ome / ansible-role-omero-web

Installs and configures OMERO.web and Nginx
BSD 2-Clause "Simplified" License

Become root #50

Closed dominikl closed 5 months ago

dominikl commented 6 months ago

Fixes the issue on rocky9:

TASK [ome.omero_web : omero web | delete mod file] *********************************************************************************************************************************
fatal: [2f5d1f82-2aad-433b-ab9f-98c5fe25ffa5]: FAILED! => {"changed": false, "gid": 0, "group": "root", "mode": "0644", "msg": "unlinking failed: [Errno 1] Operation not permitted: b'/tmp/django.mod' ", "owner": "root", "path": "/tmp/django.mod", "secontext": "unconfined_u:object_r:user_tmp_t:s0", "size": 1104, "state": "file", "uid": 0}

Also added selinux command to allow nginx to serve omero.web, based on https://github.com/openmicroscopy/management_tools/pull/1710/files#r1516332291 (thanks @pwalczysko !) There was a comment saying "SELinux should be handled by openmicroscopy.omero-web-runtime" but omero-web-runtime: "This repository has been archived by the owner on Jan 8, 2021. It is now read-only. ", so maybe we shouldn't rely on that.

sbesson commented 6 months ago

As an update on this front, using the latest commit on this role for the deployment of prod121, Nginx was returning 502 Bad gateway on all OMERO VMs. Setting httpd_can_network_relay using

 for i in omeroreadwrite omeroreadonly-1 omeroreadonly-2 omeroreadonly-3 omeroreadonly-4; do ssh $i sudo setsebool -P httpd_can_network_relay 1; done

was sufficient to fix the proxying of the OMERO.web application through Nginx.

khaledk2 commented 6 months ago

I have checked the issue of having the 502 error after the deployment. I found out that port 4080 is already open, so the selinux ports task has run.

When turning on httpd_can_network_connect, it works fine and this will fix the 502 error. But it will work even after deleting the 4080 open port rule, so I think it will work for any port even if it does not have a rule.

Turning on httpd_can_network_relay works fine and fixes the issue only if port 4080 is open. I think it will work only with the opened ports, so I think we should use httpd_can_network_relay.

I think the only change needed is adding a new item, i.e. httpd_can_network_relay to the omero web | selinux booleans task inside the web-dependencies.yml file.

I think we should keep using the selinux_enabled variable until I check the ome.selinux_utils role as I have found comments inside the role about a bug that leads to the use of this logic to determine the selinux_enabled variable value.
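The behaviour worked out in the comments above (httpd_can_network_relay only reaches ports labelled for httpd such as 4080, while httpd_can_network_connect reaches any port) is exactly what a post-deployment check should confirm. The script below is an added example, not part of the ansible-role-omero-web role and not code posted by anyone in this thread. It parses text in the format of `getsebool -a` and `semanage port -l` and reports whether the narrower boolean is on, the broader one is off, and the OMERO.web port is labelled; the sample output embedded in it is constructed, and the `--live` switch that runs the real commands is an assumption of this example.

```shell
#!/bin/sh
# Added example: audit the SELinux posture needed for Nginx to proxy OMERO.web.
# Desired state from the PR discussion:
#   httpd_can_network_relay   --> on   (proxy only to labelled ports, e.g. 4080)
#   httpd_can_network_connect --> off  (would allow connections to any port)
#   port 4080/tcp labelled http_port_t (the "selinux ports" task)

# sebool_value NAME TEXT: TEXT is output in `getsebool -a` format
# ("name --> on|off"); prints on, off, or unknown when the boolean is absent.
sebool_value() {
    printf '%s\n' "$2" | awk -v n="$1" '
        $1 == n && $2 == "-->" { print $3; found = 1 }
        END { if (!found) print "unknown" }'
}

# port_labelled PORT TEXT: TEXT is output in `semanage port -l` format;
# returns 0 when PORT/tcp is listed under http_port_t (ranges are not expanded).
port_labelled() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $1 == "http_port_t" && $2 == "tcp" {
            for (i = 3; i <= NF; i++) { gsub(",", "", $i); if ($i == p) found = 1 }
        }
        END { exit found ? 0 : 1 }'
}

# audit_proxy_booleans TEXT: prints findings; returns 0 only for the least-
# privilege posture (relay on, connect off).
audit_proxy_booleans() {
    relay=$(sebool_value httpd_can_network_relay "$1")
    connect=$(sebool_value httpd_can_network_connect "$1")
    rc=0
    if [ "$relay" != "on" ]; then
        echo "FAIL: httpd_can_network_relay is $relay; Nginx cannot reach OMERO.web (expect 502)"
        rc=1
    fi
    if [ "$connect" = "on" ]; then
        echo "WARN: httpd_can_network_connect is on; httpd may connect to any TCP port"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: httpd_can_network_relay on, httpd_can_network_connect off"
    return "$rc"
}

# Constructed samples standing in for a host where the role has already run.
SAMPLE_BOOLS='httpd_can_network_connect --> off
httpd_can_network_relay --> on
httpd_enable_homedirs --> off'

SAMPLE_PORTS='http_port_t                    tcp      80, 81, 443, 488, 4080, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22'

# With --live (assumed switch) query the running system; otherwise use the samples.
if [ "${1:-}" = "--live" ] && command -v getsebool >/dev/null 2>&1; then
    bools=$(getsebool -a)
    ports=$(semanage port -l 2>/dev/null)
else
    bools=$SAMPLE_BOOLS
    ports=$SAMPLE_PORTS
fi

audit_proxy_booleans "$bools"
if port_labelled 4080 "$ports"; then
    echo "OK: 4080/tcp is labelled http_port_t"
else
    echo "FAIL: 4080/tcp is not labelled http_port_t; relay alone will not reach OMERO.web"
fi
```

Run it with no arguments to see the checks against the embedded samples, or with `--live` on a RHEL/Rocky host where `getsebool` and `semanage` are installed. A failing port check corresponds to the missing 4080 rule described above and is repaired by the role's selinux ports task (the equivalent manual command is `semanage port -a -t http_port_t -p tcp 4080`); a warning on httpd_can_network_connect means the host has been given broader network access than the Nginx-only deployment needs.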

khaledk2 commented 6 months ago

I have tested adding httpd_can_network_relay to the omero web | selinux booleans task items and copied it to an ansible-book. I have tested on pilot-rocky9-omeroreadwrite and it seems to work fine and fixes the issue.

sbesson commented 6 months ago

I agree with the discussion and the proposal above. In the typical deployment scenario where OMERO.web is served via Nginx, my understanding is that httpd_can_network_relay should be sufficient. For more advanced scenarios where OMERO.web is under multiple proxy layers like IDR, the other proxies should be responsible for setting httpd_can_network_connect accordingly as in https://github.com/ome/ansible-role-nginx-proxy/blob/58be997c4a68674187e91a6359d42bbc75b53888/tasks/nginx-selinux.yml#L4-L9

@pwalczysko it is probably worth testing that setting this SELinux boolean is sufficient to fix the OMERO.web issues in the context of the UoD RHEL9 OMERO systems by running

sudo setsebool -P httpd_can_network_connect 0
sudo setsebool -P httpd_can_network_relay 1

pwalczysko commented 6 months ago

sudo setsebool -P httpd_can_network_network 0

@sbesson - is it a typo? See below please

[pwalczysko@ome-ci-upgrade ~]$ sudo setsebool -P httpd_can_network_network 0
[sudo] password for pwalczysko: 
Boolean httpd_can_network_network is not defined

sbesson commented 6 months ago

Yes, it was a typo. Updated my comment

pwalczysko commented 6 months ago

I agree with the discussion and the proposal above. In the typical deployment scenario where OMERO.web is served via Nginx, my understanding is that httpd_can_network_relay should be sufficient. For more advanced scenarios where OMERO.web is under multiple proxy layers like IDR, the other proxies should be responsible for setting httpd_can_network_connect accordingly as in https://github.com/ome/ansible-role-nginx-proxy/blob/58be997c4a68674187e91a6359d42bbc75b53888/tasks/nginx-selinux.yml#L4-L9

@pwalczysko it is probably worth testing that setting this SELinux boolean is sufficient to fix the OMERO.web issues in the context of the UoD RHEL9 OMERO systems by running

sudo setsebool -P httpd_can_network_network 0
sudo setsebool -P httpd_can_network_relay 1

@sbesson Yes, after I have adjusted your two suggested cmds as

sudo setsebool -P httpd_can_network_connect 0
sudo setsebool -P httpd_can_network_relay 1

Then I have a Bad Gateway after running the first cmd (....can_network_connect 0) where there was functional webclient previously. This is fixed by the second cmd as (I hope) the test was expecting.

khaledk2 commented 5 months ago

We should revert the change and keep using the selinux_enabled variable from the ome.selinux_utils role as PR 15 uses ansible facts to check the SELinux status.