NEED_KEY_GEN_PERMS error when using ipa-getcert

If you run into this error, it’s telling you that certmonger doesn’t have the necessary permissions to write the key and certificate to the filesystem. That leaves one of two things:

  1. A filesystem permission issue, although given certmonger runs as root this seems unlikely (are you trying to write the key to an NFS share that doesn’t have no_root_squash set?).
  2. An SELinux denial.

If it’s number 2, you’ll see something like this out of audit2why -a:

[root@sso72 rh-sso-7.2]# audit2why -a
type=AVC msg=audit(1530787070.795:1633): avc:  denied  { create } for  pid=24058 comm="certmonger" name="sso.key" scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1530787272.111:1634): avc:  denied  { write } for  pid=24019 comm="certmonger" name="configuration" dev="vda1" ino=12588752 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

certmonger's SELinux policy allows it to write to files labelled cert_t, which is the label applied to everything under /etc/pki. Writing the key into /root (admin_home_t) or under /usr (usr_t), as in the denials above, is not covered by that policy.

Change your ipa-getcert request to store the generated cert and key under /etc/pki/ and you should be good!
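As an added example (not part of the original post), a small Python parser that pulls the source and target SELinux types out of AVC records like the ones above, so you can confirm that the denied path is simply outside cert_t before reaching for audit2allow. The input is the two records shown above, embedded as a constructed sample.

```python
import re

# Constructed sample: the two AVC records from the audit2why output above.
SAMPLE_AVC = """\
type=AVC msg=audit(1530787070.795:1633): avc:  denied  { create } for  pid=24058 comm="certmonger" name="sso.key" scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1530787272.111:1634): avc:  denied  { write } for  pid=24019 comm="certmonger" name="configuration" dev="vda1" ino=12588752 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
"""

# "avc:  denied  { perm ... } for  key=value key="value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# The only type the post says certmonger's policy lets it write to.
CERTMONGER_WRITABLE = {'cert_t'}


def parse_avc(line):
    """Return a dict of the denial's fields, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = m.group('perms').split()
    # An SELinux context is user:role:type:level; the type is the third field.
    for ctx in ('scontext', 'tcontext'):
        if ctx in rec:
            rec[ctx + '_type'] = rec[ctx].split(':')[2]
    return rec


def certmonger_denials(audit_text):
    """List (name, target_type, perms) for every denial where certmonger_t was
    blocked from a file or directory that is not labelled cert_t."""
    findings = []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec.get('scontext_type') != 'certmonger_t':
            continue
        if rec.get('tcontext_type') in CERTMONGER_WRITABLE:
            continue  # not a labelling problem; would need a real policy change
        findings.append((rec.get('name'), rec['tcontext_type'], ' '.join(rec['perms'])))
    return findings


if __name__ == '__main__':
    for name, ttype, perms in certmonger_denials(SAMPLE_AVC):
        print(f'{name}: denied {perms} on {ttype}; move the request under /etc/pki (cert_t)')
```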

Visualisations with ELK and CloudForms/ManageIQ

One of the best parts of an Elasticsearch, Logstash and Kibana (ELK) deployment is the ability to visualise data parsed from logfiles and metrics gathered on hosts. Through the use of the filebeat plugin we can slurp log files on a CloudForms host and push them straight to logstash for ingest and eventual searching through Kibana.

Except we don’t want to just naively gather up evm.log and push it to logstash. Sure, we can search for key phrases that we’re interested in, but the evm.log contains a wealth of useful data regarding the health of the cluster.

To extract this information, I wrote a few Grok filters for logstash that pluck key metrics out of evm.log and ingest them into Elasticsearch.


Kernel panic with Packstack and AMD Ryzen on instance boot

I configured my AMD Ryzen box as a Packstack deployment today and ran into a perplexing problem. When I’d try to boot any instance – cirros, CentOS, doesn’t matter – I’d see lines like this in the log:

[    0.329569] ---[ end trace 8761dba085238f6f ]---
[    0.330876] Kernel panic - not syncing: Attempted to kill the idle task!
[    0.332674] ---[ end Kernel panic - not syncing: Attempted to kill the idle task!

The issue ended up being the CPU model being exposed to the VM via libvirt.
