SElinux blocking Google-Chrome (headless)

SElinux blocking Google-Chrome (headless) - google-chrome-headless

Good evening all,
Last month I commissioned a new OracleLinux server, and installed the latest Chrome version on it.
The project currently, is a small website which needs to generate a PDF report.
First, I create a HTML file with the entire content (it's only a header image, a table, and a footer - nothing too fancy).
Then, PHP issues this to generate the PDF file, after which it's downloaded by the user.
$output = shell_exec('/usr/bin/xvfb-run /usr/bin/google-chrome --no-sandbox --headless --disable-gpu --no-margins --print-to-pdf-no-header --print-to-pdf=/location/to/pdffile.pdf /location/to/htmlfile.html ');
This works great when I perform the action on the commandline (copy & paste the command).
However, when the PHP script executes the action, the following errors are generated and shown in the browser;
[0110/224510.775219:ERROR:file_path_watcher_linux.cc(71)] Failed to read /proc/sys/fs/inotify/max_user_watches
[0110/224510.779754:ERROR:udev_watcher.cc(51)] Failed to initialize a udev monitor. # # Fatal error in , line 0 # ignored # # # #FailureMessage Object: 0x7fff1b3fa650#0 0x55d633e63289 [0110/224510.816882:WARNING:crash_handler_host_linux.cc(341)] Could not translate tid, attempt = 1 retry ...
[0110/224510.830491:ERROR:file_path_watcher_linux.cc(71)] Failed to read /proc/sys/fs/inotify/max_user_watches
[0110/224510.918277:WARNING:crash_handler_host_linux.cc(341)] Could not translate tid, attempt = 2 retry ...
[0110/224511.018809:WARNING:crash_handler_host_linux.cc(341)] Could not translate tid, attempt = 3 retry ...
[0110/224511.119405:WARNING:crash_handler_host_linux.cc(365)] Could not translate tid - assuming crashing thread is thread group leader; syscall_supported=1 [0110/224511.121596:ERROR:crash_handler_host_linux.cc(444)] Failed to write crash dump for pid 106039 Cannot upload crash dump: failed to open --2021-01-10 22:45:11-- https://clients2.google.com/cr/report Resolving clients2.google.com (clients2.google.com)...
[0110/224511.507094:ERROR:headless_shell.cc(391)] Abnormal renderer termination. 172.217.17.142 Connecting to clients2.google.com (clients2.google.com)|172.217.17.142|:443... failed: Permission denied. Giving up. Unexpected crash report id length Failed to get crash dump id. Report Id:
Trying to find anything useless on the internet on those errors, failed.
So I looked further in /var/log/messages
It appears that Chrome needs all kinds of permissions to print a HTML into a PDF.
SElinux is prohibiting Chrome certain actions.
Now I'm wondering ... What is the solution?
Can I simply execute the commands suggested by SElinux in the errors below, or is it better to do something else? If so, what?
After spending the entire weekend on the internet, I found no real information regarding this.
[root#testserver1 bin]# > /var/log/messages
[root#testserver1 bin]# cat /var/log/messages
Jan 10 22:45:10 testserver1 dbus-daemon[1112]: [system] Activating service name='org.fedoraproject.Setroubleshootd' requested by ':1.150' (uid=0 pid=26234 comm="/usr/sbin/sedispatch " label="system_u:system_r:auditd_t:s0") (using servicehelper)
Jan 10 22:45:11 testserver1 kernel: traps: chrome[106039] trap invalid opcode ip:55d636e755d2 sp:7fff1b3fa640 error:0 in chrome[55d6312bf000+7b80000]
Jan 10 22:45:11 testserver1 systemd[1]: Started Process Core Dump (PID 106054/UID 0).
Jan 10 22:45:11 testserver1 dbus-daemon[1112]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Jan 10 22:45:11 testserver1 systemd-coredump[106057]: Process 106039 (chrome) of user 48 dumped core.#012#012Stack trace of thread 106039:#012#0 0x000055d636e755d2 n/a (chrome)#012#1 0x000055d636e7270e n/a (chrome)#012#2 0x000055d6331e2ce1 n/a (chrome)#012#3 0x000055d6331efcef n/a (chrome)#012#4 0x000055d63311e086 n/a (chrome)#012#5 0x000055d63311ec19 n/a (chrome)#012#6 0x000055d6334eb437 n/a (chrome)#012#7 0x000055d63301a159 n/a (chrome)#012#8 0x000055d636e7785a n/a (chrome)#012#9 0x000055d636d6df47 n/a (chrome)#012#10 0x000055d636d6e6d3 n/a (chrome)#012#11 0x000055d636e9f4d6 n/a (chrome)#012#12 0x000055d6385bf1c2 n/a (chrome)#012#13 0x000055d6385af82e n/a (chrome)#012#14 0x000055d6385b1d0f n/a (chrome)#012#15 0x000055d638d3add0 n/a (chrome)#012#16 0x000055d633d7d3e2 n/a (chrome)#012#17 0x000055d633d7b659 n/a (chrome)#012#18 0x000055d633dcae1c n/a (chrome)#012#19 0x000055d633dcac51 n/a (chrome)#012#20 0x000055d633dc94d5 n/a (chrome)#012#21 0x000055d63160676d ChromeMain (chrome)#012#22 0x00007ff0a7daf7a3 __libc_start_main (libc.so.6)#012#23 0x000055d6312bfa6a _start (chrome)#012#012Stack trace of thread 106042:#012#0 0x00007ff0a7e89257 epoll_wait (libc.so.6)#012#1 0x000055d633f9efeb n/a (chrome)#012#2 0x000055d633f9c9cb n/a (chrome)#012#3 0x000055d633e83a4b n/a (chrome)#012#4 0x000055d633e3572a n/a (chrome)#012#5 0x000055d633e0b811 n/a (chrome)#012#6 0x000055d633e4792d n/a (chrome)#012#7 0x000055d633e4e809 n/a (chrome)#012#8 0x000055d633e73b94 n/a (chrome)#012#9 0x00007ff0ada4a16a start_thread (libpthread.so.0)#012#10 0x00007ff0a7e88f23 __clone (libc.so.6)#012#012Stack trace of thread 106043:#012#0 0x00007ff0ada50708 pthread_cond_timedwait##GLIBC_2.3.2 (libpthread.so.0)#012#1 0x000055d633e6fbd1 n/a (chrome)#012#2 0x000055d633e70243 n/a (chrome)#012#3 0x000055d633e489bf n/a (chrome)#012#4 0x000055d633e485ad n/a (chrome)#012#5 0x000055d633e73b94 n/a (chrome)#012#6 0x00007ff0ada4a16a start_thread (libpthread.so.0)#012#7 0x00007ff0a7e88f23 __clone (libc.so.6)#012#012Stack trace of thread 106044:#012#0 0x00007ff0a7e89257 epoll_wait (libc.so.6)#012#1 0x000055d633f9efeb n/a (chrome)#012#2 0x000055d633f9c9cb n/a (chrome)#012#3 0x000055d633e83a4b n/a (chrome)#012#4 0x000055d633e3572a n/a (chrome)#012#5 0x000055d633e0b811 n/a (chrome)#012#6 0x000055d633e4e809 n/a (chrome)#012#7 0x000055d633e73b94 n/a (chrome)#012#8 0x00007ff0ada4a16a start_thread (libpthread.so.0)#012#9 0x00007ff0a7e88f23 __clone (libc.so.6)#012#012Stack trace of thread 106045:#012#0 0x00007ff0ada5031c pthread_cond_wait##GLIBC_2.3.2 (libpthread.so.0)#012#1 0x000055d633e6fa3d n/a (chrome)#012#2 0x000055d633e70396 n/a (chrome)#012#3 0x000055d633e7000e n/a (chrome)#012#4 0x000055d633de6487 n/a (chrome)#012#5 0x000055d633e3572a n/a (chrome)#012#6 0x000055d633e0b811 n/a (chrome)#012#7 0x000055d633e4e809 n/a (chrome)#012#8 0x000055d633e73b94 n/a (chrome)#012#9 0x00007ff0ada4a16a start_thread (libpthread.so.0)#012#10 0x00007ff0a7e88f23 __clone (libc.so.6)#012#012Stack trace of thread 106051:#012#0 0x00007ff0ada50708 pthread_cond_timedwait##GLIBC_2.3.2 (libpthread.so.0)#012#1 0x000055d633e6fbd1 n/a (chrome)#012#2 0x000055d633e70243 n/a (chrome)#012#3 0x000055d633e4875c n/a (chrome)#012#4 0x000055d633e485ad n/a (chrome)#012#5 0x000055d633e73b94 n/a (chrome)#012#6 0x00007ff0ada4a16a start_thread (libpthread.so.0)#012#7 0x00007ff0a7e88f23 __clone (libc.so.6)
Jan 10 22:45:11 testserver1 systemd[1]: systemd-coredump#31-106054-0.service: Succeeded.
Jan 10 22:45:11 testserver1 dbus-daemon[1112]: [system] Activating service name='org.fedoraproject.SetroubleshootPrivileged' requested by ':1.3219' (uid=995 pid=106033 comm="/usr/libexec/platform-python -Es /usr/sbin/setroub" label="system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023") (using servicehelper)
Jan 10 22:45:12 testserver1 dbus-daemon[1112]: [system] Successfully activated service 'org.fedoraproject.SetroubleshootPrivileged'
Jan 10 22:45:13 testserver1 setroubleshoot[106033]: SELinux is preventing /usr/bin/bash from write access on the directory /dev/fd/63. For complete SELinux messages run: sealert -l 472c7d4e-7e04-47a1-9dae-17cd3c696468
Jan 10 22:45:13 testserver1 setroubleshoot[106033]: SELinux is preventing /usr/bin/bash from write access on the directory /dev/fd/63.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that bash should be allowed write access on the 63 directory by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'google-chrome' --raw | audit2allow -M my-googlechrome#012# semodule -X 300 -i my-googlechrome.pp#012
Jan 10 22:45:13 testserver1 setroubleshoot[106033]: failed to retrieve rpm info for /proc/sys/fs/inotify/max_user_watches
Jan 10 22:45:14 testserver1 setroubleshoot[106033]: SELinux is preventing /opt/google/chrome/chrome from read access on the file /proc/sys/fs/inotify/max_user_watches. For complete SELinux messages run: sealert -l 1c33cba5-b4df-430d-9bdb-dec10b11639f
Jan 10 22:45:14 testserver1 setroubleshoot[106033]: SELinux is preventing /opt/google/chrome/chrome from read access on the file /proc/sys/fs/inotify/max_user_watches.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that chrome should be allowed read access on the max_user_watches file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'ThreadPoolForeg' --raw | audit2allow -M my-ThreadPoolForeg#012# semodule -X 300 -i my-ThreadPoolForeg.pp#012
Jan 10 22:45:15 testserver1 setroubleshoot[106033]: SELinux is preventing /opt/google/chrome/chrome from using the execmem access on a process. For complete SELinux messages run: sealert -l 2c8783bf-dec7-454d-997e-6a2c1dfbb240
Jan 10 22:45:15 testserver1 setroubleshoot[106033]: SELinux is preventing /opt/google/chrome/chrome from using the execmem access on a process.#012#012***** Plugin allow_execmem (53.1 confidence) suggests *********************#012#012If you know why chrome needs to map a memory region that is both executable and writable and understand that this is a potential security problem.#012Then you can allow the mapping by switching one of the following booleans: httpd_execmem#012Do#012follow the advice of the catchall_boolean plugin, otherwise contact your security administrator and report this issue#012#012***** Plugin catchall_boolean (42.6 confidence) suggests ******************#012#012If you want to allow httpd to execmem#012Then you must tell SELinux about this by enabling the 'httpd_execmem' boolean.#012#012Do#012setsebool -P httpd_execmem 1#012#012***** Plugin catchall (5.76 confidence) suggests **************************#012#012If you believe that chrome should be allowed execmem access on processes labeled httpd_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'chrome' --raw | audit2allow -M my-chrome#012# semodule -X 300 -i my-chrome.pp#012
Jan 10 22:45:16 testserver1 setroubleshoot[106033]: SELinux is preventing /opt/google/chrome/chrome from using the ptrace access on a process. For complete SELinux messages run: sealert -l 87b4832d-2497-4a8f-a5b6-7c0124a90cf8
Jan 10 22:45:16 testserver1 setroubleshoot[106033]: SELinux is preventing /opt/google/chrome/chrome from using the ptrace access on a process.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that chrome should be allowed ptrace access on processes labeled httpd_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'chrome' --raw | audit2allow -M my-chrome#012# semodule -X 300 -i my-chrome.pp#012
Jan 10 22:45:16 testserver1 setroubleshoot[106033]: SELinux is preventing /opt/google/chrome/chrome from using the ptrace access on a process. For complete SELinux messages run: sealert -l 87b4832d-2497-4a8f-a5b6-7c0124a90cf8
Jan 10 22:45:16 testserver1 setroubleshoot[106033]: SELinux is preventing /opt/google/chrome/chrome from using the ptrace access on a process.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that chrome should be allowed ptrace access on processes labeled httpd_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'chrome' --raw | audit2allow -M my-chrome#012# semodule -X 300 -i my-chrome.pp#012
Jan 10 22:45:17 testserver1 setroubleshoot[106033]: SELinux is preventing /opt/google/chrome/chrome from using the ptrace access on a process. For complete SELinux messages run: sealert -l 87b4832d-2497-4a8f-a5b6-7c0124a90cf8
Jan 10 22:45:17 testserver1 setroubleshoot[106033]: SELinux is preventing /opt/google/chrome/chrome from using the ptrace access on a process.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that chrome should be allowed ptrace access on processes labeled httpd_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'chrome' --raw | audit2allow -M my-chrome#012# semodule -X 300 -i my-chrome.pp#012
Jan 10 22:45:18 testserver1 setroubleshoot[106033]: SELinux is preventing /opt/google/chrome/chrome from using the ptrace access on a process. For complete SELinux messages run: sealert -l 87b4832d-2497-4a8f-a5b6-7c0124a90cf8
Jan 10 22:45:18 testserver1 setroubleshoot[106033]: SELinux is preventing /opt/google/chrome/chrome from using the ptrace access on a process.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that chrome should be allowed ptrace access on processes labeled httpd_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'chrome' --raw | audit2allow -M my-chrome#012# semodule -X 300 -i my-chrome.pp#012
Jan 10 22:45:19 testserver1 setroubleshoot[106033]: SELinux is preventing /opt/google/chrome/chrome from using the ptrace access on a process. For complete SELinux messages run: sealert -l 87b4832d-2497-4a8f-a5b6-7c0124a90cf8
Jan 10 22:45:19 testserver1 setroubleshoot[106033]: SELinux is preventing /opt/google/chrome/chrome from using the ptrace access on a process.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that chrome should be allowed ptrace access on processes labeled httpd_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'chrome' --raw | audit2allow -M my-chrome#012# semodule -X 300 -i my-chrome.pp#012
Jan 10 22:45:19 testserver1 setroubleshoot[106033]: failed to retrieve rpm info for /proc/sys/fs/inotify/max_user_watches
Jan 10 22:45:20 testserver1 setroubleshoot[106033]: SELinux is preventing /opt/google/chrome/chrome from read access on the file /proc/sys/fs/inotify/max_user_watches. For complete SELinux messages run: sealert -l 1c33cba5-b4df-430d-9bdb-dec10b11639f
Jan 10 22:45:20 testserver1 setroubleshoot[106033]: SELinux is preventing /opt/google/chrome/chrome from read access on the file /proc/sys/fs/inotify/max_user_watches.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that chrome should be allowed read access on the max_user_watches file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'ThreadPoolForeg' --raw | audit2allow -M my-ThreadPoolForeg#012# semodule -X 300 -i my-ThreadPoolForeg.pp#012
Jan 10 22:45:21 testserver1 setroubleshoot[106033]: SELinux is preventing /opt/google/chrome/chrome from using the ptrace access on a process. For complete SELinux messages run: sealert -l 87b4832d-2497-4a8f-a5b6-7c0124a90cf8
Jan 10 22:45:21 testserver1 setroubleshoot[106033]: SELinux is preventing /opt/google/chrome/chrome from using the ptrace access on a process.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that chrome should be allowed ptrace access on processes labeled httpd_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'chrome' --raw | audit2allow -M my-chrome#012# semodule -X 300 -i my-chrome.pp#012
[root#testserver1 bin]#
Any help is appreciated.

I feel like an idiot... I should have broaden my search. Instead of looking just for my specific error, look for generic errors and solutions. So I spent a weekend for nothing.
The solution will work for anyone I guess, I found this URL here:
https://www.serverlab.ca/tutorials/linux/administration-linux/troubleshooting-selinux-centos-red-hat/
It explains how to troubleshoot and fix these errors.
Install the setroubleshoot packages using Yum.
sudo yum install setroubleshoot setools
Because I wanted to start with a fresh logfile, I rotated the audit.log;
sudo service auditd rotate
Then... Do whatever you did to generate the errors.
After that, start the just installed troubleshoot package;
sudo sealert -a /var/log/audit/audit.log
It provides a report with all errors found, and ways to fix them.
The report will sort the errors and fixes by confidence level.
My approach was, fix the errors with a 100% confedence level.
Then rotate the logs again, try again what I wanted to do, see if it works or not, and if it doesn't, generate a new report.
Etc.

Related

Dronekit-sitl fails to bind on default port 5760

I have dronekit-sitl installed in a python3 virtual environment on my Windows 10 machine and have used it before by running dronekit-sitl copter with no issues. However, as of today I am running across what seems to be a permission issue when trying to execute the ArduCopter sitl.
$ dronekit-sitl copter
os: win, apm: copter, release: stable
SITL already Downloaded and Extracted.
Ready to boot.
Execute: C:\Users\kyrlon\.dronekit\sitl\copter-3.3\apm.exe --home=-35.363261,149.165230,584,353 --model=quad -I 0
SITL-0> Started model quad at -35.363261,149.165230,584,353 at speed 1.0
SITL-0.stderr> bind port 5760 for 0
Starting sketch 'ArduCopter'
bind failed on port 5760 - Operation not permitted
Starting SITL input
Not sure what might have triggered a new operation permission issue, and I tried to start over with a fresh Python environment, but even after a complete PC shutdown, I am still having the error as shown above.

It turns out that having docker on my system was the culprit and excluding the port I was attempting to use as mentioned in this SO post that led me to this github issue. Running the command in an elevated terminal:
netsh interface ipv4 show excludedportrange protocol=tcp
Provided me the results of the following excluded ports:
Protocol tcp Port Exclusion Ranges
Start Port End Port
---------- --------
1496 1595
1658 1757
1758 1857
1858 1957
1958 2057
2058 2157
2180 2279
2280 2379
2380 2479
2480 2579
2702 2801
2802 2901
2902 3001
3002 3101
3102 3201
3202 3301
3390 3489
3490 3589
3590 3689
3693 3792
3793 3892
3893 3992
3993 4092
4093 4192
4193 4292
4293 4392
4393 4492
4493 4592
4593 4692
4768 4867
4868 4967
5041 5140
5141 5240
5241 5340
5357 5357
5358 5457
5458 5557
5558 5657
5700 5700
5701 5800
8005 8005
8884 8884
15202 15301
15302 15401
15402 15501
15502 15601
15602 15701
15702 15801
15802 15901
15902 16001
16002 16101
16102 16201
16202 16301
16302 16401
16402 16501
16502 16601
16602 16701
16702 16801
16802 16901
16993 17092
17093 17192
50000 50059 *
* - Administered port exclusions.
Turns out that docker or possibly Hyper-V excluded the range that included 5760:
5701 5800
And as mentioned from the github issue, I probably resolved this issue before after a set number of restarts that incremented the port ranges, or possibly got lucky in the past starting dronekit-sitl before docker ran on my system.
Either way, to resolve this issue of Operation not permitted, running the command as admin:
net stop winnat
net start winnat
solved the issue with dronekit-sitl without having to specify a different port besides the default 5760.

Start systemd service after DRM card0 device

I have kiosk display running an electron app.
This app needs to be started on boot.
[Unit]
Description=Display Application
After=network.target getty#tty1.service
Conflicts=getty#tty1.service
[Service]
Type=simple
ExecStart=/usr/bin/xinit /usr/bin/electron main.js -- :0 -nocursor -nolisten tcp
Restart=on-failure
RestartSec=5
[Install]
WantedBy=multi-user.target
But for some reason this service ist started to early and xinit complains with no screens found. After the first systemd restart the app is running.
I searchd systemd device which sounded promising. But using dev-dri-card0 as Requires and After results in Missing Dependency in startup.
# ls /dev/dri
by-path card0 renderD128
# dmesg | grep drm
[ 3.609070] systemd[1]: Starting Load Kernel Module drm...
[ 3.672741] systemd[1]: modprobe#drm.service: Succeeded.
[ 3.673192] systemd[1]: Finished Load Kernel Module drm.
[ 4.327074] fb0: switching to inteldrmfb from EFI VGA
[ 4.332654] i915 0000:00:02.0: [drm] Finished loading DMC firmware i915/bxt_dmc_ver1_07.bin (v1.7)
[ 4.356201] i915 0000:00:02.0: [drm] Panel advertises DPCD backlight support, but VBT disagrees. If your backlight controls don't work try booting with i915.enable_dpcd_backlight=1. If your machine needs this, please file a _new_ bug report on drm/i915, see https://gitlab.freedesktop.org/drm/intel/-/wikis/How-to-file-i915-bugs for details.
[ 4.367399] [drm] Initialized i915 1.6.0 20200917 for 0000:00:02.0 on minor 0
[ 4.376167] fbcon: i915drmfb (fb0) is primary device
[ 4.402186] i915 0000:00:02.0: [drm] fb0: i915drmfb frame buffer device
# systemctl list-units -a -t device | grep card0
dev-dri-card0.device loaded inactive dead /dev/dri/card0
I have no glue whats wrong here. Found some posts saying that drm module is loaded to late (after systemd) ... added drm to initramfs ... no luck.

Ok found a solution
[Unit]
Description=Display Application
After=network.target systemd-user-sessions.service
Conflicts=getty#tty1.service
[Service]
TTYPath=/dev/tty1
PAMName=systemd-user
Environment=NODE_ENV=production
ExecStart=/usr/bin/xinit /usr/bin/electron main.js -- :0 -quiet -nocursor -nolisten tcp
Restart=on-failure
RestartSec=5
[Install]
Alias=display-manager.service
WantedBy=multi-user.target
This way the systemd-logind brings up a user session and all the drm stuff is ready.

yum and dnf install/update takes 5 minutes to start on RHEL8

If I run yum or dnf as root on most recent updated RHEL8 it works smoothly. As soon as I try running it with sudo users (added to wheel group) it takes up to 5 minutes.
Doing a yum clean did not help eiher.
I usually run updates using Ansible from a remote host but Ansible disconnects after several minutes of trying to run the yum module.
I set SELinux to disabled, just in case and checked proxy settings in dnf.conf - It all looks fine. Any input is very much appreciated.
This is the dnf.log
2020-02-20T15:33:13Z INFO Updating Subscription Management repositories.
2020-02-20T15:37:36Z DEBUG DNF version: 4.2.7
2020-02-20T15:37:36Z DDEBUG Command: yum update
2020-02-20T15:37:36Z DDEBUG Installroot: /
2020-02-20T15:37:36Z DDEBUG Releasever: 8
2020-02-20T15:37:36Z DEBUG cachedir: /var/cache/dnf
2020-02-20T15:37:36Z DDEBUG Base command: update
2020-02-20T15:37:36Z DDEBUG Extra commands: ['update']
2020-02-20T15:37:37Z DEBUG repo: using cache for: epel-modular
2020-02-20T15:37:37Z DEBUG epel-modular: using metadata from Sat Feb 15 03:19:39 2020.
2020-02-20T15:37:37Z DEBUG repo: using cache for: epel
2020-02-20T15:37:37Z DEBUG epel: using metadata from Thu Feb 20 06:38:22 2020.
2020-02-20T15:37:38Z DEBUG reviving: 'rhel-8-for-x86_64-baseos-rpms' can be revived - repomd matches.
2020-02-20T15:37:38Z DEBUG rhel-8-for-x86_64-baseos-rpms: using metadata from Thu Feb 13 10:30:57 2020.
2020-02-20T15:37:38Z DEBUG reviving: 'rhel-8-for-x86_64-appstream-rpms' can be revived - repomd matches.
2020-02-20T15:37:39Z DEBUG rhel-8-for-x86_64-appstream-rpms: using metadata from Thu Feb 20 11:06:31 2020.
2020-02-20T15:37:39Z DDEBUG timer: sack setup: 3550 ms
2020-02-20T15:37:39Z DEBUG Completion plugin: Generating completion cache...
2020-02-20T15:37:40Z DEBUG --> Starting dependency resolution
2020-02-20T15:37:40Z DEBUG --> Finished dependency resolution
2020-02-20T15:37:40Z DDEBUG timer: depsolve: 277 ms
2020-02-20T15:37:40Z INFO Dependencies resolved.
2020-02-20T15:37:40Z INFO Nothing to do.
2020-02-20T15:37:40Z INFO Complete!
2020-02-20T15:37:40Z DDEBUG Cleaning up.

I resolved the issue. The proxy was not correctly set in /etc/rhsm/rhsm.conf
I don't understand why running as root would not cause the same problem.

Couchbase-Server Community Edition 5.0.1 Installation issue on MacOS High Sierra version 10.13.2

I had previous working copy of the Couchbase Server community Edition 4*, this stopped opening the Admin Console page from the menu options post upgrade to the macOs high sierra.
Action performed
I have wiped deleted and re-install with the latest version of CB Server 5.0.1.
Clicked the Couchbase Server.app to begin with it has pinned the couchbase icon in the menu bar.
Selected "Open Admin Console"
Browser complained 'Safari Can't Connect to 127.0.0.1:8091'
Checked if there is any process running? And found there are.
Rizwans-MacBook-Pro:logs rizwan$ ps -ef | grep couch
501 6411 6396 0 9:08AM ?? 0:01.48 /Applications/Couchbase Server.app/Contents/Resources/couchbase-core/lib/erlang/erts-5.10.4.0.0.1/bin/beam.smp -A 16 -- -root /Applications/Couchbase Server.app/Contents/Resources/couchbase-core/lib/erlang -progname erl -- -home /Users/rizwan -- -kernel inet_dist_listen_min 21100 inet_dist_listen_max 21299 -sasl sasl_error_logger false -hidden -name babysitter_of_ns_1#127.0.0.1 -setcookie nocookie -run ns_babysitter_bootstrap -- -couch_ini /Applications/Couchbase Server.app/Contents/Resources/couchbase-core/etc/couchdb/default.ini /Applications/Couchbase Server.app/Contents/Resources/couchbase-core/etc/couchdb/default.d/capi.ini /Applications/Couchbase Server.app/Contents/Resources/couchbase-core/etc/couchdb/default.d/geocouch.ini /Applications/Couchbase Server.app/Contents/Resources/couchbase-core/etc/couchdb/local.ini /Users/rizwan/Library/Preferences/couchbase-server.ini /Users/rizwan/Library/Application Support/Couchbase/etc/couch-platform.ini /Users/rizwan/Library/Application Support/Couchbase/etc/couch-custom.ini -ns_babysitter cookiefile "/Users/rizwan/Library/Application Support/Couchbase/var/lib/couchbase/couchbase-server.cookie" -ns_server config_path "/Users/rizwan/Library/Application Support/Couchbase/etc/couchbase/static_config" -ns_server pidfile "/Users/rizwan/Library/Application Support/Couchbase/couchbase-server.pid" -ns_server cookiefile "/Users/rizwan/Library/Application Support/Couchbase/var/lib/couchbase/couchbase-server.cookie-ns-server" -ns_server dont_suppress_stderr_logger true -ns_server loglevel_stderr info
501 6704 6411 0 9:12AM ?? 0:00.80 /Applications/Couchbase Server.app/Contents/Resources/couchbase-core/lib/erlang/erts-5.10.4.0.0.1/bin/beam.smp -A 16 -sbt u -P 327680 -K true -swt low -MMmcs 30 -e102400 -- -root /Applications/Couchbase Server.app/Contents/Resources/couchbase-core/lib/erlang -progname erl -- -home /Users/rizwan -- -smp enable -setcookie nocookie -kernel inet_dist_listen_min 21100 inet_dist_listen_max 21299 error_logger false -sasl sasl_error_logger false -user user_io -run child_erlang child_start ns_bootstrap -- -couch_ini /Applications/Couchbase Server.app/Contents/Resources/couchbase-core/etc/couchdb/default.ini /Applications/Couchbase Server.app/Contents/Resources/couchbase-core/etc/couchdb/default.d/capi.ini /Applications/Couchbase Server.app/Contents/Resources/couchbase-core/etc/couchdb/default.d/geocouch.ini /Applications/Couchbase Server.app/Contents/Resources/couchbase-core/etc/couchdb/local.ini /Users/rizwan/Library/Preferences/couchbase-server.ini /Users/rizwan/Library/Application Support/Couchbase/etc/couch-platform.ini /Users/rizwan/Library/Application Support/Couchbase/etc/couch-custom.ini
Further to it try the couchbase server starting from the command line via the script available in download. It failed with the below log
Rizwans-MacBook-Pro:Resources rizwan$ ./start-server.sh
Starting epmd ...
Starting Couchbase Server ...
{error_logger,{{2018,1,7},{20,33,26}},"Protocol: ~tp: the name babysitter_of_ns_1#127.0.0.1 seems to be in use by another Erlang node",["inet_tcp"]}
{error_logger,{{2018,1,7},{20,33,26}},crash_report,[[{initial_call,{net_kernel,init,['Argument__1']}},{pid,<0.20.0>},{registered_name,[]},{error_info,{exit,{error,badarg},[{gen_server,init_it,6,[{file,"gen_server.erl"},{line,320}]},{proc_lib,init_p_do_apply,3,[{file,"proc_lib.erl"},{line,239}]}]}},{ancestors,[net_sup,kernel_sup,<0.10.0>]},{messages,[]},{links,[#Port<0.57>,<0.17.0>]},{dictionary,[{longnames,true}]},{trap_exit,true},{status,running},{heap_size,610},{stack_size,27},{reductions,1105}],[]]}
{error_logger,{{2018,1,7},{20,33,26}},supervisor_report,[{supervisor,{local,net_sup}},{errorContext,start_error},{reason,{'EXIT',nodistribution}},{offender,[{pid,undefined},{name,net_kernel},{mfargs,{net_kernel,start_link,[['babysitter_of_ns_1#127.0.0.1',longnames]]}},{restart_type,permanent},{shutdown,2000},{child_type,worker}]}]}
{error_logger,{{2018,1,7},{20,33,26}},supervisor_report,[{supervisor,{local,kernel_sup}},{errorContext,start_error},{reason,{shutdown,{failed_to_start_child,net_kernel,{'EXIT',nodistribution}}}},{offender,[{pid,undefined},{name,net_sup},{mfargs,{erl_distribution,start_link,[]}},{restart_type,permanent},{shutdown,infinity},{child_type,supervisor}]}]}
{error_logger,{{2018,1,7},{20,33,26}},crash_report,[[{initial_call,{application_master,init,['Argument__1','Argument__2','Argument__3','Argument__4']}},{pid,<0.9.0>},{registered_name,[]},{error_info,{exit,{{shutdown,{failed_to_start_child,net_sup,{shutdown,{failed_to_start_child,net_kernel,{'EXIT',nodistribution}}}}},{kernel,start,[normal,[]]}},[{application_master,init,4,[{file,"application_master.erl"},{line,133}]},{proc_lib,init_p_do_apply,3,[{file,"proc_lib.erl"},{line,239}]}]}},{ancestors,[<0.8.0>]},{messages,[{'EXIT',<0.10.0>,normal}]},{links,[<0.8.0>,<0.7.0>]},{dictionary,[]},{trap_exit,true},{status,running},{heap_size,376},{stack_size,27},{reductions,117}],[]]}
{error_logger,{{2018,1,7},{20,33,26}},std_info,[{application,kernel},{exited,{{shutdown,{failed_to_start_child,net_sup,{shutdown,{failed_to_start_child,net_kernel,{'EXIT',nodistribution}}}}},{kernel,start,[normal,[]]}}},{type,permanent}]}
{"Kernel pid terminated",application_controller,"{application_start_failure,kernel,{{shutdown,{failed_to_start_child,net_sup,{shutdown,{failed_to_start_child,net_kernel,{'EXIT',nodistribution}}}}},{kernel,start,[normal,[]]}}}"}
Crash dump was written to: erl_crash.dump
Kernel pid terminated (application_controller) ({application_start_failure,kernel,{{shutdown,{failed_to_start_child,net_sup,{shutdown,{failed_to_start_child,net_kernel,{'EXIT',nodistribution}}}}},{k

Ambari dashboard retrieving no statistics

I have a fresh install of Hortonworks Data Platform 2.2 installed on a small cluster (4 machines) but when I login to the Ambari GUI, the majority of dashboard stats boxes (HDFS disk usage, Network usage, Memory usage etc) are not populated with any statistics, instead they show the message:
No data There was no data available. Possible reasons include inaccessible Ganglia service
Clicking on the HDFS service link gives the following summary:
NameNode Started
SNameNode Started
DataNodes 4/4 DataNodes Live
NameNode Uptime Not Running
NameNode Heap n/a / n/a (0.0% used)
DataNodes Status 4 live / 0 dead / 0 decommissioning
Disk Usage (DFS Used) n/a / n/a (0%)
Disk Usage (Non DFS Used) n/a / n/a (0%)
Disk Usage (Remaining) n/a / n/a (0%)
Blocks (total) n/a
Block Errors n/a corrupt / n/a missing / n/a under replicated
Total Files + Directories n/a
Upgrade Status Upgrade not finalized
Safe Mode Status n/a
The Alerts and Health Checks box to the right of the screen is not displaying any information but if I click on the settings icon this opens the Nagios frontend and again, everything looks healthy here!
The install went smoothly (CentOS 6.5) and everything looks good as far as all services are concerned (all started with green tick next to service name). There are some stats displayed on the dashboard: 4/4 datanodes are live, 1/1 Nodemanages live & 1/1 Supervisors are live. I can write files to HDFS so its looks like it's a Ganglia issue?
The Ganglia daemon seems to be working ok:
ps -ef | grep gmond
nobody 1720 1 0 12:54 ? 00:00:44 /usr/sbin/gmond --conf=/etc/ganglia/hdp/HDPHistoryServer/gmond.core.conf --pid-file=/var/run/ganglia/hdp/HDPHistoryServer/gmond.pid
nobody 1753 1 0 12:54 ? 00:00:44 /usr/sbin/gmond --conf=/etc/ganglia/hdp/HDPFlumeServer/gmond.core.conf --pid-file=/var/run/ganglia/hdp/HDPFlumeServer/gmond.pid
nobody 1790 1 0 12:54 ? 00:00:48 /usr/sbin/gmond --conf=/etc/ganglia/hdp/HDPHBaseMaster/gmond.core.conf --pid-file=/var/run/ganglia/hdp/HDPHBaseMaster/gmond.pid
nobody 1821 1 1 12:54 ? 00:00:57 /usr/sbin/gmond --conf=/etc/ganglia/hdp/HDPKafka/gmond.core.conf --pid-file=/var/run/ganglia/hdp/HDPKafka/gmond.pid
nobody 1850 1 0 12:54 ? 00:00:44 /usr/sbin/gmond --conf=/etc/ganglia/hdp/HDPSupervisor/gmond.core.conf --pid-file=/var/run/ganglia/hdp/HDPSupervisor/gmond.pid
nobody 1879 1 0 12:54 ? 00:00:45 /usr/sbin/gmond --conf=/etc/ganglia/hdp/HDPSlaves/gmond.core.conf --pid-file=/var/run/ganglia/hdp/HDPSlaves/gmond.pid
nobody 1909 1 0 12:54 ? 00:00:48 /usr/sbin/gmond --conf=/etc/ganglia/hdp/HDPResourceManager/gmond.core.conf --pid-file=/var/run/ganglia/hdp/HDPResourceManager/gmond.pid
nobody 1938 1 0 12:54 ? 00:00:50 /usr/sbin/gmond --conf=/etc/ganglia/hdp/HDPNameNode/gmond.core.conf --pid-file=/var/run/ganglia/hdp/HDPNameNode/gmond.pid
nobody 1967 1 0 12:54 ? 00:00:47 /usr/sbin/gmond --conf=/etc/ganglia/hdp/HDPNodeManager/gmond.core.conf --pid-file=/var/run/ganglia/hdp/HDPNodeManager/gmond.pid
nobody 1996 1 0 12:54 ? 00:00:44 /usr/sbin/gmond --conf=/etc/ganglia/hdp/HDPNimbus/gmond.core.conf --pid-file=/var/run/ganglia/hdp/HDPNimbus/gmond.pid
nobody 2028 1 1 12:54 ? 00:00:58 /usr/sbin/gmond --conf=/etc/ganglia/hdp/HDPDataNode/gmond.core.conf --pid-file=/var/run/ganglia/hdp/HDPDataNode/gmond.pid
nobody 2057 1 0 12:54 ? 00:00:51 /usr/sbin/gmond --conf=/etc/ganglia/hdp/HDPHBaseRegionServer/gmond.core.conf --pid-file=/var/run/ganglia/hdp/HDPHBaseRegionServer/gmond.pid
I have checked the Ganglia service on each node, the processes are running as expected
ps -ef | grep gmetad
nobody 2807 1 2 12:55 ? 00:01:59 /usr/sbin/gmetad --conf=/etc/ganglia/hdp/gmetad.conf --pid-file=/var/run/ganglia/hdp/gmetad.pid
I have tried restarting Ganglia services with no luck, restarted all services but still the same. Does anyone have any ideas how I get the dashboard to work properly? Thank you.

It turns out to be a proxy issue, to access the internet I had to add my proxy details to the file /var/lib/ambari-server/ambari-env.sh
export AMBARI_JVM_ARGS=$AMBARI_JVM_ARGS' -Xms512m -Xmx2048m -Dhttp.proxyHost=theproxy -Dhttp.proxyPort=80 -Djava.security.auth.login.config=/etc/ambari-server/conf/krb5JAASLogin.conf -Djava.security.krb5.conf=/etc/krb5.conf -Djavax.security.auth.useSubjectCredsOnly=false'
When ganglia was trying to access each node in the cluster the request was going via the proxy and never resolving, to overcome the issue I added my nodes to the exclude list (add the flag -Dhttp.nonProxyHosts) like so:
export AMBARI_JVM_ARGS=$AMBARI_JVM_ARGS' -Xms512m -Xmx2048m -Dhttp.proxyHost=theproxy -Dhttp.proxyPort=80 -Dhttp.nonProxyHosts="localhost|node1.dms|node2.dms|node3.dms|etc" -Djava.security.auth.login.config=/etc/ambari-server/conf/krb5JAASLogin.conf -Djava.security.krb5.conf=/etc/krb5.conf -Djavax.security.auth.useSubjectCredsOnly=false'
After adding the exclude list the stats were retrieved as expected!

Develop Reference

ruby bash windows laravel spring algorithm oracle macos go visual-studio