Re: cobbler 2.0 workaround for SELinux and misc issues

2009-09-30 Thread Philippe Eveque
2009/9/29 Philippe Eveque philippe.eve...@gmail.com



 2009/9/29 Michael DeHaan mdeh...@redhat.com

  On 09/29/2009 03:24 AM, Philippe Eveque wrote:



 2009/9/28 Michael DeHaan mdeh...@redhat.com


  I noticed the following:
 
  - on server2 set up from scratch
 cobbler import was complaining that the issued rsync
  command was failing
 I had to disable SELinux for rsync to make cobbler import work
  with the following command.
 
 root# setsebool -P rsync_disable_trans=1

  What OS were you running from?


 RHEL 5 (I should have mentioned it).



 Were you doing an import from an rsync mirror (as in rsync protocol,
 rsync://) or just a DVD or filesystem path?  I'm surprised we didn't hit
 that in SELinux testing on previous releases as that hasn't really
 changed.



I forgot to mention
  - this is a 2.0.x specific issue and 1.6.x does not expose it.
  - if you run as root the rsync command reported by cobbler import
you do not hit the Pb either.

I guess this is because with 2.0 the rsync command is run in the context of
the cobblerd
daemon (after the cmd has been submitted via the xmlrpc layer)

Does this make sense?

[...]




 Anyway, let's get a ticket for this one too and we'll check it out.


 Ok sure.



done (this is ticket 503.)


--Phil.
___
cobbler mailing list
cobbler@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/cobbler


Re: cobbler 2.0 workaround for SELinux and misc issues

2009-09-29 Thread Philippe Eveque
2009/9/28 Michael DeHaan mdeh...@redhat.com


  I noticed the following:
 
  - on server2 set up from scratch
 cobbler import was complaining that the issued rsync
  command was failing
 I had to disable SELinux for rsync to make cobbler import work
  with the following command.
 
 root# setsebool -P rsync_disable_trans=1

 What OS were you running from?


RHEL 5 (I should have mentioned it).


 (General note -- Cobbler+SELinux is not supported on RHEL 4 (it is too
 primitive to share content between Apache and TFTP) but RHEL 5 and on it
 is)

 This may be a rule we want to indicate in cobbler check  alongside the
 httpd_can_network_connect item it already reports about today.

 Let's make sure there's a Trac open on this one.


Done.
This is Trac ticket 500.



  - on server1 (migrated from 1.6.x) and after migration:
 
 - Had to remove the omapi section from the
  /etc/cobbler/dhcp.template file
a task for cobbler check ?
(not sure but that helps dumb guy like myself not reading the
  docs... :-( )

 OMAPI is no longer supported in 2.0, so I am not sure what the problem
 is or why you would have to remove it.   Can you explain further what
 the problem was?


Although we were not using OMAPI, our 1.6.x /etc/cobbler/dhcp.template
had the declaration below. After migrating to 2.0, the
/etc/cobbler/dhcp.template still had this declaration (my fault, I
should have removed it):

#if $omapi_enabled
 omapi-port $omapi_port;
#end if

Then cobbler sync failed with a cheetah template instantiation error.

 Tue Sep 29 08:10:51 2009 - INFO | Exception occured: cexceptions.CX
Tue Sep 29 08:10:51 2009 - INFO | Exception value: 'Error templating file:
/etc/dhcpd.conf'
Tue Sep 29 08:10:51 2009 - INFO | Exception Info:
  File /usr/lib/python2.4/site-packages/cobbler/remote.py, line 92, in run
rc = self._run(self)
   File /usr/lib/python2.4/site-packages/cobbler/remote.py, line 181, in
runner
return
self.remote.api.sync(self.options.get(verbose,False),logger=self.logger)
   File /usr/lib/python2.4/site-packages/cobbler/api.py, line 599, in sync
return sync.run()
   File /usr/lib/python2.4/site-packages/cobbler/action_sync.py, line 124,
in run
self.dhcp.write_dhcp_file()
   File /usr/lib/python2.4/site-packages/cobbler/modules/manage_isc.py,
line 193, in write_dhcp_file
self.templar.render(template_data, metadata, self.settings_file, None)
   File /usr/lib/python2.4/site-packages/cobbler/templar.py, line 129, in
render
raise CX(Error templating file: %s % out_path)

Tue Sep 29 08:10:51 2009 - ERROR | ### TASK FAILED ###




 
 -  Some text comments attached with the systems had
  accents/diacritics char.
I had to remove them (from JSON files) to avoid a Python stack
  trace in the new WEB interface
(1.6.x was not having issue there - may be due to the move to
  django)

 Hmm, interesting.  Please make sure there is a Trac item for this one.

 See my earlier note about how to get an account and file a bug.



Done (Ticket 501)




 
 
 - In the new WEB interface, I got python stack trace when trying to
  sort the Systems view on a per profile basis
The pb was with the /usr/share/cobbler/session/sessionid. file
the following solved the issue:
 
root# chcon -t httpd_sys_content_t /usr/share/cobbler/web/sessions
 
and to be sure it will be persistent:
root # /usr/sbin/semanage fcontext -a -t httpd_sys_content_t
  /usr/share/cobbler/web(/.*)?


 Ah, nice find.  It is true we haven't done much SELinux testing with
 cobbler_web.  This should be added to the rules that cobbler check
 reports that the user should set.

 Let's make sure we have a record of this bug in Trac.



Done. (Ticket 502)







 
  - The owners field is not displayed anymore in the web interface.
 That was very useful to figure out who to contact.
 
  Any easy way to make it visible again ?
 

 I've just fixed that, it appears we had two objects that had this still
 marked as a hidden field.   Thanks!  (no need for a Trac item on this one).


Cool, thanks.







 
  Apart from the small annoyances above, cobbler 2.0 on server1 (the migrated
  one) works very well
  and I continue testing and experimenting with it.

 Much appreciated!

 Again, if you can make sure the two bugs noted above have Trac items
 we'll make sure they are fixed.


Done (3 tickets entered).


thanks,

Phil.


Re: cobbler 2.0 workaround for SELinux and misc issues

2009-09-29 Thread Michael DeHaan

On 09/29/2009 03:24 AM, Philippe Eveque wrote:



2009/9/28 Michael DeHaan mdeh...@redhat.com


 I noticed the following:

 - on server2 set up from scratch
cobbler import was complaining that the issued rsync
 command was failing
I had to disable SELinux for rsync to make cobbler import work
 with the following command.

root# setsebool -P rsync_disable_trans=1

What OS were you running from?


RHEL 5 (I should have mentioned it).



Were you doing an import from an rsync mirror (as in rsync protocol, 
rsync://) or just a DVD or filesystem path?  I'm surprised we didn't
hit that in SELinux testing on previous releases as that hasn't really 
changed.


Anyway, let's get a ticket for this one too and we'll check it out.










Although we were not using OMAPI, our 1.6.x /etc/cobbler/dhcp.template
had the declaration below. After migrating to 2.0, the
/etc/cobbler/dhcp.template still had this declaration (my
fault, I should have removed it):


#if $omapi_enabled
 omapi-port $omapi_port;
#end if

Then cobbler sync failed with a cheetah template instantiation error.



Ah, yes, that's one of the .rpmnew files you have to pay attention to on 
upgrades.


This one is not a bug.  Thanks very much for filing the others!

--Michael



Re: cobbler 2.0 workaround for SELinux and misc issues

2009-09-29 Thread Philippe Eveque
2009/9/29 Michael DeHaan mdeh...@redhat.com

  On 09/29/2009 03:24 AM, Philippe Eveque wrote:



 2009/9/28 Michael DeHaan mdeh...@redhat.com


  I noticed the following:
 
  - on server2 set up from scratch
 cobbler import was complaining that the issued rsync
  command was failing
 I had to disable SELinux for rsync to make cobbler import work
  with the following command.
 
 root# setsebool -P rsync_disable_trans=1

  What OS were you running from?


 RHEL 5 (I should have mentioned it).



 Were you doing an import from an rsync mirror (as in rsync protocol,
 rsync://) or just a DVD or filesystem path?  I'm surprised we didn't hit
 that in SELinux testing on previous releases as that hasn't really
 changed.



Here is the sequence I used with the results

[root]# getsebool -a | grep rsync
allow_rsync_anon_write -- off
rsync_disable_trans -- off
rsync_export_all_ro -- off

Now try to import an iso image something that is locally loop back mounted
via
 mount /var/rhel-server-5.3-i386-dvd.iso /mnt/RHEL5.3 -o loop


[root]# cobbler import --name=philtrial --arch=x86 --path=/mnt/RHEL5.3
task started:
2009-09-29_162939_import
task started (id=Media import, time=Tue Sep 29 16:29:39
2009)
running: rsync -a  '/mnt/RHEL5.3/' /var/www/cobbler/ks_mirror/philtrial-i386
--exclude-from=/etc/cobbler/rsync.exclude --progress
returned:
12

Exception occured: cobbler.cexceptions.CX

Exception value: 'Command
failed'

Exception
Info:

  File /usr/lib/python2.4/site-packages/cobbler/utils.py, line 108, in
die
raise
CX(msg)


Exception occured: cobbler.cexceptions.CX
Exception value: 'Command failed'
Exception Info:
  File /usr/lib/python2.4/site-packages/cobbler/remote.py, line 94, in run
rc = self._run(self)
   File /usr/lib/python2.4/site-packages/cobbler/remote.py, line 223, in
runner
self.logger
   File /usr/lib/python2.4/site-packages/cobbler/api.py, line 647, in
import_tree
return importer.run()
   File /usr/lib/python2.4/site-packages/cobbler/action_import.py, line
181, in run
self.run_this(rsync_cmd, (spacer, self.mirror, self.settings.webdir,
self.mirror_name))
   File /usr/lib/python2.4/site-packages/cobbler/action_import.py, line
262, in run_this
utils.die(self.logger,Command failed)
   File /usr/lib/python2.4/site-packages/cobbler/utils.py, line 116, in
die
raise CX(msg)

!!! TASK FAILED !!!


then switch off the  SELinux rsync  and retry (as it was already done it is
fast :-) )

[root]# setsebool -P rsync_disable_trans=1
[root]# cobbler import --name=philtrial --arch=x86 --path=/mnt/RHEL5.3
task started: 2009-09-29_163011_import
task started (id=Media import, time=Tue Sep 29 16:30:11 2009)
running: rsync -a  '/mnt/RHEL5.3/' /var/www/cobbler/ks_mirror/philtrial-i386
--exclude-from=/etc/cobbler/rsync.exclude --progress
building file list ...
2516 files to consider

sent 89541 bytes  received 20 bytes  179122.00 bytes/sec
total size is 2729915423  speedup is 30481.07
returned: 0
adding distros
scanning /var/www/cobbler/ks_mirror/philtrial-i386/images/pxeboot for distro
signature
scanning /var/www/cobbler/ks_mirror/philtrial-i386/images for distro
signature
scanning /var/www/cobbler/ks_mirror/philtrial-i386 for distro signature
found content (breed=redhat) at /v
skipping import, as distro name already exists: philtrial-i386
scanning /var/www/cobbler/ks_mirror/philtrial-i386/images/xen for distro
signature
scanning /var/www/cobbler/ks_mirror/philtrial-i386/images for distro
signature
scanning /var/www/cobbler/ks_mirror/philtrial-i386 for distro signature
found content (breed=redhat) at /v
skipping import, as distro name already exists: philtrial-xen-i386
associating repos
associating kickstarts
*** TASK COMPLETE ***


and IIRC, the result was the same when rsyncing from a remote location.


Anyway, let's get a ticket for this one too and we'll check it out.


Ok sure.











 Although we were not using OMAPI, our 1.6.x /etc/cobbler/dhcp.template
 had the declaration below. After migrating to 2.0, the
 /etc/cobbler/dhcp.template still had this declaration (my fault, I
 should have removed it):

 #if $omapi_enabled
  omapi-port $omapi_port;
 #end if

 Then cobbler sync failed with a cheetah template instantiation error.



 Ah, yes, that's one of the .rpmnew files you have to pay attention to on
 upgrades.

 This one is not a bug.  Thanks very much for filing the others!

 --Michael




Re: cobbler 2.0 workaround for SELinux and misc issues

2009-09-28 Thread Michael DeHaan

 I noticed the following:

 - on server2 set up from scratch
cobbler import was complaining that the issued rsync 
 command was failing
I had to disable SELinux for rsync to make cobbler import work
 with the following command.

root# setsebool -P rsync_disable_trans=1

What OS were you running from?

(General note -- Cobbler+SELinux is not supported on RHEL 4 (it is too 
primitive to share content between Apache and TFTP) but RHEL 5 and on it is)

This may be a rule we want to indicate in cobbler check  alongside the 
httpd_can_network_connect item it already reports about today.

Let's make sure there's a Trac open on this one.

 - on server1 (migrated from 1.6.x) and after migration:

- Had to remove the omapi section from the
 /etc/cobbler/dhcp.template file
   a task for cobbler check ?
   (not sure but that helps dumb guy like myself not reading the 
 docs... :-( )

OMAPI is no longer supported in 2.0, so I am not sure what the problem 
is or why you would have to remove it.   Can you explain further what 
the problem was?



-  Some text comments attached with the systems had 
 accents/diacritics char.
   I had to remove them (from JSON files) to avoid a Python stack
 trace in the new WEB interface
   (1.6.x was not having issue there - may be due to the move to 
 django)

Hmm, interesting.  Please make sure there is a Trac item for this one.

See my earlier note about how to get an account and file a bug.




- In the new WEB interface, I got python stack trace when trying to 
 sort the Systems view on a per profile basis
   The pb was with the /usr/share/cobbler/session/sessionid. file
   the following solved the issue:

   root# chcon -t httpd_sys_content_t /usr/share/cobbler/web/sessions

   and to be sure it will be persistent:
   root # /usr/sbin/semanage fcontext -a -t httpd_sys_content_t 
 /usr/share/cobbler/web(/.*)?


Ah, nice find.  It is true we haven't done much SELinux testing with
cobbler_web.  This should be added to the rules that cobbler check
reports that the user should set.

Let's make sure we have a record of this bug in Trac.





 - The owners field is not displayed anymore in the web interface.
That was very useful to figure out who to contact.

 Any easy way to make it visible again ?


I've just fixed that, it appears we had two objects that had this still 
marked as a hidden field.   Thanks!  (no need for a Trac item on this one).






 Apart from the small annoyances above, cobbler 2.0 on server1 (the migrated
 one) works very well
 and I continue testing and experimenting with it.

Much appreciated!

Again, if you can make sure the two bugs noted above have Trac items 
we'll make sure they are fixed.

Thanks!

--Michael
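
Added example (not part of the thread and not cobbler's own code): a shell check in the spirit of the "cobbler check" rules discussed in these messages. It flags the rsync_disable_trans workaround if it is left on and verifies that the persistent file-context rule for the web directory exists. The expected boolean states and the sample getsebool / semanage output lines are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example, not cobbler code. All sample data below is constructed.

# Assumed policy for a cobbler host. rsync_disable_trans=on is the thread's
# workaround: it keeps rsync out of its confined SELinux domain.
EXPECTED="rsync_disable_trans=off httpd_can_network_connect=on"

# Read `getsebool -a` output on stdin ("name --> off"; the "name -- off"
# form shown in the archive parses too). Returns non-zero on any finding.
audit_sebool() {
    awk -v expected="$EXPECTED" '
        BEGIN {
            n = split(expected, pairs, " ")
            for (i = 1; i <= n; i++) { split(pairs[i], kv, "="); want[kv[1]] = kv[2] }
        }
        NF >= 3 && ($1 in want) {
            seen[$1] = 1
            if ($NF == want[$1]) { print "OK " $1 " is " $NF }
            else { print "FINDING " $1 " is " $NF ", expected " want[$1]; bad++ }
        }
        END {
            for (b in want) if (!(b in seen)) { print "MISSING " b; bad++ }
            exit (bad > 0)
        }'
}

# Read `semanage fcontext -l` output on stdin and confirm a persistent rule
# maps path spec $1 to type $2 (a chcon label alone is lost on relabel).
audit_fcontext() {
    awk -v spec="$1" -v t="$2" '
        $1 == spec && index($NF ":", ":" t ":") { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Constructed samples: booleans after the workaround, and the rule added above.
SEBOOL_WORKAROUND='httpd_can_network_connect --> on
rsync_disable_trans --> on
rsync_export_all_ro --> off'
FCONTEXT_SAMPLE='/usr/share/cobbler/web(/.*)?  all files  system_u:object_r:httpd_sys_content_t:s0'

printf '%s\n' "$SEBOOL_WORKAROUND" | audit_sebool || echo "booleans need review"
printf '%s\n' "$FCONTEXT_SAMPLE" |
    audit_fcontext '/usr/share/cobbler/web(/.*)?' httpd_sys_content_t &&
    echo "persistent fcontext rule present"
```

On a live host, pipe the real `getsebool -a` and `semanage fcontext -l` output into the two functions instead of the samples.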

