User talk:Revansx/meza/Installing MEZA 35.x on a local Rock Linux 8 VM from scratch

Current Diffs for GRC-ATF Meza
as of 2023-07-07

TASK [firewall_port : Ensure firewalld port 8080 open for list of servers (RedHat/CentOS only)] ***
ASK [firewall_port : Ensure firewalld port 8080 open for list of servers (RedHat/CentOS only)] *** task path: /opt/meza/src/roles/firewall_port/tasks/main.yml:14 redirecting (type: modules) ansible.builtin.firewalld to ansible.posix.firewalld ESTABLISH LOCAL CONNECTION FOR USER: meza-ansible EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /tmp/${USER}/ansible `"&& mkdir "` echo /tmp/${USER}/ansible/ansible-tmp-1685054409.3964367-11382-136474469500614 `" && echo ansible-tmp-1685054409.3964367-11382-136474469500614="` echo /tmp/${USER}/ansible/ansible-tmp-1685054409.3964367-11382-136474469500614 `" ) && sleep 0'module file /usr/lib/python3.11/site-packages/ansible_collections/ansible/posix/plugins/modules/firewalld.py PUT /opt/conf-meza/users/meza-ansible/.ansible/tmp/ansible-local-8547jzh5prc9/tmpeo0dclpx TO /tmp/meza-ansible/ansible/ansible-tmp-1685054409.3964367-11382-136474469500614/AnsiballZ_firewalld.pymp/meza-ansible/ansible/ansible-tmp-1685054409.3964367-11382-136474469500614/ /tmp/meza-ansible/ansible/ansible-tmp-1685054409.3964367-11382-136474469500614/AnsiballZ_firewalld.py && sleep 0''echo BECOME-SUCCESS-vvtblglloothfbhadcxrmrgimrhnmmwj ; /usr/libexec/platform-python /tmp/meza-ansible/ansible/ansible-tmp-1685054409.3964367-11382-136474469500614/AnsiballZ_firewalld.py'"'"' && sleep 0'74469500614/ > /dev/null 2>&1 && sleep 0' The full traceback is: File "/tmp/ansible_firewalld_payload_y1o7b9_8/ansible_firewalld_payload.zip/ansible_collections/ansible/posix/plugins/module_utils/firewalld.py", line 112, in action_handler return action_func(*action_func_args) File "/tmp/ansible_firewalld_payload_y1o7b9_8/ansible_firewalld_payload.zip/ansible_collections/ansible/posix/plugins/modules/firewalld.py", line 535, in get_enabled_permanent self.check File "/usr/lib/python3.6/site-packages/firewall/core/rich.py", line 573, in check raise FirewallError(errors.INVALID_ADDR, str(self.source.addr)) failed: [localhost] (item=[) => { "ansible_loop_var": "item", "changed": false, "invocation": { "module_args": { "icmp_block": null, "icmp_block_inversion": null, "immediate": true, "interface": null, "masquerade": null, "offline": null, "permanent": true, "port": null, "port_forward": null, "rich_rule": "rule family=\"ipv4\" source address=\"[\" port port=\"8080\" protocol=\"tcp\" accept", "service": null, "source": null, "state": "enabled", "target": null, "timeout": 0, "zone": "public" }   },    "item": "[" } MSG:

ERROR: Exception caught: INVALID_ADDR: [ MSG:

ERROR: Exception caught: INVALID_ADDR: [ Revansx (talk) 23:12, 25 May 2023 (UTC)


 * Hi Rich, Ron C. here. Would it help to disable SELinux on the install? Here's the warning I got after trying to deploy:
 * SELinux is preventing /usr/sbin/haproxy from name_bind access on the tcp_socket port 8081.
 * Plugin catchall_boolean (89.3 confidence) suggests   ******************
 * If you want to allow haproxy to connect any
 * Then you must tell SELinux about this by enabling the 'haproxy_connect_any' boolean.
 * Do
 * setsebool -P haproxy_connect_any 1
 * Plugin catchall (11.6 confidence) suggests   **************************
 * If you believe that haproxy should be allowed name_bind access on the port 8081 tcp_socket by default.
 * Then you should report this as a bug.
 * You can generate a local policy module to allow this access.
 * Do
 * allow this access for now by executing:
 * ausearch -c 'haproxy' --raw | audit2allow -M my-haproxy
 * semodule -X 300 -i my-haproxy.pp
 * Additional Information:
 * Source Context                system_u:system_r:haproxy_t:s0
 * Target Context               system_u:object_r:transproxy_port_t:s0
 * Target Objects                port 8081 [ tcp_socket ]
 * Source                        haproxy
 * Source Path                   /usr/sbin/haproxy
 * Port                          8081
 * Host                          localhost.localdomain
 * Source RPM Packages           haproxy-1.8.27-5.el8.x86_64
 * Target RPM Packages
 * SELinux Policy RPM           selinux-policy-targeted-3.14.3-117.el8.noarch
 * Local Policy RPM              selinux-policy-targeted-3.14.3-117.el8.noarch
 * Selinux Enabled               True
 * Policy Type                   targeted
 * Enforcing Mode                Permissive
 * Host Name                     localhost.localdomain
 * Platform                      Linux localhost.localdomain
 * 4.18.0-477.10.1.el8_8.x86_64 #1 SMP Tue May 16
 * 11:38:37 UTC 2023 x86_64 x86_64
 * Alert Count                   1
 * First Seen                    2023-05-30 19:29:20 EDT
 * Last Seen                     2023-05-30 19:29:20 EDT
 * Local ID                     e4f8aa22-31ca-47ed-9701-db156b9feff0
 * Raw Audit Messages
 * type=AVC msg=audit(1685489360.297:1099): avc: denied  { name_bind } for  pid=7941 comm="haproxy" src=8081 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:transproxy_port_t:s0 tclass=tcp_socket permissive=1
 * type=SYSCALL msg=audit(1685489360.297:1099): arch=x86_64 syscall=bind success=yes exit=0 a0=8 a1=5590df929e68 a2=10 a3=7ffecc0b0548 items=0 ppid=1 pid=7941 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=haproxy exe=/usr/sbin/haproxy subj=system_u:system_r:haproxy_t:s0 key=(null)
 * Hash: haproxy,haproxy_t,transproxy_port_t,tcp_socket,name_bind 76.188.176.254 23:42, 30 May 2023 (UTC)
 * @Revansx - My theory didn't hold up. I disabled SELinux and tried the Meza installation again. I got the same error.at the task "Ensure firewalld port 8080..." I'm afraid that's as far as my Linux/ansible skills go. RACoulter (talk) 19:25, 31 May 2023 (UTC)

2023-07-03 notes
xsudo rm -r conf-meza/ xsudo rm -r data-meza/ xsudo rm -r .deploy-meza/ xsudo rm -r htdocs/ xsudo rm -r meza/ xsudo userdel meza-ansible xsudo userdel alt-meza-ansible xsudo groupdel meza-ansible
 * 1) clean-up from earlier failed attempts (remove the x)

sudo sed -i -e 's;SELINUX=enforcing$;SELINUX=permissive;g' /etc/selinux/config sudo sed -i.meza -e 's;countme=1$;countme=1\nexclude=ansible ansible-core python38;g' /etc/yum.repos.d/epel.repo sudo reboot sudo sestatus sudo git clone https://github.com/WikiTeq/meza /opt/meza
 * 1) pre-meza steps

cd /opt/meza/

sudo git config --global --add safe.directory /opt/meza sudo git checkout "35.x" sudo git status sudo git remote show origin sudo sed -i -e 's;github.com/nasa/meza.git$;github.com/WikiTeq/meza.git;g' /opt/meza/config/defaults.yml

cd /opt/

sudo bash /opt/meza/src/scripts/getmeza.sh sudo meza deploy monolith -vvvv Revansx (talk) 21:08, 3 July 2023 (UTC)