charm install hook fails when CIS hardening is enabled

Bug #1879302 reported by Gábor Mészáros
22
This bug affects 4 people
Affects Status Importance Assigned to Milestone
Thruk Agent Charm
Won't Fix
Low
Unassigned

Bug Description

It fails due to CIS hardening adds filtering for crontab users.

As a workaround had to add www-data to /etc/cron.allow file.

Log is:
2020-05-18 10:10:30 DEBUG install Reading package lists...

2020-05-18 10:10:30 DEBUG install Building dependency tree...

2020-05-18 10:10:30 DEBUG install Reading state information...

2020-05-18 10:10:31 DEBUG install pwgen is already the newest version (2.08-1).

2020-05-18 10:10:31 DEBUG install apache2-utils is already the newest version (2.4.29-1ubuntu4.13).

2020-05-18 10:10:31 DEBUG install thruk is already the newest version (2.24-2ubuntu6).

2020-05-18 10:10:31 DEBUG install 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

2020-05-18 10:10:31 DEBUG install 3 not fully installed or removed.

2020-05-18 10:10:31 DEBUG install After this operation, 0 B of additional disk space will be used.

2020-05-18 10:10:31 DEBUG install Setting up thruk-base (2.24-2ubuntu6) ...

2020-05-18 10:10:31 DEBUG install thruk plugins enabled: business_process conf minemap mobile panorama statusmap

2020-05-18 10:10:31 DEBUG install Configuring apache2 vhost ...

2020-05-18 10:10:31 DEBUG install Module alias already enabled

2020-05-18 10:10:31 DEBUG install Module fcgid already enabled

2020-05-18 10:10:31 DEBUG install Considering dependency authn_core for auth_basic:

2020-05-18 10:10:31 DEBUG install Module authn_core already enabled

2020-05-18 10:10:31 DEBUG install Module auth_basic already enabled

2020-05-18 10:10:31 DEBUG install Module rewrite already enabled

2020-05-18 10:10:31 DEBUG install Thruk have been configured for http://nagios-1/thruk/.

2020-05-18 10:10:31 DEBUG install The default user is 'thrukadmin' with password 'thrukadmin'. You can usually change that by 'htpasswd /etc/thruk/htpasswd thrukadmin'

2020-05-18 10:10:31 DEBUG install The user www-data cannot use this program (crontab)

2020-05-18 10:10:31 DEBUG install dpkg: error processing package thruk-base (--configure):

2020-05-18 10:10:31 DEBUG install installed thruk-base package post-installation script subprocess returned error exit status 1

2020-05-18 10:10:31 DEBUG install dpkg: dependency problems prevent configuration of thruk:

2020-05-18 10:10:31 DEBUG install thruk depends on thruk-base (= 2.24-2ubuntu6); however:

2020-05-18 10:10:31 DEBUG install Package thruk-base is not configured yet.

2020-05-18 10:10:31 DEBUG install

2020-05-18 10:10:31 DEBUG install dpkg: error processing package thruk (--configure):

2020-05-18 10:10:31 DEBUG install dependency problems - leaving unconfigured

2020-05-18 10:10:31 DEBUG install No apport report written because the error message indicates its a followup error from a previous failure.

2020-05-18 10:10:31 DEBUG install dpkg: dependency problems prevent configuration of thruk-plugin-reporting:

2020-05-18 10:10:31 DEBUG install thruk-plugin-reporting depends on thruk-base (= 2.24-2ubuntu6); however:

2020-05-18 10:10:31 DEBUG install Package thruk-base is not configured yet.

2020-05-18 10:10:31 DEBUG install

2020-05-18 10:10:31 DEBUG install dpkg: error processing package thruk-plugin-reporting (--configure):

2020-05-18 10:10:31 DEBUG install dependency problems - leaving unconfigured

2020-05-18 10:10:31 DEBUG install No apport report written because the error message indicates its a followup error from a previous failure.

2020-05-18 10:10:31 DEBUG install Errors were encountered while processing:

2020-05-18 10:10:31 DEBUG install thruk-base

2020-05-18 10:10:31 DEBUG install thruk

2020-05-18 10:10:31 DEBUG install thruk-plugin-reporting

2020-05-18 10:10:33 DEBUG install E: Sub-process /usr/bin/dpkg returned an error code (1)

2020-05-18 10:10:33 DEBUG install Traceback (most recent call last):

2020-05-18 10:10:33 DEBUG install File "/var/lib/juju/agents/unit-thruk-agent-0/charm/hooks/install", line 21, in <module>

2020-05-18 10:10:33 DEBUG install install()

2020-05-18 10:10:33 DEBUG install File "/var/lib/juju/agents/unit-thruk-agent-0/charm/hooks/install", line 18, in install

2020-05-18 10:10:33 DEBUG install apt_install(packages=package_list, fatal=True)

2020-05-18 10:10:33 DEBUG install File "/var/lib/juju/agents/unit-thruk-agent-0/charm/hooks/charmhelpers/fetch/ubuntu.py", line 243, in apt_install

2020-05-18 10:10:33 DEBUG install _run_apt_command(cmd, fatal)

2020-05-18 10:10:33 DEBUG install File "/var/lib/juju/agents/unit-thruk-agent-0/charm/hooks/charmhelpers/fetch/ubuntu.py", line 714, in _run_apt_command

2020-05-18 10:10:33 DEBUG install retry_message="Couldn't acquire DPKG lock")

2020-05-18 10:10:33 DEBUG install File "/var/lib/juju/agents/unit-thruk-agent-0/charm/hooks/charmhelpers/fetch/ubuntu.py", line 690, in _run_with_retries

2020-05-18 10:10:33 DEBUG install result = subprocess.check_call(cmd, **kwargs)

2020-05-18 10:10:33 DEBUG install File "/usr/lib/python2.7/subprocess.py", line 190, in check_call

2020-05-18 10:10:33 DEBUG install raise CalledProcessError(retcode, cmd)

2020-05-18 10:10:33 DEBUG install subprocess.CalledProcessError: Command '['apt-get', '--assume-yes', '--option=Dpkg::Options::=--force-confold', 'install', 'thruk', 'pwgen', 'apache2-utils']' returned non-zero exit status 100

2020-05-18 10:10:33 ERROR juju.worker.uniter.operation runhook.go:132 hook "install" failed: exit status 1

Diko Parvanov (dparv)
Changed in charm-thruk-agent:
importance: Undecided → Low
status: New → Triaged
Revision history for this message
Arif Ali (arif-ali) wrote :

Hi @dparv,

The customer is going to be deploying thruk-agent on future sites with CIS hardening, and would ultimately like to not have to do this manually to resolve this.

Would you be able to give us an idea, when we'll see an update to get this moving forward

Thanks,
Arif

Revision history for this message
Xav Paice (xavpaice) wrote :

The decision to support CIS hardening is a bit larger than this bug alone, and would need to be part of the product roadmap itself. If this particular issue is blocking a deployment, then please see the process for field sla, which would bump the fix to the front of the queue.

Revision history for this message
Xav Paice (xavpaice) wrote :

Workaround: remove the crontab line from /var/lib/dpkg/info/thruk-base.postinst

This allows the installation to complete, albeit without a working cron for the www-data user.

Revision history for this message
Eric Chen (eric-chen) wrote :

This charm is no longer being actively maintained. I will close this issue

Changed in charm-thruk-agent:
status: Triaged → Won't Fix
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.