Bamboo Remote Agent using Systemd service fails to start due to SELinux

Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

After configuring the Bamboo remote agent as a Systemd service, attempts to start the service fail with the error "Job for bamboo-agent.service failed because the control process exited with error code.".

Environment

The solution has been tested in the following environments:

  • Bamboo Data Center versions 9.6.0 and 9.2.7

  • Red Hat Linux 8.8 and Oracle Enterprise Linux 8.9

Diagnosis

When starting the service, the following error message appears:

Job for bamboo-agent.service failed because the control process exited with error code.
See "systemctl status bamboo-agent.service" and "journalctl -xe" for details.

Usually there will be no error messages in the Bamboo agent logs, so run the journalctl command on the remote agent host as the root user.

# journalctl -xe

Mar 29 13:34:46 rhel8 setroubleshoot[23206]: SELinux is preventing /usr/lib/systemd/systemd from execute access on the file bamboo-agent.sh. For complete SELinux messages run: se>
Mar 29 13:34:46 rhel8 setroubleshoot[23206]: SELinux is preventing /usr/lib/systemd/systemd from execute access on the file bamboo-agent.sh.

                                                            *****  Plugin catchall (100. confidence) suggests   **************************

                                                            If you believe that systemd should be allowed execute access on the bamboo-agent.sh file by default.
                                                            Then you should report this as a bug.
                                                            You can generate a local policy module to allow this access.
                                                            Do
                                                            allow this access for now by executing:
                                                            # ausearch -c '(agent.sh)' --raw | audit2allow -M my-agentsh
                                                            # semodule -X 300 -i my-agentsh.pp

The same messages also appear in the syslog file, /var/log/messages:

# cat /var/log/messages
Mar 29 13:34:46 rhel8 setroubleshoot[23206]: SELinux is preventing /usr/lib/systemd/systemd from execute access on the file bamboo-agent.sh. For complete SELinux messages run: sealert -l c105542b-af2a-429f-85db-7b6a758d4105
Mar 29 13:34:46 rhel8 setroubleshoot[23206]: SELinux is preventing /usr/lib/systemd/systemd from execute access on the file bamboo-agent.sh.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that systemd should be allowed execute access on the bamboo-agent.sh file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c '(agent.sh)' --raw | audit2allow -M my-agentsh#012# semodule -X 300 -i my-agentsh.pp#012

Cause

Enterprise Linux platforms, like Red Hat Linux and Oracle Enterprise Linux, utilize Discretionary Access Control (DAC) systems such as SELinux to regulate access to the system.

SELinux establishes access controls for applications, processes and files within a system. In this particular case, SELinux is preventing systemd from executing bamboo-agent.sh, which is located in the <Bamboo-agent-home>/bin folder and is the script the unit file's ExecStart and ExecStop lines point to. SELinux only permits systemd to execute binaries that carry the object_r:bin_t:s0 context.

# cat /etc/systemd/system/bamboo-agent.service
[Unit]
...

[Service] 
...
ExecStart=<bamboo-agent-home>/bin/bamboo-agent.sh start sysd
ExecStop=<bamboo-agent-home>/bin/bamboo-agent.sh stop sysd

To check the current label, list the contents of <Bamboo-agent-home>/bin with the -Z option:

$ ls -lZ <Bamboo-agent-home>/bin
total 700
-rwxrwxr-x. 1 bamboo bamboo unconfined_u:object_r:user_home_t:s0 114340 Mar 29 13:08 bamboo-agent.sh
-rwxrwxr-x. 1 bamboo bamboo unconfined_u:object_r:user_home_t:s0 601160 Mar 29 13:08 wrapper

As seen above, the bamboo-agent.sh located in <Bamboo-agent-home>/bin has the SELinux context object_r:user_home_t:s0, which causes the start to fail.

Solution

Modify the SELinux labelling using the commands below. Replace "/home/bamboo/bamboo-agent-home" with your own Bamboo agent home path.

[root@rhel8 ~]# semanage fcontext -a -t bin_t "/home/bamboo/bamboo-agent-home/bin(/.*)"
[root@rhel8 ~]# restorecon -r -v /home/bamboo/bamboo-agent-home/bin

Finally, restart the Bamboo agent service.

# systemctl start bamboo-agent.service
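To confirm the relabel covered every script the unit runs, the check below reads the Exec* lines of a unit file and reports any target whose SELinux type is not bin_t. It is an added example, not Atlassian's code; the function names and the ALLOWED_TYPES list are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check that each Exec* target of a systemd unit
# carries an SELinux type that systemd is allowed to execute.

# Assumption: bin_t is the only accepted type, as in the article.
# Extend the list to match your local policy.
ALLOWED_TYPES="bin_t"

# Print the executable path of every Exec* line in unit text read from stdin.
# systemd's optional prefixes (-, @, +, !, :) are stripped from the path.
exec_paths_from_unit() {
    sed -n 's/^Exec[A-Za-z]*=[-@+!:]*\([^[:space:]][^[:space:]]*\).*/\1/p' | sort -u
}

# Extract the type field from a context of the form user:role:type:level.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Return 0 if the context's type is listed in ALLOWED_TYPES, 1 otherwise.
label_is_executable() {
    _type=$(selinux_type "$1")
    case " $ALLOWED_TYPES " in
        *" $_type "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Check every Exec* target of a unit file on a live SELinux host.
audit_unit() {
    _rc=0
    _paths=$(exec_paths_from_unit < "$1")
    while IFS= read -r _path; do
        [ -n "$_path" ] || continue
        # stat's %C format prints the file's SELinux security context.
        _ctx=$(stat -c %C "$_path" 2>/dev/null) || { echo "MISSING $_path"; _rc=1; continue; }
        if label_is_executable "$_ctx"; then
            echo "OK      $_path ($_ctx)"
        else
            echo "BLOCKED $_path ($_ctx): relabel with semanage fcontext and restorecon"
            _rc=1
        fi
    done <<EOF
$_paths
EOF
    return $_rc
}

if [ "$#" -gt 0 ]; then audit_unit "$1"; fi
```

Run it as root with the unit file as the argument, for example /etc/systemd/system/bamboo-agent.service; a non-zero exit status means at least one target is missing or still mislabelled.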




Last updated: April 4, 2024
