OpenStack-Ansible

osa: Failed to restart auditd.service: Operation refused, unit auditd.service may be requested by dependency only.

Bug #1662622 reported by Christian Berendt on 2017-02-07

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack-Ansible	Fix Released	Undecided	David Rabel

Bug Description

On CentOS 7 the restart auditd handler fails with the following error:

Failed to restart auditd.service: Operation refused, unit auditd.service may be requested by dependency only.

A manual restart of this service with systemctl restart auditd is also not possible on CentOS. It looks like the only way to restart the service is to use service auditd restart (https://bugzilla.redhat.com/show_bug.cgi?id=973697).

Tags:

Revision history for this message

David Rabel (rabel-b1) wrote on 2017-02-08:

Maybe it will be sufficient to tell auditd to reload it's configuration instead of restarting it, since the handler seems to be triggered when auditd.conf is changed.

Revision history for this message

David Rabel (rabel-b1) wrote on 2017-02-08:

So, the handler is triggered, when auditd oder audisp configuration files are touched.

The audidp obtains a SIGHUP when auditd does:

"When the audit daemon receives a SIGTERM or SIGHUP, it passes that signal to the dispatcher, too. The dispatcher in turn passes those signals to its child processes." - man 8 audisp

Both seem to reload their config files, when they get a SIGHUP:

"SIGHUP causes auditd to reconfigure. This means that auditd re-reads the configuration file." man 8 auditd

For audisp it should be the same.

Changed in openstack-ansible:
assignee:	nobody → David Rabel (rabel-b1)

David Rabel (rabel-b1) on 2017-02-08

Changed in openstack-ansible:
status:	New → Confirmed
status:	Confirmed → In Progress

Revision history for this message

David Rabel (rabel-b1) wrote on 2017-02-08:

There seems to be a workaround for this:
https://github.com/openstack/openstack-ansible-security/commit/23af709fff689518f7443d29bdf8f2ee7287f42d

But still a clean solution would be nicer in my eyes. Comments?

Revision history for this message

Christian Berendt (berendt) wrote on 2017-02-08:

Backported for stable/newton with https://review.openstack.org/#/c/430900/.

David Rabel (rabel-b1) on 2017-02-08

Changed in openstack-ansible:
assignee:	David Rabel (rabel-b1) → nobody

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-02-27: Fix proposed to openstack-ansible-security (stable/newton)

Fix proposed to branch: stable/newton
Review: https://review.openstack.org/438491

David Rabel (rabel-b1) on 2017-02-27

Changed in openstack-ansible:
assignee:	nobody → David Rabel (rabel-b1)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-02-27: Fix merged to openstack-ansible-security (stable/newton)

Reviewed: https://review.openstack.org/438491
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-security/commit/?id=86cc1449d4569d879b5195d1a0be13b948268645
Submitter: Jenkins
Branch: stable/newton

commit 86cc1449d4569d879b5195d1a0be13b948268645
Author: Major Hayden <email address hidden>
Date: Tue Jan 3 12:19:46 2017 -0600

Unblock security role gate

This patch addresses two issues that are blocking the security role
CI jobs from completing:

    The OpenStack CI image is missing the default audit.rules file and this
    causes augenrules to fail when it loads new rules. The first line in
    the default rules file deletes existing rules and this must be in
    place before loading new rulesets. The contents of the default file
    are now in the template file, which is safer anyway. The default
    file provided by the OS is removed.

    The task that updates the apt cache in test.yml was running more than
    once during the CI job run when the gate ran slowly. That's fine, but
    it breaks the idempotence checks. A `changed_when` is added to the task
    to ensure that the idempotence tests aren't affected by an apt cache
    update.

Change-Id: I48be02df02b8a2a401bfd96e16ea0329632d9381
Partial-Bug: #1662622

tags:

added: in-stable-newton

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-02-27: Fix proposed to openstack-ansible-security (stable/newton)

Fix proposed to branch: stable/newton
Review: https://review.openstack.org/438696

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-03-01: Fix merged to openstack-ansible-security (stable/newton)

Reviewed: https://review.openstack.org/438696
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-security/commit/?id=83e3c206e8bbd8344a3770f8c2cff2651f528d5c
Submitter: Jenkins
Branch: stable/newton

commit 83e3c206e8bbd8344a3770f8c2cff2651f528d5c
Author: Major Hayden <email address hidden>
Date: Mon Dec 12 12:17:05 2016 -0600

Fix issues from new CentOS 7 release

    The auditd daemon now resets file permissions on its log directory each
    time it restarts and that breaks the idempotence tests. That task now
    has "changed_when: False".

These patches should unblock the security role gate.

[0] https://bugzilla.redhat.com/show_bug.cgi?id=1293713

Change-Id: I80b66a6d9e7c8ad97761a1f890ec6a3d2db88659
Partial-Bug: #1662622

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-03-09:

Reviewed: https://review.openstack.org/430900
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-security/commit/?id=2a2b1e619f299b6d408ba36bed4763673caf7634
Submitter: Jenkins
Branch: stable/newton

commit 2a2b1e619f299b6d408ba36bed4763673caf7634
Author: Major Hayden <email address hidden>
Date: Mon Nov 7 10:43:39 2016 -0600

Fix auditd restart handler

    It is not possible to restart auditd with systemctl. Using the service
    interface is required. There are chef cookbooks[1] with the same
    workaround.

This patch also includes a `cache_valid_time` addition to test.yml to
unblock the gate.

[1] https://github.com/chef-cookbooks/auditd/pull/22/files

    Closes-Bug: #1662622
    Change-Id: I1aa3faf88f5953c230693600fcbcb786d49a35e0
    (cherry picked from commit 23af709fff689518f7443d29bdf8f2ee7287f42d)