You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@trafficcontrol.apache.org by GitBox <gi...@apache.org> on 2020/01/02 03:55:40 UTC
[GitHub] [trafficcontrol] zrhoffman opened a new issue #4249: Unable to
update or remove Traffic Ops in Docker
zrhoffman opened a new issue #4249: Unable to update or remove Traffic Ops in Docker
URL: https://github.com/apache/trafficcontrol/issues/4249
<!--
************ STOP!! ************
If this issue identifies a security vulnerability, DO NOT submit it! Instead, contact
the Apache Software Foundation Security Team at security@trafficcontrol.apache.org and follow the
guidelines at https://www.apache.org/security/ regarding vulnerability disclosure.
-->
<!--
- For *SUPPORT QUESTIONS*, use the
[Traffic Control slack channels](https://traffic-control-cdn.slack.com) or [Traffic Control mailing lists](http://trafficcontrol.apache.org/mailing_lists/).
- Before submitting, please **SEARCH GITHUB** for a similar issue or PR. -->
## I'm submitting a ...
<!-- (check all that apply with "[x]") -->
<!--- security vulnerability (STOP!! - see above)-->
- [x] bug report
- [ ] new feature / enhancement request
- [ ] improvement request (usability, performance, tech debt, etc.)
- [ ] other <!--(Please do not submit support requests here - see above)-->
## Traffic Control components affected ...
<!-- (check all that apply with "[x]") -->
- [x] CDN in a Box
- [ ] Documentation
- [ ] Grove
- [ ] Traffic Control Client
- [ ] Traffic Monitor
- [x] Traffic Ops
- [ ] Traffic Ops ORT
- [ ] Traffic Portal
- [ ] Traffic Router
- [ ] Traffic Stats
- [ ] Traffic Vault
- [ ] unknown
## Current behavior:
When installing a Traffic Ops RPM, the RPM's `%pre` script [checks](https://github.com/apache/trafficcontrol/blob/RELEASE-4.0.0-RC0/traffic_ops/build/traffic_ops.spec#L132-L135) to see if we are upgrading the package (which includes reinstalling). If so, it attempts to stop the `traffic_ops` `systemd` service. However, unprivileged docker containers cannot use `systemd`, so it is running in an unprivileged docker container, this causes the `%pre` script (and the whole upgrade) to fail.
This issue also affects removing Traffic Ops in unprivileged docker containers.
<!-- Describe how the bug manifests / how the current features are insufficient. -->
## Expected / new behavior:
<!-- Describe what the behavior would be without the bug / how the feature would improve Traffic Control -->
Traffic Ops should upgrade or remove uninhibited by the environment's ability to use `systemctl`.
## Minimal reproduction of the problem with instructions:
<!--
If the current behavior is a bug or you can illustrate your feature request better with an example,
please provide the *STEPS TO REPRODUCE* and include the applicable TC version.
-->
1. Copy the RPM into a `centos:7` docker container
2. `yum -y install <the RPM>`
3. `yum -y reinstall <the RPM>`
And:
1. Copy the RPM into a `centos:7` docker container
2. `yum -y install <the RPM>`
3. `yum -y remove <the RPM>`
## Anything else:
This is blocking #4247.
See console output below. The relevant error is `Failed to get D-Bus connection: Operation not permitted`.
<!-- e.g. stacktraces, related issues, suggestions how to fix -->
<details><summary>Expand to see the console output for reinstalling.</summary>
```shell
[root@8d16eeb6ab0e /]# yum -y reinstall traffic_ops-4.0.0-10407.bfa61795.el7.x86_64.rpm
Loaded plugins: fastestmirror, ovl
Examining traffic_ops-4.0.0-10407.bfa61795.el7.x86_64.rpm: traffic_ops-4.0.0-10407.bfa61795.el7.x86_64
Resolving Dependencies
--> Running transaction check
---> Package traffic_ops.x86_64 0:4.0.0-10407.bfa61795.el7 will be reinstalled
--> Finished Dependency Resolution
Dependencies Resolved
=================================================================================================================================================================================================================================================================================
Package Arch Version Repository Size
=================================================================================================================================================================================================================================================================================
Reinstalling:
traffic_ops x86_64 4.0.0-10407.bfa61795.el7 /traffic_ops-4.0.0-10407.bfa61795.el7.x86_64 26 M
Transaction Summary
=================================================================================================================================================================================================================================================================================
Reinstall 1 Package
Total size: 26 M
Installed size: 26 M
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
trafops:x:997:
trafops:x:999:997::/opt/traffic_ops:/sbin/nologin
Backing up config files.
tar: app/local: Cannot stat: No such file or directory
tar: app/cpanfile.snapshot: Cannot stat: No such file or directory
tar: Exiting with failure status due to previous errors
Failed to get D-Bus connection: Operation not permitted
error: %pre(traffic_ops-4.0.0-10407.bfa61795.el7.x86_64) scriptlet failed, exit status 1
Error in PREIN scriptlet in rpm package traffic_ops-4.0.0-10407.bfa61795.el7.x86_64
Verifying : traffic_ops-4.0.0-10407.bfa61795.el7.x86_64 1/1
Failed:
traffic_ops.x86_64 0:4.0.0-10407.bfa61795.el7
Complete!
```
</details>
<details><summary>Expand to see the console output for removing.</summary>
```shell
[root@8d16eeb6ab0e /]# yum -y remove traffic_ops
Loaded plugins: fastestmirror, ovl
Resolving Dependencies
--> Running transaction check
---> Package traffic_ops.x86_64 0:4.0.0-10407.bfa61795.el7 will be erased
--> Finished Dependency Resolution
Dependencies Resolved
=================================================================================================================================================================================================================================================================================
Package Arch Version Repository Size
=================================================================================================================================================================================================================================================================================
Removing:
traffic_ops x86_64 4.0.0-10407.bfa61795.el7 @/traffic_ops-4.0.0-10407.bfa61795.el7.x86_64 26 M
Transaction Summary
=================================================================================================================================================================================================================================================================================
Remove 1 Package
Installed size: 26 M
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Failed to get D-Bus connection: Operation not permitted
error: %preun(traffic_ops-4.0.0-10407.bfa61795.el7.x86_64) scriptlet failed, exit status 1
Error in PREUN scriptlet in rpm package traffic_ops-4.0.0-10407.bfa61795.el7.x86_64
Verifying : traffic_ops-4.0.0-10407.bfa61795.el7.x86_64 1/1
Failed:
traffic_ops.x86_64 0:4.0.0-10407.bfa61795.el7
Complete!
```
</details>
<!--
Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services
[GitHub] [trafficcontrol] rob05c commented on issue #4249: Unable to update
or remove Traffic Ops in Docker
Posted by GitBox <gi...@apache.org>.
rob05c commented on issue #4249: Unable to update or remove Traffic Ops in Docker
URL: https://github.com/apache/trafficcontrol/issues/4249#issuecomment-570118610
Ah, you're right, `systemctl stop traffic_ops` fails. I have an unprivileged `centos/systemd` container, and always use `service traffic_ops stop`, which gives the same DBUS message, but succeeds. Odd.
We could change the RPM to call `service traffic_ops stop` instead. But we'd also have to make it require the `initscripts` package. Which I have mixed feelings about. It's part of the Linux Standard Base, IMO supporting/requiring LSB isn't a bad thing. But I don't want to start a SystemD holy war.
It's also frustrating to have to deal with SystemD and Docker not playing well together. On one hand, I'm not sure we should be changing the Prod RPM for the CiaB. On the other, someone wanting to use Docker for their Prod system isn't unreasonable.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services
[GitHub] [trafficcontrol] rob05c commented on issue #4249: Unable to update
or remove Traffic Ops in Docker
Posted by GitBox <gi...@apache.org>.
rob05c commented on issue #4249: Unable to update or remove Traffic Ops in Docker
URL: https://github.com/apache/trafficcontrol/issues/4249#issuecomment-570119174
Hm, this looks promising: https://developers.redhat.com/blog/2016/09/13/running-systemd-in-a-non-privileged-container/
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services
[GitHub] [trafficcontrol] zrhoffman commented on issue #4249: Unable to
update or remove Traffic Ops in Docker
Posted by GitBox <gi...@apache.org>.
zrhoffman commented on issue #4249: Unable to update or remove Traffic Ops in Docker
URL: https://github.com/apache/trafficcontrol/issues/4249#issuecomment-570115751
`systemd` is included already in `centos:7`. `centos/systemd` also requires the container to be privileged in order to work and fails with the same error if it is unprivileged. Do we want CiaB to run in privileged containers?
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services
[GitHub] [trafficcontrol] zrhoffman commented on issue #4249: Unable to
update or remove Traffic Ops in Docker
Posted by GitBox <gi...@apache.org>.
zrhoffman commented on issue #4249: Unable to update or remove Traffic Ops in Docker
URL: https://github.com/apache/trafficcontrol/issues/4249#issuecomment-570277831
If the goal is only to unblock #4247 the `yum reinstall` could be changed to something like:
```shell
yum deplist traffic_ops-4.0.0-10414.5ac65099.el7.x86_64.rpm |
grep provider: |
awk '{print $2}' |
xargs yum -y install
```
That would avoid re-running the RPM's `%pre` script. Upgrades are are not as common in Docker anyway, in practice one would instead build a newer image.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services
[GitHub] [trafficcontrol] rob05c commented on issue #4249: Unable to update
or remove Traffic Ops in Docker
Posted by GitBox <gi...@apache.org>.
rob05c commented on issue #4249: Unable to update or remove Traffic Ops in Docker
URL: https://github.com/apache/trafficcontrol/issues/4249#issuecomment-570114950
Should we change the base image of `infrastructure/cdn-in-a-box/traffic_ops/Dockerfile` from `FROM centos:7` to `FROM centos/systemd`? I believe that would achieve what you want, as well as generally making systemd commands work on CiaB containers.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services
[GitHub] [trafficcontrol] ocket8888 commented on issue #4249: Unable to
update or remove Traffic Ops in Docker
Posted by GitBox <gi...@apache.org>.
ocket8888 commented on issue #4249: Unable to update or remove Traffic Ops in Docker
URL: https://github.com/apache/trafficcontrol/issues/4249#issuecomment-570618122
CiaB isn't really used for too much testing anyway, as I understand.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services
[GitHub] [trafficcontrol] zrhoffman commented on issue #4249: Unable to
update or remove Traffic Ops in Docker
Posted by GitBox <gi...@apache.org>.
zrhoffman commented on issue #4249: Unable to update or remove Traffic Ops in Docker
URL: https://github.com/apache/trafficcontrol/issues/4249#issuecomment-570347757
No longer blocking #4247.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services
[GitHub] [trafficcontrol] mitchell852 commented on issue #4249: Unable to
update or remove Traffic Ops in Docker
Posted by GitBox <gi...@apache.org>.
mitchell852 commented on issue #4249: Unable to update or remove Traffic Ops in Docker
URL: https://github.com/apache/trafficcontrol/issues/4249#issuecomment-575218051
not really sure if this is a bug or an enhancement or an improvement. feel free to change the label if anyone has opinions on that.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services
[GitHub] [trafficcontrol] rob05c edited a comment on issue #4249: Unable to
update or remove Traffic Ops in Docker
Posted by GitBox <gi...@apache.org>.
rob05c edited a comment on issue #4249: Unable to update or remove Traffic Ops in Docker
URL: https://github.com/apache/trafficcontrol/issues/4249#issuecomment-570118610
Ah, you're right, `systemctl stop traffic_ops` fails. I have an unprivileged `centos/systemd` container, and always use `service traffic_ops stop`, which gives the same DBUS message, but succeeds. Odd.
We could change the RPM to call `service traffic_ops stop` instead. But we'd also have to make it require the `initscripts` package. Which I have mixed feelings about. It's part of the Linux Standard Base, IMO supporting/requiring LSB isn't a bad thing. But I don't want to start a SystemD holy war.
It's frustrating to have to deal with SystemD and Docker not playing well together. On one hand, I'm not sure we should be changing the Prod RPM for the CiaB. On the other, someone wanting to use Docker for their Prod system isn't unreasonable.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services
[GitHub] [trafficcontrol] ocket8888 commented on issue #4249: Unable to
update or remove Traffic Ops in Docker
Posted by GitBox <gi...@apache.org>.
ocket8888 commented on issue #4249: Unable to update or remove Traffic Ops in Docker
URL: https://github.com/apache/trafficcontrol/issues/4249#issuecomment-570249280
I personally am still fully in favor of not using RPMs at all in CiaB, which would solve this by not requiring a daemon manager at all.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services
[GitHub] [trafficcontrol] rob05c commented on issue #4249: Unable to update
or remove Traffic Ops in Docker
Posted by GitBox <gi...@apache.org>.
rob05c commented on issue #4249: Unable to update or remove Traffic Ops in Docker
URL: https://github.com/apache/trafficcontrol/issues/4249#issuecomment-570423073
>I personally am still fully in favor of not using RPMs at all in CiaB, which would solve this by not requiring a daemon manager at all.
That has advantages and disadvantages. One of the biggest disadvantages is making the CiaB less like Production environments. Which makes both development and testing more artificial, and more likely to miss something and introduce a bug, potentially even bringing down the Production deployment.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services