Hi Mike, Thanks for the info.
I think that did solve a few problems. I notice that pulpcore-api seems stable now (it was caught in an auto-restart cycle before). However I’m still seeing a few SELinux problems: /varlog/messages: SELinux is preventing /usr/libexec/platform-python3.6 from read access on the l nk_file /var/lib/pulp/assets/admin/css/autocomplete.css SELinux is preventing /usr/libexec/platform-python3.6 from name_connect access on the tcp_socket port 5432 SELinux is preventing /usr/libexec/platform-python3.6 from create access on the file /var/run/pulpcore-worker-1/ Thanks, -Sheldon From: Mike DePaulo [mailto:mikedep...@redhat.com] Sent: May 14, 2021 4:14 PM To: Briand, Sheldon <sheldon.bri...@nrc-cnrc.gc.ca> Cc: pulp-list@redhat.com Subject: Re: [Pulp-list] SELinux errors on upgrade ***ATTENTION*** This email originated from outside of the NRC. ***ATTENTION*** Ce courriel provient de l'extérieur du CNRC Hi Sheldon, Sorry to hear you ran into this, I suspect it's this bug, which I intend to fix soon: https://pulp.plan.io/issues/8620 To try to recover manually: 1. Run this for each file under the directory: sudo semodule -i /usr/local/share/selinux/targeted/<filename> 2. Run: sudo /sbin/fixfiles restore /usr/local/lib/pulp /etc/pulp /var/lib/pulp/ /var/run/pulpcore These assume default directory paths. -Mike On Fri, May 14, 2021 at 1:46 PM Briand, Sheldon <sheldon.bri...@nrc-cnrc.gc.ca<mailto:sheldon.bri...@nrc-cnrc.gc.ca>> wrote: Hi, I recently tried to update my pulp3 install. It was installed using the ansible installer. I believe the original install was working because the ansible installer ran without any errors. I never got much of chance to try it out though. When I revisited pulp3 I saw there was an update. I may not have run the update properly the first time. Now when I run the installer it gets stuck checking the health of the pulp3 services and then fails. Note that my system is running SELinux in enforcing mode. I’ve looked at the logs and I’m seeing lots of permission denied messages. Checking the SELinux logs shows: type=AVC msg=audit(1621012482.823:159368): avc: denied { create } for pid=107534 comm="rq" name="reserved-resource-worker-1.pid" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pulpcore_var_run_t:s0 tclass=file permissive=0 type=AVC msg=audit(1621012483.052:159369): avc: denied { create } for pid=107542 comm="rq" name="reserved-resource-worker-2.pid" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pulpcore_var_run_t:s0 tclass=file permissive=0 type=AVC msg=audit(1621012486.569:159424): avc: denied { name_connect } for pid=107595 comm="rq" dest=5432 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0 type=AVC msg=audit(1621012488.581:159430): avc: denied { name_connect } for pid=107611 comm="gunicorn" dest=5432 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0 type=AVC msg=audit(1621012489.177:159435): avc: denied { create } for pid=107595 comm="rq" name="resource-manager.pid" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:pulpcore_var_run_t:s0 tclass=file permissive=0 type=AVC msg=audit(1621012490.511:159443): avc: denied { read } for pid=107611 comm="gunicorn" name="autocomplete.css" dev="sda5" ino=8390506 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:pulpcore_var_lib_t:s0 tclass=lnk_file permissive=0 Not sure if this is something I did or if these logs might help debug anything. Thanks, -Sheldon _______________________________________________ Pulp-list mailing list Pulp-list@redhat.com<mailto:Pulp-list@redhat.com> https://listman.redhat.com/mailman/listinfo/pulp-list -- Mike DePaulo He / Him / His Service Reliability Engineer, Pulp Red Hat<https://www.redhat.com/> IM: mikedep333 GPG: 51745404 [Image removed by sender.]<https://www.redhat.com/>
_______________________________________________ Pulp-list mailing list Pulp-list@redhat.com https://listman.redhat.com/mailman/listinfo/pulp-list