Ah. Silly me - it was an SELinux problem. I was fooled by the fact that
the traceback and ‘Permission denied’ error occurred in kojid.log into
thinking that the problem was on the kojid side. After attempting to
trace the code

  repo_id, event_id = self.session.host.repoInit(tinfo['id'], **kwargs)

and finding that session doesn’t have a host method or attribute and
repoInit doesn’t exist anywhere in kojid, I searched every file on both
systems for repoInit and found it in /usr/share/koji-hub/kojihub.py -
with corresponding error messages in /var/log/httpd/error_log. I also
discovered the hub option KojiTraceback = extended, which helped.

The problem code was

  File "/usr/share/koji-hub/kojihub.py", line 2060, in repo_init
    os.makedirs(repodir)  #should not already exist

and after a setenforce 0 on the hub it started to work. I was sure I had
checked the AVC log, but perhaps that was before I had nfs working. Now
it shows:

[root@kojihub ~] # aureport --avc -ts recent

AVC Report
========================================================
# date time comm subj syscall class permission obj event
========================================================
1. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0 4 dir getattr system_u:object_r:nfs_t:s0 denied 494
2. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0 4 dir search system_u:object_r:nfs_t:s0 denied 493
3. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0 83 dir write system_u:object_r:nfs_t:s0 denied 495
4. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0 83 dir add_name system_u:object_r:nfs_t:s0 denied 495
5. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0 83 dir create unconfined_u:object_r:nfs_t:s0 denied 495
6. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0 2 file create unconfined_u:object_r:nfs_t:s0 denied 496
7. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0 2 file open system_u:object_r:nfs_t:s0 denied 496

Perhaps Koji/ServerHowTo could have a note for beginners that if the
hub’s /mnt/koji is on nfs you need to beat SELinux into submission.
Unfortunately my current nfs server doesn’t have proper SELinux support.
I may have to rearrange some disk space.

Moray.
“To err is human; to purr, feline.”

From: Andreas Mack [mailto:andreas.mack@gmail.com]
Sent: 13 April 2012 12:19
To: Discussion of Fedora build system
Subject: Re: newRepo Permission denied: '/mnt/koji/repos'

Hey,

just my two cents: It's possible to run the builders completely without
NFS. I use "topurl=" instead of "topdir=" in kojid.conf. The URL is
http://kojihub.domain.tld/kojimnt where kojimnt is apache aliased to the
/mnt/koji on kojihub. Regen repos has to be run on kojihub in that case.
It's the only one in the createrepo channel.

As for the NFS problem: Smells so much like SELinux. Maybe on the
server-side? Do you use NFS4?

HTH
Andreas

On Thu, Apr 12, 2012 at 17:40, Moray Henderson <Moray.Henderson@ict-software.org> wrote:

Is this the right place for questions on local koji installations?

Fresh setup of koji on CentOS 6.2. I've got hub, web and builder all
talking to each other, external repositories defined for the build tag and
build groups set up.

/mnt/koji is an nfs mount with root squashed to uid 48 (apache). I've
tested that I can write to the subdirectories as root and the owner comes
out as apache. The directory looks like

 # ll -R koji
 koji:
 total 16
 drwxr-xr-x 2 apache apache 4096 Apr 12 11:13 packages
 drwxr-xr-x 3 apache apache 4096 Apr 12 15:20 repos
 drwxr-xr-x 2 apache apache 4096 Apr 12 11:13 scratch
 drwxr-xr-x 2 apache apache 4096 Apr 12 11:13 work
 koji/packages:
 total 0
 koji/repos:
 total 0
 koji/scratch:
 total 0
 koji/work:
 total 0

The Koji/ExternalRepoServerBootstrap document says "Wait for the repo to
regenerate, and you should now be able to run a build successfully."
However, Koji-web lists the newRepo task as failed with result "<type
'exceptions.OSError'>: [Errno 13] Permission denied: '/mnt/koji/repos'".
On the builder, kojid.log reports:

 2012-04-12 14:20:31,067 [INFO] koji.build: Starting up
 2012-04-12 14:20:34,363 [INFO] koji.TaskManager: Attempting to take task 176
 2012-04-12 14:20:36,275 [INFO] koji.TaskManager: pids: {176: 17925}
 2012-04-12 14:20:36,855 [WARNING] koji.TaskManager: FAULT:
 Traceback (most recent call last):
   File "/usr/lib/python2.6/site-packages/koji/daemon.py", line 1114, in runTask
     response = (handler.run(),)
   File "/usr/lib/python2.6/site-packages/koji/tasks.py", line 146, in run
     return self.handler(*self.params,**self.opts)
   File "/usr/sbin/kojid", line 2491, in handler
     repo_id, event_id = self.session.host.repoInit(tinfo['id'], **kwargs)
   File "/usr/lib/python2.6/site-packages/koji/__init__.py", line 1510, in __call__
     return self.__func(self.__name,args,opts)
   File "/usr/lib/python2.6/site-packages/koji/__init__.py", line 1760, in _callMethod
     raise err
 Fault: <Fault 1: "<type 'exceptions.OSError'>: [Errno 13] Permission denied: '/mnt/koji/repos'">
 2012-04-12 14:20:37,110 [INFO] koji.TaskManager: open task: {'waiting': None, 'id': 176, 'weight': 0.10000000000000001}

I've looked into the code, but my python is not up to debugging that.
It's not an SELinux problem (I tried permissive mode) and /mnt/koji is
mounted read-write on the builder even though the documentation says
that's not necessary. Can someone point me in the right direction?

Moray.
"To err is human; to purr, feline."
--
buildsys mailing list
buildsys@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/buildsys
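
An added example, not part of the original thread: a shell function that condenses `aureport --avc` rows like those in the report above into one line per command, source type, target type and object class, which makes the "httpd_t denied on nfs_t" pattern visible at a glance. The sample rows are the thread's seven denials with wrapped lines rejoined; the names `sample_report` and `summarize_avc` are made up for this example.

```shell
#!/bin/sh
# Added example (not from the thread): summarise `aureport --avc` rows.
# Assumes the 11-column row layout shown in the report above and a
# command name that contains no spaces.

# Rows taken from the report in the thread, wrapped lines rejoined.
sample_report() {
    cat <<'EOF'
# date time comm subj syscall class permission obj event
========================================================
1. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0 4 dir getattr system_u:object_r:nfs_t:s0 denied 494
2. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0 4 dir search system_u:object_r:nfs_t:s0 denied 493
3. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0 83 dir write system_u:object_r:nfs_t:s0 denied 495
4. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0 83 dir add_name system_u:object_r:nfs_t:s0 denied 495
5. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0 83 dir create unconfined_u:object_r:nfs_t:s0 denied 495
6. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0 2 file create unconfined_u:object_r:nfs_t:s0 denied 496
7. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0 2 file open system_u:object_r:nfs_t:s0 denied 496
EOF
}

# Reads aureport rows on stdin; header and separator lines are skipped.
# Output: "<comm> <source type> -> <target type> <class> { perms } denials=N"
summarize_avc() {
    awk '
    $1 ~ /^[0-9]+\.$/ && NF >= 11 && $10 == "denied" {
        split($5, s, ":")          # subject context: user:role:type:level
        split($9, o, ":")          # object context:  user:role:type:level
        key = $4 " " s[3] " -> " o[3] " " $7
        if (!(key in count)) order[++n] = key   # keep first-seen order
        count[key]++
        # record each permission once per key
        if (index("," perms[key] ",", "," $8 ",") == 0)
            perms[key] = (perms[key] == "" ? $8 : perms[key] "," $8)
    }
    END {
        for (i = 1; i <= n; i++)
            printf "%s { %s } denials=%d\n", order[i], perms[order[i]], count[order[i]]
    }'
}

sample_report | summarize_avc
```

On a live hub, pipe `aureport --avc -ts recent` into `summarize_avc` instead of the sample. For the httpd_t-on-nfs_t pattern it reports here, the targeted policy's `httpd_use_nfs` boolean (`setsebool -P httpd_use_nfs on`) is a narrower switch than `setenforce 0`.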