Layer7 API Management

RHEL 9 Gateway 11.1.00-17707 and SELinux issues

    Posted Aug 20, 2024 01:39 PM

    Hello. 

    I am trying to do an install of Gateway 11.1 on RHEL 9 and then upgrade to 11.1.1.
    I have Gateway 11.1 installed and it runs but only with selinux in permissive enforcing state. 
    After the gateway starts I can set selinux to enforcing and the gateway will stay running. 
    However with selinux in enforcing mode I cannot successfully restart the gateway. 

    When I installed the packages I had some issues with ssg and GPG keys. I disabled the rpm install gpg key check with --nogpgcheck. Could this be the issue?
    Do you have the GPG key for the 11.1 RPM install?

    Any ideas how to get SSG to start and run with selinux in enforcing mode?



    Helpful info: 
    When ssg fails to start with selinux in enforcing I get the following logs.

    journalctl -xeu ssg.service reports a dozen lines of this and then fails to start. (same entries in systemctl status ssg) 

    Aug 20 07:59:23 devrhel9ssg011lsat.foo.com systemd[1]: Starting Service to run CA Gateway...
    ░░ Subject: A start job for unit ssg.service has begun execution
    ░░ Defined-By: systemd
    ░░ Support: https://access.redhat.com/support
    ░░
    ░░ A start job for unit ssg.service has begun execution.
    ░░
    ░░ The job identifier is 1057766.
    Aug 20 07:59:23 devrhel9ssg011lsat.foo.com bash[3514419]: Starting Process Controller...
    Aug 20 07:59:23 devrhel9ssg011lsat.foo.com bash[3514496]: Starting Gateway Services: done.
    Aug 20 07:59:23 devrhel9ssg011lsat.foo.com systemd[1]: ssg.service: Can't convert PID files /opt/SecureSpan/Gateway/node/default/var/ssg.pid O_PATH file descriptor to proper file descriptor: Permission de>
    Aug 20 07:59:23 devrhel9ssg011lsat.foo.com systemd[1]: ssg.service: Can't convert PID files /opt/SecureSpan/Gateway/node/default/var/ssg.pid O_PATH file descriptor to proper file descriptor: Permission de>
    Aug 20 07:59:27 devrhel9ssg011lsat.foo.com systemd[1]: ssg.service: Can't convert PID files /opt/SecureSpan/Gateway/node/default/var/ssg.pid O_PATH file descriptor to proper file descriptor: Permission de>
    Aug 20 07:59:27 devrhel9ssg011lsat.foo.com systemd[1]: ssg.service: Can't convert PID files /opt/SecureSpan/Gateway/node/default/var/ssg.pid O_PATH file descriptor to proper file descriptor: Permission de>
    Aug 20 07:59:39 devrhel9ssg011lsat.foo.com systemd[1]: ssg.service: Can't convert PID files /opt/SecureSpan/Gateway/node/default/var/ssg.pid O_PATH file descriptor to proper file descriptor: Permission de>
    Aug 20 07:59:39 devrhel9ssg011lsat.foo.com systemd[1]: ssg.service: Can't convert PID files /opt/SecureSpan/Gateway/node/default/var/ssg.pid O_PATH file descriptor to proper file descriptor: Permission de>
    Aug 20 07:59:39 devrhel9ssg011lsat.foo.com systemd[1]: ssg.service: Can't convert PID files /opt/SecureSpan/Gateway/node/default/var/ssg.pid O_PATH file descriptor to proper file descriptor: Permission de>
    Aug 20 07:59:39 devrhel9ssg011lsat.foo.com systemd[1]: ssg.service: Can't convert PID files /opt/SecureSpan/Gateway/node/default/var/ssg.pid O_PATH file descriptor to proper file descriptor: Permission de>
    Aug 20 07:59:50 devrhel9ssg011lsat.foo.com systemd[1]: ssg.service: Can't convert PID files /opt/SecureSpan/Gateway/node/default/var/ssg.pid O_PATH file descriptor to proper file descriptor: Permission de>
    Aug 20 07:59:50 devrhel9ssg011lsat.foo.com systemd[1]: ssg.service: Can't convert PID files /opt/SecureSpan/Gateway/node/default/var/ssg.pid O_PATH file descriptor to proper file descriptor: Permission de>
    Aug 20 07:59:56 devrhel9ssg011lsat.foo.com systemd[1]: ssg.service: Can't convert PID files /opt/SecureSpan/Gateway/node/default/var/ssg.pid O_PATH file descriptor to proper file descriptor: Permission de>
    Aug 20 07:59:56 devrhel9ssg011lsat.foo.com systemd[1]: ssg.service: Can't convert PID files /opt/SecureSpan/Gateway/node/default/var/ssg.pid O_PATH file descriptor to proper file descriptor: Permission de>
    Aug 20 08:00:53 devrhel9ssg011lsat.foo.com systemd[1]: ssg.service: start operation timed out. Terminating.
    Aug 20 08:00:53 devrhel9ssg011lsat.foo.com systemd[1]: ssg.service: Failed with result 'timeout'.
    ░░ Subject: Unit failed
    ░░ Defined-By: systemd
    ░░ Support: https://access.redhat.com/support
    ░░
    ░░ The unit ssg.service has entered the 'failed' state with result 'timeout'.
    Aug 20 08:00:53 devrhel9ssg011lsat.foo.com systemd[1]: Failed to start Service to run CA Gateway.


    And in ssg_0_0.log:
    2024-08-20T07:59:57.891-0500 INFO    73  com.l7tech.server.util.UptimeMonitor: Using uptime executable: /usr/bin/uptime
    2024-08-20T07:59:57.891-0500 INFO    156  com.l7tech.server.util.UptimeMonitor: Uptime monitor thread is starting
    2024-08-20T08:00:53.093-0500 INFO    109  com.l7tech.util.ShutdownExceptionHandler: Received shutdown notification.
    2024-08-20T08:00:53.098-0500 WARNING 86  com.hazelcast.instance.impl.Node: [xxx.xxx.xxx.xxx]:8777 [gateway] [5.2.1] Terminating forcefully...
    2024-08-20T08:00:53.099-0500 INFO    1  com.l7tech.server.boot.GatewayBoot: Starting shutdown.
    2024-08-20T08:00:53.100-0500 INFO    1  com.l7tech.server.siteminder.SiteMinderConfigurationManagerImpl: Stopping SiteMinder management task
    2024-08-20T08:00:53.113-0500 INFO    1  com.l7tech.util.Background: Cancelling background task 'com.l7tech.server.telemetry.TelemetryTask@6b24b72' (com.l7tech.server.telemetry.TelemetryTask)
    2024-08-20T08:00:53.114-0500 INFO    1  com.l7tech.server.BootProcess: Stopping server components
    2024-08-20T08:00:53.115-0500 INFO    1  com.l7tech.server.BootProcess: Stopping discovered component HTTP Transport Module
    2024-08-20T08:00:53.116-0500 INFO    1  com.l7tech.server.transport.http.HttpTransportModule: 2401: Stopping HTTP listener: Default HTTP (8080) (#667de99aaa78e2ba04baca0ae8d0cd8c,v0) on port 8080
    2024-08-20T08:00:53.116-0500 INFO    1  com.l7tech.server: Listener state changed
    2024-08-20T08:00:53.136-0500 INFO    1  com.l7tech.server.transport.http.HttpTransportModule: 2401: Stopping HTTPS listener: Default HTTPS (9443) (#667de99aaa78e2ba04baca0ae8d0cd89,v0) on port 9443
    2024-08-20T08:00:53.136-0500 INFO    1  com.l7tech.server: Listener state changed
    2024-08-20T08:00:53.156-0500 INFO    108  com.l7tech.server.transport.http.InputTimeoutFilter: Setting shutdown flag for timeout property update thread (interrupted).
    2024-08-20T08:00:53.156-0500 INFO    108  com.l7tech.server.transport.http.InputTimeoutFilter: Shutting down timeout property update thread.
    2024-08-20T08:00:53.162-0500 INFO    1  com.l7tech.server.BootProcess: Stopping discovered component FTP Server Manager
    2024-08-20T08:00:53.163-0500 INFO    1  com.l7tech.server.BootProcess: Stopping discovered component ManagedTimer Controller
    2024-08-20T08:00:53.163-0500 INFO    1  com.l7tech.server.BootProcess: Stopping discovered component Whirlycache Controller
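Added example, not part of the original post: a small triage script that condenses journal output like the above into one line per unit and PID file, with the denial count, the time window, and whether the start timed out. The function names are hypothetical and the sample lines are constructed from the format shown in the post, with the hostname shortened; the trailing `>` is the pager's truncation mark, which `journalctl --no-pager` avoids.

```shell
#!/bin/sh
# Constructed sample input modelled on the journal lines in the post.
sample_journal() {
cat <<'EOF'
Aug 20 07:59:23 host systemd[1]: Starting Service to run CA Gateway...
Aug 20 07:59:23 host systemd[1]: ssg.service: Can't convert PID files /opt/SecureSpan/Gateway/node/default/var/ssg.pid O_PATH file descriptor to proper file descriptor: Permission de>
Aug 20 07:59:27 host systemd[1]: ssg.service: Can't convert PID files /opt/SecureSpan/Gateway/node/default/var/ssg.pid O_PATH file descriptor to proper file descriptor: Permission de>
Aug 20 08:00:53 host systemd[1]: ssg.service: start operation timed out. Terminating.
Aug 20 08:00:53 host systemd[1]: ssg.service: Failed with result 'timeout'.
EOF
}

# Reads journal text on stdin and prints, per unit and PID file:
#   unit=<unit> pidfile=<path> denied=<n> first=<time> last=<time> timeout=<yes|no>
# Assumes the default "Mon DD HH:MM:SS host systemd[1]: unit: ..." layout
# and PID file paths without spaces.
summarize_pidfile_denials() {
  awk '
    /systemd\[1\]: .*Can.t convert PID files .*Permission de/ {
      unit = $6; sub(/:$/, "", unit)
      # The path sits between "PID files " (10 chars) and " O_PATH".
      rest = substr($0, index($0, "PID files ") + 10)
      path = substr(rest, 1, index(rest, " O_PATH") - 1)
      key = unit " " path
      if (!(key in n)) first[key] = $3
      n[key]++; last[key] = $3
    }
    /systemd\[1\]: .*start operation timed out/ {
      unit = $6; sub(/:$/, "", unit); timed_out[unit] = 1
    }
    END {
      for (key in n) {
        split(key, p, " ")
        printf "unit=%s pidfile=%s denied=%d first=%s last=%s timeout=%s\n",
          p[1], p[2], n[key], first[key], last[key],
          ((p[1] in timed_out) ? "yes" : "no")
      }
    }'
}

sample_journal | summarize_pidfile_denials
```

The first/last timestamps give the window in which to look for matching SELinux denial records, for example with `ausearch -m AVC -ts today`.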