[Gluster-devel] [Fwd: [Gluster-infra] Reboot of infra this week end to fix CVE-2017-6074]

Nigel Babu nigelb at redhat.com
Mon Feb 27 08:47:52 UTC 2017


Thank you Michael for taking care of this restart and fixing up the new
problems that came up :)

On Sat, Feb 25, 2017 at 8:54 PM, Michael Scherer <mscherer at redhat.com>
wrote:

> On Saturday 25 February 2017 at 16:21 +0100, Michael Scherer wrote:
> > On Saturday 25 February 2017 at 15:45 +0100, Michael Scherer wrote:
> > > On Saturday 25 February 2017 at 14:38 +0100, Michael Scherer wrote:
> > > > On Saturday 25 February 2017 at 14:21 +0100, Michael Scherer wrote:
> > > > > On Friday 24 February 2017 at 19:58 +0100, Michael Scherer wrote:
> > > > >
> > > > > So the great upgrade has started, and while almost everything went
> > > > > well, the host running gerrit/jenkins/etc
> > > > > (myrmicinae.rht.gluster.org) is again taking ages, because
> > > > > "firmware is loading".
> > > > >
> > > > > So just to let you know that the situation is under control, we just
> > > > > have to wait.
> > > >
> > > > It turns out that I was slightly too optimistic, as the server where
> > > > builders and fstat are running (haplometrosis.rht) has been
> > > > misconfigured since it was starting an interface both as part of a
> > > > bridge and outside of a bridge. Of course, this did create a race
> > > > condition and sometimes it works, sometimes it doesn't.
> > > >
> > > > And this time, it didn't. So this is now fixed (as I tested to reboot)
> > > >
> > > > Of course, things wouldn't be fun if something didn't break, and fstat
> > > > is not coming back on the new kernel. As the old kernel is fine, I
> > > > suspect something broke during the upgrade of the kernel and it did
> > > > create an invalid initrd. I will investigate and report.
> > > >
> > > >
> > > > And if you wonder, yes we are still waiting on myrmicinae to boot.
> > >
> > > So myrmicinae finally came back.
> > >
> > > And unsurprisingly, it didn't work as planned.
> > >
> > > First, it suffered from the same network problem as haplometrosis
> > > (because I configured it the same way, using nmcli, which created the
> > > same wrong file). The trick was how to restart network for VM without a
> > > full restart of the server.
> > >
> > > Then, gerrit didn't start automatically. This is gonna be fixed once we
> > > move it to ansible.
> > >
> > > Third, after I manually started gerrit, it took a long time to log me in
> > > (which means I started to freak out and plan how to debug it), but now,
> > > I can connect to the web interface, etc.
> > >
> > > If anything is broken, please send emails and/or ping me on internal irc
> > > and/or ping nigel
> >
> > So since I had free time and since we still have 890 coverity defects, I
> > decided to continue the cleaning I started, and ... found out that
> > selinux is in the way and it broke unauthenticated git clone.
> >
> > I am fixing it.
>
> # grep 1488035935.129:282 /var/log/audit/audit.log |audit2why
> type=AVC msg=audit(1488035935.129:282): avc:  denied  { getattr } for
> pid=3662 comm="git-daemon" path="/review/review.gluster.org/git"
> dev="vdb1" ino=8388690
> scontext=system_u:system_r:git_system_t:s0-s0:c0.c1023
> tcontext=unconfined_u:object_r:git_user_content_t:s0 tclass=dir
>
>         Was caused by:
>         The boolean git_system_enable_homedirs was set incorrectly.
>         Description:
>         Allow git to system enable homedirs
>
>         Allow access by executing:
>         # setsebool -P git_system_enable_homedirs 1
>
> So I just enabled the right boolean, I will defer the proper fix for
> later (ie, use a different label for the git repository)
>
> --
> Michael Scherer
> Sysadmin, Community Infrastructure and Platform, OSAS
>



-- 
nigelb
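
A triage helper for denials like the one quoted in the thread above, as an added example that is not part of the original messages: it parses AVC records from audit.log and groups them by source type, target type and object class, the view needed when choosing between a boolean and a relabel. The second AVC record and the SYSCALL record in the sample are constructed, and the function names are illustrative.

```python
import re

# Sample input: the first record is the denial quoted in the thread (unwrapped);
# the second AVC record and the SYSCALL record are constructed for illustration.
_CTX = ("scontext=system_u:system_r:git_system_t:s0-s0:c0.c1023 "
        "tcontext=unconfined_u:object_r:git_user_content_t:s0 tclass=dir")
_OBJ = 'pid=3662 comm="git-daemon" path="/review/review.gluster.org/git" dev="vdb1" ino=8388690'
SAMPLE_LOG = "\n".join([
    f"type=AVC msg=audit(1488035935.129:282): avc:  denied  {{ getattr }} for {_OBJ} {_CTX}",
    f"type=AVC msg=audit(1488035936.000:283): avc:  denied  {{ read open }} for {_OBJ} {_CTX}",
    "type=SYSCALL msg=audit(1488035936.000:283): arch=c000003e syscall=257 success=no",
])

AVC_RE = re.compile(r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): "
                    r"avc:\s+denied\s+\{ (?P<perms>[^}]*)\} for (?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"


def parse_avc(line):
    """Return a dict for an AVC denial line, or None for any other record."""
    m = AVC_RE.match(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m["rest"])}
    if "scontext" not in fields or "tcontext" not in fields:
        return None
    return {
        "event": f'{m["ts"]}:{m["serial"]}',
        "perms": m["perms"].split(),
        "path": fields.get("path"),
        # A context is user:role:type:level; the type is what policy rules match on.
        "source_type": fields["scontext"].split(":")[2],
        "target_type": fields["tcontext"].split(":")[2],
        "tclass": fields.get("tclass"),
    }


def summarize(log_text):
    """Group denials by (source type, target type, class), merging permissions."""
    groups = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue  # SYSCALL, PATH and other non-AVC records
        key = (rec["source_type"], rec["target_type"], rec["tclass"])
        entry = groups.setdefault(key, {"perms": set(), "paths": set(), "events": []})
        entry["perms"].update(rec["perms"])
        entry["paths"].add(rec["path"])
        entry["events"].append(rec["event"])
    return groups
```

One group with a single path under it, as in this sample, points at a labeling question on that directory rather than at many unrelated denials.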