| *** olivierb_ has joined #openstack-dib | 07:47 | |
| *** hwoarang has joined #openstack-dib | 07:49 | |
| olivierb_ | ianw yolanda, could you please add your comments to https://review.openstack.org/#/c/559485 ? Many thanks | 08:32 |
|---|---|---|
| ianw | olivierb_: i was discussing something that looks extremely similar with eandersson today | 08:39 |
| ianw | are you running in a docker container? | 08:40 |
| olivierb_ | ianw not at all, either VirtualBox VM either baremetal machine | 08:40 |
| olivierb_ | both having same behaviour | 08:40 |
| olivierb_ | do you mean that the CI jobs are running in containers ? | 08:41 |
| ianw | no they are not | 08:43 |
| ianw | http://paste.openstack.org/show/729091/ | 08:45 |
| ianw | was his suggestion. this wsa inside a docker container, where the selinux sysfs directory was there, but not populated | 08:45 |
| olivierb_ | this is what I thought but just wanted to be sure | 08:45 |
| olivierb_ | both VM and baremetal are running Ubuntu xenial minimal set of packages without selinux installed/configured | 08:47 |
| olivierb_ | only the following packages: | 08:47 |
| olivierb_ | libselinux1:amd64 libsemanage-common libsemanage1:amd64 libsepol1:amd64 python-selinux | 08:47 |
| olivierb_ | tried to diff the running processes in CI machine as well as list of packages to see diffs but nothing showed up real clear | 08:48 |
| olivierb_ | https://review.openstack.org/591366 | 08:48 |
| ianw | the other thing was https://github.com/fedora-selinux/selinux/blob/master/policycoreutils/setfiles/setfiles.c#L112 | 08:49 |
| olivierb_ | yes, indeed, reading this code too, I was thinking that may be under some condition I do not know about it may have the mass_relabel set off therefore not going into open call which most probably lead to my error | 08:52 |
| olivierb_ | but I am definitely way off being a selinux knowledgeable person | 08:52 |
| ianw | olivierb_ : what happens if you actually install auditd on the building system? | 08:59 |
| *** noama has joined #openstack-dib | 09:00 | |
| olivierb_ | ianw will try this in the next few hours | 09:02 |
| ianw | i think it uses a netlink socket? which would be available within the chroot ... if the setfiles version didn't have that exit(-1) commented out ... | 09:03 |
| *** jesusaur has joined #openstack-dib | 09:33 | |
| *** hwoarang has quit IRC | 11:20 | |
| *** hwoarang has joined #openstack-dib | 11:20 | |
| *** rnm has joined #openstack-dib | 11:34 | |
| *** rnm is now known as rmart04 | 11:36 | |
| *** rmart04 has quit IRC | 11:40 | |
| *** rnm has joined #openstack-dib | 11:40 | |
| *** rnm has quit IRC | 11:42 | |
| *** rnm has joined #openstack-dib | 11:42 | |
| *** rnm is now known as rmart04 | 11:43 | |
| *** hwoarang has quit IRC | 11:46 | |
| *** hwoarang has joined #openstack-dib | 11:46 | |
| olivierb_ | ianw tried to install and launch auditd on my xenial installation | 14:14 |
| olivierb_ | apt-get install auditd audispd-plugins | 14:15 |
| olivierb_ | sudo systemctl start auditd | 14:15 |
| olivierb_ | sudo systemctl status auditd | 14:15 |
| olivierb_ | Condition: start condition failed at Thu 2018-08-30 16:11:04 CEST; 3s ago | 14:15 |
| olivierb_ | ConditionKernelCommandLine=!audit=0 was not met | 14:15 |
| olivierb_ | will try to reboot after enabling audit=1 in grub | 14:17 |
| olivierb_ | auditd now functional on my system, retrying to build image | 14:21 |
| olivierb_ | ianw however please note that unless I have badly launched the jobs in https://review.openstack.org/591366 your CI xenial system does not run auditd either | 14:22 |
| olivierb_ | or if I badly checked the list of running processes | 14:22 |
| olivierb_ | ianw ok after several tests with audit=0 and audit=1 and auditd installed on my xenial system I confirm that CentOS image generation succeeds when audit=1 and fails when audit=0 | 14:39 |
| olivierb_ | so would it make sense to update https://review.openstack.org/#/c/559485 with a test for grep audit=1 /proc/cmdline ??? | 14:40 |
| olivierb_ | however from a "conceptual" point of view, I do not understand why building an image (whatever it is and on whatever system) should depend (read succeed or fail) depending on its "kernel settings" | 14:42 |
| olivierb_ | please advise | 14:43 |
| *** olivier__ has joined #openstack-dib | 15:21 | |
| *** olivierb_ has quit IRC | 15:22 | |
| *** olivier__ has quit IRC | 15:46 | |
| *** olivierb_ has joined #openstack-dib | 15:48 | |
| *** noama has quit IRC | 16:30 | |
| *** rmart04 has quit IRC | 16:41 | |
| *** olivier__ has joined #openstack-dib | 19:19 | |
| *** olivierb_ has quit IRC | 19:20 | |
| *** olivier__ has quit IRC | 19:54 | |
| *** rmart04 has joined #openstack-dib | 20:45 | |
| *** rmart04 has quit IRC | 21:16 | |
Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!