Juniper Openstack

setenforce 0 returning with exit 1 causing ansible provisioning to fail

Bug #1689900 reported by Vedamurthy Joshi
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Juniper Openstack
Status tracked in Trunk
R4.0
Fix Committed
High
Yuvaraja Mariappan
Juniper Openstack r4.0.0.0-fcs "r4.0.0.0"
Trunk
Fix Committed
High
Yuvaraja Mariappan
Juniper Openstack r4.1.0.0-fcs "r4.1"

Bug Description

R4.0 3073

On Centos 7.1.1503, 'setenforce 0' exited with non-zero value(1) and ansible provisioning failed.

We see this manually as well on a similar node nodeg11 below

https://github.com/ansible/ansible/issues/2058 seems related ?

------------
nodeg11.englab.juniper.net:

[root@nodeg11 ~]# cat /etc/redhat-release
CentOS Linux release 7.1.1503 (Core)
[root@nodeg11 ~]# setenforce 0
setenforce: SELinux is disabled
[root@nodeg11 ~]# echo $?
1
[root@nodeg11 ~]#
[root@nodeg11 ~]# getenforce
Disabled
[root@nodeg11 ~]#
--------------
ansible logs :

TASK [common : Disable selinux for redhat systems] *****************************
fatal: [10.204.216.222]: FAILED! => {"changed": true, "cmd": ["setenforce", "0"], "delta": "0:00:00.011568", "end": "2017-05-09 14:48:47.557790", "failed": true, "rc": 1, "start": "2017-05-09 14:48:47.546222", "stderr": "setenforce: SELinux is disabled", "stdout": "", "stdout_lines": [], "warnings": []}
fatal: [10.204.216.59]: FAILED! => {"changed": true, "cmd": ["setenforce", "0"], "delta": "0:00:00.025877", "end": "2017-05-09 14:48:47.559846", "failed": true, "rc": 1, "start": "2017-05-09 14:48:47.533969", "stderr": "setenforce: SELinux is disabled", "stdout": "", "stdout_lines": [], "warnings": []}
fatal: [10.204.216.221]: FAILED! => {"changed": true, "cmd": ["setenforce", "0"], "delta": "0:00:00.014665", "end": "2017-05-09 14:48:47.570706", "failed": true, "rc": 1, "start": "2017-05-09 14:48:47.556041", "stderr": "setenforce: SELinux is disabled", "stdout": "", "stdout_lines": [], "warnings": []}
fatal: [10.204.216.58]: FAILED! => {"changed": true, "cmd": ["setenforce", "0"], "delta": "0:00:00.031054", "end": "2017-05-09 14:48:47.575227", "failed": true, "rc": 1, "start": "2017-05-09 14:48:47.544173", "stderr": "setenforce: SELinux is disabled", "stdout": "", "stdout_lines": [], "warnings": []}
fatal: [10.204.216.60]: FAILED! => {"changed": true, "cmd": ["setenforce", "0"], "delta": "0:00:00.020383", "end": "2017-05-09 14:48:47.577564", "failed": true, "rc": 1, "start": "2017-05-09 14:48:47.557181", "stderr": "setenforce: SELinux is disabled", "stdout": "", "stdout_lines": [], "warnings": []}
fatal: [10.204.216.223]: FAILED! => {"changed": true, "cmd": ["setenforce", "0"], "delta": "0:00:00.015881", "end": "2017-05-09 14:42:27.889286", "failed": true, "rc": 1, "start": "2017-05-09 14:42:27.873405", "stderr": "setenforce: SELinux is disabled", "stdout": "", "stdout_lines": [], "warnings": []}
        to retry, use: --limit @/home/root/jenkins/workspace/nodec1-sanity/contrail-ansible/playbooks/site.retry

PLAY RECAP *********************************************************************
10.204.216.221 : ok=4 changed=1 unreachable=0 failed=1
10.204.216.222 : ok=4 changed=1 unreachable=0 failed=1
10.204.216.223 : ok=4 changed=1 unreachable=0 failed=1
10.204.216.58 : ok=4 changed=1 unreachable=0 failed=1
10.204.216.59 : ok=4 changed=1 unreachable=0 failed=1
10.204.216.60 : ok=4 changed=1 unreachable=0 failed=1

Revision history for this message
Ignatious Johnson Christopher (ijohnson-x) wrote :

Please assign Kubernetees related bugs to Kubernetees team manager.

Changed in juniperopenstack:
assignee: Ignatious Johnson Christopher (ijohnson-x) → nobody
assignee: nobody → Vedamurthy Joshi (vedujoshi)
Vedamurthy Joshi (vedujoshi)
Changed in juniperopenstack:
assignee: Vedamurthy Joshi (vedujoshi) → Rudra Rugge (rudrarugge)
Jeba Paulaiyan (jebap)
tags: added: blocker
Revision history for this message
Harish Kumar (hkumarmk) wrote : Re: [Bug 1689900] Re: setenforce 0 returning with exit 1 causing ansible provisioning to fail
Download full text (4.7 KiB)

it seems the command "setenforce 0" exit with non-zero exit code when it is
already disabled. So it probably just need need to say ansible that "if you
see the message 'setenforce: SELinux is disabled'" in stderr, that is not
failure". You may do it with "failed_when" keyword in ansible.

May be something like this.

- name: Disable selinux for redhat systems
  command: setenforce 0

  register: disable_selinux

  failed_when: (disable_selinux.rc != 0 and disable_selinux.stderr not
in "setenforce: SELinux is disabled" )

  when: ansible_os_family == 'RedHat'

BTW, You may have to test this.

On Fri, May 12, 2017 at 7:37 AM, Rudra Rugge <email address hidden>
wrote:

> ** Changed in: juniperopenstack/r4.0
> Assignee: Rudra Rugge (rudrarugge) => Yuvaraja Mariappan (ymariappan)
>
> ** Changed in: juniperopenstack/trunk
> Assignee: Rudra Rugge (rudrarugge) => Yuvaraja Mariappan (ymariappan)
>
> --
> You received this bug notification because you are a member of Contrail
> Systems engineering, which is subscribed to Juniper Openstack.
> https://bugs.launchpad.net/bugs/1689900
>
> Title:
> setenforce 0 returning with exit 1 causing ansible provisioning to
> fail
>
> Status in Juniper Openstack:
> New
> Status in Juniper Openstack r4.0 series:
> New
> Status in Juniper Openstack trunk series:
> New
>
> Bug description:
> R4.0 3073
>
> On Centos 7.1.1503, 'setenforce 0' exited with non-zero value(1) and
> ansible provisioning failed.
>
> We see this manually as well on a similar node nodeg11 below
>
> https://github.com/ansible/ansible/issues/2058 seems related ?
>
> ------------
> nodeg11.englab.juniper.net:
>
> [root@nodeg11 ~]# cat /etc/redhat-release
> CentOS Linux release 7.1.1503 (Core)
> [root@nodeg11 ~]# setenforce 0
> setenforce: SELinux is disabled
> [root@nodeg11 ~]# echo $?
> 1
> [root@nodeg11 ~]#
> [root@nodeg11 ~]# getenforce
> Disabled
> [root@nodeg11 ~]#
> --------------
> ansible logs :
>
> TASK [common : Disable selinux for redhat systems]
> *****************************
> fatal: [10.204.216.222]: FAILED! => {"changed": true, "cmd":
> ["setenforce", "0"], "delta": "0:00:00.011568", "end": "2017-05-09
> 14:48:47.557790", "failed": true, "rc": 1, "start": "2017-05-09
> 14:48:47.546222", "stderr": "setenforce: SELinux is disabled", "stdout":
> "", "stdout_lines": [], "warnings": []}
> fatal: [10.204.216.59]: FAILED! => {"changed": true, "cmd":
> ["setenforce", "0"], "delta": "0:00:00.025877", "end": "2017-05-09
> 14:48:47.559846", "failed": true, "rc": 1, "start": "2017-05-09
> 14:48:47.533969", "stderr": "setenforce: SELinux is disabled", "stdout":
> "", "stdout_lines": [], "warnings": []}
> fatal: [10.204.216.221]: FAILED! => {"changed": true, "cmd":
> ["setenforce", "0"], "delta": "0:00:00.014665", "end": "2017-05-09
> 14:48:47.570706", "failed": true, "rc": 1, "start": "2017-05-09
> 14:48:47.556041", "stderr": "setenforce: SELinux is disabled", "stdout":
> "", "stdout_lines": [], "warnings": []}
> fatal: [10.204.216.58]: FAILED! => {"changed": true, "cmd":
> ["setenforce", "0"], "delta": "0:00:00.031054", "end": "2017-05-09
> 14:48:47.575227", "failed": tru...

Read more...

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/31452
Submitter: Yuvaraja Mariappan

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] R4.0

Review in progress for https://review.opencontrail.org/31453
Submitter: Yuvaraja Mariappan

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/31452
Submitter: Yuvaraja Mariappan

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] R4.0

Review in progress for https://review.opencontrail.org/31453
Submitter: Yuvaraja Mariappan

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/31453
Committed: http://github.com/Juniper/contrail-ansible/commit/2946525efecfb01868db731ebda733956802a375
Submitter: Zuul (<email address hidden>)
Branch: R4.0

commit 2946525efecfb01868db731ebda733956802a375
Author: Yuvaraja Mariappan <email address hidden>
Date: Thu May 11 21:17:30 2017 -0700

Fixed setenforce issue in k8s/mesos/openshift systems

command "setenforce 0" will be executed only if ansible_selinux.status
== 'enabled' in k8s/mesos/openshift systems

Change-Id: I16af4dcb553bff06b9e81208c40faf475eb4bddb
Closes-bug: #1689900

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/31452
Committed: http://github.com/Juniper/contrail-ansible/commit/c6c69b93fbaf9450836cc9f97eebfec4f9c95477
Submitter: Zuul (<email address hidden>)
Branch: master

commit c6c69b93fbaf9450836cc9f97eebfec4f9c95477
Author: Yuvaraja Mariappan <email address hidden>
Date: Thu May 11 21:17:30 2017 -0700

Fixed setenforce issue in k8s/mesos/openshift systems

command "setenforce 0" will be executed only if ansible_selinux.status
== 'enabled' in k8s/mesos/openshift systems

Change-Id: I16af4dcb553bff06b9e81208c40faf475eb4bddb
Closes-bug: #1689900

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.