Bug #14789

puppetlabs-apache 1.9.0 adds phusionpassenger yum repo

Added by Michael Moll about 3 years ago. Updated 11 months ago.

Status: Closed
Priority: Normal
Assignee:
Category: External (Puppet Labs) modules
Target version:
Team Backlog:
Fixed in Releases:
Found in Releases:

Description

See https://github.com/puppetlabs/puppetlabs-apache/commit/9996cb23

The result:

mmoll@ice:/tmp/sosreport-foreman-el7.example.com-20160422074236/etc/yum.repos.d$ cat passenger.repo 
[passenger]
name=passenger
baseurl=https://oss-binaries.phusionpassenger.com/yum/passenger/el/$releasever/$basearch
enabled=1
gpgcheck=0
repo_gpgcheck=1
gpgkey=https://packagecloud.io/gpg.key
sslcacert=/etc/pki/tls/certs/ca-bundle.crt
sslverify=1

I guess it is a problem to have this repo, even if no packages are pulled from it(?), as for sites that have their own mirrored repos and no internet access, the repo update will fail.
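
A check for the situation described above, as an added example that is not part of the original issue or of the Foreman code: it parses .repo content and reports enabled repos that reference hosts outside a site's approved mirrors, or that have package signature checking switched off. The function name audit_repo_text and the mirror host mirror.example.com are assumptions.

```python
import configparser
from urllib.parse import urlparse

# Sample input: the passenger.repo content quoted in the issue description.
PASSENGER_REPO = """\
[passenger]
name=passenger
baseurl=https://oss-binaries.phusionpassenger.com/yum/passenger/el/$releasever/$basearch
enabled=1
gpgcheck=0
repo_gpgcheck=1
gpgkey=https://packagecloud.io/gpg.key
sslcacert=/etc/pki/tls/certs/ca-bundle.crt
sslverify=1
"""

OFF = {"0", "false", "no"}
URL_KEYS = ("baseurl", "mirrorlist", "gpgkey")

def audit_repo_text(text, allowed_hosts):
    """Return (repo_id, key, detail) findings for the enabled repos in .repo text."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    findings = []
    for repo_id in parser.sections():
        repo = parser[repo_id]
        if repo.get("enabled", "1").strip().lower() in OFF:
            continue  # a disabled repo is not contacted during updates
        for key in URL_KEYS:
            # a value may hold several URLs separated by whitespace
            for url in repo.get(key, "").split():
                host = urlparse(url).hostname
                if host and host not in allowed_hosts:
                    findings.append((repo_id, key, host))
        # gpgcheck covers package signatures, repo_gpgcheck covers repo metadata;
        # a key that is absent inherits from yum.conf and is not judged here
        value = repo.get("gpgcheck", "").strip().lower()
        if value in OFF:
            findings.append((repo_id, "gpgcheck", value))
    return findings

if __name__ == "__main__":
    # mirror.example.com is a hypothetical internal mirror
    for finding in audit_repo_text(PASSENGER_REPO, {"mirror.example.com"}):
        print(finding)
```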


Related issues

Related to Packaging - Feature #14788: Ubuntu/xenial tracker issue (Closed, 2016-04-22)
Related to Katello - Bug #15393: katello install failing due to passenger error (Closed, 2016-06-13)
Blocked by Kafo - Feature #14945: Add support for configuring Hiera (Closed, 2016-05-06)

Associated revisions

Revision e5dce673 (diff)
Added by Dominic Cleal almost 3 years ago

fixes #14789 - disable apache::mod::passenger::manage_repo (#185)

Add Hiera configuration using Kafo 0.9.0's hiera_config option to set
the Passenger class' manage_repo parameter to false on "RedHat" OSes,
preferring the EPEL or Foreman packages.

Hiera data files are installed as data files rather than configuration
files, as they're shipped by the installer only to configure modules
rather than for the user to configure the installer.

History

#1 Updated by Michael Moll about 3 years ago

#2 Updated by Dominic Cleal about 3 years ago

It might not be our preferred setup, but with the exception of some SELinux issues, the packages should be installed from this repo and work OK.

#3 Updated by Dominic Cleal about 3 years ago

  • Legacy Backlogs Release (now unused) set to 136

A downside of these packages is that they're not compatible with EL6 when SELinux is enforcing - they actually fail to install:

 Execution of '/usr/bin/yum -d 0 -e 0 -y install mod_passenger' returned 1: Error in PREIN scriptlet in rpm package passenger-5.0.27-8.el6.x86_64
 %pre(passenger-5.0.27-8.el6.x86_64) scriptlet failed, exit status 1
   install: %pre scriptlet failed (2), skipping passenger-5.0.27-8.el6
 /Stage[main]/Apache::Mod::Passenger/Apache::Mod[passenger]/Package[mod_passenger]/ensure: change from absent to present failed: Execution of '/usr/bin/yum -d 0 -e 0 -y install mod_passenger' returned 1: Error in PREIN scriptlet in rpm package passenger-5.0.27-8.el6.x86_64
 %pre(passenger-5.0.27-8.el6.x86_64) scriptlet failed, exit status 1
   install: %pre scriptlet failed (2), skipping passenger-5.0.27-8.el6
# rpm -ivh passenger-5.0.27-8.el6.x86_64.rpm
Preparing...                ########################################### [100%]

   !!!! PASSENGER CANNOT BE INSTALLED: KERNEL TOO OLD !!!!

   You are currently running kernel 2.6.32-358.el6.x86_64, with SELinux policy
   version 24. However, Passenger's SELinux policy requires kernel >= 2.6.39,
   with support for policy version >= 25.

   There are two ways to solve this problem:

   Alternative 1: upgrade your kernel to at least 2.6.39, then reinstall
   Passenger.

   -OR-

   Alternative 2: disable SELinux.
   Edit /etc/selinux/config, set SELINUX=disabled, reboot, then
   reinstall Passenger.

error: %pre(passenger-5.0.27-8.el6.x86_64) scriptlet failed, exit status 1
error:   install: %pre scriptlet failed (2), skipping passenger-5.0.27-8.el6

#4 Updated by Dominic Cleal about 3 years ago

#5 Updated by Dominic Cleal about 3 years ago

  • Status changed from New to Assigned
  • Assignee set to Dominic Cleal

#6 Updated by Lukas Zapletal about 3 years ago

For the record, I believe these are denials caused by this:

allow httpd_t foreman_enc_t:file { ioctl execute read open getattr execute_no_trans };
allow httpd_t foreman_log_t:file { write open };
allow httpd_t foreman_var_run_t:dir { write rmdir read remove_name create add_name };
allow httpd_t foreman_var_run_t:file { rename setattr read create write ioctl unlink open append };
allow httpd_t puppet_etc_t:dir read;
allow httpd_t puppet_log_t:dir { write add_name };
allow httpd_t puppet_log_t:file { write create open };
allow httpd_t puppet_var_lib_t:dir { write rmdir relabelto relabelfrom remove_name create add_name };
allow httpd_t puppet_var_lib_t:file { rename write setattr relabelfrom relabelto create };
allow httpd_t self:capability sys_ptrace;

#!!!! This avc can be allowed using the boolean 'httpd_run_stickshift'
allow httpd_t self:capability { fowner fsetid };
allow httpd_t self:capability2 block_suspend;

#!!!! This avc can be allowed using the boolean 'nis_enabled'
allow httpd_t unreserved_port_t:udp_socket name_bind;

*******************************************************************

type=AVC msg=audit(1462976395.638:1831): avc:  denied  { write } for  pid=24541 comm="diagnostic_con*" name="cache" dev="tmpfs" ino=118682 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:foreman_var_run_t:s0 tclass=dir
type=AVC msg=audit(1462976395.655:1832): avc:  denied  { block_suspend } for  pid=1914 comm="PassengerAgent" capability=36  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability2
type=AVC msg=audit(1462976400.005:1833): avc:  denied  { sys_ptrace } for  pid=1903 comm="PassengerAgent" capability=19  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability

type=AVC msg=audit(1462974941.898:1711): avc:  denied  { create } for  pid=24900 comm="ruby" name="centos7-bats.example.com-push-facts.yaml" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=file
type=AVC msg=audit(1462974941.898:1711): avc:  denied  { write } for  pid=24900 comm="ruby" path="/var/lib/puppet/yaml/foreman/centos7-bats.example.com-push-facts.yaml" dev="vda3" ino=532212 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=file
type=AVC msg=audit(1462974942.124:1712): avc:  denied  { setattr } for  pid=24723 comm="ruby" name="centos7-bats.example.com.yaml20160511-24718-m7oeo1" dev="vda3" ino=403081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=file

#7 Updated by Dominic Cleal about 3 years ago

  • Related to deleted (Feature #14945: Add support for configuring Hiera)

#8 Updated by Dominic Cleal about 3 years ago

#9 Updated by The Foreman Bot almost 3 years ago

  • Status changed from Assigned to Ready For Testing
  • Pull request https://github.com/theforeman/foreman-installer/pull/185 added

#10 Updated by The Foreman Bot almost 3 years ago

  • Pull request https://github.com/theforeman/foreman-packaging/pull/1166 added

#11 Updated by Dominic Cleal almost 3 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100

#12 Updated by Stephen Benjamin almost 3 years ago

  • Related to Bug #15393: katello install failing due to passenger error added
