
[BUG] service fails to start in Centos 8

Open campbellmc opened this issue 5 years ago • 1 comments

Bug details

Describe the bug

Just noticed this when we changed from CentOS 7 to CentOS 8. With SELinux enforcing, the consul binary moved from /tmp retains the context tmp_t. SELinux denies execution of the consul binary, so startup fails.

Steps to reproduce the bug

In pillar, set:

consul:
  service: True

Install and try to run consul on a CentOS 8 minion:

salt-call state.apply consul

The state will fail.

Check the audit log:

grep consul /var/log/audit/audit.log

Expected behaviour

service should start

Attempts to fix the bug

We use the following in install.sls after file.rename fixes the context:

{% if grains['os_family'] == 'RedHat' %}
consul_bin_restorecon:
  module.run:
    - file.restorecon:
        - /usr/local/bin/consul-{{consul.version}}
    - watch:
      - file: consul_install
{% endif %}

Use the module function file.restorecon to change the context of the consul binary to match the destination location of the file, which then permits execution by systemd.

campbellmc, Apr 27 '20 19:04
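The audit-log check from the reproduction steps can be narrowed to the denial described in this issue: an execute denial on a file that still carries a temporary-file label. The script below is an added example, not part of the issue or of consul-formula; the function names and the sample records (including the `consul-X.Y.Z` and `example-agent` names) are constructed, and it goes slightly beyond the report by also matching other `*_tmp_t` types such as `user_tmp_t`.

```shell
#!/usr/bin/env bash
# Added example: find binaries SELinux refused to execute because they kept a
# temporary-file label after being moved out of /tmp.

# Constructed sample records in audit.log AVC format (not from a real host).
sample_audit_log() {
  cat <<'EOF'
type=AVC msg=audit(1588014240.101:812): avc:  denied  { execute } for  pid=2301 comm="(consul)" name="consul-X.Y.Z" dev="dm-0" ino=395012 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1588014245.220:813): avc:  denied  { execute } for  pid=2305 comm="(agent)" name="example-agent" dev="dm-0" ino=395040 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1588014250.440:815): avc:  denied  { read } for  pid=2310 comm="consul" name="consul.d" dev="dm-0" ino=395100 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
EOF
}

# Reads audit records from the given files (or stdin) and prints
# "<file name> <target type> <source type>" for every AVC denial that
#   - includes the exact permission "execute",
#   - targets a regular file (tclass=file), and
#   - has a target type of tmp_t or ending in _tmp_t.
tmp_labelled_exec_denials() {
  awk '
    /^type=AVC / && / denied / {
      inperm = 0; exec = 0; name = ""; src = ""; tgt = ""; cls = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "{") { inperm = 1; continue }
        if ($i == "}") { inperm = 0; continue }
        if (inperm && $i == "execute") exec = 1
        if ($i ~ /^name=/) { name = substr($i, 6); gsub(/"/, "", name) }
        # A context is user:role:type:level, so the type is the third part.
        if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
        if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
        if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
      }
      if (exec && cls == "file" && tgt ~ /(^|_)tmp_t$/) print name, tgt, src
    }' "$@"
}

# Demo on the constructed records. On a real host, run as root:
#   tmp_labelled_exec_denials /var/log/audit/audit.log
sample_audit_log | tmp_labelled_exec_denials
```

Each file it reports is a candidate for the `file.restorecon` step shown above.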

We are seeing a similar issue on Rocky 8. Modified @campbellmc's fix like so and inserted it after consul-install in install.sls:

{% if grains['os_family'] == 'RedHat' %}

consul-bin-restorecon:
  module.run:
    - file.restorecon:
        - {{ consul.bin_dir ~ 'consul-' ~ consul.version }}
    - watch:
      - file: consul-install

{% endif %}

ehanks-habana, May 05 '23 18:05