New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Crash when upgrading from 2.10.0 to 2.10.1 (SELinux related) #6710
Comments
That's an SELinux problem then, it seems the policies for creating runtime data by the daemon in In terms of the meaning "crash" - the exit is not super fancy, but actually "permission denied" errors should immediately halt the daemon. |
PS: I now know where you are working, likely in my hometown. You might want to replace the screenshots ;) |
ups - thank you .. I had a Little stress do bring up the Cluster again and at the same time I wrote that issue :-) ... and it's friday .. :-) |
Due to the history of comment edits this information is still available. As far as I know there is no way to remove leaked information from a GitHub issue. :( |
@ekeih and is it possible do delete this issue? |
@stevie-sy I think this is also not possible: isaacs/github#253 |
@ekeih yeah, I forgot that you can now edit issues. @stevie-sy I cannot delete issues, GH doesn't allow that for public repos. You may want to ask GH support, if it really hurts. If not, make it public via https://icinga.com/about/customers/#shareyourstory :) |
Thank you. I found an Option: delete old Version of the edit history. in my pull down menue there ist the text "deleted". if you don't see nothing it worked for me and the day is saved :-) |
@stevie-sy I only see that you deleted the content of old versions. But the content is not visible anymore 👍 |
thank you for the check. (y) |
Poke @dgoetz :) |
@stevie-sy Can you please run |
@dgoetz thanks for the answer. The nodes which I updated already to 2.10.1 are still fixed . And the nodes got config updates from the config-master and the director. I controlled the nodes, where I stopped the updates from 2.10.0 to 2.10.1, there the folder has the label _system_u:object_r:var_lib_t:s0 _. Every node was a fresh Installation with 2.10.0. After restorecon I tried to update one of the left nodes to 2.10.1. The node crashed also with In the crash-file you can find the line: that are the Labels of the files in the Cache Folder: I deleted the files icinga2.vars.* and icinga2.debug.* But that also didn't work. So there are again SELinux permission missing. So i did again some manully runs with audit2allow & semodule (at least 6 times)
With that it worked for now. Two nodes are left for the update. One of them is our config master. But I won't update this one if it isn't clear why this happens. So is it possible that the rpm-packes for 2.10.0 were not correctly installed? |
You should not allow these things as they are granting to much access. I think I found the problem. With 2.10 the package layout changed and the scriptlet during installation/update only runs a relabeling for |
Thanks so I will create a PR and depending on release plan I will ask for a package release. The scripts should run in a separate domain like |
You're welcome :-) And thanks for the tipps and the link. I will put it on my To-Do when I have time for it. |
@dgoetz We can do that for 2.10.2, depending on users test feedback this is happening soon enough. |
I wanted to upgrade vom 2.10.0 to 2.10.1 on our CentOS 7.5 System. But after the start of icinga2 failed. with
I saw in the Audit.log a lot of "denied" for icinga. e.g.
after I imported the selinux rules which I generated with "audit2allow" & "semodule", I could restart the icinga Service with "systemctl reset-failed icinga2.service"
But this doesn't work:
the file "/var/lib/icinga2/api/packages/_api/include.conf" in this message has only this Content:
and this is the Content of the crash-file in the message of systemctl:
I wanted to downgrade to 2.10.0. But with this I had also troubles now.
So I had to fix this with more SELinux rules.
After this import-rules the icinga2 Service run:
first Import file for sexlinux (with this icinga crashed again like I wrote before)
second Import file for selinux (after this one I could start icinga2:
The text was updated successfully, but these errors were encountered: