Bug #9523

closed

Puppet master crashes on AVC when blocking setattr after logrotate

Added by Gerwin Krist over 9 years ago. Updated over 6 years ago.

Status: Closed
Priority: High
Assignee:
Category: General Foreman
Target version:
Difficulty: easy
Triaged:
Fixed in Releases:
Found in Releases:

Description

Problem description
Once a week our puppet master stops working and the puppet clients are spitting out errors. We are seeing this on a freshly installed 1.7.2 on RHEL 7 (SELinux enabled).

Observations

It seems the problem starts when the weekly logrotate is done:

Feb 23 03:22:19 i-foreman puppet-master[92076]: failed to set mode 644 on /var/log/puppet/http.log: Permission denied - /var/log/puppet/http.log
Feb 23 03:22:19 i-foreman puppet-master[92076]: (/File[/var/log/puppet/http.log]/mode) change from 0644 to 0640 failed: failed to set mode 644 on /var/log/puppet/http.log: Permission denied - /var/log/puppet/http.log
Feb 23 03:22:19 i-foreman puppet-master[92076]: Could not prepare for execution: Got 1 failure(s) while initializing: File[/var/log/puppet/http.log]: change from 0644 to 0640 failed: failed to set mode 644 on /var/log/puppet/http.log: Permission denied - /var/log/puppet/http.log

I also get an AVC at the same time:

type=AVC msg=audit(1424658139.219:23310): avc:  denied  { setattr } for  pid=92076 comm="ruby" name="http.log" dev="vda2" ino=131193 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:puppet_log_t:s0 tclass=file

So my guess is it's a bug in the SELinux policy.

Agent log output

Feb 23 10:09:04 d-hpwtest start-puppet-agent: /usr/share/ruby/vendor_ruby/puppet/agent.rb:87:in `exit': no implicit conversion from nil to integer (TypeError)
Feb 23 10:09:04 d-hpwtest start-puppet-agent: from /usr/share/ruby/vendor_ruby/puppet/agent.rb:87:in `block in run_in_fork'
Feb 23 10:09:04 d-hpwtest start-puppet-agent: from /usr/share/ruby/vendor_ruby/puppet/agent.rb:84:in `fork'
Feb 23 10:09:04 d-hpwtest start-puppet-agent: from /usr/share/ruby/vendor_ruby/puppet/agent.rb:84:in `run_in_fork'
Feb 23 10:09:04 d-hpwtest start-puppet-agent: from /usr/share/ruby/vendor_ruby/puppet/agent.rb:43:in `block in run'
Feb 23 10:09:04 d-hpwtest start-puppet-agent: from /usr/share/ruby/vendor_ruby/puppet/application.rb:179:in `call'
Feb 23 10:09:04 d-hpwtest start-puppet-agent: from /usr/share/ruby/vendor_ruby/puppet/application.rb:179:in `controlled_run'
Feb 23 10:09:04 d-hpwtest start-puppet-agent: from /usr/share/ruby/vendor_ruby/puppet/agent.rb:41:in `run'
Feb 23 10:09:04 d-hpwtest start-puppet-agent: from /usr/share/ruby/vendor_ruby/puppet/daemon.rb:163:in `block in run_event_loop'
Feb 23 10:09:04 d-hpwtest start-puppet-agent: from /usr/share/ruby/vendor_ruby/puppet/scheduler/job.rb:49:in `call'
Feb 23 10:09:04 d-hpwtest start-puppet-agent: from /usr/share/ruby/vendor_ruby/puppet/scheduler/job.rb:49:in `run'
Feb 23 10:09:04 d-hpwtest start-puppet-agent: from /usr/share/ruby/vendor_ruby/puppet/scheduler/scheduler.rb:39:in `block in run_ready'
Feb 23 10:09:04 d-hpwtest start-puppet-agent: from /usr/share/ruby/vendor_ruby/puppet/scheduler/scheduler.rb:34:in `each'
Feb 23 10:09:04 d-hpwtest start-puppet-agent: from /usr/share/ruby/vendor_ruby/puppet/scheduler/scheduler.rb:34:in `run_ready'
Feb 23 10:09:04 d-hpwtest start-puppet-agent: from /usr/share/ruby/vendor_ruby/puppet/scheduler/scheduler.rb:11:in `run_loop'
Feb 23 10:09:04 d-hpwtest start-puppet-agent: from /usr/share/ruby/vendor_ruby/puppet/daemon.rb:179:in `run_event_loop'
Feb 23 10:09:04 d-hpwtest start-puppet-agent: from /usr/share/ruby/vendor_ruby/puppet/daemon.rb:142:in `start'
Feb 23 10:09:04 d-hpwtest start-puppet-agent: from /usr/share/ruby/vendor_ruby/puppet/application/agent.rb:377:in `main'
Feb 23 10:09:04 d-hpwtest start-puppet-agent: from /usr/share/ruby/vendor_ruby/puppet/application/agent.rb:323:in `run_command'
Feb 23 10:09:04 d-hpwtest start-puppet-agent: from /usr/share/ruby/vendor_ruby/puppet/application.rb:371:in `block (2 levels) in run'
Feb 23 10:09:04 d-hpwtest start-puppet-agent: from /usr/share/ruby/vendor_ruby/puppet/application.rb:477:in `plugin_hook'
Feb 23 10:09:04 d-hpwtest start-puppet-agent: from /usr/share/ruby/vendor_ruby/puppet/application.rb:371:in `block in run'
Feb 23 10:09:04 d-hpwtest start-puppet-agent: from /usr/share/ruby/vendor_ruby/puppet/util.rb:479:in `exit_on_fail'
Feb 23 10:09:04 d-hpwtest start-puppet-agent: from /usr/share/ruby/vendor_ruby/puppet/application.rb:371:in `run'
Feb 23 10:09:04 d-hpwtest start-puppet-agent: from /usr/share/ruby/vendor_ruby/puppet/util/command_line.rb:137:in `run'
Feb 23 10:09:04 d-hpwtest start-puppet-agent: from /usr/share/ruby/vendor_ruby/puppet/util/command_line.rb:91:in `execute'
Feb 23 10:09:04 d-hpwtest start-puppet-agent: from /usr/bin/puppet:8:in `<main>'
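
Reading the AVC record above as a type-enforcement triple, as an added example that is not part of the original report or of Foreman's code: it parses the denial quoted in the description, converts the audit timestamp to UTC for correlation with the syslog lines, and renders the allow rule the denial corresponds to. The function names `parse_avc` and `te_rule` are illustrative.

```python
import re
from datetime import datetime, timezone

# AVC record copied verbatim from the report above.
AVC = ('type=AVC msg=audit(1424658139.219:23310): avc:  denied  { setattr } for  '
       'pid=92076 comm="ruby" name="http.log" dev="vda2" ino=131193 '
       'scontext=system_u:system_r:passenger_t:s0 '
       'tcontext=system_u:object_r:puppet_log_t:s0 tclass=file')

# audit(<epoch>.<ms>:<serial>): avc:  denied|granted  { perm ... }
HEADER = re.compile(
    r'msg=audit\((\d+)\.(\d+):(\d+)\): avc:\s+(denied|granted)\s+\{([^}]*)\}')
# key=value pairs; values are either quoted or a run of non-space characters
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the security-relevant fields of one AVC audit record."""
    m = HEADER.search(line)
    if not m:
        raise ValueError("not an AVC record")
    fields = {k: v.strip('"') for k, v in FIELD.findall(line[m.end():])}
    for key in ("scontext", "tcontext", "tclass"):
        if key not in fields:
            raise ValueError("AVC record is missing " + key)
    # A context is user:role:type[:level]; the level may itself contain
    # colons, so the type is always the third component.
    return {
        "time_utc": datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc),
        "serial": int(m.group(3)),
        "result": m.group(4),
        "perms": m.group(5).split(),
        "source_type": fields["scontext"].split(":")[2],
        "target_type": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "comm": fields.get("comm"),
        "name": fields.get("name"),
    }

def te_rule(rec):
    """Render the allow rule that the denied access corresponds to."""
    perms = rec["perms"]
    perm_s = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return "allow {} {}:{} {};".format(
        rec["source_type"], rec["target_type"], rec["tclass"], perm_s)

if __name__ == "__main__":
    rec = parse_avc(AVC)
    print(rec["time_utc"].isoformat(), rec["comm"], rec["name"])
    print(te_rule(rec))
```

The audit timestamp resolves to 02:22:19 UTC, which lines up with the 03:22:19 puppet-master syslog entries if the host logs in UTC+1 (an assumption; the report does not state the timezone). The rendered rule only restates which access was denied, passenger_t requesting setattr on a puppet_log_t file; it is not the fix that was applied to the policy.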