[Gluster-devel] [Fwd: [Gluster-infra] Reboot of infra this week end to fix CVE-2017-6074]

Michael Scherer mscherer at redhat.com
Sat Feb 25 15:24:36 UTC 2017 

Le samedi 25 février 2017 à 16:21 +0100, Michael Scherer a écrit :
> Le samedi 25 février 2017 à 15:45 +0100, Michael Scherer a écrit :
> > Le samedi 25 février 2017 à 14:38 +0100, Michael Scherer a écrit :
> > > Le samedi 25 février 2017 à 14:21 +0100, Michael Scherer a écrit :
> > > > Le vendredi 24 février 2017 à 19:58 +0100, Michael Scherer a écrit :
> > > > 
> > > > so the great upgrade has started, and while almost everything went well,
> > > > the host running gerrit/jenkins/etc (myrmicinae.rht.gluster.org) is
> > > > again taking ages, because "firmware is loading" .
> > > > 
> > > > So just to let you know that situation is under control, we just have to
> > > > wait.
> > > 
> > > It turn out that I was slightly too optimist, as the server where
> > > builders and fstat are running (haplometrosis.rht) have been
> > > misconfigured since it was starting a interface both as part of a bridge
> > > and outside of a bridge. Of course, this did create a race condition and
> > > sometme it work, sometime it don't. 
> > > 
> > > And this time, it didn't. So this is now fixed (as I tested to reboot)
> > > 
> > > Of course, things wouldn't be fun if something didn't broke, and fstat
> > > is not coming back on the new kernel. As the old kernel is fine, I
> > > suspect something broke during the upgrade of the kernel and it did
> > > create a invalid initrd. I will investigate and report.
> > > 
> > > 
> > > And if you wonder, yes we are still waiting on myrmicinae to boot. 
> > 
> > So myrmicinae finally came back. 
> > 
> > And unsurprisingly, it didn't work as planned.
> > 
> > First, it suffered from the same problem with network than haplometrosis
> > (cause I configured the same, using nmcli, who created the same wrong
> > file). The trick was how to restart network for VM without a full
> > restart of the server.
> > 
> > Then, gerrit didn't start automatically. This is gonna be fixed once we
> > move it to ansible.
> > 
> > Third, after I started manually gerrit, it took a long time to log me
> > (which mean I started to freak out and plan how to debug it), but now, I
> > can connect to the web interface, etc.
> > 
> > If anything is broken, please sent emails and/or ping me on internal irc
> > and/or ping nigel 
> 
> So since I had free time and since we still have 890 coverity defects, I
> decided to continue the cleaning I started, and ... found out that
> selinux is in the way and it broke unauthenticated git clone.
> 
> I am fixing it.

# grep 1488035935.129:282 /var/log/audit/audit.log |audit2why 
type=AVC msg=audit(1488035935.129:282): avc:  denied  { getattr } for
pid=3662 comm="git-daemon" path="/review/review.gluster.org/git"
dev="vdb1" ino=8388690
scontext=system_u:system_r:git_system_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:git_user_content_t:s0 tclass=dir

	Was caused by:
	The boolean git_system_enable_homedirs was set incorrectly. 
	Description:
	Allow git to system enable homedirs

	Allow access by executing:
	# setsebool -P git_system_enable_homedirs 1

So I just enabled the right boolean, I will defer the proper fix for
later (ie, use a different label for the git repository) 

-- 
Michael Scherer
Sysadmin, Community Infrastructure and Platform, OSAS


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
URL: <http://lists.gluster.org/pipermail/gluster-devel/attachments/20170225/ded838c5/attachment.sig>

More information about the Gluster-devel mailing list