Closed rptaylor closed 3 years ago
Thanks! Mainly interested in just servermon for now.
cvmfs-servermon is now in cvmfs-contrib-testing. I had to convert it to python3 for el8, so I may have missed something or possibly broken something on el7 which is still using python2. Please test it and make sure it's working for you, and let me know.
On EL7 I updated to cvmfs-servermon-1.13-1.17.obs.el7.noarch and it seems okay; does that have the change you mentioned? http://cvmfs-s1-east.computecanada.ca:8000/cvmfsmon/api/v1.0/all&format=details I couldn't find any log messages produced by servermon; not sure what would happen if e.g. it throws a python exception.
On EL8 I installed cvmfs-servermon-1.14-1.0.16.obs.el8.noarch.rpm, but not sure if it is working as expected yet. There is some other problem on the EL8 stratum server.
The new version on EL7 would be 1.14-1.0.16 just like on EL8. It is in the el7 cvmfs-contrib-testing repo.
Log messages go to /var/log/httpd/error_log.
On EL8 it did not work at first. The URL http://206.12.94.34:8000/cvmfsmon/api/v1.0/all&format=details showed a permission denied error:
http://127.0.0.1/cvmfs/info/v1/repositories.json error: <urlopen error [Errno 13] Permission denied>
And there was an SELinux error that started when I started to use servermon:
SELinux is preventing httpd from name_connect access on the tcp_socket port 80
The full report is
$ sudo sealert -l 4f2e65bd-27f7-49f3-af11-5568393197f0
SELinux is preventing httpd from name_connect access on the tcp_socket port 80.
***** Plugin catchall_boolean (24.7 confidence) suggests ******************
If you want to allow httpd to can network connect
Then you must tell SELinux about this by enabling the 'httpd_can_network_connect' boolean.
Do
setsebool -P httpd_can_network_connect 1
***** Plugin catchall_boolean (24.7 confidence) suggests ******************
If you want to allow httpd to graceful shutdown
Then you must tell SELinux about this by enabling the 'httpd_graceful_shutdown' boolean.
Do
setsebool -P httpd_graceful_shutdown 1
***** Plugin catchall_boolean (24.7 confidence) suggests ******************
If you want to allow httpd to can network relay
Then you must tell SELinux about this by enabling the 'httpd_can_network_relay' boolean.
Do
setsebool -P httpd_can_network_relay 1
***** Plugin catchall_boolean (24.7 confidence) suggests ******************
If you want to allow nis to enabled
Then you must tell SELinux about this by enabling the 'nis_enabled' boolean.
Do
setsebool -P nis_enabled 1
***** Plugin catchall (3.53 confidence) suggests **************************
If you believe that httpd should be allowed name_connect access on the port 80 tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'httpd' --raw | audit2allow -M my-httpd
# semodule -X 300 -i my-httpd.pp
Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:object_r:http_port_t:s0
Target Objects port 80 [ tcp_socket ]
Source httpd
Source Path httpd
Port 80
Host cvmfs-s1-galaxyproject.novalocal
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.14.3-41.el8_2.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name cvmfs-s1-galaxyproject.novalocal
Platform Linux cvmfs-s1-galaxyproject.novalocal
4.18.0-193.19.1.el8_2.x86_64 #1 SMP Mon Sep 14
14:37:00 UTC 2020 x86_64 x86_64
Alert Count 5
First Seen 2020-10-23 21:04:12 UTC
Last Seen 2020-10-23 21:50:33 UTC
Local ID 4f2e65bd-27f7-49f3-af11-5568393197f0
Raw Audit Messages
type=AVC msg=audit(1603489833.666:234270): avc: denied { name_connect } for pid=204589 comm="httpd" dest=80 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
Hash: httpd,httpd_t,http_port_t,tcp_socket,name_connect
But after doing sudo setsebool -P httpd_can_network_connect 1
it started to work. So I suppose the servermon package should include that SELinux rule?
I confirmed that httpd runs and is accessible on port 80 without this rule. e.g. http://206.12.94.34/cvmfs/info/v1/repositories.json
So httpd_can_network_connect is only required for servermon to work. The description of this SELinux bool is "Allow HTTPD scripts and modules to connect to the network." https://wiki.centos.org/TipsAndTricks/SelinuxBooleans
I never use SELinux so I depend on the people that want it to tell me how to enable it in packages I maintain. Can you confirm that all I need to do is put setsebool -P httpd_can_network_connect 1
in the rpm postinstall section?
I don't use SELinux much either, but yes that seems right.
@rptaylor Please test cvmfs-servermon version 1.14-2.0.17 on an el8 selinux system that doesn't previously have the setsebool parameter enabled.
I did
sudo yum erase cvmfs-servermon
sudo setsebool -P httpd_can_network_connect 0
sudo yum install cvmfs-servermon --enablerepo=cvmfs-contrib-testing
Oct 30 20:17:26 cvmfs-s1-galaxyproject.novalocal setsebool[878744]: The httpd_can_network_connect policy boolean was changed to 1 by root
and it works: http://cvmfs-s1-galaxy.computecanada.ca:8000/cvmfsmon/api/v1.0/all&format=details
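Added example, not code from the cvmfs-servermon package or from either poster: a POSIX shell script that classifies the AVC denial quoted earlier in the thread (the name_connect from httpd_t to http_port_t on a tcp_socket) and emits a guarded %post snippet of the kind discussed above. The guard matters because a bare setsebool -P in %post fails when SELinux is disabled or policycoreutils is not installed, which would break the package install; the snippet assumes the standard paths /usr/sbin/setsebool and /usr/sbin/selinuxenabled. The function names (avc_field, avc_perm, selinux_type, suggest_boolean, post_snippet) are mine. The sealert output above also lists httpd_can_network_relay, which only opens the web and proxy ports rather than all network connections; the script comments note it but returns the boolean the thread actually used.

```shell
#!/bin/sh
# Added example (not part of cvmfs-servermon): map an AVC denial to the
# SELinux boolean used in the thread and print a guarded RPM %post snippet.

# The raw audit line quoted in the issue, embedded here as the sample input.
AVC_SAMPLE='type=AVC msg=audit(1603489833.666:234270): avc: denied { name_connect } for pid=204589 comm="httpd" dest=80 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0'

# avc_field LINE KEY -> value of the "KEY=value" token in an AVC line
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_perm LINE -> the denied permission inside "{ ... }"
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p' | tr -d ' '
}

# selinux_type CONTEXT -> the type field of user:role:type:level
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# suggest_boolean LINE -> boolean name, or "unknown" for denials this
# example does not recognise. For httpd_t connecting to http_port_t the
# thread used httpd_can_network_connect; httpd_can_network_relay (also
# listed by sealert) is the narrower choice, covering web/proxy ports only.
suggest_boolean() {
    line=$1
    src=$(selinux_type "$(avc_field "$line" scontext)")
    tgt=$(selinux_type "$(avc_field "$line" tcontext)")
    cls=$(avc_field "$line" tclass)
    perm=$(avc_perm "$line")
    if [ "$src" = httpd_t ] && [ "$cls" = tcp_socket ] && [ "$perm" = name_connect ]; then
        case $tgt in
            http_port_t) echo httpd_can_network_connect ;;
            *)           echo unknown ;;
        esac
    else
        echo unknown
    fi
}

# post_snippet BOOLEAN -> a %post section that only touches SELinux when the
# tools exist and SELinux is enabled, and never fails the package install.
post_snippet() {
    bool=$1
    cat <<EOF
%post
if [ -x /usr/sbin/setsebool ] && /usr/sbin/selinuxenabled 2>/dev/null; then
    /usr/sbin/setsebool -P $bool 1 || :
fi
EOF
}

# Stand-alone run: classify the sample denial and print the snippet for it.
bool=$(suggest_boolean "$AVC_SAMPLE")
echo "denial maps to boolean: $bool"
post_snippet "$bool"
```

Feed a real denial by replacing AVC_SAMPLE with a line from `ausearch -m AVC --raw`; anything other than the httpd_t/http_port_t/tcp_socket/name_connect pattern reports unknown rather than guessing a boolean.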
The new cvmfs-servermon is now also in the main cvmfs-contrib yum repo.
Hi @DrDaveD
On CentOS 8:
But the yum repo is a broken link:
And there is no EL8 file:
Will the servermon, etc. packages be available for EL8 soon?
Thanks!