New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Cookbook fails on CentOS Linux release 7.2.1511 - kernel.exec-shield #166

Closed
jonasduarte opened this Issue Aug 10, 2017 · 10 comments

Comments

Projects
None yet
4 participants
@jonasduarte

jonasduarte commented Aug 10, 2017

When running the cookbook from the supermarket on a CentOS Linux release 7.2.1511 node, AWS AMI ami-6d1c2007, I get the following error:

###############################################

"Running handlers:
[2017-08-10T15:51:30-03:00] ERROR: Running exception handlers
[2017-08-10T15:51:30-03:00] ERROR: Running exception handlers
Running handlers complete
[2017-08-10T15:51:30-03:00] ERROR: Exception handlers complete
[2017-08-10T15:51:30-03:00] ERROR: Exception handlers complete
Chef Client failed. 2 resources updated in 03 seconds
[2017-08-10T15:51:30-03:00] FATAL: Stacktrace dumped to /tmp/kitchen/cache/chef-stacktrace.out
[2017-08-10T15:51:30-03:00] FATAL: Stacktrace dumped to /tmp/kitchen/cache/chef-stacktrace.out
[2017-08-10T15:51:30-03:00] FATAL: Please provide the contents of the stacktrace.out file if you file a bug report
[2017-08-10T15:51:30-03:00] FATAL: Please provide the contents of the stacktrace.out file if you file a bug report
[2017-08-10T15:51:30-03:00] ERROR: sysctl_param[kernel.exec-shield] (sysctl::default line 26) had an error: Mixlib::ShellOut::ShellCommandFailed: Expected process to exit with [0], but received '255'
---- Begin output of sysctl -w "kernel.exec-shield=1" ----
STDOUT:
STDERR: sysctl: cannot stat /proc/sys/kernel/exec-shield: No such file or directory
---- End output of sysctl -w "kernel.exec-shield=1" ----
Ran sysctl -w "kernel.exec-shield=1" returned 255
[2017-08-10T15:51:30-03:00] ERROR: sysctl_param[kernel.exec-shield] (sysctl::default line 26) had an error: Mixlib::ShellOut::ShellCommandFailed: Expected process to exit with [0], but received '255'
---- Begin output of sysctl -w "kernel.exec-shield=1" ----
STDOUT:
STDERR: sysctl: cannot stat /proc/sys/kernel/exec-shield: No such file or directory
---- End output of sysctl -w "kernel.exec-shield=1" ----
Ran sysctl -w "kernel.exec-shield=1" returned 255
[2017-08-10T15:51:30-03:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)
[2017-08-10T15:51:30-03:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)

">>>>>> ------Exception-------

Class: Kitchen::ActionFailed
Message: 1 actions failed.
Converge failed on instance . Please see .kitchen/logs/default-centos-7.log for more details
----------------------"
Please see .kitchen/logs/kitchen.log for more details
Also try running kitchen diagnose --all for configuration"

###################################

To solve this problem I made a local copy e edited the file attributes/sysctl.rb, commenting out the following block:

"case node['platform_family']
when 'rhel', 'fedora'
default['sysctl']['params']['kernel']['exec-shield'] = 1
end"

@bdwyertech

This comment has been minimized.

Show comment
Hide comment
@bdwyertech

bdwyertech Aug 14, 2017

Yep, that block should be yanked or the guard needs to be adjusted to only apply to CentOS/RHEL <7

In RHEL7+ exec-shield is enabled by default and the /proc entry has been removed.

Exec-shield is no longer an option in sysctl for kernel tuning.
This is a security measure, as documented in the RHEL 7 Security Guide.

bdwyertech commented Aug 14, 2017

Yep, that block should be yanked or the guard needs to be adjusted to only apply to CentOS/RHEL <7

In RHEL7+ exec-shield is enabled by default and the /proc entry has been removed.

Exec-shield is no longer an option in sysctl for kernel tuning.
This is a security measure, as documented in the RHEL 7 Security Guide.
@djessich

This comment has been minimized.

Show comment
Hide comment
@djessich

djessich Aug 14, 2017

Same issue here. Indeed, unsetting the attribute using comments does work. Currently this bug fails all my chef-client runs, any idea when a bugfix will be available?

djessich commented Aug 14, 2017

Same issue here. Indeed, unsetting the attribute using comments does work. Currently this bug fails all my chef-client runs, any idea when a bugfix will be available?

@artem-sidorenko artem-sidorenko self-assigned this Aug 15, 2017

@artem-sidorenko

This comment has been minimized.

Show comment
Hide comment
@artem-sidorenko

artem-sidorenko Aug 15, 2017

Member

I'll have a look this week,

@jonasduarte @djessich @bdwyertech thanks for reporting!

Member

artem-sidorenko commented Aug 15, 2017

I'll have a look this week,

@jonasduarte @djessich @bdwyertech thanks for reporting!

@artem-sidorenko

This comment has been minimized.

Show comment
Hide comment
@artem-sidorenko

artem-sidorenko Aug 15, 2017

Member

@bdwyertech can you maybe link me to the source of this changelog?

Member

artem-sidorenko commented Aug 15, 2017

@bdwyertech can you maybe link me to the source of this changelog?

@artem-sidorenko

This comment has been minimized.

Show comment
Hide comment
@artem-sidorenko

artem-sidorenko Aug 15, 2017

Member

This issue got visible due a refactoring of sysctl cookbook (sous-chefs/sysctl#61) in 0.10.0.

I will fix it, however I'm not completely happy with some upstream changes in sysctl and would like to get them fixed as well. So my idea is to introduce a version pinning in the mean time for sysctl dependency like =< 0.9.0. @bdwyertech @jonasduarte @djessich what do you think about this?

Member

artem-sidorenko commented Aug 15, 2017

This issue got visible due a refactoring of sysctl cookbook (sous-chefs/sysctl#61) in 0.10.0.

I will fix it, however I'm not completely happy with some upstream changes in sysctl and would like to get them fixed as well. So my idea is to introduce a version pinning in the mean time for sysctl dependency like =< 0.9.0. @bdwyertech @jonasduarte @djessich what do you think about this?

@jonasduarte

This comment has been minimized.

Show comment
Hide comment
@jonasduarte

jonasduarte Aug 15, 2017

That sounds good to me. Another options is to introduce a check for the CentOS/RHEL version <7, like suggested by @bdwyertech.

rgs.

jonasduarte commented Aug 15, 2017

That sounds good to me. Another options is to introduce a check for the CentOS/RHEL version <7, like suggested by @bdwyertech.

rgs.

@artem-sidorenko

This comment has been minimized.

Show comment
Hide comment
@artem-sidorenko

artem-sidorenko Aug 15, 2017

Member

@jonasduarte yes, the idea is to have a fix (check for rhel 7) and version pinning in the same time

Member

artem-sidorenko commented Aug 15, 2017

@jonasduarte yes, the idea is to have a fix (check for rhel 7) and version pinning in the same time

artem-sidorenko added a commit that referenced this issue Aug 18, 2017

Fix: do not touch exec-shield on RHEL 7
as its enabled per default and can't be switched off

Introduction of temporary version pinning for sysctl cookbook,
see #166 (comment)

@atomic111 atomic111 closed this in #168 Aug 20, 2017

@bdwyertech

This comment has been minimized.

Show comment
Hide comment
@bdwyertech

bdwyertech Aug 20, 2017

I'm guessing the version pinning of sysctl is due to the whole one file per sysctl value? @artem-sidorenko I see why that's a pain in the butt, I'm not really sure how I feel about it either

bdwyertech commented Aug 20, 2017

I'm guessing the version pinning of sysctl is due to the whole one file per sysctl value? @artem-sidorenko I see why that's a pain in the butt, I'm not really sure how I feel about it either

@artem-sidorenko

This comment has been minimized.

Show comment
Hide comment
@artem-sidorenko

artem-sidorenko Aug 21, 2017

Member

@bdwyertech right, this is the point. I understand the reason for going this way, as sysctl devs refactored the cookbook to the chef 12.5-resources, what probably even makes sense. I miss however the cleanup of old files, which are unmanaged now. So you can run into situation, if you do a switch of some sysctl flag, it will have no effect because of the old file.

Member

artem-sidorenko commented Aug 21, 2017

@bdwyertech right, this is the point. I understand the reason for going this way, as sysctl devs refactored the cookbook to the chef 12.5-resources, what probably even makes sense. I miss however the cleanup of old files, which are unmanaged now. So you can run into situation, if you do a switch of some sysctl flag, it will have no effect because of the old file.

@artem-sidorenko

This comment has been minimized.

Show comment
Hide comment
@artem-sidorenko

artem-sidorenko Aug 21, 2017

Member

2.1.1 is released with this fix

Member

artem-sidorenko commented Aug 21, 2017

2.1.1 is released with this fix

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment