It looks like crane is missing from the F26 beta repo. As such, I assume your automation installed the older version of crane that comes with F26, and that is why you see the error "aborting metadata load: metadata version 4 not supported".

Crane is now showing up in Fedora 26 nightly builds.

Actions #20

Updated by rchan almost 7 years ago

Should this bug be dispositioned? The high priority along with no longer being in the current sprint along with not being fixed by now seems inconsistent.

Actions #21

Updated by bmbouter almost 7 years ago

  • Sprint set to Sprint 25
Actions #22

Updated by bmbouter almost 7 years ago

  • Sprint/Milestone deleted (44)
Actions #23

Updated by bizhang over 6 years ago

  • Assignee deleted (bizhang)
Actions #25

Updated by dalley about 6 years ago

  • Status changed from ASSIGNED to CLOSED - CURRENTRELEASE
Actions #26

Updated by bmbouter over 5 years ago

  • Tags Pulp 2 added
