Closed dominikl closed 5 months ago
As an update on this front, using the latest commit on this role for the deployment of prod121, Nginx was returning 502 Bad Gateway on all OMERO VMs. Setting httpd_can_network_relay using
for i in omeroreadwrite omeroreadonly-1 omeroreadonly-2 omeroreadonly-3 omeroreadonly-4; do ssh $i sudo setsebool -P httpd_can_network_relay 1; done
was sufficient to fix the proxying of the OMERO.web application through Nginx.
I have checked the issue of having the 502 error after the deployment. I found out that port 4080 is already opened, so the selinux ports task has run.
When turning on httpd_can_network_connect, it works fine and this will fix the 502 error. But it will work even after deleting the 4080 open port rule, so I think it will work for any port even if it does not have a rule.
Turning on httpd_can_network_relay works fine and fixes the issue only if port 4080 is opened. I think it will work only with the opened ports, so I think we should use httpd_can_network_relay.
I think the only change needed is adding a new item, i.e. httpd_can_network_relay, to the omero web | selinux booleans task inside the web-dependencies.yml file.
I think we should keep using the selinux_enabled variable until I check the ome.selinux_utils role, as I have found comments inside the role about a bug that leads to the use of this logic to determine the selinux_enabled variable value.
I have tested adding httpd_can_network_relay to the omero web | selinux booleans task items and copied it to an ansible-book. I have tested on pilot-rocky9-omeroreadwrite and it seems to be working fine and fixed the issue.
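The change discussed above, written out as an added example (this is not the ome role's own code and has not been copied from web-dependencies.yml): the port task labels the OMERO.web port so that the narrower httpd_can_network_relay boolean is enough for Nginx to reach it, and a final check task fails the play if the boolean did not stick. The task names, the `omero_web_port` variable and the `http_port_t` label are assumptions; `selinux_enabled` is the variable named in the thread.

```yaml
# Added example, not the role's own tasks. Assumed names: omero_web_port,
# http_port_t for the OMERO.web port, and the "omero web | ..." task names.
# selinux_enabled is the variable already used by the role (see thread).

# Label the OMERO.web port, so httpd_can_network_relay (which only permits
# connections to http-labelled ports) covers it. Without this label the relay
# boolean is not enough and Nginx returns 502.
- name: omero web | selinux ports
  community.general.seport:
    ports: "{{ omero_web_port | default(4080) }}"
    proto: tcp
    setype: http_port_t
    state: present
  when: selinux_enabled

# Prefer httpd_can_network_relay over httpd_can_network_connect: relay is
# limited to labelled ports, connect lets httpd_t reach any TCP port.
- name: omero web | selinux booleans
  ansible.posix.seboolean:
    name: "{{ item }}"
    state: true
    persistent: true
  loop:
    - httpd_can_network_relay
  when: selinux_enabled

# Verify the persisted state instead of trusting the module's "ok":
# getsebool prints "httpd_can_network_relay --> on" when active.
- name: omero web | verify httpd_can_network_relay is on
  ansible.builtin.command: getsebool httpd_can_network_relay
  register: omero_web_relay_state
  changed_when: false
  failed_when: "'--> on' not in omero_web_relay_state.stdout"
  when: selinux_enabled
```

Deliberately left out of this example is any task that forces httpd_can_network_connect off: in layered deployments such as IDR the outer proxy role may legitimately turn it on, and clobbering it from the OMERO.web role would break that setup.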
I agree with the discussion and the proposal above. In the typical deployment scenario where OMERO.web is served via Nginx, my understanding is that httpd_can_network_relay should be sufficient.
For more advanced scenarios where OMERO.web is under multiple proxy layers like IDR, the other proxies should be responsible for setting httpd_can_network_connect accordingly, as in https://github.com/ome/ansible-role-nginx-proxy/blob/58be997c4a68674187e91a6359d42bbc75b53888/tasks/nginx-selinux.yml#L4-L9
@pwalczysko it is probably worth testing that setting this SELinux boolean is sufficient to fix the OMERO.web issues in the context of the UoD RHEL9 OMERO systems by running
sudo setsebool -P httpd_can_network_connect 0
sudo setsebool -P httpd_can_network_relay 1
sudo setsebool -P httpd_can_network_network 0
@sbesson - is it a typo? See below please
[pwalczysko@ome-ci-upgrade ~]$ sudo setsebool -P httpd_can_network_network 0
[sudo] password for pwalczysko:
Boolean httpd_can_network_network is not defined
Yes, it was a typo. Updated my comment
I agree with the discussion and the proposal above. In the typical deployment scenario where OMERO.web is served via Nginx, my understanding is that httpd_can_network_relay should be sufficient. For more advanced scenarios where OMERO.web is under multiple proxy layers like IDR, the other proxies should be responsible for setting httpd_can_network_connect accordingly as in https://github.com/ome/ansible-role-nginx-proxy/blob/58be997c4a68674187e91a6359d42bbc75b53888/tasks/nginx-selinux.yml#L4-L9
@pwalczysko it is probably worth testing that setting this SELinux boolean is sufficient to fix the OMERO.web issues in the context of the UoD RHEL9 OMERO systems by running
sudo setsebool -P httpd_can_network_network 0
sudo setsebool -P httpd_can_network_relay 1
@sbesson Yes, after I adjusted your two suggested cmds as
sudo setsebool -P httpd_can_network_connect 0
sudo setsebool -P httpd_can_network_relay 1
I have a Bad Gateway after running the first cmd (....can_network_connect 0) where there was a functional webclient previously.
This is fixed by the second cmd, as (I hope) the test was expecting.
Fixes the issue on rocky9:
Also added a selinux command to allow nginx to serve omero.web, based on https://github.com/openmicroscopy/management_tools/pull/1710/files#r1516332291 (thanks @pwalczysko !). There was a comment saying "SELinux should be handled by openmicroscopy.omero-web-runtime", but omero-web-runtime says "This repository has been archived by the owner on Jan 8, 2021. It is now read-only.", so maybe we shouldn't rely on that.