Juniper Openstack

Bug #1689900
Comment #2

Comment 2 for bug 1689900

Revision history for this message

Harish Kumar (hkumarmk) wrote on 2017-05-12: Re: [Bug 1689900] Re: setenforce 0 returning with exit 1 causing ansible provisioning to fail

it seems the command "setenforce 0" exit with non-zero exit code when it is
already disabled. So it probably just need need to say ansible that "if you
see the message 'setenforce: SELinux is disabled'" in stderr, that is not
failure". You may do it with "failed_when" keyword in ansible.

May be something like this.

- name: Disable selinux for redhat systems
command: setenforce 0

failed_when: (disable_selinux.rc != 0 and disable_selinux.stderr not
in "setenforce: SELinux is disabled" )

when: ansible_os_family == 'RedHat'

BTW, You may have to test this.

On Fri, May 12, 2017 at 7:37 AM, Rudra Rugge <email address hidden>
wrote:

> ** Changed in: juniperopenstack/r4.0
> Assignee: Rudra Rugge (rudrarugge) => Yuvaraja Mariappan (ymariappan)
>
> ** Changed in: juniperopenstack/trunk
> Assignee: Rudra Rugge (rudrarugge) => Yuvaraja Mariappan (ymariappan)
>
> --
> You received this bug notification because you are a member of Contrail
> Systems engineering, which is subscribed to Juniper Openstack.
> https://bugs.launchpad.net/bugs/1689900
>
> Title:
> setenforce 0 returning with exit 1 causing ansible provisioning to
> fail
>
> Status in Juniper Openstack:
> New
> Status in Juniper Openstack r4.0 series:
> New
> Status in Juniper Openstack trunk series:
> New
>
> Bug description:
> R4.0 3073
>
> On Centos 7.1.1503, 'setenforce 0' exited with non-zero value(1) and
> ansible provisioning failed.
>
> We see this manually as well on a similar node nodeg11 below
>
> https://github.com/ansible/ansible/issues/2058 seems related ?
>
> ------------
> nodeg11.englab.juniper.net:
>
> [root@nodeg11 ~]# cat /etc/redhat-release
> CentOS Linux release 7.1.1503 (Core)
> [root@nodeg11 ~]# setenforce 0
> setenforce: SELinux is disabled
> [root@nodeg11 ~]# echo $?
> 1
> [root@nodeg11 ~]#
> [root@nodeg11 ~]# getenforce
> Disabled
> [root@nodeg11 ~]#
> --------------
> ansible logs :
>
> TASK [common : Disable selinux for redhat systems]
> *****************************
> fatal: [10.204.216.222]: FAILED! => {"changed": true, "cmd":
> ["setenforce", "0"], "delta": "0:00:00.011568", "end": "2017-05-09
> 14:48:47.557790", "failed": true, "rc": 1, "start": "2017-05-09
> 14:48:47.546222", "stderr": "setenforce: SELinux is disabled", "stdout":
> "", "stdout_lines": [], "warnings": []}
> fatal: [10.204.216.59]: FAILED! => {"changed": true, "cmd":
> ["setenforce", "0"], "delta": "0:00:00.025877", "end": "2017-05-09
> 14:48:47.559846", "failed": true, "rc": 1, "start": "2017-05-09
> 14:48:47.533969", "stderr": "setenforce: SELinux is disabled", "stdout":
> "", "stdout_lines": [], "warnings": []}
> fatal: [10.204.216.221]: FAILED! => {"changed": true, "cmd":
> ["setenforce", "0"], "delta": "0:00:00.014665", "end": "2017-05-09
> 14:48:47.570706", "failed": true, "rc": 1, "start": "2017-05-09
> 14:48:47.556041", "stderr": "setenforce: SELinux is disabled", "stdout":
> "", "stdout_lines": [], "warnings": []}
> fatal: [10.204.216.58]: FAILED! => {"changed": true, "cmd":
> ["setenforce", "0"], "delta": "0:00:00.031054", "end": "2017-05-09
> 14:48:47.575227", "failed": true, "rc": 1, "start": "2017-05-09
> 14:48:47.544173", "stderr": "setenforce: SELinux is disabled", "stdout":
> "", "stdout_lines": [], "warnings": []}
> fatal: [10.204.216.60]: FAILED! => {"changed": true, "cmd":
> ["setenforce", "0"], "delta": "0:00:00.020383", "end": "2017-05-09
> 14:48:47.577564", "failed": true, "rc": 1, "start": "2017-05-09
> 14:48:47.557181", "stderr": "setenforce: SELinux is disabled", "stdout":
> "", "stdout_lines": [], "warnings": []}
> fatal: [10.204.216.223]: FAILED! => {"changed": true, "cmd":
> ["setenforce", "0"], "delta": "0:00:00.015881", "end": "2017-05-09
> 14:42:27.889286", "failed": true, "rc": 1, "start": "2017-05-09
> 14:42:27.873405", "stderr": "setenforce: SELinux is disabled", "stdout":
> "", "stdout_lines": [], "warnings": []}
> to retry, use: --limit @/home/root/jenkins/workspace/
> nodec1-sanity/contrail-ansible/playbooks/site.retry
>
> PLAY RECAP ************************************************************
> *********
> 10.204.216.221 : ok=4 changed=1 unreachable=0
> failed=1
> 10.204.216.222 : ok=4 changed=1 unreachable=0
> failed=1
> 10.204.216.223 : ok=4 changed=1 unreachable=0
> failed=1
> 10.204.216.58 : ok=4 changed=1 unreachable=0
> failed=1
> 10.204.216.59 : ok=4 changed=1 unreachable=0
> failed=1
> 10.204.216.60 : ok=4 changed=1 unreachable=0
> failed=1
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/juniperopenstack/+bug/1689900/+subscriptions
>

May be something like this.

- name: Disable selinux for redhat systems
  command: setenforce 0

failed_when: (disable_selinux.rc != 0 and disable_selinux.stderr not
in "setenforce: SELinux is disabled" )

when: ansible_os_family == 'RedHat'

BTW, You may have to test this.

On Fri, May 12, 2017 at 7:37 AM, Rudra Rugge <rudra@contrailsystems.com>
wrote:

> ** Changed in: juniperopenstack/r4.0
>      Assignee: Rudra Rugge (rudrarugge) => Yuvaraja Mariappan (ymariappan)
>
> ** Changed in: juniperopenstack/trunk
>      Assignee: Rudra Rugge (rudrarugge) => Yuvaraja Mariappan (ymariappan)
>
> --
> You received this bug notification because you are a member of Contrail
> Systems engineering, which is subscribed to Juniper Openstack.
> https://bugs.launchpad.net/bugs/1689900
>
> Title:
>   setenforce 0 returning with exit 1 causing ansible provisioning to
>   fail
>
> Status in Juniper Openstack:
>   New
> Status in Juniper Openstack r4.0 series:
>   New
> Status in Juniper Openstack trunk series:
>   New
>
> Bug description:
>   R4.0 3073
>
>   On Centos 7.1.1503, 'setenforce 0' exited with non-zero value(1) and
>   ansible provisioning failed.
>
>   We see this manually as well on a similar node nodeg11 below
>
>   https://github.com/ansible/ansible/issues/2058 seems related ?
>
>   ------------
>   nodeg11.englab.juniper.net:
>
>   [root@nodeg11 ~]# cat /etc/redhat-release
>   CentOS Linux release 7.1.1503 (Core)
>   [root@nodeg11 ~]# setenforce 0
>   setenforce: SELinux is disabled
>   [root@nodeg11 ~]# echo $?
>   1
>   [root@nodeg11 ~]#
>   [root@nodeg11 ~]# getenforce
>   Disabled
>   [root@nodeg11 ~]#
>   --------------
>   ansible logs :
>
>   TASK [common : Disable selinux for redhat systems]
> *****************************
>   fatal: [10.204.216.222]: FAILED! => {"changed": true, "cmd":
> ["setenforce", "0"], "delta": "0:00:00.011568", "end": "2017-05-09
> 14:48:47.557790", "failed": true, "rc": 1, "start": "2017-05-09
> 14:48:47.546222", "stderr": "setenforce: SELinux is disabled", "stdout":
> "", "stdout_lines": [], "warnings": []}
>   fatal: [10.204.216.59]: FAILED! => {"changed": true, "cmd":
> ["setenforce", "0"], "delta": "0:00:00.025877", "end": "2017-05-09
> 14:48:47.559846", "failed": true, "rc": 1, "start": "2017-05-09
> 14:48:47.533969", "stderr": "setenforce: SELinux is disabled", "stdout":
> "", "stdout_lines": [], "warnings": []}
>   fatal: [10.204.216.221]: FAILED! => {"changed": true, "cmd":
> ["setenforce", "0"], "delta": "0:00:00.014665", "end": "2017-05-09
> 14:48:47.570706", "failed": true, "rc": 1, "start": "2017-05-09
> 14:48:47.556041", "stderr": "setenforce: SELinux is disabled", "stdout":
> "", "stdout_lines": [], "warnings": []}
>   fatal: [10.204.216.58]: FAILED! => {"changed": true, "cmd":
> ["setenforce", "0"], "delta": "0:00:00.031054", "end": "2017-05-09
> 14:48:47.575227", "failed": true, "rc": 1, "start": "2017-05-09
> 14:48:47.544173", "stderr": "setenforce: SELinux is disabled", "stdout":
> "", "stdout_lines": [], "warnings": []}
>   fatal: [10.204.216.60]: FAILED! => {"changed": true, "cmd":
> ["setenforce", "0"], "delta": "0:00:00.020383", "end": "2017-05-09
> 14:48:47.577564", "failed": true, "rc": 1, "start": "2017-05-09
> 14:48:47.557181", "stderr": "setenforce: SELinux is disabled", "stdout":
> "", "stdout_lines": [], "warnings": []}
>   fatal: [10.204.216.223]: FAILED! => {"changed": true, "cmd":
> ["setenforce", "0"], "delta": "0:00:00.015881", "end": "2017-05-09
> 14:42:27.889286", "failed": true, "rc": 1, "start": "2017-05-09
> 14:42:27.873405", "stderr": "setenforce: SELinux is disabled", "stdout":
> "", "stdout_lines": [], "warnings": []}
>           to retry, use: --limit @/home/root/jenkins/workspace/
> nodec1-sanity/contrail-ansible/playbooks/site.retry
>
>   PLAY RECAP ************************************************************
> *********
>   10.204.216.221             : ok=4    changed=1    unreachable=0
> failed=1
>   10.204.216.222             : ok=4    changed=1    unreachable=0
> failed=1
>   10.204.216.223             : ok=4    changed=1    unreachable=0
> failed=1
>   10.204.216.58              : ok=4    changed=1    unreachable=0
> failed=1
>   10.204.216.59              : ok=4    changed=1    unreachable=0
> failed=1
>   10.204.216.60              : ok=4    changed=1    unreachable=0
> failed=1
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/juniperopenstack/+bug/1689900/+subscriptions
>