Re: [Fwd: [Gluster-infra] Reboot of infra this week end to fix CVE-2017-6074]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Le samedi 25 février 2017 à 16:21 +0100, Michael Scherer a écrit :
> Le samedi 25 février 2017 à 15:45 +0100, Michael Scherer a écrit :
> > Le samedi 25 février 2017 à 14:38 +0100, Michael Scherer a écrit :
> > > Le samedi 25 février 2017 à 14:21 +0100, Michael Scherer a écrit :
> > > > Le vendredi 24 février 2017 à 19:58 +0100, Michael Scherer a écrit :
> > > > 
> > > > so the great upgrade has started, and while almost everything went well,
> > > > the host running gerrit/jenkins/etc (myrmicinae.rht.gluster.org) is
> > > > again taking ages, because "firmware is loading" .
> > > > 
> > > > So just to let you know that situation is under control, we just have to
> > > > wait.
> > > 
> > > It turn out that I was slightly too optimist, as the server where
> > > builders and fstat are running (haplometrosis.rht) have been
> > > misconfigured since it was starting a interface both as part of a bridge
> > > and outside of a bridge. Of course, this did create a race condition and
> > > sometme it work, sometime it don't. 
> > > 
> > > And this time, it didn't. So this is now fixed (as I tested to reboot)
> > > 
> > > Of course, things wouldn't be fun if something didn't broke, and fstat
> > > is not coming back on the new kernel. As the old kernel is fine, I
> > > suspect something broke during the upgrade of the kernel and it did
> > > create a invalid initrd. I will investigate and report.
> > > 
> > > 
> > > And if you wonder, yes we are still waiting on myrmicinae to boot. 
> > 
> > So myrmicinae finally came back. 
> > 
> > And unsurprisingly, it didn't work as planned.
> > 
> > First, it suffered from the same problem with network than haplometrosis
> > (cause I configured the same, using nmcli, who created the same wrong
> > file). The trick was how to restart network for VM without a full
> > restart of the server.
> > 
> > Then, gerrit didn't start automatically. This is gonna be fixed once we
> > move it to ansible.
> > 
> > Third, after I started manually gerrit, it took a long time to log me
> > (which mean I started to freak out and plan how to debug it), but now, I
> > can connect to the web interface, etc.
> > 
> > If anything is broken, please sent emails and/or ping me on internal irc
> > and/or ping nigel 
> 
> So since I had free time and since we still have 890 coverity defects, I
> decided to continue the cleaning I started, and ... found out that
> selinux is in the way and it broke unauthenticated git clone.
> 
> I am fixing it.

# grep 1488035935.129:282 /var/log/audit/audit.log |audit2why 
type=AVC msg=audit(1488035935.129:282): avc:  denied  { getattr } for
pid=3662 comm="git-daemon" path="/review/review.gluster.org/git"
dev="vdb1" ino=8388690
scontext=system_u:system_r:git_system_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:git_user_content_t:s0 tclass=dir

	Was caused by:
	The boolean git_system_enable_homedirs was set incorrectly. 
	Description:
	Allow git to system enable homedirs

	Allow access by executing:
	# setsebool -P git_system_enable_homedirs 1

So I just enabled the right boolean, I will defer the proper fix for
later (ie, use a different label for the git repository) 

-- 
Michael Scherer
Sysadmin, Community Infrastructure and Platform, OSAS


Attachment: signature.asc
Description: This is a digitally signed message part

_______________________________________________
Gluster-devel mailing list
Gluster-devel@xxxxxxxxxxx
http://lists.gluster.org/mailman/listinfo/gluster-devel

[Index of Archives]     [Gluster Users]     [Ceph Users]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [eCos]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux