Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix Idempotence issue for RHEL 7 forwarder install #153

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Fix Idempotence issue for RHEL 7 forwarder install #153

wants to merge 1 commit into from

Conversation

TraGicCode
Copy link
Contributor

I could really use a second pair of 👀 on this. I was sifting through the issues on github for this module and noticed someone having a problem a RHEL 7. While i was not able to reproduce their issue specifically ( i assume it's fixed ) i did notice the idempotence test for the forwarder is failing when run under beaker. I know pretty much nothing about se_linux on RHEL 7 but what i do know is the following attribute on the file resource solves the forwarder idempotence test. Could anyone verify this fix is indeed valid?

FYI. Here is the failing beaker test without this change.

First Run

  Info: Loading facts
  Info: Loading facts
  Warning: /etc/puppetlabs/puppet/hiera.yaml: Use of 'hiera.yaml' version 3 is deprecated. It should be converted to version 5
     (in /etc/puppetlabs/puppet/hiera.yaml)
  Notice: Compiled catalog for rhel-74-x64.attlocal.net in environment production in 0.46 seconds
  Info: Applying configuration version '1507523793'
  Notice: /Stage[main]/Archive::Staging/File[/opt/staging]/ensure: created
  Notice: /Stage[main]/Splunk::Forwarder/Archive[/opt/staging/splunk/splunkforwarder-7.0.0-c8a78efdd40f-linux-2.6-x86_64.rpm]/ensure: download archive from https://download.splunk.com/products/universalforwarder/releases/7.0.0/linux/splunkforwarder-7.0.0-c8a78efdd40f-linux-2.6-x86_64.rpm to /opt/staging/splunk/splunkforwarder-7.0.0-c8a78efdd40f-linux-2.6-x86_64.rpm  with cleanup
  Notice: /Stage[main]/Splunk::Forwarder/Package[splunkforwarder]/ensure: created
  Notice: /Stage[main]/Splunk::Forwarder/Splunkforwarder_input[default_host]/ensure: created
  Info: /Stage[main]/Splunk::Forwarder/Splunkforwarder_input[default_host]: Scheduling refresh of Service[splunk]
  Notice: /Stage[main]/Splunk::Forwarder/Splunkforwarder_output[tcpout_defaultgroup]/ensure: created
  Info: /Stage[main]/Splunk::Forwarder/Splunkforwarder_output[tcpout_defaultgroup]: Scheduling refresh of Service[splunk]
  Notice: /Stage[main]/Splunk::Forwarder/Splunkforwarder_output[defaultgroup_server]/ensure: created
  Info: /Stage[main]/Splunk::Forwarder/Splunkforwarder_output[defaultgroup_server]: Scheduling refresh of Service[splunk]
  Notice: /Stage[main]/Splunk::Forwarder/Splunkforwarder_web[forwarder_splunkd_port]/ensure: created
  Info: /Stage[main]/Splunk::Forwarder/Splunkforwarder_web[forwarder_splunkd_port]: Scheduling refresh of Service[splunk]
  Notice: /Stage[main]/Splunk::Forwarder/File[/opt/splunkforwarder/etc/system/local/deploymentclient.conf]/ensure: created
  Notice: /Stage[main]/Splunk::Forwarder/File[/opt/splunkforwarder/etc/system/local/inputs.conf]/mode: mode changed '0644' to '0600'
  Notice: /Stage[main]/Splunk::Forwarder/File[/opt/splunkforwarder/etc/system/local/inputs.conf]/seluser: seluser changed 'unconfined_u' to 'system_u'
  Notice: /Stage[main]/Splunk::Forwarder/File[/opt/splunkforwarder/etc/system/local/outputs.conf]/mode: mode changed '0644' to '0600'
  Notice: /Stage[main]/Splunk::Forwarder/File[/opt/splunkforwarder/etc/system/local/outputs.conf]/seluser: seluser changed 'unconfined_u' to 'system_u'
  Notice: /Stage[main]/Splunk::Forwarder/File[/opt/splunkforwarder/etc/system/local/web.conf]/mode: mode changed '0644' to '0600'
  Notice: /Stage[main]/Splunk::Forwarder/File[/opt/splunkforwarder/etc/system/local/web.conf]/seluser: seluser changed 'unconfined_u' to 'system_u'
  Notice: /Stage[main]/Splunk::Forwarder/File[/opt/splunkforwarder/etc/system/local/limits.conf]/ensure: created
  Notice: /Stage[main]/Splunk::Forwarder/File[/opt/splunkforwarder/etc/system/local/server.conf]/ensure: created
  Notice: /Stage[main]/Splunk::Platform::Posix/Exec[license_splunkforwarder]/returns: executed successfully
  Notice: /Stage[main]/Splunk::Platform::Posix/Exec[enable_splunkforwarder]/returns: executed successfully
  Info: /Stage[main]/Splunk::Platform::Posix/Exec[enable_splunkforwarder]: Scheduling refresh of Service[splunk]
  Notice: /Stage[main]/Splunk::Virtual/Service[splunk]/ensure: ensure changed 'stopped' to 'running'
  Info: /Stage[main]/Splunk::Virtual/Service[splunk]: Unscheduling refresh on Service[splunk]
  Info: Creating state file /opt/puppetlabs/puppet/cache/state/state.yaml
  Notice: Applied catalog in 10.79 seconds

Second run

  Info: Loading facts
  Info: Loading facts
  Warning: /etc/puppetlabs/puppet/hiera.yaml: Use of 'hiera.yaml' version 3 is deprecated. It should be converted to version 5
     (in /etc/puppetlabs/puppet/hiera.yaml)
  Notice: Compiled catalog for rhel-74-x64.attlocal.net in environment production in 0.44 seconds
  Info: Applying configuration version '1507523806'
  Notice: /Stage[main]/Splunk::Forwarder/File[/opt/splunkforwarder/etc/system/local/server.conf]/seluser: seluser changed 'unconfined_u' to 'system_u'
  Notice: Applied catalog in 0.17 seconds

@bastelfreak
Copy link
Member

mh I've no idea. @vinzent @oranenj can you help us out here?

@oranenj
Copy link

oranenj commented Oct 9, 2017

Hard to tell what's going on without actually testing the module myself, but my initial guess is that something changes the SELinux policy while puppet is running (eg. one of the packages it installs) so that on the next run, the file contexts for that particular path are different than on the first run and puppet corrects them.

To see which is "correct", run restorecon on that path. If it changes from unconfined_u to system_u, then that's what the policy declares and the puppet code should probably default to that too.

@wyardley wyardley removed their request for review October 9, 2017 22:37
@wyardley
Copy link
Contributor

wyardley commented Oct 9, 2017

I'm also not sure, but what @oranenj says makes sense (if the settings are coming from the package rather than from Puppet, you could also try looking at the rpm's scripts).

@TraGicCode
Copy link
Contributor Author

I'll give this a shot.

alexjfisher
alexjfisher requested changes Oct 10, 2017
View reviewed changes
manifests/forwarder.pp
@@ -171,7 +171,8 @@
mode => $facts['kernel'] ? {
'windows' => undef,
default => '0600',
}
},
seluser => 'unconfined_u',
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure this is right. If on the second run, puppet wants to set it to system_u that's probably because a new selinux module has been installed with the RPM and the type should be system_u. I think there's also a high probability users are bumping into https://tickets.puppetlabs.com/browse/PUP-2169 which puppet apply (as used in the acceptance tests) won't be affected by.

Basically, puppet defaults the value of seluser based on what it thinks it should be. But, there's a caching issue and it never rechecks after a new selinux policy is loaded. You need to restart the puppet service... :(

@bastelfreak bastelfreak added the needs-work not ready to merge just yet label Dec 9, 2017
@alexjfisher alexjfisher mentioned this pull request Apr 9, 2019
Merged
@vox-pupuli-tasks
Copy link

Dear @TraGicCode, thanks for the PR!

This is pccibot, your friendly Vox Pupuli GitHub Bot. I noticed that your pull request contains merge conflict. Can you please rebase?

You can find my sourcecode at voxpupuli/vox-pupuli-tasks

@vox-pupuli-tasks
Copy link

Dear @TraGicCode, thanks for the PR!

This is pccibot, your friendly Vox Pupuli GitHub Bot. I noticed that your pull request contains merge conflict. Can you please rebase?

You can find my sourcecode at voxpupuli/vox-pupuli-tasks

@vox-pupuli-tasks
Copy link

Dear @TraGicCode, thanks for the PR!

This is pccibot, your friendly Vox Pupuli GitHub Bot. I noticed that your pull request contains merge conflict. Can you please rebase?

You can find my sourcecode at voxpupuli/vox-pupuli-tasks

@vox-pupuli-tasks
Copy link

Dear @TraGicCode, thanks for the PR!

This is pccibot, your friendly Vox Pupuli GitHub Bot. I noticed that your pull request contains merge conflict. Can you please rebase?

You can find my sourcecode at voxpupuli/vox-pupuli-tasks

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@alexjfisher alexjfisher alexjfisher requested changes

@bastelfreak bastelfreak Awaiting requested review from bastelfreak

Assignees
No one assigned
Labels
merge-conflicts needs-work not ready to merge just yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@TraGicCode @bastelfreak @oranenj @wyardley @alexjfisher @dhoppe