Weird ssh behavior in fog

Hello,

this is a call for help. I have a SELinux report when Foreman tries to
execute the /usr/bin/ssh binary upon noVNC console access to a libvirt VM.

It looks like Foreman is trying to reach the VM to determine the VNC
port. Foreman uses fog, which uses rubygem-net-ssh. But this gem seems to
be a pure-Ruby implementation and I see no signs of it running the ssh
binary. It looks like my view is constrained and I am unable to see
anything else.

Does anyone have a clue what could cause the Foreman process to start the ssh
binary during noVNC access? Thanks!

--
Later,
Lukas #lzap Zapletal

Isn't that just the libvirt library if you're using a qemu+ssh
connection protocol? Fog::SSH is probably only used for stuff like
running finish scripts.

When launching a console we do an update to the libvirt domain to change
the password etc:

https://github.com/theforeman/foreman/blob/develop/app/models/compute_resources/foreman/model/libvirt.rb#L125


Dominic Cleal
Red Hat Engineering

> Isn't that just the libvirt library if you're using a qemu+ssh
> connection protocol? Fog::SSH is probably only used for stuff like
> running finish scripts.
>
> When launching a console we do an update to the libvirt domain to change
> the password etc:
>
> https://github.com/theforeman/foreman/blob/develop/app/models/compute_resources/foreman/model/libvirt.rb#L125
>

Ah, good idea, Michal Privoznik from the libvirt team confirmed this
behavior to me. When you use qemu+ssh it spawns a new process; when you use
qemu+libssh2 it uses the library directly (I was expecting this for
the former case).

I just experienced it when I restarted passenger, but this was due to the
fact that I had the noVNC console open, so the browser immediately
re-connected.

Looks like we need to add this to our policy. Case closed. Thanks!

--
Later,
Lukas #lzap Zapletal
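Added example (mine, not from the thread or from Foreman): a small Ruby script that turns AVC denials of the kind discussed here into the (source domain, target type, class, permissions) tuples that policy work needs, and separates denials that were actually blocked from ones only logged in permissive mode (the start-in-permissive case a later message in the thread describes). The audit lines and the passenger_t / ssh_exec_t / ssh_home_t labels are constructed sample data, not taken from the thread.

```ruby
# Added example: summarise SELinux AVC denials from audit.log into the
# tuples needed for policy work, and tell enforced denials apart from
# those merely logged in permissive mode. Sample lines are constructed to
# resemble the thread's case (Passenger-hosted Foreman executing /usr/bin/ssh
# because libvirt's qemu+ssh transport forks an ssh process); not real logs.

AVC_RE = /avc:\s+denied\s+\{\s*(?<perms>[^}]+)\}\s+for\s+(?<fields>.*)$/

# Parse one AVC record into a hash, or nil if the line is not a denial.
def parse_avc(line)
  m = AVC_RE.match(line)
  return nil unless m
  fields = m[:fields].scan(/(\w+)=("[^"]*"|\S+)/).to_h { |k, v| [k, v.delete('"')] }
  {
    perms:    m[:perms].split.sort,
    comm:     fields["comm"],
    name:     fields["name"],
    stype:    fields["scontext"].to_s.split(":")[2],  # source domain, e.g. passenger_t
    ttype:    fields["tcontext"].to_s.split(":")[2],  # target type, e.g. ssh_exec_t
    tclass:   fields["tclass"],
    enforced: fields["permissive"] == "0",            # 0 = blocked, 1 = only logged
  }
end

# Group denials by policy-relevant tuple and count blocked vs. logged-only.
def summarise_denials(lines)
  lines.filter_map { |l| parse_avc(l) }
       .group_by { |d| [d[:stype], d[:ttype], d[:tclass], d[:perms]] }
       .map do |(stype, ttype, tclass, perms), ds|
    { stype: stype, ttype: ttype, tclass: tclass, perms: perms,
      blocked: ds.count { |d| d[:enforced] },
      logged_only: ds.count { |d| !d[:enforced] } }
  end
end

# Constructed sample: one denial while permissive, then two while enforcing.
SAMPLE_AUDIT = <<~LOG
  type=AVC msg=audit(1412856901.123:4567): avc:  denied  { execute } for  pid=1234 comm="ruby" name="ssh" dev="dm-0" ino=131 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=1
  type=SYSCALL msg=audit(1412856901.123:4567): arch=c000003e syscall=59 success=yes exit=0
  type=AVC msg=audit(1412860500.456:4890): avc:  denied  { execute } for  pid=2345 comm="ruby" name="ssh" dev="dm-0" ino=131 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=0
  type=AVC msg=audit(1412860500.789:4891): avc:  denied  { read } for  pid=2345 comm="ssh" name="known_hosts" dev="dm-0" ino=777 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:ssh_home_t:s0 tclass=file permissive=0
LOG

if __FILE__ == $0
  summarise_denials(SAMPLE_AUDIT.lines).each { |s| puts s.inspect }
end
```

Run against a real audit.log (e.g. `ausearch -m avc | ruby this.rb`-style piping after replacing the sample) to see which tuples were only logged during a permissive start, which is exactly the denial that disappears until the service is restarted under enforcing.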

On the host I reproduced it with, I had to restart httpd after setting
SELinux to enforcing to bring the issue back. If passenger has a chance to
start up in permissive it seems like it is OK until a restart with
enforcing enabled.

On Thu, Oct 9, 2014 at 9:39 AM, Dominic Cleal wrote:


I'm slightly surprised you're able to add a compute resource without
having hit the same AVC! Unless perhaps it was permissive and only set
to enforcing later.



Dominic Cleal
Red Hat Engineering

> I'm slightly surprised you're able to add a compute resource without
> having hit the same AVC! Unless perhaps it was permissive and only set
> to enforcing later.

You call this "slightly surprised". Dude, I was seeing red! :)

It looks like once passenger loads the libvirt binding, it does not try to
spawn ssh anymore. I must have missed the denial during startup or
something; I am retesting now because the patch I sent might not have
fixed the issue.

--
Later,
Lukas #lzap Zapletal