Sunday, September 28, 2014

Notes on upgrading OpenShift Origin PHP Cartridge from v 0.08 to v 0.20

I am currently running the OpenShift Origin V3 platform on CentOS/RHEL 6.5, but need PHP 5.4 support. The problem is that the PHP cartridge in v0.08 only supports the original PHP version that comes with the OS, which is PHP 5.3.
Other people using Fedora might be able to use PHP 5.5 even with v0.08 version of the PHP cartridge.

The steps to install the Origin V4 cartridge (cartridge version 0.20 in manifest.yml / 1.26.9.1 in rpm spec) are (if you have no idea what these mean, then you really shouldn't try them):

  • download the PHP cartridge from Origin V4 rpm repository
  • erase the previous PHP cartridge using yum (yum erase ...)
  • install the new PHP cartridge using rpm (rpm -i ....)
  • install the new PHP cartridge using oo-admin-cartridge (oo-admin-cartridge -a install -s ...)
  • restart the mcollective on the node server (service ruby193-mcollective restart)
  • repeat this process on all nodes
  • clear caches on broker server (/usr/sbin/oo-admin-broker-cache --console)

However, as someone warned me before, this is not recommended because of some of the differences between the V3 Origin and V4 Origin platforms. The most notable are:


  • use of logshifter for logs. We need to install the logshifter rpm from Origin V4 on all of the nodes.
  • logshifter moves the PHP logs to syslog (which writes to /var/log/messages, I think), except when we configure a default /etc/openshift/logshifter.conf that says otherwise. I create mine from this file.
  • app-root/logs needs to be created in every new gear. See the github commit about "Port cartridges to use logshifter", especially the changes in node/lib/openshift-origin-node/model/application_container_ext/setup.rb. Locate the file on your node and update it.
  • the PHP control script uses a new server status function, so the cartridge_sdk/bash/sdk file must be updated. See this github commit about "Making apache server-status optional with a marker". As before, locate the sdk file and edit it.

I haven't tried to upgrade existing gears. So far I have only succeeded in creating new apps with the new cartridge.

In summary, someone wasn't kidding if they said that the only way we could upgrade an OpenShift platform installation from V3 to V4 is if we know about the changes between the two releases.

Zabbix on CentOS/RHEL 6.5: Fixing SELinux Errors

One of my OpenShift Origin servers has lots of these messages in /var/log/messages:

Sep 28 22:15:20 broker setroubleshoot: SELinux is preventing /usr/sbin/zabbix_agentd from read access on the file cmdline. For complete SELinux messages. run sealert -l 4dbe6e60-5c4e-47cb-9b7d-040260fc38e0
Sep 28 22:15:20 broker setroubleshoot: SELinux is preventing /usr/sbin/zabbix_agentd from read access on the file cmdline. For complete SELinux messages. run sealert -l 2d781069-0e24-45b6-a949-e978e6671c1a
Sep 28 22:15:20 broker setroubleshoot: SELinux is preventing /usr/sbin/zabbix_agentd from read access on the file cmdline. For complete SELinux messages. run sealert -l 2d781069-0e24-45b6-a949-e978e6671c1a
Sep 28 22:15:20 broker setroubleshoot: SELinux is preventing /usr/sbin/zabbix_agentd from read access on the file cmdline. For complete SELinux messages. run sealert -l 2d781069-0e24-45b6-a949-e978e6671c1a
Sep 28 22:15:20 broker setroubleshoot: SELinux is preventing /usr/sbin/zabbix_agentd from read access on the file cmdline. For complete SELinux messages. run sealert -l 2d781069-0e24-45b6-a949-e978e6671c1a


The errors are somewhat related to the ZBX-7537 bug report. Following the links there takes us to Red Hat BZ 1032691 - [selinux policy] Zabbix agent monitoring access denied. The cure is to create an SELinux module that fixes these errors; let's call it zabbix-fix. You may call it something else, but beware that the module name inside the TE file must match the TE filename and the PP filename.
zabbix-fix.te

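# Module name must match the file names (zabbix-fix.te / zabbix-fix.pp)
policy_module(zabbix-fix, 1.0)

# Types defined by the base policy that this module refers to
require {
 type zabbix_agent_t;
 type zabbix_t;
 type ping_t;
 type zabbix_tmp_t;
}

# ping (ping_t): read Zabbix temp files and read/write TCP sockets labeled zabbix_t
allow ping_t zabbix_tmp_t:file read_file_perms;
allow ping_t zabbix_t:tcp_socket { read write };

# Agent may read network state under /proc
kernel_read_network_state(zabbix_agent_t)
# Agent may read the /proc state of processes in every domain (covers the cmdline denial)
domain_read_all_domains_state(zabbix_agent_t)
# Agent may read sysfs
dev_read_sysfs(zabbix_agent_t)
# Agent may open TCP connections to any port
corenet_tcp_connect_all_ports(zabbix_agent_t)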

Create the file zabbix-fix.te with the above contents, then compile the module and install it.
make -f /usr/share/selinux/devel/Makefile zabbix-fix.pp
semodule -i zabbix-fix.pp
After the module was installed, the errors no longer show in /var/log/messages.
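
To see which distinct denials the module has to cover, and to check afterwards that none remain, the repeated setroubleshoot lines can be collapsed into one row per denial. This is an added example, not part of the original post; the function names `sample_log` and `summarize_denials` are hypothetical and the sample input is constructed.

```bash
#!/bin/bash
# Added example, not from the original post.
# Collapse repeated setroubleshoot lines into one row per distinct denial:
#   hits|distinct sealert ids|executable|access|object class|object name

# Constructed sample in the format of the /var/log/messages lines above.
# The first three lines reuse the post's denial; the last line and its
# all-zero id are made up to show a second denial.
sample_log() {
cat <<'EOF'
Sep 28 22:15:20 broker setroubleshoot: SELinux is preventing /usr/sbin/zabbix_agentd from read access on the file cmdline. For complete SELinux messages. run sealert -l 4dbe6e60-5c4e-47cb-9b7d-040260fc38e0
Sep 28 22:15:20 broker setroubleshoot: SELinux is preventing /usr/sbin/zabbix_agentd from read access on the file cmdline. For complete SELinux messages. run sealert -l 2d781069-0e24-45b6-a949-e978e6671c1a
Sep 28 22:15:20 broker setroubleshoot: SELinux is preventing /usr/sbin/zabbix_agentd from read access on the file cmdline. For complete SELinux messages. run sealert -l 2d781069-0e24-45b6-a949-e978e6671c1a
Sep 28 22:15:21 broker setroubleshoot: SELinux is preventing /usr/sbin/zabbix_agentd from search access on the directory net. For complete SELinux messages. run sealert -l 00000000-0000-0000-0000-000000000000
EOF
}

summarize_denials() {
  # Lines that are not in the "preventing X from Y access on the CLASS NAME"
  # shape are skipped by sed -n.
  sed -n 's/^.* setroubleshoot: SELinux is preventing \([^ ]*\) from \(.*\) access on the \([^ ]*\) \(.*\)\. For complete SELinux messages.*sealert -l \([0-9a-f-]*\).*$/\1|\2|\3|\4|\5/p' |
  awk -F'|' '
    { key = $1 "|" $2 "|" $3 "|" $4
      hits[key]++
      if (!seen[key, $5]++) ids[key]++ }
    END { for (k in hits) printf "%d|%d|%s\n", hits[k], ids[k], k }' |
  sort -t'|' -k1,1nr -k3
}

# Run against the sample; on a real host feed it /var/log/messages instead.
sample_log | summarize_denials
```

Empty output after installing the module and letting the agent run for a while means no matching denials were logged in the input given to the function.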

Summary

We need to install a custom SELinux policy module to enable Zabbix on RHEL/CentOS 6.5 servers.