cvmfs-contrib / cvmfs-contrib-release


cvmfs-contrib-release does not work on EL8 #13

Closed rptaylor closed 3 years ago

rptaylor commented 3 years ago

Hi @DrDaveD

On CentOS 8:

$ sudo yum install https://ecsft.cern.ch/dist/cvmfs/cvmfs-contrib-release/cvmfs-contrib-release-latest.noarch.rpm

But the yum repo is a broken link:

$ ls -l /etc/yum.repos.d/cvmfs-contrib.repo 
lrwxrwxrwx. 1 root root 55 Oct 19 22:10 /etc/yum.repos.d/cvmfs-contrib.repo -> /usr/share/cvmfs-contrib-release/cvmfs-contrib-el8.repo

And there is no EL8 file:

$ rpm -ql cvmfs-contrib-release
/etc/pki/rpm-gpg/RPM-GPG-KEY-CVMFS-CONTRIB
/etc/yum.repos.d
/etc/yum.repos.d/cvmfs-contrib.repo
/usr/share/cvmfs-contrib-release
/usr/share/cvmfs-contrib-release/cvmfs-contrib-el6.repo
/usr/share/cvmfs-contrib-release/cvmfs-contrib-el7.repo

Will the servermon, etc. packages be available for EL8 soon?

Thanks!

DrDaveD commented 3 years ago

I have now updated cvmfs-contrib-release in v1.12, and requested that it get installed onto ecsft.cern.ch.

Let me know exactly which packages you want on el8 besides cvmfs-servermon, because those based on python need to be updated to explicitly select a python version.

rptaylor commented 3 years ago

Thanks! Mainly interested in just servermon for now.

DrDaveD commented 3 years ago

cvmfs-servermon is now in cvmfs-contrib-testing. I had to convert it to python3 for el8, so I may have missed something or possibly broken something on el7 which is still using python2. Please test it and make sure it's working for you, and let me know.

rptaylor commented 3 years ago

On EL7 I updated to cvmfs-servermon-1.13-1.17.obs.el7.noarch and it seems okay; does that have the change you mentioned? http://cvmfs-s1-east.computecanada.ca:8000/cvmfsmon/api/v1.0/all&format=details I couldn't find any log messages produced by servermon; not sure what would happen if e.g. it throws a python exception.

On EL8 I installed cvmfs-servermon-1.14-1.0.16.obs.el8.noarch.rpm, but not sure if it is working as expected yet. There is some other problem on the EL8 stratum server.

DrDaveD commented 3 years ago

The new version on EL7 would be 1.14-1.0.16 just like on EL8. It is in the el7 cvmfs-contrib-testing repo.

Log messages go to /var/log/httpd/error_log.

rptaylor commented 3 years ago

On EL8 it did not work at first. The URL http://206.12.94.34:8000/cvmfsmon/api/v1.0/all&format=details showed a permission denied error: http://127.0.0.1/cvmfs/info/v1/repositories.json error: <urlopen error [Errno 13] Permission denied>

And there was an SELinux error that started when I started to use servermon: SELinux is preventing httpd from name_connect access on the tcp_socket port 80

The full report is

$ sudo sealert -l 4f2e65bd-27f7-49f3-af11-5568393197f0
SELinux is preventing httpd from name_connect access on the tcp_socket port 80.

*****  Plugin catchall_boolean (24.7 confidence) suggests   ******************

If you want to allow httpd to can network connect
Then you must tell SELinux about this by enabling the 'httpd_can_network_connect' boolean.

Do
setsebool -P httpd_can_network_connect 1

*****  Plugin catchall_boolean (24.7 confidence) suggests   ******************

If you want to allow httpd to graceful shutdown
Then you must tell SELinux about this by enabling the 'httpd_graceful_shutdown' boolean.

Do
setsebool -P httpd_graceful_shutdown 1

*****  Plugin catchall_boolean (24.7 confidence) suggests   ******************

If you want to allow httpd to can network relay
Then you must tell SELinux about this by enabling the 'httpd_can_network_relay' boolean.

Do
setsebool -P httpd_can_network_relay 1

*****  Plugin catchall_boolean (24.7 confidence) suggests   ******************

If you want to allow nis to enabled
Then you must tell SELinux about this by enabling the 'nis_enabled' boolean.

Do
setsebool -P nis_enabled 1

*****  Plugin catchall (3.53 confidence) suggests   **************************

If you believe that httpd should be allowed name_connect access on the port 80 tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'httpd' --raw | audit2allow -M my-httpd
# semodule -X 300 -i my-httpd.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:object_r:http_port_t:s0
Target Objects                port 80 [ tcp_socket ]
Source                        httpd
Source Path                   httpd
Port                          80
Host                          cvmfs-s1-galaxyproject.novalocal
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.3-41.el8_2.6.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     cvmfs-s1-galaxyproject.novalocal
Platform                      Linux cvmfs-s1-galaxyproject.novalocal
                              4.18.0-193.19.1.el8_2.x86_64 #1 SMP Mon Sep 14
                              14:37:00 UTC 2020 x86_64 x86_64
Alert Count                   5
First Seen                    2020-10-23 21:04:12 UTC
Last Seen                     2020-10-23 21:50:33 UTC
Local ID                      4f2e65bd-27f7-49f3-af11-5568393197f0

Raw Audit Messages
type=AVC msg=audit(1603489833.666:234270): avc:  denied  { name_connect } for  pid=204589 comm="httpd" dest=80 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0

Hash: httpd,httpd_t,http_port_t,tcp_socket,name_connect

But after doing sudo setsebool -P httpd_can_network_connect 1 it started to work. So I suppose the servermon package should include that SELinux rule?

rptaylor commented 3 years ago

I confirmed that httpd runs and is accessible on port 80 without this rule. e.g. http://206.12.94.34/cvmfs/info/v1/repositories.json

So httpd_can_network_connect is only required for servermon to work. The description of this SELinux bool is "Allow HTTPD scripts and modules to connect to the network." https://wiki.centos.org/TipsAndTricks/SelinuxBooleans

DrDaveD commented 3 years ago

I never use SELinux so I depend on the people that want it to tell me how to enable it in packages I maintain. Can you confirm that all I need to do is put setsebool -P httpd_can_network_connect 1 in the rpm postinstall section?

rptaylor commented 3 years ago

I don't use SELinux much either, but yes that seems right.

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-working_with_selinux-booleans
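A guarded form of the scriptlet discussed in the two comments above, added here as an example; it is not code from cvmfs-contrib or from either commenter, and the function names (avc_suggest_boolean, ensure_sebool_on) are invented for illustration, while selinuxenabled, getsebool and setsebool are the standard libselinux-utils/policycoreutils tools. It also triages the raw AVC line from the sealert report: of the booleans sealert listed, httpd_can_network_relay grants httpd_t name_connect to http-class ports (http_port_t, which covers the port-80 loopback fetch of repositories.json here), whereas httpd_can_network_connect lets httpd reach any TCP port, so the narrower boolean is worth trying before the broad one the thread settled on.

```shell
#!/bin/sh
# Added example, not cvmfs-contrib code. Two helpers for the SELinux step:
#   avc_suggest_boolean  - map a raw AVC denial line to the boolean that grants it
#   ensure_sebool_on     - %post-style guard around "setsebool -P BOOL 1"

# Print the SELinux boolean that would resolve a raw AVC line and return 0,
# or print nothing and return 1 when the line is not an httpd_t name_connect
# denial. Field order in AVC records is fixed (denied, perms, pid, comm,
# dest, scontext, tcontext, tclass), so a shell glob is enough to classify.
avc_suggest_boolean() {
    line="$1"
    case "$line" in
        *"avc:  denied"*"{ name_connect }"*"scontext="*":httpd_t:"*"tcontext="*":http_port_t:"*"tclass=tcp_socket"*)
            # Target port is labelled http_port_t (80, 443, 8008, 8443, ...):
            # httpd_can_network_relay covers exactly the http-class ports.
            echo httpd_can_network_relay
            return 0 ;;
        *"avc:  denied"*"{ name_connect }"*"scontext="*":httpd_t:"*"tclass=tcp_socket"*)
            # Any other port label: only the broad boolean opens it.
            echo httpd_can_network_connect
            return 0 ;;
    esac
    return 1
}

# Persistently enable BOOL, but only on a host where SELinux is loaded and
# only if it is not already on. Safe to run from an RPM %post: it is a no-op
# without SELinux and idempotent on repeated installs/upgrades, so the slow
# policy rebuild that "setsebool -P" triggers happens at most once.
ensure_sebool_on() {
    bool="$1"
    if ! command -v selinuxenabled >/dev/null 2>&1 || ! selinuxenabled 2>/dev/null; then
        return 0    # no SELinux on this host: nothing to do, do not fail the install
    fi
    current=$(getsebool "$bool" 2>/dev/null)   # prints "BOOL --> on|off"
    current=${current##* }
    if [ "$current" = "on" ]; then
        return 0    # already enabled (by the admin or an earlier install)
    fi
    setsebool -P "$bool" 1
}

# Constructed sample input: the raw AVC line quoted in the sealert report above.
SAMPLE_AVC='type=AVC msg=audit(1603489833.666:234270): avc:  denied  { name_connect } for  pid=204589 comm="httpd" dest=80 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0'

# Stand-alone run: show the suggested boolean. Apply it with
#   ensure_sebool_on "$(avc_suggest_boolean "$SAMPLE_AVC")"
# as root on the SELinux host; not done here so the script has no side effects.
avc_suggest_boolean "$SAMPLE_AVC"
```

In a spec file the %post scriptlet would inline ensure_sebool_on and call `ensure_sebool_on httpd_can_network_connect || :` (the `|| :` is the usual rpm idiom so a scriptlet failure does not abort the transaction), with `Requires(post): libselinux-utils policycoreutils` so the tools are present when the scriptlet runs. `-P` writes the boolean into the policy store, which is why the change survived the reboot-free reinstall test above; the "already on" check is what keeps an upgrade from paying for the policy rebuild again.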

DrDaveD commented 3 years ago

@rptaylor Please test cvmfs-servermon version 1.14-2.0.17 on an el8 selinux system that doesn't previously have the setsebool parameter enabled.

rptaylor commented 3 years ago

I did

sudo yum erase cvmfs-servermon
sudo setsebool -P httpd_can_network_connect 0

sudo yum install cvmfs-servermon  --enablerepo=cvmfs-contrib-testing

Oct 30 20:17:26 cvmfs-s1-galaxyproject.novalocal setsebool[878744]: The httpd_can_network_connect policy boolean was changed to 1 by root

and it works: http://cvmfs-s1-galaxy.computecanada.ca:8000/cvmfsmon/api/v1.0/all&format=details

DrDaveD commented 3 years ago

The new cvmfs-servermon is now also in the main cvmfs-contrib yum repo.