-
-
Notifications
You must be signed in to change notification settings - Fork 783
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add info for systemd based distros #583
Conversation
Note I have just removed the Netlify integration, since we're using readthedocs preview build now. |
buildworker.rst
Outdated
where the enforcing mode is enabled, usually related to the twistd.pid file. | ||
If the service fails to start, you should check the output of | ||
``systemctl status buildbot-worker.service`` as well as the | ||
``/var/log/audit/audit.log`` file for potential issues and remedies. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ausearch -m AVC
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I usually use sealert -a /var/log/audit/audit.log
which provides messages with the warning and how to fix them, but I thought it could be too specific for the devguide.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this really going to be an issue? Unless you define a policy the buildbot daemon should run in unconfined_t
and not be affected by SELinux policy restrictions.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It was always affected on all the buildbots I've set up (Fedora and RHEL). Basically selinux prevents systemd's open and read access for the twistd.pid file.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So after following the instructions on the buildbot worker page to set it up and creating the systemd unit files, when trying to start the service, initially this error message is show (date/time is trimmed out):
`
Following twistd.log until startup finished..
AVC avc: denied { read } for pid=1 comm="systemd" name="twistd.pid" dev="dm-0" ino=25387713 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
AVC avc: denied { read } for pid=1 comm="systemd" name="twistd.pid" dev="dm-0" ino=25387713 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
AVC avc: denied { read } for pid=1 comm="systemd" name="twistd.pid" dev="dm-0" ino=25387713 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
localhost systemd[1]: buildbot-worker.service: Can't convert PID files /home/buildbot/buildarea/twistd.pid O_PATH file descriptor to proper file descriptor: Permission denied
localhost systemd[1]: buildbot-worker.service: Can't convert PID files /home/buildbot/buildarea/twistd.pid O_PATH file descriptor to proper file descriptor: Permission denied
localhost setroubleshoot[1489084]: SELinux is preventing systemd from read access on the file twistd.pid. For complete SELinux messages run: sealert -l 57d3c874-be75-46f6-82c9-3680ac54002c
localhost python3[1489084]: SELinux is preventing systemd from read access on the file twistd.pid.#12#012***** Plugin catchall (100. confidence) suggests **************************#12#012
If you believe that systemd should be allowed read access on the twistd.pid file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#12# ausearch -c 'systemd' --raw | audit2allow -M my-systemd#012# semodule -X 300 -i my-systemd.pp#012
localhost setroubleshoot[1489084]: SELinux is preventing systemd from read access on the file twistd.pid. For complete SELinux messages run: sealert -l 57d3c874-be75-46f6-82c9-3680ac54002c
localhost python3[1489084]: SELinux is preventing systemd from read access on the file twistd.pid.#12#012***** Plugin catchall (100. confidence) suggests **************************#12#012If you believe that systemd should be allowed read access on the twistd.pid file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#12# ausearch -c 'systemd' --raw | audit2allow -M my-systemd#012# semodule -X 300 -i my-systemd.pp#012
`
After adjusting the policy, another error comes up:
`
Following twistd.log until startup finished..
localhost audit[1]: AVC avc: denied { open } for pid=1 comm="systemd" path="/home/buildbot/buildarea/twistd.pid" dev="dm-0" ino=25387713 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
localhost systemd[1]: buildbot-worker.service: Can't convert PID files /home/buildbot/buildarea/twistd.pid O_PATH file descriptor to proper file descriptor: Permission denied
localhost systemd[1]: buildbot-worker.service: Can't convert PID files /home/buildbot/buildarea/twistd.pid O_PATH file descriptor to proper file descriptor: Permission denied
localhost audit[1]: AVC avc: denied { open } for pid=1 comm="systemd" path="/home/buildbot/buildarea/twistd.pid" dev="dm-0" ino=25387713 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
localhost setroubleshoot[8714]: SELinux is preventing systemd from open access on the file /home/buildbot/buildarea/twistd.pid. For complete SELinux messages run: sealert -l 3d54c639-fea4-4a18-be47-c5fe1d57a02a
localhost python3[8714]: SELinux is preventing systemd from open access on the file /home/buildbot/buildarea/twistd.pid.#012#012***** Plugin catchall (100. confidence) suggests **************************#12#012If you believe that systemd should be allowed open access on the twistd.pid file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#12# ausearch -c 'systemd' --raw | audit2allow -M my-systemd#012# semodule -X 300 -i my-systemd.pp#012`
After allowing that as well, the service starts normally.
I see. SELinux and systemd both treat I know of four options to deal with this problem
|
That would go against the current guidelines of setting up a buildbot worker (or requiring a bigger overhaul) so I wouldn't go with that option.
This solution I liked the most, however the
Maybe that would be the best way then. Any pointers on how to work with that?
Not sure I would like to change init_t |
If this PR is still relevant, it should be updated after the devguide reorganization, reviewed, and merged. |
Thanks for the reminder. Is there an ETA for the devguide reorganization? |
The devguide reorganization is done already, and there is now a conflict on the PR that must be resolved. |
@stratakis can you merge |
be6a64f
to
1b64a98
Compare
Rebased. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This dropped off my radar and I forgot about it for two years :(. I'm good with merging this as is after conflicts are fixed, and we can iterate on it after merge if needed.
I'll take another look as well, I've completely forgot about it as well. |
Provide examples for managing the buildbot-worker service through systemd unit files for systemd based distributions.
1b64a98
to
ebe06a0
Compare
I've addressed the conflicts and did various corrections. Rendering locally looks fine as well. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, thanks!
Provide examples for managing the buildbot-worker
service through systemd unit files for systemd based
distributions.