CentOS 7.2 with SELinux


Danny Thompson

Aug 3, 2016, 10:25:17 AM
to Warewulf
Hello everyone,

I'm prototyping Warewulf version 3.7-0.r1993 on CentOS 7.2. The master node has SELinux enabled, and I have no issues provisioning stateless nodes where the nodes have SELinux disabled. To try and enable SELinux, I installed the targeted policies on the VNFS and set the selinux provision parameter to ENFORCED for the node.

I'm encountering two issues:

1) The bootstrap gets past the SELinux phase but I get ERROR on the "unmount".

2) After the unmount error, I'm given the option for a debug shell, but when I try to get to that I get a quick error about cttyhack and the node reboots.

I would like to help troubleshoot this and contribute but at this point I'm not sure how to get insight on what's causing the error.

Thanks!
-Danny

Jason Stover

Aug 3, 2016, 11:26:14 AM
to ware...@lbl.gov
Hrmm... the cttyhack error _should_ be fixed. The init file should contain:

setsid /bin/cttyhack /bin/sh

Instead of:

setsid cttyhack /bin/sh

I know nothing about SELinux except how to disable it. Soo... I can't
help on that part.

-J

Danny Thompson

Aug 3, 2016, 5:01:46 PM
to Warewulf
Jason,

In my case, the post shell works only when SELinux is disabled in Warewulf provision. The pre shell works fine no matter what. Is there a way I can step through the boot process in the pre shell to see why umount fails?

Jason Stover

Aug 3, 2016, 5:11:38 PM
to ware...@lbl.gov
Hi Danny,

You can run the command: provisionhandler

Should hopefully be in the path. I think its location is in:
/warewulf/bin/ (or /warewulf/transports/http/)

It's going to run through all of the provision scripts. Output from
the scripts should be saved under: /var/log/warewulf/

-J

Danny Thompson

Aug 3, 2016, 7:26:52 PM
to Warewulf
Hi Jason,

Here is what I found with 95-umount:

In CentOS 7, /etc/mtab is a symlink to /proc/self/mounts, which is read-only, so the first line that tries to clear it doesn't. I removed the mtab link in my VNFS knowing that 95-umount will recreate it.

At the bottom of the file there are 3 chroot mount commands. IIRC the bottom two were throwing code 32 (busy or already mounted). As a quick hack I put return 0 at the end of 95-umount and the system booted, with SELinux enabled :)

I'll patch my RPMs to include this for the short term. How would you approach error handling for 95-umount?

Jason Stover

Aug 3, 2016, 9:18:23 PM
to ware...@lbl.gov, warewul...@lbl.gov
Hrmm... We'll probably need to end up doing a check on
$NEWROOT/etc/redhat-release to check the version, and do custom
handling on the 7.x series.

Thanks,
-J
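
The two failures reported in this thread (clearing an /etc/mtab that is a symlink, and mounts failing on targets that are already mounted) can be handled individually, so that other errors still stop the boot instead of being hidden by a blanket return 0. This is an added example, not Warewulf's 95-umount and not code from either poster; the function names, the release-string parsing and the optional mounts-table argument are assumptions.

```shell
#!/bin/sh
# Hypothetical helpers for a provision script; NOT Warewulf's own code.

# Print the major release number found in <newroot>/etc/redhat-release.
# Fails (non-zero) if the file is missing or has no "release N" string.
rhel_major() {
    sed -n 's/.*release \([0-9][0-9]*\).*/\1/p' \
        "$1/etc/redhat-release" 2>/dev/null | grep .
}

# Empty <newroot>/etc/mtab only when it is a regular file. When it is a
# symlink (the thread reports /proc/self/mounts on CentOS 7) the kernel
# maintains it, so it is left untouched rather than truncated or removed.
reset_mtab() {
    mtab="$1/etc/mtab"
    if [ -L "$mtab" ]; then
        return 0
    fi
    : > "$mtab"
}

# Succeed if <target> is listed as a mount point in the mounts table
# (second argument, default /proc/mounts). Paths containing spaces are
# escaped in that table and are not handled here.
is_mounted() {
    awk -v t="$1" '$2 == t { found = 1 } END { exit !found }' \
        "${2:-/proc/mounts}"
}

# usage: mount_once <fstype> <source> <target> [mounts-table]
# Skip targets that are already mounted; any other mount failure keeps
# its exit status so the caller can stop provisioning.
mount_once() {
    if is_mounted "$3" "$4"; then
        return 0
    fi
    mount -t "$1" "$2" "$3"
}
```
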