Support #24616
Updated by Alex Kinneer over 6 years ago
Steps:
1. Minimal install of CentOS 7.4, with SELinux enabled
2. <pre>sudo yum -y install https://yum.puppetlabs.com/puppet5/puppet5-release-el-7.noarch.rpm</pre>
3. <pre>sudo yum -y install http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm</pre>
4. <pre>sudo yum -y install https://yum.theforeman.org/releases/1.18/el7/x86_64/foreman-release.rpm</pre>
5. <pre>sudo yum -y install foreman-installer</pre>
6. Place foreman-answers.yaml file -- foreman-selinux param is left as default (undef), database parameters are configured to point to an external host with postgresql already installed and running.
7. <pre>foreman-installer</pre>
Among the output will be the following, but the installer *does not fail* and reports everything is ready upon completion:
<pre>
libsemanage.semanage_pipe_data: Child process /usr/libexec/selinux/hll/pp failed with code: 255. (No such file or directory).
foreman: libsepol.policydb_read: policydb module version 19 does not match my version range 4-17
foreman: libsepol.sepol_module_package_read: invalid module in module package (at section 0)
foreman: Failed to read policy package
libsemanage.semanage_direct_commit: Failed to compile hll files into cil files. (No such file or directory).
OSError: No such file or directory
ValueError: Type foreman_container_port_t is invalid, must be a port type
</pre>
8. Attempt to connect to web UI, receive the following error dump:
<pre>
could not connect to server: Permission denied
Is the server running on host "<HOST>" (<IP>) and accepting TCP/IP connections on port 5432?
(PG::ConnectionBad)
/opt/theforeman/tfm/root/usr/share/gems/gems/pg-0.21.0/lib/pg.rb:59:in `initialize'
/opt/theforeman/tfm/root/usr/share/gems/gems/pg-0.21.0/lib/pg.rb:59:in `new'
/opt/theforeman/tfm/root/usr/share/gems/gems/pg-0.21.0/lib/pg.rb:59:in `connect'
/opt/theforeman/tfm-ror51/root/usr/share/gems/gems/activerecord-5.1.6/lib/active_record/connection_adapters/postgresql_adapter.rb:697:in `connect'
/opt/theforeman/tfm-ror51/root/usr/share/gems/gems/activerecord-5.1.6/lib/active_record/connection_adapters/postgresql_adapter.rb:221:in `initialize'
/opt/theforeman/tfm-ror51/root/usr/share/gems/gems/activerecord-5.1.6/lib/active_record/connection_adapters/postgresql_adapter.rb:38:in `new'
/opt/theforeman/tfm-ror51/root/usr/share/gems/gems/activerecord-5.1.6/lib/active_record/connection_adapters/postgresql_adapter.rb:38:in `postgresql_connection'
/opt/theforeman/tfm-ror51/root/usr/share/gems/gems/activerecord-5.1.6/lib/active_record/connection_adapters/abstract/connection_pool.rb:759:in `new_connection'
/opt/theforeman/tfm-ror51/root/usr/share/gems/gems/activerecord-5.1.6/lib/active_record/connection_adapters/abstract/connection_pool.rb:803:in `checkout_new_connection'
/opt/theforeman/tfm-ror51/root/usr/share/gems/gems/activerecord-5.1.6/lib/active_record/connection_adapters/abstract/connection_pool.rb:782:in `try_to_checkout_new_connection'
/opt/theforeman/tfm-ror51/root/usr/share/gems/gems/activerecord-5.1.6/lib/active_record/connection_adapters/abstract/connection_pool.rb:743:in `acquire_connection'
/opt/theforeman/tfm-ror51/root/usr/share/gems/gems/activerecord-5.1.6/lib/active_record/connection_adapters/abstract/connection_pool.rb:500:in `checkout'
/opt/theforeman/tfm-ror51/root/usr/share/gems/gems/activerecord-5.1.6/lib/active_record/connection_adapters/abstract/connection_pool.rb:374:in `connection'
/opt/theforeman/tfm-ror51/root/usr/share/gems/gems/activerecord-5.1.6/lib/active_record/connection_adapters/abstract/connection_pool.rb:931:in `retrieve_connection'
/opt/theforeman/tfm-ror51/root/usr/share/gems/gems/activerecord-5.1.6/lib/active_record/connection_handling.rb:116:in `retrieve_connection'
/opt/theforeman/tfm-ror51/root/usr/share/gems/gems/activerecord-5.1.6/lib/active_record/connection_handling.rb:88:in `connection'
/opt/theforeman/tfm-ror51/root/usr/share/gems/gems/activerecord-5.1.6/lib/active_record/schema_migration.rb:20:in `table_exists?'
/opt/theforeman/tfm-ror51/root/usr/share/gems/gems/activerecord-5.1.6/lib/active_record/schema_migration.rb:24:in `create_table'
/opt/theforeman/tfm-ror51/root/usr/share/gems/gems/activerecord-5.1.6/lib/active_record/migration.rb:1125:in `initialize'
/usr/share/foreman/app/registries/foreman/plugin.rb:321:in `new'
/usr/share/foreman/app/registries/foreman/plugin.rb:321:in `pending_migrations'
/usr/share/foreman/app/registries/foreman/plugin.rb:265:in `permission'
/opt/theforeman/tfm/root/usr/share/gems/gems/foreman_discovery-12.0.2/lib/foreman_discovery/engine.rb:50:in `block (3 levels) in <class:Engine>'
/usr/share/foreman/app/registries/foreman/plugin.rb:249:in `instance_eval'
/usr/share/foreman/app/registries/foreman/plugin.rb:249:in `security_block'
/opt/theforeman/tfm/root/usr/share/gems/gems/foreman_discovery-12.0.2/lib/foreman_discovery/engine.rb:49:in `block (2 levels) in <class:Engine>'
/usr/share/foreman/app/registries/foreman/plugin.rb:72:in `instance_eval'
/usr/share/foreman/app/registries/foreman/plugin.rb:72:in `register'
/opt/theforeman/tfm/root/usr/share/gems/gems/foreman_discovery-12.0.2/lib/foreman_discovery/engine.rb:45:in `block in <class:Engine>'
/opt/theforeman/tfm-ror51/root/usr/share/gems/gems/railties-5.1.6/lib/rails/initializable.rb:30:in `instance_exec'
/opt/theforeman/tfm-ror51/root/usr/share/gems/gems/railties-5.1.6/lib/rails/initializable.rb:30:in `run'
/opt/theforeman/tfm-ror51/root/usr/share/gems/gems/railties-5.1.6/lib/rails/initializable.rb:59:in `block in run_initializers'
/opt/rh/rh-ruby24/root/usr/share/ruby/tsort.rb:228:in `block in tsort_each'
/opt/rh/rh-ruby24/root/usr/share/ruby/tsort.rb:350:in `block (2 levels) in each_strongly_connected_component'
/opt/rh/rh-ruby24/root/usr/share/ruby/tsort.rb:431:in `each_strongly_connected_component_from'
/opt/rh/rh-ruby24/root/usr/share/ruby/tsort.rb:349:in `block in each_strongly_connected_component'
/opt/rh/rh-ruby24/root/usr/share/ruby/tsort.rb:347:in `each'
/opt/rh/rh-ruby24/root/usr/share/ruby/tsort.rb:347:in `call'
/opt/rh/rh-ruby24/root/usr/share/ruby/tsort.rb:347:in `each_strongly_connected_component'
/opt/rh/rh-ruby24/root/usr/share/ruby/tsort.rb:226:in `tsort_each'
/opt/rh/rh-ruby24/root/usr/share/ruby/tsort.rb:205:in `tsort_each'
/opt/theforeman/tfm-ror51/root/usr/share/gems/gems/railties-5.1.6/lib/rails/initializable.rb:58:in `run_initializers'
/opt/theforeman/tfm-ror51/root/usr/share/gems/gems/railties-5.1.6/lib/rails/application.rb:353:in `initialize!'
/opt/theforeman/tfm-ror51/root/usr/share/gems/gems/railties-5.1.6/lib/rails/railtie.rb:185:in `public_send'
/opt/theforeman/tfm-ror51/root/usr/share/gems/gems/railties-5.1.6/lib/rails/railtie.rb:185:in `method_missing'
/usr/share/foreman/config/environment.rb:5:in `<top (required)>'
/opt/rh/rh-ruby24/root/usr/share/rubygems/rubygems/core_ext/kernel_require.rb:55:in `require'
/opt/rh/rh-ruby24/root/usr/share/rubygems/rubygems/core_ext/kernel_require.rb:55:in `require'
config.ru:5:in `block in <main>'
/opt/theforeman/tfm-ror51/root/usr/share/gems/gems/rack-2.0.3/lib/rack/builder.rb:55:in `instance_eval'
/opt/theforeman/tfm-ror51/root/usr/share/gems/gems/rack-2.0.3/lib/rack/builder.rb:55:in `initialize'
config.ru:1:in `new'
config.ru:1:in `<main>'
/usr/share/passenger/helper-scripts/rack-preloader.rb:112:in `eval'
/usr/share/passenger/helper-scripts/rack-preloader.rb:112:in `preload_app'
/usr/share/passenger/helper-scripts/rack-preloader.rb:158:in `<module:App>'
/usr/share/passenger/helper-scripts/rack-preloader.rb:29:in `<module:PhusionPassenger>'
/usr/share/passenger/helper-scripts/rack-preloader.rb:28:in `<main>'
</pre>
9. Install postgresql client and test same connection parameters manually: database connect is successful.

Workaround:
1. setenforce 0
2. Reload web UI page -- now loads successfully.

audit.log shows numerous errors, of the following three types:
<pre>
type=AVC msg=audit(1534268634.110:304): avc: denied { name_connect } for pid=1848 comm="ruby" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1534268634.110:304): arch=c000003e syscall=42 success=no exit=-13 a0=7 a1=7620c90 a2=10 a3=7ffd64da5198 items=0 ppid=1847 pid=1848 auid=4294967295 uid=997 gid=994 euid=997 suid=997 fsuid=997 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm="ruby" exe="/opt/rh/rh-ruby24/root/usr/bin/ruby" subj=system_u:system_r:httpd_t:s0 key=(null)
type=PROCTITLE msg=audit(1534268634.110:304): proctitle=72756279002F7573722F73686172652F70617373656E6765722F68656C7065722D736372697074732F7261636B2D7072656C6F616465722E7262
type=AVC msg=audit(1534268634.245:305): avc: denied { fowner } for pid=1858 comm="chmod" capability=3 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability
type=SYSCALL msg=audit(1534268634.245:305): arch=c000003e syscall=268 success=no exit=-1 a0=ffffffffffffff9c a1=1309120 a2=1c0 a3=7ffeca864ba0 items=0 ppid=903 pid=1858 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="chmod" exe="/usr/bin/chmod" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1534268634.348:315): avc: denied { block_suspend } for pid=903 comm="PassengerHelper" capability=36 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability2
type=SYSCALL msg=audit(1534268634.348:315): arch=c000003e syscall=233 success=yes exit=0 a0=9 a1=2 a2=500000014 a3=12dc440 items=0 ppid=899 pid=903 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="PassengerHelper" exe="/usr/libexec/passenger/PassengerHelperAgent" subj=system_u:system_r:httpd_t:s0 key=(null)
</pre>

I believe this is a recent regression, as it was working as recently as last Friday with 1.17 (a current install of 1.17 following exact same previously successful steps now fails).
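
Added example, not part of the original report: a small Python parser that joins the AVC, SYSCALL and PROCTITLE records sharing one audit event id and counts denials by source type, target type, class and permission. The sample lines are abridged from the audit.log excerpt above, and the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample: records abridged from the audit.log excerpt in the report.
SAMPLE = """\
type=AVC msg=audit(1534268634.110:304): avc: denied { name_connect } for pid=1848 comm="ruby" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1534268634.110:304): arch=c000003e syscall=42 success=no exit=-13 comm="ruby"
type=PROCTITLE msg=audit(1534268634.110:304): proctitle=72756279002F7573722F73686172652F70617373656E6765722F68656C7065722D736372697074732F7261636B2D7072656C6F616465722E7262
type=AVC msg=audit(1534268634.245:305): avc: denied { fowner } for pid=1858 comm="chmod" capability=3 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability
type=SYSCALL msg=audit(1534268634.245:305): arch=c000003e syscall=268 success=no exit=-1 comm="chmod"
type=AVC msg=audit(1534268634.348:315): avc: denied { block_suspend } for pid=903 comm="PassengerHelper" capability=36 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability2
type=SYSCALL msg=audit(1534268634.348:315): arch=c000003e syscall=233 success=yes exit=0 comm="PassengerHelper"
"""

EVENT_ID = re.compile(r"msg=audit\(([\d.]+:\d+)\)")
PERMS = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode_proctitle(raw):
    """Unquoted all-hex values are NUL-separated argv; anything else is literal."""
    if not re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", raw):
        return raw.strip('"')
    return bytes.fromhex(raw).replace(b"\0", b" ").decode("utf-8", "replace")

def parse_events(text):
    """Merge the AVC, SYSCALL and PROCTITLE records that share one event id."""
    events = {}
    for line in text.splitlines():
        eid, perms = EVENT_ID.search(line), PERMS.search(line)
        if not eid:
            continue
        fields = dict(FIELD.findall(line))
        event = events.setdefault(eid.group(1), {})
        if fields.get("type") == "AVC" and perms:
            event.update(perms=perms.group(1).split(), tclass=fields["tclass"],
                         source=fields["scontext"].split(":")[2],  # SELinux type field
                         target=fields["tcontext"].split(":")[2])
        elif fields.get("type") == "SYSCALL":
            event["blocked"] = fields.get("success") == "no"
        elif fields.get("type") == "PROCTITLE":
            event["cmdline"] = decode_proctitle(fields["proctitle"])
    return {key: ev for key, ev in events.items() if "perms" in ev}

def summarize(text):
    """Count denials per (source type, target type, class, permission, blocked)."""
    return Counter((ev["source"], ev["target"], ev["tclass"], perm, ev.get("blocked"))
                   for ev in parse_events(text).values() for perm in ev["perms"])

if __name__ == "__main__":
    print(*summarize(SAMPLE).items(), sep="\n")
```

The `blocked` flag is taken from the SYSCALL record's `success` field, so it separates denials that failed the calling syscall from ones that were only logged.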