Support #24616

Updated by Alex Kinneer about 6 years ago

Steps: 
 1. Minimal install of CentOS 7.4, with SELinux enabled 
 2. <pre>sudo yum -y install https://yum.puppetlabs.com/puppet5/puppet5-release-el-7.noarch.rpm</pre> 
 3. <pre>sudo yum -y install http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm</pre> 
 4. <pre>sudo yum -y install https://yum.theforeman.org/releases/1.18/el7/x86_64/foreman-release.rpm</pre> 
 5. <pre>sudo yum -y install foreman-installer</pre> 
 6. Place foreman-answers.yaml file -- foreman-selinux param is left as default (undef), database parameters are configured to point to an external host with postgresql already installed and running. 
 7. <pre>foreman-installer</pre> 
 Among the output will be the following, but the installer *does not fail* and reports everything is ready upon completion: 
 <pre> 
 libsemanage.semanage_pipe_data: Child process /usr/libexec/selinux/hll/pp failed with code: 255. (No such file or directory). 
 foreman: libsepol.policydb_read: policydb module version 19 does not match my version range 4-17 
 foreman: libsepol.sepol_module_package_read: invalid module in module package (at section 0) 
 foreman: Failed to read policy package 
 libsemanage.semanage_direct_commit: Failed to compile hll files into cil files. 
  (No such file or directory). 
 OSError: No such file or directory 
 ValueError: Type foreman_container_port_t is invalid, must be a port type 
 </pre> 
 8. Attempt to connect to web UI, receive the following error dump: 
 <pre> 
 could not connect to server: Permission denied 
	 Is the server running on host "<HOST>" (<IP>) and accepting 
	 TCP/IP connections on port 5432? 
  (PG::ConnectionBad) 
   /opt/theforeman/tfm/root/usr/share/gems/gems/pg-0.21.0/lib/pg.rb:59:in `initialize' 
   /opt/theforeman/tfm/root/usr/share/gems/gems/pg-0.21.0/lib/pg.rb:59:in `new' 
   /opt/theforeman/tfm/root/usr/share/gems/gems/pg-0.21.0/lib/pg.rb:59:in `connect' 
   /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/activerecord-5.1.6/lib/active_record/connection_adapters/postgresql_adapter.rb:697:in `connect' 
   /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/activerecord-5.1.6/lib/active_record/connection_adapters/postgresql_adapter.rb:221:in `initialize' 
   /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/activerecord-5.1.6/lib/active_record/connection_adapters/postgresql_adapter.rb:38:in `new' 
   /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/activerecord-5.1.6/lib/active_record/connection_adapters/postgresql_adapter.rb:38:in `postgresql_connection' 
   /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/activerecord-5.1.6/lib/active_record/connection_adapters/abstract/connection_pool.rb:759:in `new_connection' 
   /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/activerecord-5.1.6/lib/active_record/connection_adapters/abstract/connection_pool.rb:803:in `checkout_new_connection' 
   /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/activerecord-5.1.6/lib/active_record/connection_adapters/abstract/connection_pool.rb:782:in `try_to_checkout_new_connection' 
   /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/activerecord-5.1.6/lib/active_record/connection_adapters/abstract/connection_pool.rb:743:in `acquire_connection' 
   /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/activerecord-5.1.6/lib/active_record/connection_adapters/abstract/connection_pool.rb:500:in `checkout' 
   /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/activerecord-5.1.6/lib/active_record/connection_adapters/abstract/connection_pool.rb:374:in `connection' 
   /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/activerecord-5.1.6/lib/active_record/connection_adapters/abstract/connection_pool.rb:931:in `retrieve_connection' 
   /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/activerecord-5.1.6/lib/active_record/connection_handling.rb:116:in `retrieve_connection' 
   /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/activerecord-5.1.6/lib/active_record/connection_handling.rb:88:in `connection' 
   /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/activerecord-5.1.6/lib/active_record/schema_migration.rb:20:in `table_exists?' 
   /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/activerecord-5.1.6/lib/active_record/schema_migration.rb:24:in `create_table' 
   /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/activerecord-5.1.6/lib/active_record/migration.rb:1125:in `initialize' 
   /usr/share/foreman/app/registries/foreman/plugin.rb:321:in `new' 
   /usr/share/foreman/app/registries/foreman/plugin.rb:321:in `pending_migrations' 
   /usr/share/foreman/app/registries/foreman/plugin.rb:265:in `permission' 
   /opt/theforeman/tfm/root/usr/share/gems/gems/foreman_discovery-12.0.2/lib/foreman_discovery/engine.rb:50:in `block (3 levels) in <class:Engine>' 
   /usr/share/foreman/app/registries/foreman/plugin.rb:249:in `instance_eval' 
   /usr/share/foreman/app/registries/foreman/plugin.rb:249:in `security_block' 
   /opt/theforeman/tfm/root/usr/share/gems/gems/foreman_discovery-12.0.2/lib/foreman_discovery/engine.rb:49:in `block (2 levels) in <class:Engine>' 
   /usr/share/foreman/app/registries/foreman/plugin.rb:72:in `instance_eval' 
   /usr/share/foreman/app/registries/foreman/plugin.rb:72:in `register' 
   /opt/theforeman/tfm/root/usr/share/gems/gems/foreman_discovery-12.0.2/lib/foreman_discovery/engine.rb:45:in `block in <class:Engine>' 
   /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/railties-5.1.6/lib/rails/initializable.rb:30:in `instance_exec' 
   /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/railties-5.1.6/lib/rails/initializable.rb:30:in `run' 
   /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/railties-5.1.6/lib/rails/initializable.rb:59:in `block in run_initializers' 
   /opt/rh/rh-ruby24/root/usr/share/ruby/tsort.rb:228:in `block in tsort_each' 
   /opt/rh/rh-ruby24/root/usr/share/ruby/tsort.rb:350:in `block (2 levels) in each_strongly_connected_component' 
   /opt/rh/rh-ruby24/root/usr/share/ruby/tsort.rb:431:in `each_strongly_connected_component_from' 
   /opt/rh/rh-ruby24/root/usr/share/ruby/tsort.rb:349:in `block in each_strongly_connected_component' 
   /opt/rh/rh-ruby24/root/usr/share/ruby/tsort.rb:347:in `each' 
   /opt/rh/rh-ruby24/root/usr/share/ruby/tsort.rb:347:in `call' 
   /opt/rh/rh-ruby24/root/usr/share/ruby/tsort.rb:347:in `each_strongly_connected_component' 
   /opt/rh/rh-ruby24/root/usr/share/ruby/tsort.rb:226:in `tsort_each' 
   /opt/rh/rh-ruby24/root/usr/share/ruby/tsort.rb:205:in `tsort_each' 
   /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/railties-5.1.6/lib/rails/initializable.rb:58:in `run_initializers' 
   /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/railties-5.1.6/lib/rails/application.rb:353:in `initialize!' 
   /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/railties-5.1.6/lib/rails/railtie.rb:185:in `public_send' 
   /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/railties-5.1.6/lib/rails/railtie.rb:185:in `method_missing' 
   /usr/share/foreman/config/environment.rb:5:in `<top (required)>' 
   /opt/rh/rh-ruby24/root/usr/share/rubygems/rubygems/core_ext/kernel_require.rb:55:in `require' 
   /opt/rh/rh-ruby24/root/usr/share/rubygems/rubygems/core_ext/kernel_require.rb:55:in `require' 
   config.ru:5:in `block in <main>' 
   /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/rack-2.0.3/lib/rack/builder.rb:55:in `instance_eval' 
   /opt/theforeman/tfm-ror51/root/usr/share/gems/gems/rack-2.0.3/lib/rack/builder.rb:55:in `initialize' 
   config.ru:1:in `new' 
   config.ru:1:in `<main>' 
   /usr/share/passenger/helper-scripts/rack-preloader.rb:112:in `eval' 
   /usr/share/passenger/helper-scripts/rack-preloader.rb:112:in `preload_app' 
   /usr/share/passenger/helper-scripts/rack-preloader.rb:158:in `<module:App>' 
   /usr/share/passenger/helper-scripts/rack-preloader.rb:29:in `<module:PhusionPassenger>' 
   /usr/share/passenger/helper-scripts/rack-preloader.rb:28:in `<main>' 
 </pre> 
 9. Install postgresql client and test same connection parameters manually: database connect is successful. 

 Workaround: 
 1. setenforce 0 
 2. Reload web UI page -- now loads successfully. 

 audit.log shows numerous errors, of the following three types: 
 <pre> 
 type=AVC msg=audit(1534268634.110:304): avc:    denied    { name_connect } for    pid=1848 comm="ruby" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket 
 type=SYSCALL msg=audit(1534268634.110:304): arch=c000003e syscall=42 success=no exit=-13 a0=7 a1=7620c90 a2=10 a3=7ffd64da5198 items=0 ppid=1847 pid=1848 auid=4294967295 uid=997 gid=994 euid=997 suid=997 fsuid=997 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm="ruby" exe="/opt/rh/rh-ruby24/root/usr/bin/ruby" subj=system_u:system_r:httpd_t:s0 key=(null) 
 type=PROCTITLE msg=audit(1534268634.110:304): proctitle=72756279002F7573722F73686172652F70617373656E6765722F68656C7065722D736372697074732F7261636B2D7072656C6F616465722E7262 
 type=AVC msg=audit(1534268634.245:305): avc:    denied    { fowner } for    pid=1858 comm="chmod" capability=3    scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability 
 type=SYSCALL msg=audit(1534268634.245:305): arch=c000003e syscall=268 success=no exit=-1 a0=ffffffffffffff9c a1=1309120 a2=1c0 a3=7ffeca864ba0 items=0 ppid=903 pid=1858 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="chmod" exe="/usr/bin/chmod" subj=system_u:system_r:httpd_t:s0 key=(null) 
 type=AVC msg=audit(1534268634.348:315): avc:    denied    { block_suspend } for    pid=903 comm="PassengerHelper" capability=36    scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability2 
 type=SYSCALL msg=audit(1534268634.348:315): arch=c000003e syscall=233 success=yes exit=0 a0=9 a1=2 a2=500000014 a3=12dc440 items=0 ppid=899 pid=903 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="PassengerHelper" exe="/usr/libexec/passenger/PassengerHelperAgent" subj=system_u:system_r:httpd_t:s0 key=(null) 
 </pre> 

 I believe this is a recent regression, as it was working as recently as last Friday with 1.17 (a current install of 1.17 following the exact same previously successful steps now fails). 
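
An added example, not part of the original report: a small triage script that groups the AVC denials from the audit.log excerpt above by source type, target type, class and permission, and decodes the hex-encoded PROCTITLE record to show the command line behind a denial. The function names are assumptions of this example; the sample records are copied from the excerpt (SYSCALL lines omitted).

```python
import re
from collections import Counter

# AVC and PROCTITLE records copied from the audit.log excerpt in the report.
SAMPLE = """\
type=AVC msg=audit(1534268634.110:304): avc:    denied    { name_connect } for    pid=1848 comm="ruby" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
type=PROCTITLE msg=audit(1534268634.110:304): proctitle=72756279002F7573722F73686172652F70617373656E6765722F68656C7065722D736372697074732F7261636B2D7072656C6F616465722E7262
type=AVC msg=audit(1534268634.245:305): avc:    denied    { fowner } for    pid=1858 comm="chmod" capability=3    scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability
type=AVC msg=audit(1534268634.348:315): avc:    denied    { block_suspend } for    pid=903 comm="PassengerHelper" capability=36    scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability2
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<id>[\d.]+:\d+)\): avc:\s+denied\s+\{(?P<perms>[^}]*)\}'
    r'.*?comm="(?P<comm>[^"]+)".*?scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)'
    r'\s+tclass=(?P<tclass>\S+)')
PROCTITLE_RE = re.compile(
    r'type=PROCTITLE msg=audit\((?P<id>[\d.]+:\d+)\): proctitle=(?P<hex>[0-9A-Fa-f]+)')

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def decode_proctitle(hex_str):
    """auditd hex-encodes argv because its arguments are NUL-separated."""
    return bytes.fromhex(hex_str).replace(b"\x00", b" ").decode("utf-8", "replace")

def summarize(log_text):
    """Count denials per (source type, target type, class, permission).

    Also maps each key to the decoded command line of the event when a
    PROCTITLE record with the same event id exists, else to the comm field.
    """
    titles = {m["id"]: decode_proctitle(m["hex"])
              for m in PROCTITLE_RE.finditer(log_text)}
    denials, commands = Counter(), {}
    for m in AVC_RE.finditer(log_text):
        for perm in m["perms"].split():
            key = (selinux_type(m["scon"]), selinux_type(m["tcon"]),
                   m["tclass"], perm)
            denials[key] += 1
            commands.setdefault(key, titles.get(m["id"], m["comm"]))
    return denials, commands

if __name__ == "__main__":
    counts, cmds = summarize(SAMPLE)
    for key, n in counts.items():
        print(n, *key, "<-", cmds[key])
```
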
