Test network fix for Linux hosts with SELinux enabled, e.g. Fedora, RHEL or others. #5045

Merged (1 commit), Oct 30, 2024

Contributor

@twoGiants twoGiants commented Oct 24, 2024

Type of change

  • Bug fix
  • Documentation update

Description

Currently the test network can only be used on Linux machines with SELinux disabled. When SELinux is enabled on the host, two issues appear:

  1. Peer and orderer are crashing after start when using Docker or Podman.
  2. Chaincode cannot be deployed when using Docker.

The reason for the first issue is permission errors with Docker/Podman volumes. This can be seen in the container logs:

# peer 1&2
ERRO [main] InitCmd -> Fatal error when initializing core config : error when reading core config file: Config File "core" Not Found in "[/etc/hyperledger/peercfg]"

# orderer
PANI [orderer.common.server] loadLocalMSP -> Failed to get local msp config: could not initialize BCCSP Factories: Failed initializing BCCSP: Could not initialize BCCSP SW [Failed to initialize software key store: open /var/hyperledger/orderer/msp/keystore: permission denied]

To resolve the errors, the volume sections of the compose files need to be modified.

The reason for the second issue is that the peer container cannot access the Docker socket. When deploying a new chaincode in a test network running on Docker, the following error happens:

Error: chaincode install failed with status: 500 - failed to invoke backing implementation of 'InstallChaincode': could not build chaincode: docker build failed: docker image inspection failed: Get "http://unix.sock/images/dev-peer0.org1.example.com-basic_1.0-c6a45e2d5563c883869149c3dbd941c22fbe27daa21f0552834f5a53fbb8058a-fe69b7bdc0bbe5769bbff0572aa6986343c77b61c84077999a9b65f29c5c0025/json": dial unix /host/var/run/docker.sock: connect: permission denied
Chaincode installation on peer0.org1 has failed
Deploying chaincode failed

To resolve this error, the Docker compose file needs to be modified. The volume section needs to be updated and the security option disabled for this container.

The errors in the container logs and during chaincode deployment were added to the test_network.md 'Troubleshooting' section as an aid if someone searches the documentation for those errors.

The necessary changes are documented in a new section called 'SELinux' under the 'Tutorials/Using the Fabric test network' docs.

Additional details

The documented changes were discovered and fixed in a test network running on a Fedora 40 machine.

I deployed a version of the documentation with my changes for the reviewer here. Scroll down for the entry in the test network troubleshooting section; it's the last two entries.

Two questions to the reviewer (Update 24.10):

  1. Should I create an issue for this PR? => no
  2. Should the fix be added to the fabric samples test network setup? => can be done, but not needed now
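
A compose fragment illustrating the two changes the description above refers to. This is an added example, not taken from the PR or the Fabric documentation: it assumes the fix uses Docker's `:z` SELinux volume option and `security_opt: label:disable`, and the host-side paths, image tags and the orderer service name are constructed.

```yaml
# Constructed compose fragment (not from the PR). Host paths, image tags and
# the orderer service name are placeholders; the container paths are the ones
# that appear in the error messages quoted above.
services:
  orderer.example.com:
    image: hyperledger/fabric-orderer:latest
    volumes:
      # Before: the bind mount keeps its host SELinux label, so the confined
      # container process gets "permission denied" on the keystore.
      #   - ./organizations/orderer/msp:/var/hyperledger/orderer/msp
      # After: ":z" asks the runtime to relabel the host directory with a
      # shared container label. Use it only on project directories, never on
      # system paths such as /etc, /var or the root of a home directory.
      - ./organizations/orderer/msp:/var/hyperledger/orderer/msp:z

  peer0.org1.example.com:
    image: hyperledger/fabric-peer:latest
    volumes:
      # Same relabel for the peer configuration directory.
      - ./peercfg:/etc/hyperledger/peercfg:z
      # The Docker socket is a system object and should not be relabelled,
      # so it is mounted without ":z" ...
      - /var/run/docker.sock:/host/var/run/docker.sock
    security_opt:
      # ... and SELinux label confinement is switched off for this one
      # container only. With socket access the container can control the
      # host's Docker daemon, so keep this setting to test networks.
      - label:disable
```

After the containers start, `ls -Z` on the relabelled host directories shows the label the runtime applied.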

@twoGiants twoGiants requested review from a team as code owners October 24, 2024 14:15
@twoGiants twoGiants force-pushed the selinux-test-network-fix branch from 3024db1 to 6e988af Compare October 24, 2024 14:35
@@ -115,6 +115,57 @@ Optional: Install the latest version of [Go](https://golang.org/doc/install) (on

Optional: Install the latest version of [jq](https://stedolan.github.io/jq/download/) (only required for the tutorials related to channel configuration transactions).

### Distros with SELinux enabled
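
Review bot: the added heading `### Distros with SELinux enabled` at the end of this hunk does not say which component the section applies to, and per the hunk header it opens 51 added lines directly after the optional Go and jq install notes. Suggest naming the affected component in the heading and spelling out "Distros" as "Linux distributions", or reducing this spot to a short pointer to where the full instructions live.
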
Contributor

@denyeart denyeart Oct 24, 2024

Thank you for this enhancement. I'd like to have this content in a test-network specific doc topic, or in fabric-samples repository itself. But I'd rather not clutter the main project prereq topic with information for a specific sample. Perhaps the prereq topic could link to the ultimate destination so at least people know about the potential issue at install time, while not being a distraction to users not on SELinux.

Contributor Author

Happy to help!

You're right. I have two proposals then:

  1. How about here right above Troubleshooting in the main documentation about the test network? With a mention of this case in Before you begin up top here.
  2. Or here in the fabric-samples repo test network README.md below Podman. And then a reference to this entry in Before you begin here as in proposal 1.

Contributor

I like your proposal 1. Add the content to the test network troubleshooting section and mention/link to it closer to the top. Thanks!

Contributor Author

Added changes as discussed.

@denyeart
Contributor

To answer the questions in the Description:

  • No need to create an issue, it can be discussed and fixed in this PR. Typically we create an issue for things that are not yet being PRed.
  • If it can be fixed without causing too much disruption to test-network setup that would be ideal. If it will make test-network setup significantly more complex, then I agree with the doc approach. However I'd keep the doc in a test network doc topic or in a fabric-samples markdown file, rather than in the main prereq doc topic.

@twoGiants
Contributor Author

  • If it can be fixed without causing too much disruption to test-network setup that would be ideal. If it will make test-network setup significantly more complex, then I agree with the doc approach...

Not too complex, but not worth the effort at this point. No issues open and no complaints so far. The documentation will tell how to resolve it. I think that should suffice for now.

@denyeart
Contributor

Note - you also need to add your email signoff at the bottom of the commit message to pass the DCO check. More details at https://github.com/hyperledger/fabric/pull/5045/checks?check_run_id=32014394611.

@twoGiants twoGiants force-pushed the selinux-test-network-fix branch from 6e988af to 81c2da2 Compare October 25, 2024 16:10
The documentation update adds a description on how to resolve two issues
when running the test-network on a host with SELinux enabled:
1. Peer and orderer crashing after start using Docker or Podman.
2. Chaincode container cannot be built when using Docker.

The reason for the first issue is permission errors. This can be seen
in the container logs. To resolve the errors, the volume sections of the
compose files need to be modified.

The reason for the second issue is that the peer container cannot
access the Docker socket. To resolve it only the Docker compose file
needs to be modified.

The errors in the container logs and during chaincode deployment were
added to the test_network.md 'Troubleshooting' section as an aid if
someone searches the documentation for those errors.

The necessary changes are documented in a new section called
'SELinux' under the 'Tutorials/Using the Fabric test network' docs.

Signed-off-by: Stanislav Jakuschevskij <stas@two-giants.com>
@twoGiants twoGiants force-pushed the selinux-test-network-fix branch from 81c2da2 to b0611e3 Compare October 29, 2024 10:35
@twoGiants twoGiants requested a review from denyeart October 29, 2024 10:56
Contributor

@denyeart denyeart left a comment

Perfect now, thank you!

@denyeart denyeart merged commit 6c2e87c into hyperledger:main Oct 30, 2024
15 checks passed