Adding a port gets an error the first time #38

Closed
TJM opened this issue May 20, 2015 · 5 comments

Comments

@TJM
Contributor

TJM commented May 20, 2015

I am seeing the following error:

err /Stage[main]/Lark::Profile::Ssh/Selinux::Port[allow-ssh-port-selinux]/Exec[add_ssh_port_t_1022]/returns change from notrun to 0 failed: semanage port -a -t ssh_port_t -p tcp 1022 returned 1 instead of one of [0]
err Puppet  semanage port -a -t ssh_port_t -p tcp 1022 returned 1 instead of one of [0]
notice  /Stage[main]/Lark::Profile::Ssh/Selinux::Port[allow-ssh-port-selinux]/Exec[add_ssh_port_t_1022]/returns ValueError: Could not commit semanage transaction
notice  /Stage[main]/Lark::Profile::Ssh/Selinux::Port[allow-ssh-port-selinux]/Exec[add_ssh_port_t_1022]/returns libsemanage.semanage_reload_policy: load_policy returned error code 2.
notice  /Stage[main]/Lark::Profile::Ssh/Selinux::Port[allow-ssh-port-selinux]/Exec[add_ssh_port_t_1022]/returns /sbin/load_policy: Can't load policy: No such file or directory
notice  /Stage[main]/Lark::Profile::Ssh/Selinux::Port[allow-ssh-port-selinux]/Exec[add_ssh_port_t_1022]/returns SELinux: Could not open policy file <= /etc/selinux/targeted/policy/policy.29: No such file or directory
notice  /Stage[main]/Lark::Profile::Ssh/Selinux::Port[allow-ssh-port-selinux]/Exec[add_ssh_port_t_1022]/returns SELinux: Could not downgrade policy file /etc/selinux/targeted/policy/policy.29, searching for an older version.
notice  /Stage[main]/Lark::Profile::Ssh/Selinux::Port[allow-ssh-port-selinux]/Exec[add_ssh_port_t_1022]/returns libsemanage.semanage_reload_policy: load_policy returned error code 2.
notice  /Stage[main]/Lark::Profile::Ssh/Selinux::Port[allow-ssh-port-selinux]/Exec[add_ssh_port_t_1022]/returns /sbin/load_policy: Can't load policy: No such file or directory
notice  /Stage[main]/Lark::Profile::Ssh/Selinux::Port[allow-ssh-port-selinux]/Exec[add_ssh_port_t_1022]/returns SELinux: Could not open policy file <= /etc/selinux/targeted/policy/policy.29: No such file or directory
notice  /Stage[main]/Lark::Profile::Ssh/Selinux::Port[allow-ssh-port-selinux]/Exec[add_ssh_port_t_1022]/returns SELinux: Could not downgrade policy file /etc/selinux/targeted/policy/policy.29, searching for an older version.

With the following puppet code (snippet):

  # SELinux Stuff
  # semanage port -a -t $type -p $port
  # We may need to add some "conditionals" around this in the future
  if hiera('selinux_enabled', false) {
    selinux::port { 'allow-ssh-port-selinux':
      context  => 'ssh_port_t',
      protocol => 'tcp',
      port     => $port,
    }
  }

I only get the error the first time it runs, but it does succeed. I haven't really dug into the code yet, but I am seeing this consistently enough (every time recently) that I thought I should report it. :)

NOTE: I am building a CentOS 7 VM (droplet) at Digital Ocean.

@thoopes

thoopes commented Dec 20, 2015

Having the same issue here, were you able to figure it out?

@thoopes

thoopes commented Dec 20, 2015

My terminal returns that the port was already defined when I try to run it again.

@TJM
Contributor Author

TJM commented Dec 21, 2015

Like I said, it does appear to work, but it reports an error. This only happens the first time it runs; after that, it "detects" that it's already there and doesn't run. I am wondering if it has anything to do with SELINUX being disabled on digitalocean? Were you able to reproduce it on other providers?

Tommy

@thoopes

thoopes commented Dec 22, 2015

I will try it out on AWS as soon as I get another box spun up I can test with.


@vinzent
Contributor

vinzent commented Jan 17, 2017

@thoopes the problem is for sure that SELinux is disabled. The semanage utility fails to list things while SELinux is disabled, and Puppet then does not know what to do and fails ugly.

This is now documented in the README.md and will possibly be worked around by not applying the resources while disabled.
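As an added example (not code from this module or from either commenter) of the guard vinzent describes, the POSIX shell script below mirrors the decision the `selinux::port` resource in TJM's snippet has to make before running `semanage port -a`: read the SELinux mode and the `semanage port -l` listing, skip the add when SELinux is disabled (the `Could not commit semanage transaction` failure in the log above), skip it when the mapping already exists, and run the add only otherwise. The function names, the `plan_port_add` state/listing inputs and the sample listing are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the puppet-selinux module: decide whether a
# `semanage port -a` is safe to run, so the exec neither fires on a host where
# SELinux is disabled (no policy to commit into) nor re-adds an existing port.
# Function names, the STATE/LISTING inputs and SAMPLE_LISTING are constructed.

# port_defined LISTING TYPE PROTO PORT
# Returns 0 when LISTING (the text of `semanage port -l`) already maps PORT of
# protocol PROTO to TYPE, either as a single port or inside a range.
port_defined() {
  listing=$1 ctx=$2 proto=$3 port=$4
  printf '%s\n' "$listing" | awk -v t="$ctx" -v p="$proto" -v n="$port" '
    $1 == t && $2 == p {
      for (i = 3; i <= NF; i++) {
        f = $i; sub(/,$/, "", f)            # strip the list separator
        if (f == n) { found = 1; exit }
        split(f, r, "-")                    # handle ranges such as 1024-32767
        if (r[2] != "" && r[1] + 0 <= n + 0 && n + 0 <= r[2] + 0) { found = 1; exit }
      }
    }
    END { if (found) exit 0; exit 1 }'
}

# plan_port_add STATE LISTING TYPE PROTO PORT
# STATE is the output of getenforce. Prints one of:
#   skip-disabled  SELinux is off, semanage cannot commit (the failure in this issue)
#   skip-present   the mapping already exists, nothing to do
#   add            safe to run `semanage port -a`
plan_port_add() {
  state=$1 listing=$2 ctx=$3 proto=$4 port=$5
  case $state in
    Enforcing|Permissive) ;;
    *) echo skip-disabled; return 0 ;;
  esac
  if port_defined "$listing" "$ctx" "$proto" "$port"; then
    echo skip-present; return 0
  fi
  echo add
}

# apply_port TYPE PROTO PORT: the live version, only meaningful on an SELinux host.
# A listing failure (semanage exits non-zero) is treated as an empty listing;
# the getenforce check is what keeps us from running the add on a disabled host.
apply_port() {
  state=$(getenforce 2>/dev/null || echo Disabled)
  listing=$(semanage port -l 2>/dev/null || true)
  case $(plan_port_add "$state" "$listing" "$1" "$2" "$3") in
    add) semanage port -a -t "$1" -p "$2" "$3" ;;
    *)   : ;;   # nothing to do; exit 0 so a config run stays green
  esac
}

# Constructed sample of `semanage port -l` output, used for offline checks.
SAMPLE_LISTING='ssh_port_t                     tcp      22
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
unreserved_port_t              tcp      1024-32767, 61001-65535'

# Only touch the live system when called with TYPE PROTO PORT on the command line.
if [ "$#" -eq 3 ]; then
  apply_port "$@"
fi
```

Run it as `sh guard.sh ssh_port_t tcp 1022` on an SELinux host; sourced without arguments it only defines the functions. In Puppet terms the same outcome comes from wrapping the resource in a check of the SELinux fact, as vinzent suggests, rather than relying on an `unless` that itself runs `semanage port -l`, since that listing is exactly the command that fails while SELinux is disabled.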

@vinzent vinzent closed this as completed Jan 17, 2017