Ah.  Silly me - it was an SELinux problem.  I was fooled by the fact that
the traceback and 'Permission denied' error occurred in kojid.log into
thinking that the problem was on the kojid side.  After attempting to trace
the code

    repo_id, event_id = self.session.host.repoInit(tinfo['id'], **kwargs)

and finding that session doesn't have a host method or attribute and
repoInit doesn't exist anywhere in kojid, I searched every file on both
systems for repoInit and found it in /usr/share/koji-hub/kojihub.py - with
corresponding error messages in /var/log/httpd/error_log.  I also discovered
the hub option KojiTraceback = extended, which helped.

The problem code was

  File "/usr/share/koji-hub/kojihub.py", line 2060, in repo_init
    os.makedirs(repodir)  #should not already exist

and after a setenforce 0 on the hub it started to work.  I was sure I had
checked the AVC log, but perhaps that was before I had nfs working.  Now it
shows:

[root@kojihub ~] # aureport --avc -ts recent

AVC Report
========================================================
# date time comm subj syscall class permission obj event
========================================================
1. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0 4 dir getattr system_u:object_r:nfs_t:s0 denied 494
2. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0 4 dir search system_u:object_r:nfs_t:s0 denied 493
3. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0 83 dir write system_u:object_r:nfs_t:s0 denied 495
4. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0 83 dir add_name system_u:object_r:nfs_t:s0 denied 495
5. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0 83 dir create unconfined_u:object_r:nfs_t:s0 denied 495
6. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0 2 file create unconfined_u:object_r:nfs_t:s0 denied 496
7. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0 2 file open system_u:object_r:nfs_t:s0 denied 496

Perhaps Koji/ServerHowTo could have a note for beginners that if the hub's
/mnt/koji is on nfs you need to beat SELinux into submission.  Unfortunately
my current nfs server doesn't have proper SELinux support.  I may have to
rearrange some disk space.

Moray.

"To err is human; to purr, feline."
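
The AVC report in the message above can be reduced to the access the hub's httpd process was actually refused, which is the information needed to fix the policy rather than leave the hub in permissive mode. The following is an added example, not part of the original message or of Koji; the function names are hypothetical, and the sample rows are taken from the report above, one left wrapped as the mail archive shows it.

```python
import re
from collections import defaultdict

# Rows taken from the report quoted in the message; row 4 is left
# wrapped across two lines the way the mail archive shows it.
REPORT = """\
# date time comm subj syscall class permission obj event
1. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0 4 dir getattr system_u:object_r:nfs_t:s0 denied 494
2. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0 4 dir search system_u:object_r:nfs_t:s0 denied 493
4. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0 83 dir
add_name system_u:object_r:nfs_t:s0 denied 495
6. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0 2 file create unconfined_u:object_r:nfs_t:s0 denied 496
"""

# Fields: index. date time comm subj syscall class permission obj result event
ROW = re.compile(r"^\d+\.\s+\S+\s+\S+\s+(?P<comm>\S+)\s+(?P<subj>\S+)\s+\S+\s+"
                 r"(?P<cls>\S+)\s+(?P<perm>\S+)\s+(?P<obj>\S+)\s+(?P<result>\S+)\s+\d+$")

def se_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def denied_access(report):
    """Map (comm, source type, target type) -> {class: sorted permissions}."""
    found = defaultdict(lambda: defaultdict(set))
    buf = ""
    for line in report.splitlines():
        line = line.strip()
        if re.match(r"^\d+\.\s", line):
            buf = line                      # a new numbered row starts
        elif buf and line:
            buf += " " + line               # continuation of a wrapped row
        m = ROW.match(buf)
        if m:
            if m["result"] == "denied":
                key = (m["comm"], se_type(m["subj"]), se_type(m["obj"]))
                found[key][m["cls"]].add(m["perm"])
            buf = ""
    return {k: {c: sorted(p) for c, p in v.items()} for k, v in found.items()}

def as_rules(access):
    """Render the summary in allow-rule syntax for review."""
    return [f"allow {src} {tgt}:{cls} {{ {' '.join(perms)} }};"
            for (_, src, tgt), classes in sorted(access.items())
            for cls, perms in sorted(classes.items())]

if __name__ == "__main__":
    print("\n".join(as_rules(denied_access(REPORT))))
```

Every denial here is httpd_t acting on nfs_t. On targeted policies that ship the httpd_use_nfs boolean (an assumption; the thread does not mention it), `getsebool httpd_use_nfs` shows whether that access is governed by a single switch.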

 

From: Andreas Mack [mailto:[email protected]] 
Sent: 13 April 2012 12:19
To: Discussion of Fedora build system
Subject: Re: newRepo Permission denied: '/mnt/koji/repos'

Hey,

just my two cents: It's possible to run the builders completely without NFS.
I use "topurl=" instead of "topdir=" in kojid.conf. The URL is
http://kojihub.domain.tld/kojimnt where kojimnt is apache aliased to the
/mnt/koji on kojihub. Regen repos has to be run on kojihub in that case. It's
the only one in the createrepo channel.

As for the NFS problem: Smells so much like SELinux. Maybe on the
server-side? Do you use NFS4?

HTH

Andreas

On Thu, Apr 12, 2012 at 17:40, Moray Henderson
<[email protected]> wrote:

Is this the right place for questions on local koji installations?

Fresh setup of koji on CentOS 6.2.  I've got hub, web and builder all
talking to each other, external repositories defined for the build tag and
build groups set up.

/mnt/koji is an nfs mount with root squashed to uid 48 (apache).  I've
tested that I can write to the subdirectories as root and the owner comes
out as apache.  The directory looks like

 # ll -R koji
 koji:
 total 16
 drwxr-xr-x 2 apache apache 4096 Apr 12 11:13 packages
 drwxr-xr-x 3 apache apache 4096 Apr 12 15:20 repos
 drwxr-xr-x 2 apache apache 4096 Apr 12 11:13 scratch
 drwxr-xr-x 2 apache apache 4096 Apr 12 11:13 work

 koji/packages:
 total 0

 koji/repos:
 total 0

 koji/scratch:
 total 0

 koji/work:
 total 0

The Koji/ExternalRepoServerBootstrap document says "Wait for the repo to
regenerate, and you should now be able to run a build successfully."
However, Koji-web lists the newRepo task as failed with result "<type
'exceptions.OSError'>: [Errno 13] Permission denied: '/mnt/koji/repos'".  On
the builder, kojid.log reports:

 2012-04-12 14:20:31,067 [INFO] koji.build: Starting up
 2012-04-12 14:20:34,363 [INFO] koji.TaskManager: Attempting to take task 176
 2012-04-12 14:20:36,275 [INFO] koji.TaskManager: pids: {176: 17925}
 2012-04-12 14:20:36,855 [WARNING] koji.TaskManager: FAULT:
 Traceback (most recent call last):
   File "/usr/lib/python2.6/site-packages/koji/daemon.py", line 1114, in runTask
     response = (handler.run(),)
   File "/usr/lib/python2.6/site-packages/koji/tasks.py", line 146, in run
     return self.handler(*self.params,**self.opts)
   File "/usr/sbin/kojid", line 2491, in handler
     repo_id, event_id = self.session.host.repoInit(tinfo['id'], **kwargs)
   File "/usr/lib/python2.6/site-packages/koji/__init__.py", line 1510, in __call__
     return self.__func(self.__name,args,opts)
   File "/usr/lib/python2.6/site-packages/koji/__init__.py", line 1760, in _callMethod
     raise err
 Fault: <Fault 1: "<type 'exceptions.OSError'>: [Errno 13] Permission denied: '/mnt/koji/repos'">

 2012-04-12 14:20:37,110 [INFO] koji.TaskManager: open task: {'waiting': None, 'id': 176, 'weight': 0.10000000000000001}


I've looked into the code, but my python is not up to debugging that.  It's
not an SELinux problem (I tried permissive mode) and /mnt/koji is mounted
read-write on the builder even though the documentation says that's not
necessary.  Can someone point me in the right direction?


Moray.
"To err is human; to purr, feline."


--
buildsys mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/buildsys

 